
In this day and age security is very important, and there are a lot of security professionals out there who know a lot about security. But as security professionals we're not talking much about business acumen: how to lead an organization, how to talk to our management about security. We all speak security language, but very few of us speak business language. What happens is you see security professionals and their organizations end up outside the primary organization, and for security to be effective you have to have it embedded in the organization. You hear a lot about security being baked into an architecture; it has to be baked into processes as well.

Well, we've done a lot to do that to ourselves. We've spent time playing the FUD card, you know, fear, uncertainty and doubt. We've got our needs met through fear and scaring people, and we like to build empires; we all build our own little security fiefdoms. So instead of having a place at the organizational table, we've got the security table outside of the organization, and that's not an effective way to lead security. The power we get from FUD is short-lived, and the truth is it does work sometimes. I've done it myself: I couldn't get a SQL injection vulnerability fixed, so I dumped the database to a thumb drive instead. Here I played the FUD card. Sometimes it works, but if you do it too much you're going to lose your credibility and you'll become ineffective, and, to your point up there, we risk becoming the obstructionists that we're accused of being. It's a very short-lived way to be effective.

Do more cost-benefit analysis, do more risk analysis, do more staffing analysis. Instead of playing the fear card, or instead of just saying "not enough money," say what it is you need and why. In security we do a very poor job of saying, you know, here's our staff utilization rates, here's what we need to do, here's a really good risk assessment, here's a cost-benefit analysis, here's our business justification. So the takeaway really is: do more math, as odd as that sounds.

We speak security-speak. You and I know what "pwned network" means, and we understand what the cost to the company of a pwned network is, but we don't know how to say that in business-speak. What we do, instead of saying "if this were compromised it would impact our ability to create 500 widgets per day," is say "yeah, it'd be bad." When we ask for things we'll say "I'm mad I'm not getting more help making security better." What we should be saying is "I want your support in implementing a policy that no untested code goes to production." So as an overall profession we have to get better at being very specific and clear on what we need to make organizations effective.