No More Snake Oil: Why InfoSec Needs Security Guarantees
Jeremiah Grossman, Founder, WhiteHat Security, Inc. (@jeremiahg)
© 2015 WhiteHat Security, Inc.
Ever notice how everything in Information Security is sold “AS-IS”?
• No Guarantees
• No Warranties
• No Return Policies
Unlike everyday ‘real world’ products…
Customer challenges…
• Difficult telling security vendors apart.
• Justifying the business value of security products to management.
• Trusting security vendors since their interests are misaligned.
Answer: Security Guarantees
Security Industry Spends Billions
“According to the IT research and advisory firm [Gartner], global IT security spending will reach $71.1 billion this year [2014], which represents an increase of 7.9% compared to 2013. Next year, spending will grow even more, reaching $76.9 billion.”
Result: Every Year is the Year of the Hack
In 2014, 71% of security professionals said their networks were breached, and 22% of them were victimized 6 or more times, up from 62% and 16% respectively in 2013. 52% said their organizations will likely be successfully hacked in the next 12 months, up from 39% in 2013.
Survey of security professionals by CyberEdge Group
AppSec: Too Many Vulns, Too Little Time
Windows of Exposure
Downside Protection
• As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in 2013.
• Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth.
• It’s usually the firms that are best prepared for cyber attacks that wind up buying insurance.
“Premiums for a $1 million plan are generally $5,000 to $10,000 annually, though that can vary based on several factors, including the company's revenue, cyber-risk management efforts and the coverage chosen, Fenaroli said. For hospitals, premiums can be much larger—sometimes more than $100,000 or even $1 million for larger health systems, he said.”
Sony Pictures Entertainment holds $60 million in Cyber insurance with Marsh, according to documents leaked by the group claiming responsibility for the attack on the movie studio.
“The documents, covered in detail by Steve Ragan at CSO, say that after sonypictures.com was breached in 2011, Sony made a claim of $1.6 million with Hiscox, its Cyber provider at the time. The insurer declined to quote at renewal, so Sony Pictures turned to Lockton, which brokered a $20 million policy that included $10 million in self-insured retention.”
“Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.”
“Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say.”
Insurers providing excess layers of cyber coverage include: Lloyd's of London syndicates; operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.
“Liability enforcement is essential. Remember that I said the costs of bad security are not borne by the software vendors that produce the bad security. In economics this is known as an externality: a cost of a decision that is borne by people other than those making the decision.
However it happens, liability changes everything. Currently, there is no reason for a software company not to offer more features, more complexity, more versions. Liability forces software companies to think twice before changing something. Liability forces companies to protect the data they're entrusted with.”

Objections to Security Guarantees
"You're not entitled to take a view, unless and until you can argue better against that view than the smartest guy who holds that opposite view. If you can argue better than the smartest person who holds the opposite view, that is when you are entitled to hold a certain view."
Charlie Munger, Vice-Chairman, Berkshire Hathaway
Objection: 100% security is impossible.
Rebuttal: Nothing is ever 100% secure, just like no everyday product is 100% reliable. With product performance data, offering security guarantees is possible even when the product cannot provide 100% protection.
Objection: Guarantees can’t keep up.
Rebuttal: It’s contractually possible to specify exactly what a security guarantee covers and to disclaim excessively risky events and unknowns. Insurance companies do this routinely.
Objection: Vendors don’t have the data.
Rebuttal: Today we’re in the era of the cloud, managed services, and products routinely phoning home for updates, all providing real-time access to an ample supply of performance data.
Objection: Pinpointing product failure is difficult.
Rebuttal: For organizations capable of performing effective forensic investigations, identifying the gap in the defense or the product that failed is entirely possible.
Objection: Soft costs are hard to quantify.
Rebuttal: Security guarantees and cyber-security insurance typically cover only hard costs associated with downtime, legal fees, incident response, credit monitoring, fines, and so on.
Objection: Security vendors don’t want the liability.
Rebuttal: Security guarantees represent a unique opportunity for vendors to differentiate from competitors and an opportunity for customers to demand more effective products.
Objection: Improper product use is often the cause.
Rebuttal: Like many other products we buy, guarantees only cover intended use. Security vendors can specify how their product is meant to be used for its effectiveness to be guaranteed.
2014-2015 Annual Spending Increase
Information Security Spending (N. America): ~$2.4 billion in new spending (+7.8%)
Cyber-Security Insurance: ~$1.34 billion in new spending (+67%)
Source: Forecast Overview: Information Security, Worldwide, 2014 Update (Gartner, published 25 June 2014)
1/3 of the budget left on the table!
“We also asked about the importance of being offered a ‘security guarantee’ by cloud service providers. Three-quarters of respondents (74%) say it’s ‘Very Important’ that cloud providers offer a guarantee, and another 22% say ‘Somewhat Important.’ Companies not using cloud place a greater importance on security guarantees than current users. As such, security guarantees give cloud service providers an opportunity to attract new customers.”
Subsidiary of 451 Research. Survey of 1,097 respondents involved in their company's IT buying decisions (Jul 2014); 445 currently use public cloud.
Customer challenges…
• Difficult telling security vendors apart.
  Security guarantees help customers differentiate truly effective security products from those that are… less effective.
• Justifying the business value of security products to management.
  Security guarantees help quantify the value of security products in dollars and cents for the business.
• Trusting security vendors since their interests are misaligned.
  Security guarantees hold vendors accountable for the performance of their products and are therefore more credible.
How WhiteHat Approaches Security Guarantees
• WhiteHat Sentinel: tests tens of thousands of websites 24x7x365.
• Incident Data: data sharing relationships with incident responders.
• Customer Relationships: ‘missed’ vulns leading to breaches.
Our success rate is over 99%.
What WebApp Attacks Are Adversaries Using?
“This year, organized crime became the most frequently seen threat actor for Web App Attacks.”
Verizon 2015 Data Breach Investigations Report
Vulnerabilities Missed & Exploited
[Diagram: the world of web vulnerabilities is divided into vulnerabilities we test for and vulnerabilities we DON’T test for. Among those we test for, vulns we found split into vulns not exploited and vulns exploited; vulns we missed split into vulns not exploited and vulns exploited that got the website hacked.]
• Why was the vulnerability missed? Improve technology, training, and process.
• Other consumer products have standard performance metrics (MTB; operating hours – runtime of motors; mileage for drivetrain, tires, etc.).
If a website covered by Sentinel Elite is hacked, using a vulnerability we missed and should have found, the customer will be refunded in full. Plus up to… $500,000… to help cover the cost associated with the breach.
Monetary loss distribution per data breach: ~75% have losses less than $500K. (“The Post Breach Boom”, Ponemon Institute, 2013)
Ranges of expected loss by number of records. (Verizon 2015 Data Breach Investigations Report)
Paths for Other Security Vendors to Follow
• Obtain as much performance data as possible.
• Contractually capture what your product is able to reliably guarantee and disclaim the rest.
• Back your security guarantee with an insurance provider.
“The only two products not covered by product liability are religion and software, and software shall not escape much longer.”
Dan Geer (CISO, In-Q-Tel)
Questions?
Thank you!
Jeremiah Grossman, Founder, WhiteHat Security
blog.whitehatsec.com
Twitter: @JeremiahG

Ransomware is Here: Fundamentals Everyone Needs to Know
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 

Recently uploaded

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 

Recently uploaded (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 

No More Snake Oil: Why InfoSec Needs Security Guarantees

  • 1. No More Snake Oil: Why InfoSec Needs Security Guarantees. Jeremiah Grossman, Founder, WhiteHat Security, Inc. @jeremiahg © 2015 WhiteHat Security, Inc.
  • 2. Ever notice how everything in Information Security is sold “AS-IS”? • No Guarantees • No Warranties • No Return Policies
  • 3. Unlike everyday ‘real world’ products…
  • 4. Customer challenges… • Difficult telling security vendors apart. • Justifying the business value of security products to management. • Trusting security vendors since their interests are misaligned. Answer: Security Guarantees
  • 5.
  • 6. Security Industry Spends Billions: “According to the IT research and advisory firm [Gartner], global IT security spending will reach $71.1 billion this year [2014], which represents an increase of 7.9% compared to 2013. Next year, spending will grow even more, reaching $76.9 billion.”
  • 7. Result: Every Year is the Year of the Hack. In 2014, 71% of security professionals said their networks were breached; 22% of them were victimized 6 or more times. This increased from 62% and 16% respectively in 2013. 52% said their organizations will likely be successfully hacked in the next 12 months, up from 39% in 2013. (Survey of security professionals by CyberEdge Group.)
  • 8. AppSec: Too Many Vulns, Too Little Time
  • 9. Windows of Exposure
  • 10.
  • 11. Downside Protection • As of 2014, American businesses were expected to pay up to $2 billion on cyber-insurance premiums, a 67% spike from $1.2 billion spent in 2013. • Current expectations by one industry watcher suggest 100% growth in insurance premium activity, possibly 130% growth. • It’s usually the firms that are best prepared for cyber attacks that wind up buying insurance.
  • 12. “Premiums for a $1 million plan are generally $5,000 to $10,000 annually, though that can vary based on several factors, including the company's revenue, cyber-risk management efforts and the coverage chosen, Fenaroli said. For hospitals, premiums can be much larger—sometimes more than $100,000 or even $1 million for larger health systems, he said.”
  • 13. Sony Pictures Entertainment holds $60 million in cyber insurance with Marsh, according to documents leaked by the group claiming responsibility for the attack on the movie studio. “The documents, covered in detail by Steve Ragan at CSO, say that after sonypictures.com was breached in 2011, Sony made a claim of $1.6 million with Hiscox, its Cyber provider at the time. The insurer declined to quote at renewal, so Sony Pictures turned to Lockton, which brokered a $20 million policy that included $10 million in self-insured retention.”
  • 14. “Target spent $248 million after hackers stole 40 million payment card accounts and the personal information of up to 70 million customers. The insurance payout, according to Target, will be $90 million.”
  • 15. “Anthem has $150 million to $200 million in cyber coverage, including excess layers, sources say.” Insurers providing excess layers of cyber coverage include: Lloyd's of London syndicates; operating units of Liberty Mutual Holding Co.; Zurich Insurance Group; and CNA Financial Corp., sources say.
  • 16. “Liability enforcement is essential. Remember that I said the costs of bad security are not borne by the software vendors that produce the bad security. In economics this is known as an externality: a cost of a decision that is borne by people other than those making the decision. However it happens, liability changes everything. Currently, there is no reason for a software company not to offer more features, more complexity, more versions. Liability forces software companies to think twice before changing something. Liability forces companies to protect the data they're entrusted with.”
  • 17. Objections to Security Guarantees. "You're not entitled to take a view, unless and until you can argue better against that view than the smartest guy who holds that opposite view. If you can argue better than the smartest person who holds the opposite view, that is when you are entitled to hold a certain view." Charlie Munger, Vice-Chairman, Berkshire Hathaway
  • 18. Objection: 100% security is impossible. Rebuttal: Nothing is ever 100% secure, just like no everyday product is 100% reliable. With product performance data, even if unable to provide 100% protection, offering security guarantees is possible.
  • 19. Objection: Guarantees can’t keep up. Rebuttal: It’s contractually possible to specify exactly what a security guarantee covers and disclaim excessively risky events and unknowns. Insurance companies do this routinely.
  • 20. Objection: Vendors don’t have the data. Rebuttal: Today we’re in the era of the cloud, managed services, and products routinely phoning home for updates, all providing real-time access to an ample supply of performance data.
  • 21. Objection: Pinpointing product failure is difficult. Rebuttal: For organizations capable of performing effective forensic investigations, identifying the gap in the defense or the product that failed is entirely possible.
  • 22. Objection: Soft costs are hard to quantify. Rebuttal: Security guarantees and cyber-security insurance typically cover only hard costs associated with downtime, legal fees, incident response, credit monitoring, fines, and so on.
  • 23. Objection: Security vendors don’t want the liability. Rebuttal: Security guarantees represent a unique opportunity for vendors to differentiate from competitors and an opportunity for customers to demand more effective products.
  • 24. Objection: Improper product use is often the cause. Rebuttal: Like many other products we buy, guarantees only cover intended use. Security vendors can specify how their product is meant to be used for its effectiveness to be guaranteed.
  • 25. 2014-2015 Annual Spending Increase. Information Security Spending (N. America): ~$2.4 billion in new spending (+7.8%). Cyber-Security Insurance: ~$1.34 billion in new spending (+67%). 1/3 of the budget left on the table! Source: Forecast Overview: Information Security, Worldwide, 2014 Update (Gartner, published 25 June 2014).
  • 26. “We also asked about the importance of being offered a ‘security guarantee’ by cloud service providers. Three-quarters of respondents (74%) say it’s ‘Very Important’ that cloud providers offer a guarantee, and another 22% say ‘Somewhat Important.’ Companies not using cloud place a greater importance on security guarantees than current users. As such, security guarantees give cloud service providers an opportunity to attract new customers.” Subsidiary of 451 Research; survey of 1,097 respondents involved in their company's IT buying decisions (Jul 2014), 445 of whom currently use public cloud.
  • 27. Customer challenges… and how guarantees answer them. Difficult telling security vendors apart: security guarantees help customers differentiate truly effective security products from those that are…less effective. Justifying the business value of security products to management: security guarantees help quantify the value of security products in dollars and cents for the business. Trusting security vendors since their interests are misaligned: security guarantees hold vendors accountable for the performance of their products and therefore make them more credible.
  • 28. How WhiteHat Approaches Security Guarantees. WhiteHat Sentinel: tests tens of thousands of websites 24x7x365. Incident Data: data-sharing relationships with incident responders. Customer Relationships: ‘missed’ vulns leading to breaches. Our success rate is over 99%.
  • 29. What WebApp Attacks Are Adversaries Using? “This year, organized crime became the most frequently seen threat actor for Web App Attacks.” Verizon 2015 Data Breach Investigations Report
  • 30. The World of Web Vulnerabilities: Vulnerabilities We Test For vs. Vulnerabilities We DON’T Test For
  • 31. Vulnerabilities We Test For: Vulns We Found (Vulns Not Exploited / Vulns Exploited) and Vulns We Missed (Vulns Not Exploited / Vulns Exploited That Got Website Hacked)
  • 32. Vulnerabilities Missed & Exploited • Why was the vulnerability missed? Improve technology, training, and process. • Other consumer products have standard performance metrics (MTBF; operating hours – runtime of motors; mileage for drivetrain, tires, etc.)
  • 33. If a website covered by Sentinel Elite is hacked, using a vulnerability we missed and should have found, the customer will be refunded in full. Plus up to $500,000 to help cover the cost associated with the breach.
  • 34. Monetary loss distribution per data breach: ~75% have losses less than $500K. “The Post Breach Boom”, Ponemon Institute, 2013
  • 35. Ranges of expected loss by number of records. Verizon 2015 Data Breach Investigations Report
  • 36. Paths for Other Security Vendors to Follow • Obtain as much performance data as possible. • Contractually capture what your product is able to reliably guarantee and disclaim the rest. • Back your security guarantee with an insurance provider.
  • 37. “The only two products not covered by product liability are religion and software, and software shall not escape much longer.” Dan Geer (CISO, In-Q-Tel)
  • 38. Questions? Jeremiah Grossman, Founder, WhiteHat Security. blog.whitehatsec.com Twitter: @JeremiahG
  • 39. Thank you! Jeremiah Grossman, Founder, WhiteHat Security, Inc. @jeremiahg

Editor's Notes

  1. Ever notice how everything in the information security industry is sold “as is”? No guarantees, no warranties, no return policies. This provides little peace of mind that any of the billions that are spent every year on security products and services will deliver as advertised. In other words, there is no way of ensuring that what customers purchase truly protects them from getting hacked, breached, or defrauded. And when these security products fail – and I do mean when – customers are left to deal with the mess on their own, letting the vendors completely off the hook. This does not seem fair to me, so I can only imagine how a customer might feel in such a case. What’s worse, any time someone mentions the idea of a security guaranty or warranty, the standard retort is “perfect security is impossible,” “we provide defense-in-depth,” or some other dismissive and ultimately unaccountable response.
  2. http://www.securityweek.com/global-cybersecurity-spending-reach-769-billion-2015-gartner http://www.gartner.com/newsroom/id/2828722 http://www.wsj.com/articles/financial-firms-bolster-cybersecurity-budgets-1416182536 http://mspmentor.net/managed-security-services/100314/pwc-cybersecurity-costs-rise-budgets-decrease
  3. http://www.darkreading.com/attacks-breaches/most-companies-expect-to-be-hacked-in-the-next-12-months/d/d-id/1319497?
  4. Window of exposure is defined as the number of days an application has one or more serious vulnerabilities open during a given time period. We categorize window of exposure as:
     Always Vulnerable: A site falls in this category if it is vulnerable on every single day of the year.
     Frequently Vulnerable: A site is called frequently vulnerable if it is vulnerable for 271-364 days a year.
     Regularly Vulnerable: A regularly vulnerable site is vulnerable for 151-270 days a year.
     Occasionally Vulnerable: An occasionally vulnerable application is vulnerable for 31-150 days a year.
     Rarely Vulnerable: A rarely vulnerable application is vulnerable for less than 30 days a year.
     Our analysis shows that 55% of the Retail Trade sites, 50% of Health Care and Social Assistance sites, and 25% of Finance and Insurance sites are always vulnerable. Similarly, only 16% of the Retail Trade sites, 18% of Health Care and Social Assistance sites, and 25% of Finance and Insurance sites are rarely vulnerable. Conversely, Educational Services is the best performing industry with the highest percentage of rarely vulnerable sites (40%). Arts, Entertainment, and Recreation is the next best industry with 39% of sites in the rarely vulnerable category.
  5. http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/ http://www.techtimes.com/articles/27454/20150120/cyber-insurance-forefront-companies-minds.htm http://www.latimes.com/business/la-fi-hacking-insurance-20150210-story.html http://www.cnbc.com/id/101804150 http://www.darkreading.com/risk/the-problem-with-cyber-insurance/a/d-id/1269682?#ftag=YHF87e0214
  6. http://www.modernhealthcare.com/article/20150205/NEWS/302059939/anthem-hack-will-shake-up-market-for-cyber-risk-insurance
  7. http://www.propertycasualty360.com/2014/12/18/sony-pictures-holds-60-million-cyber-policy-with-m
  8. http://www.insurancejournal.com/news/national/2014/02/26/321638.htm http://www.latimes.com/business/la-fi-hacking-insurance-20150210-story.html
  9. http://www.businessinsurance.com/article/20150206/NEWS06/150209857/aig-unit-leads-anthems-cyber-coverage?tags=%7C83%7C299%7C302%7C329
  10. https://www.schneier.com/essays/archives/2003/11/liability_changes_ev.html
  11. 1: Nothing is ever 100% secure, just like no everyday product is 100% reliable. However, this hasn’t prevented many industries including automotive, electronics, exercise equipment and thousands of others from offering product guarantees. If a product is defective, simply return it for a replacement or get your money back. What’s different about information security is that vendors have lacked product performance data, which is essential to offer guarantees. With product performance data, even if it is unable to provide 100% security, offering guarantees is possible.
     2: There are always new vulnerabilities being disclosed, new attack techniques, and new tactics employed by our adversaries. However, if a security vendor has sufficient actuarial data about the performance of their product (today), it’s contractually possible to specify exactly what a security guarantee covers and disclaim excessively risky events and unknowns. This is precisely what other industries do. When new vulnerabilities, techniques, and tactics become understood and defensible, those can be guaranteed as well.
     3: In the heyday of home-brew firewalls, intrusion detection systems, and other security products, security vendors didn’t have access to the data their products generated. This is no longer the case. Today we’re in the era of the cloud, managed services, and products routinely phoning home for updates, which all provide real-time access to an ample supply of performance data. Modern security vendors have access to the data they need to provide guarantees should they choose to.
     4: Determining the layer of defense that failed requires at a minimum some degree of system logging, ideally forensically secure logging. If an organization is unable to determine what transpired during a given security event, that problem must be solved first. For organizations capable of performing effective forensic investigations, identifying the gap in the defense or the product that failed is entirely possible.
     5: Like any guarantee, the vendor decides what type of costs they’ll cover in the event the product does not perform as expected. With respect to a breach, guarantees and cyber-security insurance often cover hard costs associated with downtime, legal fees, incident response, credit monitoring, fines, and so on.
     6: This represents a unique opportunity for security vendors to differentiate from their competitors and an opportunity for customers to demand more effective products.
     7: Like all other products we purchase, guarantees only cover intended use. For example, in the case of cars, to keep the guarantee it’s often required to get the vehicle properly serviced according to the maintenance schedule. Another example is electronics guarantees, which may not cover water damage. Security vendors can specify exactly how their product is meant to be used for its effectiveness to be guaranteed.
     8: Products with a guarantee do tend to cost more than those sold AS-IS. Someone may purchase an ultra-cheap computer on eBay, without a guarantee, but they’ll have to take their chances with how long it might last. Or, someone can buy a new computer at Dell.com, which may cost more, but the peace of mind could be worth it. The option they prefer is their choice. It’s also quite common for consumers to pay even more for extended warranties on various products including cars and electronics, and many industries have found doing so to be highly profitable.
     9: Every business encounters obstacles when competing in a market. For example, to do business with large organizations, they may require vendors to have general business liability insurance, a minimum amount of cash in the bank, to be physically located in a given country, and more. These are generally viewed as a cost of doing business. If and when organizations require security vendors to offer product guarantees, that’s just one more thing an organization must offer in order to play in the market. The customer is always right.
  12. 1: Nothing is ever 100% secure, just like no everyday product is 100% reliable. However, this hasn’t prevented many industries, including automotive, electronics, exercise equipment and thousands of others, from offering product guarantees. If a product is defective, simply return it for a replacement or get your money back. What’s different about information security is that vendors have lacked product performance data, which is essential to offer guarantees. With product performance data, even if a product is unable to provide 100% security, offering guarantees is possible.
  13. 2: There are always new vulnerabilities being disclosed, new attack techniques, and new tactics employed by our adversaries. However, if a security vendor has sufficient actuarial data about the performance of their product (today), it’s contractually possible to specify exactly what a security guarantee covers and to disclaim excessively risky events and unknowns. This is precisely what other industries do. When new vulnerabilities, techniques, and tactics become understood and defensible, those can be guaranteed as well.
  14. 3: In the heyday of home-brew firewalls, intrusion detection systems, and other security products, security vendors didn’t have access to the data their products generated. This is no longer the case. Today we’re in the era of the cloud, managed services, and products routinely phoning home for updates, all of which provide real-time access to an ample supply of performance data. Modern security vendors have access to the data they need to provide guarantees, should they choose to.
  15. 4: Determining the layer of defense that failed requires, at a minimum, some degree of system logging, ideally forensically secure logging. If an organization is unable to determine what transpired during a given security event, that problem must be solved first. For organizations capable of performing effective forensic investigations, identifying the gap in the defense or the product that failed is entirely possible.
  16. 5: Like any guarantee, the vendor decides what type of costs they’ll cover in the event the product does not perform as expected. With respect to a breach, guarantees and cyber-security insurance often cover hard costs associated with downtime, legal fees, incident response, credit monitoring, fines, and so on.
  17. 6: This represents a unique opportunity for security vendors to differentiate themselves from their competitors, and an opportunity for customers to demand more effective products.
  18. 7: Like all other products we purchase, guarantees only cover intended use. For example, in the case of cars, to keep the guarantee it’s often required to get the vehicle properly serviced according to the maintenance schedule. Another example is electronics guarantees, which may not cover water damage. Security vendors can specify exactly how their product is meant to be used for its effectiveness to be guaranteed.
  19. Gartner Forecast Overview: Information Security, Worldwide, 2014 Update. Published: 25 June 2014.
1) We're leaving 1/3rd of the money on the table. Imagine if I could say that I can increase your revenue by 1/3rd. If your board figures out that they're losing this much money because you can't get your stats in order, they're not going to be pleased. The insurance industry is taking money from our industry, and that means less security spend, fewer jobs, less innovation, less growth and less security.
2) The insurance industry is on a path to grow faster than us by leaps and bounds. Their power and influence will easily dwarf ours if we don't act soon. We're ceding control of our industry to the insurance industry - do we want them to dictate/mandate spend? Do we really want a new regulatory body we have to comply with? The growth seems like a graph too. Show ours increasing by 7% or whatever and theirs increasing by 67%. If they're growing that much faster than us, we need to demonstrate how much faster and give them the ominous feeling that we're being gutted from the inside.
  20. https://451research.com/report-long?icid=3155
  21. http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf
  23. https://www.youtube.com/watch?v=nT-TGvYOBpI&list=UUJ6q9Ie29ajGqKApbLqfBOg