Your job is to secure operations. But nobody listens to you. There’s no budget. Management keeps making bad security decisions that seem to sabotage your efforts. Do you flee or do you try harder? The security books, blogs, and tweeting pundits out there tell us we need to learn the language of business. We need to put risk in terms of money that management understands. We need to be like the management we’re trying to protect. And that’s where it all falls apart. The security to business relationship is often textbook abusive codependency. You do well and nobody notices. You fail and you get fired or worse- shamed by your peers over social media for whatever the company releases as the statement for the breach. So how do you do SecOps under those conditions? This talk will focus on new ways to approach SecOps to face the challenges you have today with business demands. We will look at new security research that will make a difference for how you do your job. Most of all we will show you technical security practices to help you sustain your new found stance.

1. They are all
Scor pi ons
(Security and Business, Abusive Codependence)

2. . .WWW ISECOm OR
G

3. !Make a wish

4. Oooh you said
“ ”cybersecurity
Better
cybersecurity

5. The Frog and the Scorpion

6. And not without good
.reason
Cybersecurity
professionals
are an unhappy
.bunch

7. If you got into
cybersecurity
mostly because
you like to
hang out with
-middle aged
white men with
big egos who
...humble brag

8. If cybersecurity were an
animal

9. ’ .But they won t
Business should
learn the
language of
.cybersecurity

10. companies will not change
Security is all too
often seen as the
thing in the way of
good profits like how
environmental
protection was viewed
, , ..in the 70s 80s 90s
… , ,Now well fracking
-reactor cooling
radioactive ocean
,water marine vehicle
,fuel leaks any kind
,of energy production
,Any carbon footprint
….plastic straws

11. ’But This isn t a disney
movie

12. Yet business needs it
Cybersecurity is
a cost center
with a loss
motive and no
profit incentive

13. .We need each other
’But business doesn t know
.that yet

14. ’But there s easier ways to
.do it
Security sells
itself as a way
to increase
,profits
,customers and
.stock price

15. “ !”Think of the children we
.say

16. So we try to
make
cybersecurity
sexier to get
’business
.attention
.Desperation

17. =Success numbers go
down
Times caught cheating
on spouse
Bones broken for
gambling debts
Raccoons in the
bedroom at night
Episodes of kardashians
’you ve watched

18. Security effectiveness is
going down
Security controls
%utilization from 40 to
%30
Avg Number of sec
products from 4 to 5
Avg Number of secops
from 3 to 2
The crowbar of statistics
:says

19. How do we move forward?
Cybersecurity is built
on human suffering

20. Cybersecurity analgesics
Separate threat and
security from assets
clean the environment
and own it
Control the interactions
Only after all that is
,done deal with vulns

21. 4 Point Process
2. INQUEST
investigate emanations
1. INDUCTION
establish facts about the environment
4. INTERVENTION
changing resource interactions
3. INTERACTION
trigger responses

22. Trifecta
1. How do current operations work?
2. How do they work differently from how
everyone thinks they work?
3. How do they need to work?

23. TRIFECTA IN PRACTICE

24. Trifecta Table

25. VENDOR
SECURITY
CALC

26. ATTACK
SURFACE
METRICS

27. THE STAR

28. :In conclusion
’they re all
!scorpions

29. Thank you.
You have questions?
.I have answers