A presentation delivered by FRSecure's president Evan Francen at the August 2015 Twin Cities AFCOM Chapter Meeting. More than 50 people attended to learn about FRSecure, current information security events and threats, what companies are doing, and basic information security principles.
2. Information Security State of the Union
Topics
• Introduction
• FRSecure
• Evan Francen (Speaker)
• Current Events/Threats
• What Companies Are Doing
• Let’s Make it Simple
• Questions & Answers
3. Information Security State of the Union
Information security is a broad topic.
What can I give you in 30–45 minutes?
Follow-up discussions are encouraged!
4. Information Security State of the Union
Introduction – FRSecure
◦ Established in 2008
◦ Information security is all we do. We’re experts.
◦ Product agnostic
◦ We solve complex information security challenges for our clients.
We exist “to fix a broken industry”
The “industry”
The “industry” is the information security industry;
consisting of solutions (services and products)
designed to protect information.
5. FRSecure, the company
Vision & Mission
We exist “to fix a broken industry”
What’s “broken”?
1. Confusion - At the core, there is a lack of basic security understanding.
◦ Security is a big thing - We provide SIMPLE, but COMPREHENSIVE and EFFECTIVE solutions.
◦ We’re speaking different languages – Our solutions are CONSISTENT and we TEACH as part of everything we do.
6. FRSecure, the company
Vision & Mission
We exist “to fix a broken industry”
What’s “broken”?
2. Motives - Motives are often wrong or unclear. Money, politics, and pride all get in the way.
◦ Our motive is clear - Our PRIMARY motive is to make security better, and we are the BEST at doing that.
◦ We are product agnostic for a reason – Representing products may make us more money now, but detracts from our motive and message.
7. FRSecure, the company
Vision & Mission
We exist “to fix a broken industry”
What’s “broken”?
3. Expertise - There is a general lack of expertise.
◦ We make experts internally – We INVEST in each other to make the BEST security experts in the industry.
◦ We make experts externally – We TEACH everyone every time we get the chance.
8. FRSecure, the company
Vision & Mission
We exist “to fix a broken industry”
Fixing it…
1. What we’re going to do
◦ FRSecure’s Ten Security Principles™
◦ FRSecure Information Security Assessment – FISA™
◦ FRSecure’s Services – Compliance (GLBA/FFIEC, PCI, HIPAA, etc.)
◦ FRSecure’s Services – Other (vCISO, Penetration Testing, Incident Response, Portal, etc.)
◦ FRSecure’s Mentor Program
2. How we’re going to do it
Relationships
9. Information Security State of the Union
Introduction – Evan Francen
◦ Founder & President of FRSecure
◦ 20+ years of information security leadership experience
◦ Specialties:
◦ Information security methodologies (the way to do things…)
◦ Information security risk management
◦ Executive & board of directors education
◦ Building security programs
◦ Social engineering
15. Information Security State of the Union
Current Events/Threats
It’s all the fad. Money is fast and furious.
The worldwide cybersecurity market is defined by market sizing estimates that range from $77 billion in 2015 to $170 billion by 2020.
CB Insights reported that in the first half of 2015, venture firms invested $1.2 billion into cybersecurity startups. Yup, you read it correctly - one point two billion in just the first six months of 2015.
16. Information Security State of the Union
Current Events/Threats
Money is (and always has been) the motive for the bad guys. Follow the money:
◦ Credit card breaches peaked? Sorta.
◦ Next up: health information (PHI/ePHI)
◦ Identity theft is steady
◦ Extortion is steady after a big rise
“A new survey of 600 small business owners compiled by Wells Fargo found that more than half of those who accept point-of-sale card payments are unaware of the requirement to change to EMV chip card technology.”
17. Information Security State of the Union
Current Events/Threats
◦ For the datacenter, it’s not the datacenter itself, it’s:
◦ Everything connected to the datacenter
◦ Social engineering
18. Information Security State of the Union
What Companies Are Doing – The GOOD
1. Visibility is higher than it’s ever been.
2. Boards of directors and the executive suite are more involved than ever.
3. Compliance (in general) is getting more effective.
19. Information Security State of the Union
What Companies Are Doing – The BAD
1. Confusion (more than ever)
◦ We’re speaking different languages
◦ We’re making this harder than we should
◦ What to do? – NIST Cybersecurity Framework (CSF), SOC 2 Type 1/2 (less popular now), ISO/IEC 27001, COBIT, HITRUST
◦ How much is too much?
2. Still too IT focused
3. Still looking for an easy button
20. Information Security State of the Union
Let’s Make it Simple
• Complexity is the enemy of security (remember this)
• Start with a definition of “information security”… Easy, right?
Information security is the application of administrative, physical and technical controls to protect the confidentiality, integrity, and availability of information.
21. Information Security State of the Union
Let’s Make it Simple
• How ‘bout some truths about security?
FRSecure’s Ten Security Principles™
1. A business is in business to make money
2. Information Security is a business issue
3. Information Security is fun
4. People are the biggest risk
5. “Compliant” and “secure” are different
22. Information Security State of the Union
Let’s Make it Simple
• How ‘bout some truths about security?
FRSecure’s Ten Security Principles™
6. There is no common sense in Information Security
7. “Secure” is relative
8. Information Security should drive business
9. Information Security is not one size fits all
10. There is no “easy button”