The information security industry is broken. It's our duty to fix it, and it starts with getting on the same page. The model isn't broken, but our application is. How do we apply the basics and fundamentals on a wider scale? It starts with defining a common language and a common approach. Next, make it all free.

1. WANTED – People Committed to
Solving our Information Security
Language Problem
Evan Francen, CEO, SecurityStudio

2. IMPORTANT!
Before I get started…
• The World Health Organization states that over 800,000
people die every year due to suicide, and that suicide is the
second leading cause of death in 15-29-year-olds.
• 5 percent of adults (18 or older) experience a mental illness
in any one year
• In the United States, almost half of adults (46.4 percent) will
experience a mental illness during their lifetime.
• In the United States, only 41 percent of the people who had a
mental disorder in the past year received professional health
care or other services.
• https://www.mentalhealthhackers.org/resources-and-links/

3. IMPORTANT!
Before I get started…
• The World Health Organization states that over 800,000
people die every year due to suicide, and that suicide is the
second leading cause of death in 15-29-year-olds.
• 5 percent of adults (18 or older) experience a mental illness
in any one year
• In the United States, almost half of adults (46.4 percent) will
experience a mental illness during their lifetime.
• In the United States, only 41 percent of the people who had a
mental disorder in the past year received professional health
care or other services.
• https://www.mentalhealthhackers.org/resources-and-links/

4. ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
I do a lot of security stuff…
• Co-inventor of SecurityStudio®, S²Score, S²Org, S²Vendor,
S²Team, and S²Me
• 25+ years of “practical” information security experience
(started as a Cisco Engineer in the early 90s)
• Worked as CISO and vCISO for hundreds of companies.
• Developed the FRSecure Mentor Program; six students in
2010/500+ in 2018
• Advised legal counsel in very public breaches (Target, Blue
Cross/Blue Shield, etc.)
Solving our Information Security Language Problem
AKA: The “Truth”

5. UNSECURITY: Information Security Is Failing. Breaches Are Epidemic.
How Can We Fix This Broken Industry?
Published January, 2019
Solving our Information Security Language Problem

6. You know we have an
language problem in
our industry, right?
Our Industry
AI
Blockchain
Penetration Test
Vulnerability
Management
NIST CSF
RiskRisk
Management
Containers
Incident
Management
Cyber
Insurance
Threats
Maturity
Assessment
Malware
Security
Cryptography
Breach
APT
multifactor
authentication
behavioral analytics
deception technology

7. You know we have an
language problem in
our industry, right?
Normal
People See
Us Like
AI
Blockchain
Penetration Test
Vulnerability
Management
NIST CSF
RiskRisk
Management
Containers
Incident
Management
Cyber
Insurance
Threats
Maturity
Assessment
Malware
Security
Cryptography
Breach
APT

8. You know we have an
language problem in
our industry, right?
Normal
People See
Us Like
AI
Blockchain
Penetration Test
Vulnerability
Management
NIST CSF
RiskRisk
Management
Containers
Incident
Management
Cyber
Insurance
Threats
Maturity
Assessment
Malware
Security
Cryptography
Breach
APT

9. You know we have an
language problem in
our industry, right?
Normal
People See
Us Like
AI
Blockchain
Penetration Test
Vulnerability
Management
NIST CSF
RiskRisk
Management
Containers
Incident
Management
Cyber
Insurance
Threats
Maturity
Assessment
Malware
Security
Cryptography
Breach
APT
B.S. The model isn’t broken, the application of
the model is!

10. Why?
Because we
don’t agree on a
language
Their Language
FIX: Fundamentals and
simplification.
Translation/Communication
WARNING – It’s work and
it’s NOT sexy.

11. Information Security is

12. Managing RiskInformation Security is

13. ComplianceInformation Security is
NOT

14. Managing RiskInformation Security is
in what?

15. Managing Risk
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is

16. Managing Risk
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Easier to go through your
secretary than your firewall
Firewall doesn’t help when
someone steals your server
YAY! IT stuff

17. Managing Risk
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
What’s risk?

18. Managing Risk
Likelihood
Impact
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Of something
bad happening.
If it did.

19. Managing Risk
Likelihood
Impact
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
How do you figure out
likelihood and impact?

20. Managing Risk
Likelihood
Impact
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Start with vulnerabilities.

21. Managing Risk
Likelihood
Impact
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Start with vulnerabilities.
• Vulnerabilities are weaknesses.
• A fully implemented and
functional control has no
weakness.
• Think CMMI, 1 – Initial to 5 –
Optimizing.

22. Managing Risk
Likelihood
Impact
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
OK, but there’s no risk
in a weakness by itself,
right?

23. Managing Risk
Likelihood
Impact
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
OK, but there’s no risk
in a weakness by itself,
right?
That’s right! We need threats too.

24. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is

25. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
There is NO risk
• For vulnerabilities
without a threat.
• For threats without
a vulnerability.

26. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
There is NO risk
• For vulnerabilities
without a threat.
• For threats without
a vulnerability.
So, what is information
security?

27. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is

28. Some truth about information security
It’s relative.
Something insecure at the core will always be insecure.
You can’t manage what you can’t measure.
You can’t manage risk without assessing it.
Complexity is the enemy.

29. Some truth about information security
Must be put on a scale (degrees of security)
Must master the fundamentals
Must measure it.
Must do risk assessments.
Keep it simple!
As much as 90% of
organizations fail to do
fundamental information
security risk assessments.
WHY? Reason #1: Complexity

30. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Fine for our tribe, but
what about the others?

31. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
What if we made a
simple score to
represent this?

32. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
We call it the S2Score.
We did.

33. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
ControlsThe S2Score is a simple and effective language to
communicate information security to everyone
(executives, other security people, auditors, regulators,
etc.).
Information Security is

34. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
As much as 90% of
organizations fail to do
fundamental information
security risk assessments.
Reason #2: Cost

35. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Let’s make an information security risk assessment that’s
free.
The assessment that creates the S2Score is
available at no cost to anyone.
Cool. Speaking the same language
should be free.

36. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
Information Security is
Let’s make an information security risk assessment that’s
free.
The assessment that creates the S2Score is
available at no cost to anyone.
Cool. Speaking the same language
should be free.
OK. You did an information
security risk assessment.
Now what?

37. The next thing after an information
security risk assessment is?

38. The next thing after an information
security risk assessment is?
Doing something with it.

39. The next thing after an information
security risk assessment is?
Doing something with it.
Risks

40. The next thing after an information
security risk assessment is?
Doing something with it.
Risks
Accept

41. The next thing after an information
security risk assessment is?
Doing something with it.
Risks
Accept
Mitigate

42. The next thing after an information
security risk assessment is?
Doing something with it.
Risks
Accept
Mitigate
Transfer

43. The next thing after an information
security risk assessment is?
Doing something with it.
Risks
Accept
Mitigate
Transfer
Avoid

44. The next thing after an information
security risk assessment is?
Doing something with it.
Risks
Accept
Mitigate
Transfer
Avoid
Who makes the
decisions?

45. The next thing after an information
security risk assessment is?
Doing something with it.
Risks
Accept
Mitigate
Transfer
Avoid
Ignorance is not an option!

46. The next thing after an information
security risk assessment is?
Doing something with it.
Risks
Accept
Mitigate
Transfer
Avoid
When?
Prioritize
Ignorance is not an option!

47. The next thing after an information
security risk assessment is?
Doing something with it.
Risks
Accept
Mitigate
Transfer
Avoid
When?
Prioritize
Who?
Prioritize
Ignorance is not an option!

48. The next thing after an information
security risk assessment is?
Doing something with it.
Risks
Accept
Mitigate
Transfer
Avoid
When?
Prioritize
Who?
Prioritize
Ignorance is not an option!
This is your roadmap.

49. Other Fundamentals?
Risk management also requires communication.
Now you can say:
1. Where we’re at.
2. Where we’re going.
3. When we’re going to get there.
4. How much it’s going to cost.
Five minutes or less
with the board.

50. Other Fundamentals?
Everything should be driven from risk management.
Including:
• Governance
• Asset Management
• Hardware (lifecycle including configuration and vulnerability management)
• Software (lifecycle including configuration and vulnerability management)
• Data
• Access Control
• Change Control
OK. Now back to
language.

51. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
S2Score is
We have another language problem
What about the language between organizations?
We can use the S2Score to communicate 3rd-party information
security risk too.

52. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
S2Score is
Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
S2Score is
If two organization’s use S2Score as their
language, just share the scores.
SIMPLE!

53. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
S2Score is
Or through
translation.
Here’s you.

54. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
S2Score is
Or through
translation.
Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way.
Here’s you.
Here are your 3rd-
parties.

55. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
S2Score is
Through
translation.
Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way.
Let’s say each company
has there own way,
their own language.
Here’s you.
Here are you’re 3rd-
parties.

56. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
S2Score is
Through
translation.
Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way.
Let’s say each company
has there own way,
their own language.
Here’s you.
Here are you’re 3rd-
parties.
We built a translator.

57. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
FISASCORE® is
Through
translation.
Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way.
Let’s say each company
has there own way,
their own language.
Here’s you.
Here are you’re 3rd-
parties.
We built a translator.
What’s the
point?

58. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
FISASCORE® is
Through
translation.
Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way.
Let’s say each company
has there own way,
their own language.
Here’s you.
Here are you’re 3rd-
parties.
We built VENDEFENSE
to be a translator.
What’s the
point?
Information security language and
translations are the point!
People are the point! People within our industry and
people who work with us are confused and we’re wasting
valuable resources on a 1,000 different solutions to the
same problems, all using different languages.

59. Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
FISASCORE® is
Through
translation.
Company #1’s way. Company #2’s way. Company #3’s way. Company #4’s way.
Let’s say each company
has there own way,
their own language.
Here’s you.
Here are you’re 3rd-
parties.
We built VENDEFENSE
to be a translator.
What’s the
point?
Information security language and
translations are the point!
People are the point! People within our industry and
people who work with us are confused and we’re wasting
valuable resources on a 1,000 different solutions to the
same problems, all using different languages.
OK, I get it. Two last
questions.
1. What does the future of
S2Score look like?
2. What should I do now?

60. What does the future hold for the S2Score Language?
Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
S2Score is
Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
S2Score is
Other
tools/integrations
These are things that
are coming:
• The roadshow.
• Community
involvement
program.
• Vendor/product
incorporation.
• Integration with
any/all.

61. What should you do now?
Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
S2Score is
Managing Risk
Likelihood
Impact
Threats
Vulnerabilities
Administrative
Controls
Physical
Controls
Technical
Controls
S2Score is
Other
tools/integrations
Simple.
• Get your S2Score.
• Participate with us; give
us feedback, help us solve
problems.
• The S2Score is mapped to
NIST CSF, ISO 27002, NIST
SP 800-53, CIS, and COBIT.
More to come.
• SIMPLE. FUNDAMENTAL.
COMPLIANT.

62. Fixing the broken industry starts with speaking the same
language.

63. Resources & Contact
Want to participate?
Want to partner?
Want these slides?
LET’S WORK TOGETHER!
S2Org/S2Score – https://app.securitystudio.com
• Email: efrancen@securitystudio.com
• @evanfrancen
• @StudioSecurity
#S2Roadshow
• Blog - https://evanfrancen.com
• Podcast (The UNSECURITY Podcast)
Thank you!