2/27: So You Want To Be A CSO?

by Gene Kim on

#bsidesSF

Daniel Blander, @djbphaedrus

  • .@djbphaedrus presenting "So you want to be a CSO?" on his research on how CSOs got there
  • Telling story of newly minted CSO, scolded by mind
  • Proposing that infosec analysts/engrs need to learn certain skills before a CSO
  • (@djbphaedrus is using iPhone to present, and having technical difficulties. Attempting suicidally difficult move. :)
  • "Things dumb CSOs say: misalignment of IT/business (nonsense), blaming politics (fact of life)"
  • "More dumb CSO quotes: the company will fail if company hacked (Heartland stock price higher now)"
  • "More dumb CSO quotes: 'our biggest risk is our personal data' (but ignored revenue stream)"
  • "What dumb CSOs hear: 'it's all just a black box to us.. just go do it', 'you're blowing smoke; what's next on ur agenda?"
  • "Dumb CSOs: 'just give me money & I'll buy the tech to fix all our infosec problems"
  • "Dumb CSOs: 'the company needs to revise all SOX controls; there's no reason to have mgmt involved in process"
  • "Dumb CSOs: 'we need to force the users to do it;' 'this technology sucks'"
  • Chris Hayes: "It's not our risk tolerance that matters. It's the person who is accountable for risk (CEO) who matters"
  • "Most companies are not in the business of security; they're in the business to stay in business" (Nice)
  • "Fact: infosec must talk to everyone to figure out what they care about: May find surprises: "physical employee safety"
  • "New Hawaiian Airlines CEO spent 2 days in almost every job in company: baggage handling, maintenance, etc..."
  • (Talking about the #devops meme of embedding Ops into Dev. Infosec must follow. Right on.)
  • (Talking about how diff it is to gain a true understanding of the business: almost requires walking in everyone's shoes)
  • "Infosec isn't about locking down stuff: to enhance business, focus on effectiveness, efficiency, availability"
  • (Retailer CSO: no PCI budget PCI: no $$ in infosec/ops; store mgrs had budget to overhaul all POS. Bingo. Found $700K)
    • "Imagine stunned expressions when ppl saw infosec/ops and store managers working together" (haha)
    • "The fact the business stepped up to overhaul all POS shows we were creating real biz enablement value"
  • "Winning pattern seems to be security steering committee: comprising of IT, finance, HR, sales, legal"
    • (moving security operations into IT ops allows putting infosec into everyone's job desc: networking, sysadmin, etc.)
    • (telling how you do need, as preqrequisite, to impl controls around operations: go @TripwireInc. :)
    • RT @InfoSecKaizen: don't use SOD as a reason to not work on what matters...use controls that matter and allow biz to function.
    • Haha. RT @InfoSecKaizen: auditor asked for mainframe AV. sigh, happened to me..auditor created finding on Unix A/V yrs ago.
    • (stressing need for infosec to be dispassionate, combining advocacy with inquiry. Nice.)
  • .@djbphaedrus is presenting on Ghandi-approach to infosec: "understand users, walk in others shoes, feel pain & complexities" (NICE)
  • Motivations
    • Certainty, Love and Connection, Significance, Uncertainty (core four)
    • Growth and Contribution
  • "Claim: CSOs need to understand keenly

TODO:
* what was story about felons that needed controls?

Flynn notes:
* Tweets showing up as "iOS"
* If in Session View, change the Title, but Session View doesn't change until you shift focus to Editor -- not sure if this is a problem, but it seems risky
* In Session View when focus is in Editor, I think you need "Now Playing" (to give ourselves a placeholder)
*