.@djbphaedrus presenting "So you want to be a CSO?" on his research on how CSOs got there
Telling story of newly minted CSO, scolded by mind
Proposing that infosec analysts/engrs need to learn certain skills before a CSO
(@djbphaedrus is using iPhone to present, and having technical difficulties. Attempting suicidally difficult move. :)
"Things dumb CSOs say: misalignment of IT/business (nonsense), blaming politics (fact of life)"
"More dumb CSO quotes: the company will fail if company hacked (Heartland stock price higher now)"
"More dumb CSO quotes: 'our biggest risk is our personal data' (but ignored revenue stream)"
"What dumb CSOs hear: 'it's all just a black box to us.. just go do it', 'you're blowing smoke; what's next on ur agenda?'"
"Dumb CSOs: 'just give me money & I'll buy the tech to fix all our infosec problems'"
"Dumb CSOs: 'the company needs to revise all SOX controls; there's no reason to have mgmt involved in process'"
"Dumb CSOs: 'we need to force the users to do it;' 'this technology sucks'"
Chris Hayes: "It's not our risk tolerance that matters. It's the person who is accountable for risk (CEO) who matters"
"Most companies are not in the business of security; they're in the business to stay in business" (Nice)
"Fact: infosec must talk to everyone to figure out what they care about. May find surprises: 'physical employee safety'"
"New Hawaiian Airlines CEO spent 2 days in almost every job in company: baggage handling, maintenance, etc..."
(Talking about the #devops meme of embedding Ops into Dev. Infosec must follow. Right on.)
(Talking about how diff it is to gain a true understanding of the business: almost requires walking in everyone's shoes)
"Infosec isn't about locking down stuff: to enhance business, focus on effectiveness, efficiency, availability"
(Retailer CSO: no PCI budget, no $$ in infosec/ops; store mgrs had budget to overhaul all POS. Bingo. Found $700K)
"Imagine stunned expressions when ppl saw infosec/ops and store managers working together" (haha)
"The fact the business stepped up to overhaul all POS shows we were creating real biz enablement value"
"Winning pattern seems to be security steering committee: comprising IT, finance, HR, sales, legal"
(moving security operations into IT ops allows putting infosec into everyone's job desc: networking, sysadmin, etc.)
(telling how you do need, as prerequisite, to impl controls around operations: go @TripwireInc. :)
RT @InfoSecKaizen: don't use SOD as a reason to not work on what matters...use controls that matter and allow biz to function.
Haha. RT @InfoSecKaizen: auditor asked for mainframe AV. sigh, happened to me..auditor created finding on Unix A/V yrs ago.
(stressing need for infosec to be dispassionate, combining advocacy with inquiry. Nice.)
.@djbphaedrus is presenting on Gandhi-approach to infosec: "understand users, walk in others' shoes, feel pain & complexities" (NICE)
Certainty, Love and Connection, Significance, Uncertainty (core four)
Growth and Contribution
"Claim: CSOs need to understand keenly
* what was story about felons that needed controls?
* Tweets showing up as "iOS"
* If in Session View, change the Title, but Session View doesn't change until you shift focus to Editor -- not sure if this is a problem, but it seems risky
* In Session View when focus is in Editor, I think you need "Now Playing" (to give ourselves a placeholder)