Andy Ellis, Chief Security Officer, @csoandy #RSAkamai
Mind over Matter
The Problem: A Typical Business Risk Conversation
Business Owner: Here is my project. Is it safe?
Security: Here’s our ISO 27002 checklist of every mistake anyone’s ever made. Prove you haven’t.
Business Owner: That’s really long. Can you fill it out for me?
Security: Sure. You have a bunch of esoteric risk here.
Business Owner: Really? Is that a showstopper?
Security: If I say yes, you’re going to override me, aren’t you? And if I say no, I’m in trouble if this goes wrong...
The Goal: Increasing Value
Steady State: Security Value Balances Perceived Risk
[Chart: perceived risk plotted against security value]
Low perceived risk leads to lower resource investment!
Low perceived capability leads to lower perceived risk!
Peltzman Effect
What your organization thinks it can get away with
Organizations don’t think: People do.
What Do Organizations Consider Risk? People (and their lizard brains) do.
Business Owner: Is my P/L good? Will I gain market share?
CEO: Is this profitable?
Sales: Can I meet my quota with this?
CFO: Is this a good allocation of resources?
Employees: Will I have a job?
Security: Is this safe?
Set-Point Theory Of Risk Tolerance
[Chart: perceived risk plotted against security value]
Unmitigated Risk Psychosis
[Chart: perceived risk, security value and actual risk*]
Attempts to leave residual risk may result in new risk budgets!
*not actually actual risk
Training Lizards
[Chart: perceived risk, actual risk* and security value]
Risk Management can be trained like any other muscle.
Where Is Your Residual Risk?
Business Owner: Competitors are gaining. Have to move faster!
CEO: Products A & B are high risk. C should be safer.
Sales: That last product didn’t sell. I’ll sell something else.
CFO: You came in over budget. Are your numbers accurate?
Employees: This business is unprofitable. Update my resume!
Security: Here’s our ISO 27002 checklist of every mistake anyone’s ever made. Prove you haven’t.
Success: A Better Business Risk Conversation
Business Owner: Here is my project. Is it safe?
Security: I don’t know. Is it?
Business Owner: Wait, what?
Business Owner: Ummm....
Security: Here’s how to think about safety. Do you think your product is safe?
Business Owner: Here’s my assessment of my risk. I think this is reasonably safe.
Security: Great, glad to hear it. Can you fix those outliers in your next release?
An Approach: How Do You Get Better?
Takeaway: Improve Security Value
Goal of any security program: dv/dt > 0
Beating your head against the wall: focusing on increasing resources. Goal: dr/dt > 0
A good security program wants to create surplus. Goal: dc/dt > 0