Sands LVR 514 Security Strategic Planning Lecture Notes PDF
Document Details
Uploaded by Deleted User
Sands
Frank Kim
Tags
Summary
This is a lecture introduction for a class on security strategic planning, policy, and leadership. The instructor, Frank Kim, introduces the course material and logistics, including Slack communication and hybrid in-person/online format.
Full Transcript
Hey again everybody online i mentioned i would check in every once in a while i see\ \ Somebody else has joined so nathan hello there thanks for joining\ \ Early we are going to start class at the\ \ Top of the hour\ \ Nine a m i see a julie just joined\ \ As well thank you for joining we\'ll start...
Hey again everybody online i mentioned i would check in every once in a while i see\ \ Somebody else has joined so nathan hello there thanks for joining\ \ Early we are going to start class at the\ \ Top of the hour\ \ Nine a m i see a julie just joined\ \ As well thank you for joining we\'ll start class at nine\ \ A m in the meantime if you haven\'t already please go ahead and do number two click the join slack button\ \ In your sand\ \ In your sands portal\ \ And just say hello in slack check out the recent messages i\'ll check in again every once in a while as we get closer to the start time i think you might\ \ Have received an email to join before eight thirty but that\'s just to make sure everybody\'s connected and\ \ We\'re all set up start the lecture at nine a m central time talk to you\ \ Guys soon hey everybody online just checking in again nathan i just saw that you asked if we had audio i saw earlier that you had joined and then\ \ You had kind of i think\ \ Disconnected briefly and then rejoined\ \ So yeah we\'ll be starting class in about fifteen minutes at the top of the hour just so you guys know we\'ve got nine\ \ People scheduled to be online and nine people scheduled to be in person here so we are waiting\ \ For one more person\ \ Online a few more people here in person and yeah we\'re going to start at the top of the\ \ Hour i see\ \ Everybody\ \ It appears so far is connected to slack even for folks here in person if you haven\'t yet\ \ Connected to slack please do so cause you\'re going\ \ To be using it to communicate with your in person\ \ Teams as well\ \ All right we will see you guys momentarily hey just one last check in before\ \ We start in five minutes at the top of the hour just\ \ Saying hello again everybody online yes\ \ Hang in there we\'re going to start in just five minutes five minute warning\ \ Here\ \ All\ \ Right it\'s good\ \ Morning everybody hello everybody online everybody here in person welcome\ \ To sands l v r five one four security strategic planning policy and leadership nice to see\ \ You all here in person and virtually as well now let\'s go ahead and get started before we get into the course material quick introduction and then we\'ll get through some logistics as well\ \ My\ \ Name is frank kim i\'ll be your instructor of course for the entire class we will\ \ Be together for five days\ \ Of the course across five different sections that we will see momentarily\ \ I\'m teaching writing classes with sans for\ \ Seventeen years now as i had other day\ \ Jobs along the way the reason that i remember it\'s seventeen years is because my oldest daughter is seventeen years old and i\ \ Started doing stuff with sans shortly after she was born i was also the cecil here at sands for a little bit most recently the cecil in residents at a\ \ Venture capital firm where we invested\ \ In different cyber security companies and help build different\ \ Security teams along the way for example at kaiser permanente\ \ Big health care company here in\ \ The u s now that being said let\'s go ahead and talk about some logistics\ \ Real quick everybody i believe is already connected\ \ To to slack yeah what\'s up patrick is your microphone always my mic tech\ \ Oh ok sorry thank you for checking that thank you i\ \ Saw everybody one thing i want to\ \ Do everybody online we\'re going to do this numerous times\ \ Here throughout the class but everybody online let\'s do a quick\ \ Sound check an emoji check i should say if you could\ \ Turn your attention to slack and just go ahead and\ \ Putting in an\ \ Emoji of your choice to just confirm that yes you can hear me i just patrick just let me know that i made a mistake he\ \ Already starting off the class on a good foot here making a mistake by not turning on my mic pack wesley julie charles richard thank you so much for the confirmation appreciate it very much now you guys are all connected to slack already as maybe a\ \ Few\ \ Other folks trickle into class i might have to remind them of this as well\ \ Now the question is why are\ \ We using slack everybody online is connected to zoom i mentioned this earlier\ \ We\'ve got a fifty fifty class this\ \ Week half the people are online and half the people are here in person i\'ve had classes where it\'s seventy five twenty five twenty five seventy five it just kind of depends on the class and the reason\ \ That we\'re using both zoom and slack because sometimes people say hey why are we using slack for messaging can\'t we just use the zoom messaging\ \ Witching over\ \ Here to oh slack right well hey one thing we just saw is that hey we\ \ Got a lot\ \ Richer emojis in slack but if i scroll all the way up hey in slack we can do cool things like have different poles we can go ahead and have threaded conversations like we see here like this one where a lot of folks especially online thank you for introducing yourselves everybody in person feel free to chime in here as well you can go ahead and emoji various messages as well\ \ And we\'re going to do most of our conversation here in the classroom slack\ \ Channel that\ \ I\'m showing\ \ Now but\ \ There\'s also some teen private channels\ \ Here that we will get to later on as the course progresses each\ \ Of you guys are going to be part of a classroom team right that you\'re going to be using that we\'re going to share some information in there where you\'re going to go ahead and get info about how to connect to the cyber forty two leadership simulation game it\'s\ \ Just a web app but we\'ll give you more information about that as we\ \ Move forward in class\ \ O a lot of slack communication here throughout\ \ The week and switching back over to the\ \ Slides right now everybody here\ \ Online you can at any\ \ Point in time unmute yourselves here\ \ And everybody here in class can hear you if anybody would like to try it if anybody any volunteers feel free to go ahead and unmute yourself online and just say hello so we can go ahead and do a quick\ \ Sound check here in the room feel free\ \ Yes all right richard jesse\ \ Thank you so much for the confirmation we heard\ \ You loud and clear now also hey it turns out\ \ Though in addition to being able to hear everybody online\ \ Did you guys notice here in person\ \ In front of each of you guys there\'s a microphone right a tabletop speaker\ \ It used to be in the prehistoric days right of some months ago that\ \ If somebody in class had a\ \ Comment for everybody online to hear you we had to run over\ \ And give you a handheld microphone now yes modern technology\ \ Here just by you guys talking\ \ Everybody online can automatically\ \ Hear you it\'s very cool and if i\'m talking and you\'re talking at the same\ \ Time it naturally lowers the volume\ \ Of what you\ \ Guys are saying so everybody online can hear me right first right so just so you know though i will mute all of the in classroom microphones during breaks during lunchtime and during lab time as well it\'s only during lecture time sometimes we might have a conversation you got something to share heads up\ \ Everybody online can hear you conveniently\ \ As well\ \ All right now with all of\ \ These logistics out of the way one last thing to mention here we\'ve got some classroom help classroom support we\'ve got adam here in class right so adam is our\ \ In person facilitator and\ \ If you have that just means what that if you there\'s\ \ Any complaints anything wrong adam is the\ \ One that\'s responsible for it right but all kidding aside right adam is here to a help out in case we need anything\ \ With that being said i\'m going to go ahead and momentarily switch over to the\ \ Class slides here\ \ All right so let\'s go ahead now and turn our\ \ Attention to the material at hand oh i forgot to mention you guys might see when we\'ve got a hybrid class like this in the post pandemic era the vast majority of our classes are hybrid in person and online folks at the same time because we are\ \ Using slack lot\ \ Of times well people might unmute themselves but sometimes they\ \ Their questions comments directly in slack so you will see me holding my phone\ \ Black\ \ Open here and every once in a while i glance at it to see if anybody online has a comment or a question just want to give you a heads\ \ Up because in the pre pandemic era to hold your phone while speaking while lecturing that was\ \ A no no item\ \ So i just want to let you know ahead of time i\'m not just texting my friends and family i\'m monitoring slack right pretty much this whole time here\ \ For everybody all of you guys online\ \ O now let\'s turn our attention to the course ldr five one four security strategic planning policy and leadership we\'ve got a table of contents here at the beginning\ \ Of every day for your convenience but\ \ What are\ \ We going to be\ \ Covering here in class over the next five days today section number one day number one\ \ We are setting our strategic\ \ Planning foundations here understanding\ \ Not only the threat landscape but the corresponding business landscape as well\ \ I started my career over twenty years ago as a handson keyboard\ \ Technical person and engineer building and deploying various systems and\ \ Applications and you know back then i to be honest naively thought i would never\ \ Go into a management role because as i was hands on\ \ Keyboard all day long i looked\ \ At what my manager and other managers were doing and i incorrectly thought that they\ \ Weren\'t doing anything right because what did i see i thought that they were in meetings\ \ All of the time\ \ Well now that is you know my life maybe a big portion of\ \ Your lives as well right and so\ \ Fast forward as we progressed i realized you know hey it\'s not just about the technical work right it\'s about understanding\ \ What should be the plan what should be the road map for what our organizations are actually trying to achieve which leads us into section number\ \ Two\ \ Developing that road map doing the gap analysis sharing\ \ That with the rest of the organization\ \ Section number three is all about\ \ Policy development and assessment now you\'ve got this amazing plan\ \ That you might put together right well turns out policy is one of\ \ The strongest tools that you\'ve got\ \ In your tool belt as a security leader too steer the organization in a certain direction because basically in policy you\'re\ \ Codifying parts elements of your overall\ \ Plan so that the organization knows what needs to be done from a policy and procedure perspective\ \ Now as i progress to different leadership roles over the years at\ \ One point in time you know me and some trusted team members\ \ Put together a really good to be honest in retrosect a really good strategic\ \ Plan and when we had written out that strategic plan we got buy in from senior leadership on that plan and then check this out i shared that plan\ \ With the\ \ Rest of the security team\ \ And it had all of this stuff in it in the multi year\ \ Security plan we got a thirty percent increase in\ \ Budget and when i share that plan with the rest of the security team first\ \ Time they were seeing it did they jump up and down for\ \ Joy and said frank this is great thanks for getting thirty percent increase in budget and thanks for\ \ Getting this approved and we will be happy to work on this stuff\ \ I see some shaking heads no why weren\'t they hay about this plan that\ \ I was sharing with them now\ \ And\ \ Everybody online feel free if you want chime in here in slack why don\'t you think that\ \ They were\ \ Happy excited to see that plan\ \ You all unanimously shook your\ \ Heads known imported it adam mentions yes they had no input in\ \ It right now who who made the plan me and a couple of my\ \ Trusted colleagues on the security team but i didn\'t ask the wider team right well what\ \ Do they think what do you think should actually be worked on i said here\'s a plan we got\ \ It approved go ahead and work on this stuff well turns out as we will mention numerous times throughout the course\ \ People humans we generally\ \ Don\'t like being told what to do\ \ Right so i didn\'t get their input we didn\'t\ \ Get any of their buy in right and so the mistake that i had made even though arguably objectively that was a very good and appropriate strategic plan well i didn\'t\ \ Do the stuff in section number four right i didn\'t get there buying i didn\'t involve them i didn\'t lead motivate and inspire them to want to get the work done right and that\'s why we\'re going to talk about a lot of different\ \ Leadership and management competencies\ \ On day number four section number four here\ \ Now section number five the last day of the\ \ Course quick show of hands here everybody online maybe chime\ \ In with a thumbs u who\ \ Has ever taken a technical security course before\ \ All right now when you take a technical security course esecially a sans course usually\ \ The last day of the class is some sort of capstone exercise i capture the flag i defend the flag and so on where you use the tools and techniques that you learned earlier in the class to bring to bear on a real\ \ Life environment right to gather points and\ \ So on however here in a leadership class\ \ A\ \ Management class the tools that we\'re using are more management and leadership tools they\'re\ \ Not\ \ Hands on keyboard running commands type of tools\ \ And so what we\'ve got throughout the course is we\'ve got various ace scenarios\ \ Case studies the leadership simulation game\ \ Section number five is our equivalent of the defend the flag capstone exercise but we refer to it as our strategic planning\ \ Workshop and i see a number of people thank you nathan chuck richard charles jesse have all taken a technical security class before well our capstone the strategic planning workshop is where you will be in your teams reviewing reading various\ \ Real world case studies\ \ And seeing how based on those scenarios of those\ \ Fictional companies how you might right understand evaluate analyze\ \ And respond to the different events\ \ That\ \ Occur bringing the different topics management leadership tools that we\'ve\ \ Talked about bringing\ \ Those to bear right on those various situations\ \ O for\ \ Today section number one what are we going to be talking about in\ \ More detail now we\'re going to start with a little bit of an overview but then there\'s two major themes that we\'re going to discuss today we are going to talk about well what are some tools management tools too decipher\ \ The business understand the organization right like historical analysis values and culture stakeholder\ \ Management and so on and what are various tools to decipher the threat landscape down\ \ Here towards the bottom\ \ Remember this is setting the foundations for what we\'re going to talk about\ \ In the rest of the course specifically moving on to\ \ Section number two to develop the plan itself\ \ Let\'s start with a little bit of\ \ An overview i think we all know that really the focus the mind share right of organizations of executives on cyber security has never been higher than it is today to be honest when i started decades ago i\ \ Wouldn\'t have necessarily predicted it right i knew security was important but it\'s right i didn\'t realize it would get to\ \ The place where it is today part of that historical evolution\ \ If i take you back to your mental time machine all the\ \ Way back in twenty thirteen\ \ There were two what i considered to be watershed events\ \ That occurred in twenty\ \ Thirteen and everybody\ \ Online i\'m going to ask you to guess here as well oh leon i see you\'ve joined us here as well welcome\ \ Go ahead and guess\ \ Everybody chime in online or\ \ Here in person feel free to just verbally state it what are your\ \ Guesses as to what i believe are the two watershed\ \ Events security related events that occurred in twenty thirteen\ \ Wow\ \ All\ \ Right we got the first guess here which yes you nailed it right off the bat twenty\ \ Thirteen the target breach occurred now target is\ \ Of course as we know a u s retail company still one of the largest retailers in the world one of the largest in the u s and there were big breaches before target there\'s been big breaches\ \ After target but why do we say why do i say that target was a watershed event\ \ It was the first time that senior leadership the board\ \ The ceo was terminated after that event after the target reach the cio\ \ Was terminated there was number cecil at target a name ciso at that time and so this is the first\ \ Time that senior sea level executives realized and the board realized oh\ \ Well there could be some personal ramifications for cyber security related issues and mishaps and lapses\ \ Right and the rest of the world\ \ Started to pay more attention every\ \ Board every other organization said uh oh if this could\ \ Happen to target this could happen to us as well\ \ Right\ \ Now if that was the first major watershed event happened toward the end disclosed toward the end of twenty thirteen and he guesses as\ \ To what the second one was wesley mentions yahoo yahoo is still i believe the biggest breach in history one point five billion records were stolen over the course of\ \ I think some years and it wasn\'t actually discovered and\ \ Disclosed until some years after the breach but that was after twenty thirteen so that was a\ \ Big deal too\ \ Right and that actually impacted the verizon acquisition of yahoo\ \ Right they were able to verizon was able to negotiate if i remember correctly some three fifty million dollar discount on that acquisition price because the breach came to light\ \ During the acquisition negotiations but\ \ That wasn\'t it right target happened first any other guesses richard mentions\ \ Home depot if\ \ I remember correctly and we could google this real quick home depot i believe was twenty fifteen but that was also another notable one at\ \ The time\ \ Jesse mentions colonial pipeline yes colonial pipeline\ \ Was another important one\ \ Related to kind of your our critical infrastructure but that happened much later\ \ Much later than twenty fifteen\ \ Liana mentions huawei right the chinese manufacturer right and there\ \ Was some concerns about a potential modifications of the hardware itself and\ \ So on but yes no there\ \ Was another one and i will give you a hint\ \ This one the other one i\'m thinking about is more rivacy related\ \ Stocks\ \ And info now nathan men should oh so stuxnet stuxnet did happen a little bit\ \ After twenty thirteen\ \ But that was another important one a big one that was referred\ \ To as the most advanced malware at the time right but that\'s a a good one nathan mentions adobe no they\'ve had a couple incidents breaches over the years wesley mentions the n\ \ S a yes now i will say wesley it is related to nsa specifically\ \ The snowden\ \ Disclosures right that also happened in\ \ Twenty thirteen now i\ \ Mentioned that\'s another big watershed event because that\'s when well the rest of the world said wait a second now to be honest\ \ We know that many countries around the world are doing this type of thing but that was the first time that there was such clear information shared with the rest of the world and especially folks in europe they said wait a second well we now need to focus more on privacy\ \ Fast forward right some years later this is what greatly informed\ \ Gdpr the general data protection regulation which we\'re going to talk more about in section number three downstream that inform the\ \ Ccp a ccpr california consumer privacy rights act right that\'s similar got some similar things to g d p r and now we\'ve got a bigger focus around the world on privacy\ \ Right so\ \ Those\ \ Are two watershed events that occur right julie mentioned snowden yes exactly\ \ All right so\ \ Yes a\ \ Number of things have occurred now as this these trends over the years cyber security getting more important increased visibility at the senior\ \ Levels of every organization\ \ For us in security though what does\ \ That mean it means we\'ve got more opportunity\ \ Right all of our security teams over the last decade in your organizations\ \ I believe have probably grown right over the last decade well when you have\ \ More opportunity though is senior leadership just going to give you more budget and resources and say here you go go figure out what to do\ \ Well no they probably will get some more resources but it comes with\ \ Additional\ \ Scrutiny\ \ Right they want to know one year one time i was able to get an increase of our security budget from thirty million dollars a year to sixty million dollars a year now did they give us\ \ All of that additional thirty million dollars all at once\ \ No as\ \ Part of the proposal the plan or the strategic plan we had to say look we\'re going to do these things in year one\ \ Year two year three and so on and this is what the money is going to be used for to accomplish these various goals so then\ \ Basically finance came back and said\ \ Great now we\'ll give you this much money but that\'s for\ \ The first quarter then if you accomplish the things that you said you\'re going to do well in the second quarter we\'re going to give you more money according to the\ \ Plan right so they provided the money in various\ \ Tranches\ \ They\ \ Have never had at a large enterprise them give us all of the money up front\ \ Why well that\'s how they manage right the resources appropriately\ \ And they want to\ \ Know that you\'re able to\ \ Deliver making progress and oh by the way when year two and three roll around if the economy changes and hey they didn\'t meet their revenue targets well not just us in security but every other\ \ Org they might right get a change right in that budget as well probably experience something similar\ \ So\ \ There is definitely not just increased responsibility but increased scrutiny\ \ So how do we get better at this now you\ \ Can\'t just be like i was the technical person sitting\ \ Typing away at the keyboard right because senior leadership doesn\'t understand that er say there\'s a keyword key\ \ Phrase down here at the bottom\ \ Security business leader\ \ Right\ \ There we need to be knowledgeable of course about security but we need to be able to tie that back to what the organization\ \ Is trying to accomplish in the quote unquote old school of security it was really just a focus on\ \ Yep technology it right it security but now in the\ \ Modern world to be a modern\ \ Security leader sure we still of course need to know about technology and i t i t security\ \ But there\'s increased regulatory compliance legal issues we\'ll talk about some\ \ Of those with the s c c related requirements with the n i s two in\ \ Europe related requirements there\'s more and more regulation that in scrutiny that is happening but we really need to make sure that we\'ve got\ \ An understanding of the business the organization what are\ \ Crown jewels of your\ \ Particular organization and that\'s why we are in this class together at a high level we cover three different topics in this class right\ \ What to do to build and right execute\ \ On various strategic plans but\ \ Strategic plans that aren\'t just technical strategic plans that can be more understandable to non technical folks\ \ Your senior business leaders and as i mentioned developing and assessing security policy too steer the gigantic ship in an appropriate direction and making sure that you do it in\ \ A way to right you can lead inspired motivate your teams and\ \ The rest of the org to want to get the work done\ \ Whole point\ \ Of all of this is to say hey what are the tools that you can have in your\ \ Pocket in your tool belt to\ \ Become a security business leader right so really this class is all about this process now let me ask you a question everybody here online chime in here as well in any successful attack in any successful attacker campaign what is arguably the most\ \ Important phase of the attack\ \ Business attack it\'s also understand\ \ The attacker the victor understand the attacker now coming from the attacker\'s perspective right so then what did\ \ You say\ \ The business site understand the business side all right we\'re\ \ Going to get to that for any successful attack what is the\ \ Attacker\'s the most important thing that the attacker can do i see some people here jesse mentioned it charles mentions this is\ \ Reconnaissance right for\ \ The attacker to be successful well they need to do the spend a lot of time\ \ On reconnaissance understanding the business\ \ Understanding the target understanding the victim right who are they\ \ Actually targeting understanding the systems the people right and so on\ \ Similarly so from a security perspective we are red teams are you know our\ \ Purple\ \ Teams for example might spend a lot of time on that well similarly for you as a security leader the equivalent of reconnaissance from a technical perspective the equivalent from a planning perspective is what we refer to as decipher right the decipher phase is where we want\ \ To\ \ Spend a lot of our time\ \ Give you an example hello welcome come on in\ \ I\'ve got a friend we used to work together and\ \ Really shar guy from a security perspective we had put together a good really\ \ Good plan at our organization sometime later he left to join a different company and it was a kind of big company slow\ \ Moving so he said i want to make progress faster so he basically took the plan that we had developed and plopped it in to\ \ His new company and said ok let\'s start working on that let\'s start\ \ Following the plan from the\ \ Prior place that he knew was successful in the other org\ \ Did it work\ \ No did not work didn\'t work\ \ At all why because he jumps straight to the develop right developing a plan that was kind of pre canned and tried\ \ To skip straight to deliver the execution but he\ \ Didn\'t spend the time deciphering the current states of his new organization where were the actual gaps what is appropriate understanding what the stakeholders needed and wanted and so on right and\ \ So that plan while he was appropriate for our prior organization\ \ Totally fell flat right because he\ \ Also didn\'t do the appropriate what down here at\ \ The bottom\ \ Motivate inspire get everybody\'s buy in along the way\ \ Right another example i\'ve\ \ Got a friend he\'s been a multi time cecil his first big cecil gigi he started let me ask\ \ You to guess how long\ \ Do you think he lasted in his first big cecil gig\ \ Six months oh six months is a guess\ \ Now jesse mentioned six months here as well very good guess yeah he lasted less than a year he lasted eleven months that is not very long\ \ Right now even though various surveys will say the average\ \ Tenure of a cecil is a year and a half to\ \ Two years\ \ Right two two and a half years roughly it\'s been slowly increasing but eleven months is arguably very\ \ Short why because he came in and the prior cecil who had left for whatever other reasons to go get another job\ \ He basically my friend came went in and said hey\ \ All the stuff that we\'re doing\ \ He didn\'t word it like this but these were his actions he said all the stuff that\'s happening from a security perspective we\'re going to change it we\'re going to\ \ Do something different the business units actually went to him and said wait a second we\'ve been working on these types of processes and this assessment and we got to remediate these findings we\'ve been working on this stuff with your predecessor for the last three years and he said yeah i don\'t care we\'re going to\ \ Switch it up so the business\ \ Hated him right and that\'s why he only lasted for eleven months because\ \ He didn\'t spend enough time deciphering\ \ Right what the organization needs what\ \ The business needs what the various stakeholders needed\ \ Give you another example as anybody here know steve katz\ \ He\'s known as the world\'s first sea soap he\ \ Was a he\'s one of my mentors he sadly passed away last year and after a long career and he was this the cecil in the nineties\ \ At citigroup right and he\'s told me numerous times he said frank when i first started at citigroup citigroup big global company the\ \ First six months the main thing that\ \ He did is he\ \ Flew all around the world meeting with as many stakeholders as he could\ \ Not only the leaders but the different people in\ \ All of the different areas of the organization\ \ Because he wanted to understand how the business works what\'s important\ \ To them understand their personal preferences get their different attitudes around various things that are happening in the company and he spent right the vast\ \ Majority of his time\ \ In decipher so this is what are we\'re going to come back to this over and over again\ \ Throughout class this is our strategic planning process\ \ Right we\'ve got here listed in each of these boxes various\ \ Leadership and management tools that we\'re going to cover that help you do\ \ This in terms of deciphering what the organization actually needs developping the plan itself\ \ Delivering right on the plan executing the\ \ Plan\ \ Because unless\ \ You can have the most amazing plan but unless your team is able\ \ To deliver execute on the plan\ \ You don\'t have a plan\ \ Right because just like when i gave the plan to my team members and they basically said no we don\'t want to work on it but we\ \ Didn\'t have a plan because if you can\'t execute on it you can\'t deliver well then you\ \ Don\'t really have a plan itself and as a result\ \ Section four right here at the bottom we\'re going to spend a lot of time right figuring out what we can do to lead motivate and inspire our teams to once to get\ \ The work done\ \ Here on this slide is just a reference for you we just showed you various tools\ \ That we\'re going to cover now these tools again are management and leadership tools that usually come now from in a management leadership role i spend most of my time on zoom meetings calls talking to people and\ \ Most of my time in powerpoint right and as a result\ \ The different tools that we have in class\ \ Come in the form\ \ Of various powerpoint\ \ Templates we\'ve provided for you here\ \ Online if you go to l d r five one four dot com\ \ It will redirect you to a google drive\ \ Folder the google drive folder has different subfolders like\ \ We see here on the slide that contain the corresponding tools for each of the different leadership\ \ And management tools that we\'re going to cover throughout the class so this is just a reference for you this is freely available on the internet you can go download these anytime use them as a\ \ Starting point in your classes as well\ \ All\ \ Right so who should\ \ Actually take this class well ok of course as like all of us here in the room anybody that has some sort of responsibility for security right you\ \ Could be a pence on the org right your title might be different a manager\ \ Director v p security officer whatever it might\ \ Be but it\'s anybody that\'s interested in going beyond just the technical skills the technical topics\ \ Right to learn how to better communicate\ \ With non technical folks non security folks in\ \ A way that those business leaders can actually understand\ \ So how does the course actually work\ \ It turns out that just\ \ By nature of you being in some sort of management or leadership role\ \ Right team lead manager director and so on it turns out you are expected\ \ To voice\ \ Your opinions example i was once working at a company where a new c i o joined\ \ And i found myself in the same meetings with the\ \ Cio along with the ceo and other v p s other senior v p\ \ S and so on all right now i noticed that the new cio he wasn\'t really saying anything\ \ In these meetings right and we became friends over time about six months later he mentioned he told me he said hey frank remember when i first joined the c e o actually pulled him\ \ Aside and said hey\ \ Mister c i o we\'re in these meetings together\ \ How come you\'re not saying anything\ \ And the cio said well you know i want to seek first to understand which makes sense i want to get a lay\ \ Of the land first totally makes sense and then the but the c e o said well yeah that makes sense but you need to say\ \ Something you\'re a senior leader in the organization so by you saying\ \ Nothing in these meetings it makes us think either right you don\'t know\ \ Anything or you\'ve got nothing\ \ To contribute right you\'ve got to say something you\'ve got to contribute to the conversation\ \ So by virtue of the fact\ \ That you are in a leadership role some\ \ Sort of management\ \ Role right you need to contribute to the conversation and as\ \ A result\ \ This class is structured in a way to\ \ Help you do exactly that and practice here in\ \ A lab type of environment we\'ve got various leadership labs that we\'re going to cover throughout the entire class heads up a little foreshadowing here at the very end of the class you are going\ \ To put together but not a whole presentation but an outline an outline for an executive presentation to your c\ \ E o\ \ Right about the security team about the security program as we move\ \ Forward in class\ \ You\'re going to read three\ \ Different business case studies we\'re going to cover four fictional companies hello good morning feel free to come up here sit closer because yeah we\'re going to need to talk a little bit\ \ More come on in as we move forward they\'ll also\ \ Be fifteen different case scenarios and fifteen different cyber\ \ Forty two events that\'s our security leadership simulation game\ \ That i mentioned before that\'s just in web app form\ \ So a ton of leadership labs that we\'re going to be covering along the way\ \ Here\'s an example here\'s well\ \ Not an example here are the four fictional companies that we\'re going to be\ \ Covering very shortly you\'re going to meet healthhound healthhound is the first\ \ Company that we\'re going to talk about and the last company that we\'re going to cover at the very end of class so we\'re kind of book ending it with health hound which is a fictional company that provides wearable activity trackers thunderbolt is a fictional shipping\ \ Company and like a fedex ups and so on\ \ Pharmaco based on the name you could probably guess what line\ \ Of business they\'re in\ \ I premiere is another company that we won\'t see until\ \ The very end of class the last\ \ Section of class it\'s a fictional online retailer alright so we\ \ Try\ \ To give you different types of organizations of slightly different sizes to understand to try to think through ok well what\ \ Would be appropriate in these different cases\ \ All right\ \ Now from a security strategic planning perspective it turns out we need\ \ Strategic planning because we need to understand how\ \ The needs of security\ \ Fit in\ \ Relation to everything else because if you get a one million dollar increase in your budget\ \ What does that mean that\'s\ \ Good because you can improve your security stuff but it also means that\'s one million dollars that the organization can\'t spend someplace else improving operations building a new plant right investing in new product\ \ Whatever it might be so this is always a trade off based on the limited\ \ Resources time money attention right hey why is what we\'re proposing from a\ \ Security perspective more important than the other business investments themselves and so that\'s why we need to go through\ \ This\ \ Strategic planning process\ \ To factor in the changing threat landscape right and we\ \ Know with the increased change in technology we\'ve got mobile work remotely work from home cloud computing generative ai and so on right now we\'ve got\ \ A change in the landscape\ \ Right because we\'ve got an increase to our attack surface and as a result security issues as we were talking about\ \ Of course are on the rise it used to be in the olden days\ \ How do you catch a bank robber\ \ Right\ \ You just figure out how far a horse can run within that period of time and look within\ \ The overall\ \ Radius of that but now the attacker could be anywhere online\ \ Anywhere in the world and\ \ So there\'s this concept of at the\ \ Bottom information as a commodity jesse mentions ots is more vulnerable now as well\ \ We\'ve got some ot folks here in class two\ \ Anybody read any of bruce schneider\'s books\ \ Bruce sneer right really started off from a\ \ Cryptography perspective one of the more well known people in cyber security written i don\'t know probably dozens of books at this\ \ Time but one of the books that he\ \ One of his more recent books is called\ \ Data and goliah right and he compares data right to\ \ Well the negative externality the side effect of the industrial revolution is\ \ Pollution right and he says the negative externality if\ \ You will decide effect of the internet revolution\ \ Is data\ \ Right because now there\'s all this data that is being constantly spewed out by our various systems that organizations are using and collecting and so on now i don\'t necessarily care right about all of\ \ This data right so there\ \ Was the some years\ \ Ago there was the big ashley madison\ \ Breach right ashley madison is the website that encourages people to have an\ \ Affair and they had a big breach revealing the personal information\ \ I don\'t care what people are doing on their personal time but who might care\ \ About\ \ The people\'s data in ashley madison of course the people\ \ Themselves but who else\ \ Why would a bad guy care about that data\ \ Extortion extortion blackmail\ \ Right because maybe jeff and jeff was in\ \ That was in the ashley madison website and if the attacker finds you then they could say jeff this is some information that you probably don\'t want your\ \ Family\ \ To know about well go ahead and give me something but now you\'re not going to target any just random person like me right that doesn\'t have anything valuable well you\'re going to cross reference this with some other important information maybe somebody that is more susceptible to blackmail like people having\ \ Financial problems\ \ And we know\ \ You can\'t find stolen financial information anywhere on the internet right\ \ Well but\ \ Also are they in imortant or useful\ \ Positions one of the biggest u government breaches was the\ \ Anybody remember\ \ The\ \ Opm breach the office of personnel management right which was the people people\'s information but not just about various government workers kind of\ \ Like the quote un quote hr department of the of the government if you will and\ \ But it was also people\'s friends\ \ Relatives and so on who also had to have background checks done on them so if the attacker the bad guy can\ \ Figure out hey who might be in a sensitive position\ \ Then they cross reference that with something like ashley madison\ \ Right so now information right is definitely a commodity but when you\ \ Intersect it in an appropriate\ \ Way it could lead to right more sensitive more sensitive outcomes\ \ And as we know security is no longer justin it issue every\ \ Other organization right anybody here have the problem\ \ The challenge of shadow it\ \ Other departments right bringing in their own software signing up for\ \ Other software services we\'ve got to spend a lot of time trying to understand that and\ \ As technology changes right we need to understand what\ \ The corresponding risks actually are but from a senior level now executives are paying more attention right anybody here know of an\ \ Organization called the n a c d\ \ The national association of corporate directors there are\ \ Similar organizations in other parts of the world call different names like the iod\ \ The institute of directors in different european countries and these\ \ Are the organizations\ \ That provide guidance to\ \ Board members boards of directors the senior governing people of any organization and they provide them tips\ \ On nominating and\ \ Governance who should be hired who should come on to the board diversity equity inclusion finance\ \ And so on right but they also now provide guidance on\ \ Cyber security\ \ Right and nacd for example has a document called effective cyber risk oversight for the boards of directors one of the key things that they mentioned is hey you\ \ As a board member you need to be understanding your organization and making sure asking figuring out asia organization treating\ \ Security as a i t issue or is it treating it as a enterprise risk management issue\ \ As a strategic risk like the other risks that the organization is facing\ \ And that\'s partly why right we\'ve got increased scrutiny\ \ In what we\'re doing from a security perspective as is evidenced by\ \ The increasing regulatory and\ \ Compliance requirements that security leaders are facing since in\ \ The last decade as we mentioned since the target breach and other things have happened over the years leana says what was the name\ \ Of that document it\'s the n a c d if you google n a c d\ \ It\'s the cyber risk oversight cyber risk oversight document\ \ If\ \ You can\'t it used to be a free registration on their website that you could\ \ Download\ \ It\ \ If not i\'ve got a copy of it here that i can share in slack when we get to the next break\ \ All right so who here has ever had a\ \ Challenge of getting more money for your security team\ \ No never happens you get all the money that you want\ \ Right some years ago i was meeting with my c f o and\ \ My goal my personal goal in that meeting was to not get anything from her in that meeting\ \ But was to slowly\ \ Start to get her buy in to eventually be on board with the new business case\ \ That we were proposing that would eventually lead to an increased insecurity investment internally\ \ Now she saw right through me right away right she within i don\'t know five minutes she\'s like frank\ \ We get it\ \ We in finance we know that cyber security is important but what we want to know is are we spending too much are we\ \ Spending too little how are we doing in relation to our industry peers she was asking that proverbial bear in the forest question are we running faster than the\ \ Bear in the forest or\ \ Are we running faster than our friend in the forest whom the\ \ Bear is also chasing right and a lot of times that\'s how\ \ Senior leaders want to frame it and so\ \ Those are the types of things that we\'re going to be talking about\ \ Section number two we\'re going to talk about hey\ \ Tips on framing your security business case and it really boils down\ \ To risk based decision making\ \ All right give you another historical example here you remember all the way back in two thousand and two\ \ Twenty plus\ \ Years ago right there\ \ Is a company that was arguably the laughingstock of the security industry\ \ You would go to\ \ Security conferences and events and security professionals we would\ \ Poke fun at this company about their poor state of security\ \ And that company was\ \ Yes that company was microsoft right\ \ Because all of their most popular products windows sql server office were besieged by security vulnerabilities remember these were the times when a\ \ Host based firewall did not even come by default right\ \ On the operating system itself resulting in if you\ \ Plug in one of those operating systems to the internet it was able to be compromised within now\ \ Less than two\ \ Minutes right just by default\ \ And so this\ \ Resulted in huge worms\ \ Code red nimda that resulted in huge data center outages\ \ And at the time shortly thereafter bill\ \ Gates sent a memo to all at the time thirty thousand fulltime microsoft employees and he said from now on we\ \ Need\ \ To stop working on new\ \ Features and functionality and we\'re going to direct all of our efforts to security\ \ Why did bill gates say this\ \ He understood he understood that security was an existential risk to microsoft that if people customers didn\'t\ \ Trust microsoft\'s products and services they would stop buying microsoft\'s\ \ Products and services and it could result in potentially microsoft ceasing to exist this became known as the trustworthy computing memo and it\'s because\ \ Bill gates\ \ Understood right that the risk associated to microsoft\ \ And bad security right what that meant for the organization\ \ And we\'ve seen since then in the pandemic era zoom the zoom ceo eric yuan basically said the same thing after some security\ \ Issues were discovered in zoom right so many c e o s have said similar things over the years this is kind of a insecurity right kind of a watershed example right of why security is so important\ \ Because\ \ It\'s related to bill\ \ Gates inherently understood right hey if we want to sell our products if we want to continue to exist we need\ \ To factor in security risk which is why fast forward twenty plus years later\ \ Microsoft i would never have guessed in the\ \ Early two thousands that microsoft would eventually be one of the leading\ \ Security vendors in the world right which they are\ \ Today sure they still have vulnerabilities they still\ \ Have issues like every other organization but they\'ve got a very\ \ Mature security program and security product portfolio now\ \ All right now for you in particular what does this\ \ Mean now there\'s a management tool you\'re thirty sixty\ \ Ninety day plan right coming up with your thirty sixty ninety day plan\ \ Usually when you start a job\ \ This is what you\'ll want to think about it\'s not to say that you\'re going to finish everything in thirty sixty ninety days is to give you a personal road map for you and your team to say hey what are we going to do first second and third\ \ Right i\'ve even have\ \ Friends colleagues that are\ \ Interviewing for senior security positions cecil positions and so on and they get asked in the interview hey by\ \ The time i talk to you again next\ \ Week can you come up with a draft thirty sixty ninety day plan\ \ Right so i\'ve got friends who even taken the examples that you\'re going to see and use that as a template and use that in their interview and they say hey\ \ It\'s helped\ \ Them get the job right and so it\'s really about framing security\ \ In a way that\'s hey what\ \ Do you need to do to first right thirty days you\ \ Need to understand the environment you need to decipher what\'s going on now depends on the size of your company right remember steve cats at sea group\ \ Huge organization he spent at least six months traveling around the world\ \ Deciphering what\'s going on\ \ After\ \ Those thirty days or after that six months does that mean\ \ You\'re done with decipher\ \ No it\'s continuous right but the main point is hey kind of what do you do kind of what do you prioritize first second and third then in your second\ \ Proverbial sixty days this is where you develop the plan don\'t be like\ \ My friend that takes an existing plan and pops it into a new organization right you\'ve got to decipher\ \ Then develop the plan and\ \ Then figure out what to do to execute on it right and\ \ This is the typical process even\ \ Though we use the term decipher developed deliver a lead\ \ Right other places right\ \ Conceptually it\'s the same thing you need\ \ To understand you need to evaluate you need to learn optimize\ \ And right then figure out what you can actually execute on\ \ The whole idea is you want to show some progress\ \ Within those first ninety days i\'ve got a friend who\ \ He\'s been the cecil at this large biomedical company for the last seven years now he did something\ \ Interesting check this out when he first started he was not reporting directly\ \ To the c e\ \ O but he in the interview process he talked to the c e o and he knew that he would be working you\ \ Know regularly with the c e o so he said to his boss and the c e o he said hey\ \ We\'re a big company\ \ The first six months i\'m not going to ask you for anything\ \ Right i\'m going to figure out\ \ What the team is doing i\'m\ \ Going to decipher and within those first six months i\'m going to use the existing budget and resources that we have and i want to show you how we\'re going to improve you know\ \ X number of things\ \ Which he did and within those six months his leader senior\ \ Leaders were very impressed by the progress he was able to make without asking\ \ For new money\ \ What did that result in\ \ Why did he do that did you go in and do that at a new company usually when we go in as\ \ The new security leader security manager we\'re thinking ok well what more resources what more budget can i have so he took a little bit of a chance right but what\ \ Did it\ \ Do\ \ It built up the trust and confidence that senior leadership had\ \ In him that is one of the key reasons i\ \ Believe why he\'s been there so long right because he built that\ \ Relationship from the beginning because he spent time deciphering and then ah remember the whole point of a ninety\ \ Day plan\ \ Is what can you get done within the first quote unquote ninety days now for him it was six months right but you want to show some\ \ Progress right that\'s the whole idea of this planning tool here\ \ Which leads us to yes as jesse\ \ Mentioned trust nathan mentions credibility and confidence exactly\ \ Right you build credibility\ \ And confidence right and that leads to conviction right\ \ Now the ceo his boss right now has conviction that\ \ He is the right person to lead this program for the organization\ \ O this brings us to our very first case scenario here\ \ Our very first\ \ Lab that is about health pound healthhound that fictional company that makes wearable activity trackers like your apple watch like fitbit and so on now it turns out that your friend a guy named dennis right he\ \ Was just hired at health town as the senior most security person in the company the director of security now he\'s got a a small team a three person team two technical\ \ Folks and one compliance person it\'s his second day on the job and he\ \ Calls you up after work around six o\'clock and\ \ As soon as\ \ You pick up the\ \ Phone you can tell in his voice that he\'s a little bit panicked\ \ Second day on the job the person that hired him the vp of it operations decides to leave the company right to go someplace else and he gets an unexpected call from the\ \ Ceo who he hasn\'t talked to before and the c\ \ E o says hey i want to meet with you by the end of\ \ The week i want a briefing on the state of cyber security and i\'m looking forward to meeting because i hear here you really\ \ Know your stuff\ \ So he\'s a little bit\ \ Freaked out because well he\'s just started the first week and he\'s never talked to\ \ The ceo before and he\ \ Has to get prepared for this upcoming meeting\ \ So that\'s a little bit of the background right it\'s also written down in the notes to the page here ceo specifically says hey i want to make sure you show me your thirty sixty ninety day plan so your friend dennis is calling you and asking for some\ \ Advice\ \ Right what can i do what should i do to\ \ Get ready for this meeting at the end of the week now health\ \ Town as we said is the maker of those wearable activity trackers technology driven company fifteen hundred employees two billion\ \ In revenue and not only do they make the custom hardware but\ \ Also got various systems a mobile application the various stuff\ \ Deployed to the cloud accessible via api right to gather personal health related information\ \ So there\'s\ \ Some important data that they\'re dealing with here\ \ So with that background guys this brings us to our\ \ Very first lab here\ \ And in the lab there\'s is to think about this scenario read what\'s written in the notes to this page and write\ \ Down the answers to two questions i\'m going to what\ \ I\'m going to do is i\'m going to put these two questions in slack and in a slack thread you guys are just going to type in your\ \ Responses all right the two questions are number one\ \ What are three things you think the c e o cares about\ \ What does the ceo want to get out of this meeting with dennis and then number two what should dennis lan\ \ To get out of this meeting what\ \ Does dennis need to show the ceo what does dennis need to prepare\ \ For this meeting itself all\ \ Right i\'m going to put those two\ \ Questions in slack that\'s where you guys are going to type in your responses will time box this for just you\ \ Know five ish minutes or so five seven minutes or\ \ So depending on the responses that are coming in and by the way don\'t turn the page\ \ Because we\'ve got some suggested answers on the next page\ \ Once you guys type in your responses in slack then going to go ahead and come\ \ Back and we\'ll debrief on these questions together as a class all right\ \ Makes\ \ Sense all right\ \ So read what\'s in the notes start to note down your responses i\'m going to put the questions in slack in just a moment hey everybody we\'re going to start to debrief on this one in just two minutes two minute warning\ \ All right everybody\ \ I know some of you are still typing here but let\'s go ahead and start to\ \ Debrief on this one a lot of great responses here in slack so first question here in terms of the debrief what does the c e o care about now a lot of you guys put in some good common themes here and christina\ \ Mentions this wesley mentions this right julie mentions this other people down here in the thread mention it as well is\ \ What does the c e o think about dennis\ \ Now remember this is\ \ The first time that dennis is meeting with the ceo and one of the\ \ Key things that the ceo wants to think about is is\ \ Dennis the right person for the job today and\ \ Is he potentially also the right person for the job in the future now what was the title that dennis came in as\ \ You guys remember\ \ Dennis is the director of security\ \ And previous and he\'s brought boss as of\ \ Yesterday when the first week on the job his boss was the\ \ Director of i t operations right so what is this indicate right so he hasn\'t met the c e o before didn\'t talk to the c e o during the interview process he\'s title\ \ As director and he\'s\ \ Reporting to the director of it operations\ \ Why didn\'t the company if he\'s the senior most security person\ \ Why didn\'t the company give him the ceo title\ \ What is your guess why do you think maybe they had no\ \ Option maybe no options right well i thought it was a vp of it\ \ Team right\ \ Uh huh أوكيه\ \ Yeah he was reporting to the v p of i t operations and dennis is the director of security yep and he knows stuff and dennis dennis knows stuff about security so if he\'s the senior most security person why wouldn\'t you give him the security title now richard mentions hey security is not considered important\ \ Right so the hints that we have so far reporting to the director of\ \ I t operations it\'s perhaps right dennis coming in if you took that job you would need to\ \ Consider try to decipher try to evaluate\ \ Does the company currently think\ \ Of security as just an it issue right or is it something broader\ \ Now wesley mentions hey he saw something in the resume he needs right so that we could think about it that way like hey\ \ What\'s the company lacking because it turns out that through some bad experiences\ \ I realized that hey security can only improve and mature as much as\ \ I t is mature because if i t is\ \ Very immature in the org it kind of hinders limits the progress that you\ \ Can make from a security perspective\ \ Because it has to mature as well so we already have hints here that hell pound\ \ Is not that mature so on the positive\ \ Side\ \ Though is at the best case the c e o would have had conversations with his leadership team and said look we need somebody that\'s responsible for security but we know that as a business we\'re not\ \ That mature yet and we also know that i t is not that\ \ Mature so if we hired somebody as the cso role\ \ Well\ \ Maybe that might be two not the right fit right we need somebody that\'s\ \ Maybe a little bit more roll up the sleeves for now\ \ And so the ceo might be trying to meet with dennis now to determine hey can he get the job\ \ Done today as many of you pointed\ \ Out hey does he dennis have a\ \ Plan for security but is he somebody that can grow with\ \ The organization and maybe grow into the cecil role so they\ \ Might have purposely hired somebody at the director level to see hey is he going to be able to take on that expanded responsibility in the\ \ Future or do we need to bring in somebody else\ \ Right example you guys know most of\ \ Us right whenever i\'ve worked at a company we\'ve\ \ Got an annual performance review that\'s on a onetofive scale five being the best right you got to be doing really\ \ Well to get a five i had a senior vp once and she said frank\ \ When i first meet somebody rightly or wrongly i\ \ Immediately determine are they a five level performer or not\ \ Right now they might still be great they\ \ Might be a four level performer but if you don\'t indicate in some way that you\'re a five level performer it\'s going to take a lot of time and proof for me to believe that you\'re actually a five level performer so that\'s what the c e o is trying to determine about dennis right now is\ \ He a five level performer or not so that first impression\ \ Really makes a a\ \ Difference now what else is important to the c e o what are what is\ \ The c e o s\ \ Top priority\ \ Right about the security\ \ Posture of the company the security posture of the company yes\ \ Now he\'s hired dennis for that so that\'s important so as many of you pointed out the second question what does dennis want to show in the meeting right dennis wants to show that he\'s got some understanding right\ \ Of the current state some understanding of what\'s important to the organization but the c e o s main goal is to\ \ Remember the context of the company\ \ Profit is to sell more devices\ \ Right sell more devices and make more money right in a\ \ For profit organization that\'s\ \ Told that\'s the main goal to achieve the mission of the organization and to in this case sell more devices right and then he also wants to know\ \ Right hey how does security support that right so that\'s what he\'s trying to\ \ Figure out is\ \ Dennis the right person for today and maybe tomorrow and what can we do right what can we do so if that\'s the\ \ Most important thing for the\ \ C e o then turn our attention to the second question\ \ Right what should dennis\ \ Provide in the meeting itself\ \ Now member in this scenario dennis has been on the job for one week\ \ Is dennis\ \ Going to have enough time to come up with a thorough and comprehensive\ \ Plan or even understanding of the organization\ \ No right not in a week right he has some sense\ \ Of it right but what can he show some of many of you mentioned that dennis needs\ \ To build trust confidence with the c e o how is he going to do that in one short week in this first meeting what\'s he going to do\ \ Maybe a short analysis a swat analysis right to show hey where is\ \ The organization\ \ Strong week we\'re going to talk about swat later on\ \ Now because dennis won\'t be able to\ \ Build a lan or any comrehensive analysis within a week\ \ Right well what can he do he can say ah more time ask for more\ \ Time she can say well\ \ Yeah show that he\'s got a plan for the plan hey\ \ So this is what i\'ve done in my prior organization this is the process that we\ \ Go through\ \ Decipher develop and lead these are the types of things that we do and the outcomes that we expect for each\ \ Of these phases of the process now a number of you mentioned something\ \ Along the lines of determined the risk appetite\ \ Right understand\ \ What\'s important to the organization what keeps him up at night and so on now these are all good things to get in place however right\ \ I find that it\'s useful to kind of reframe the question\ \ A little bit if we go and ask the c e o so what\'s your risk appetite if we go and ask the c e o\ \ What keeps you up at night and the c e o s not a security person they\'re a business person are they going\ \ To really understand\ \ What their risk appetite is\ \ Now maybe more so in financial services but maybe not a fitbit if they\'re technical maybe a little bit\ \ So the cat\ \ A\ \ Better way to frame the question is to say hey so\ \ What do you think are the most important processes at the organization\ \ We\'re like hey you know if for some reason you know you were to\ \ Be replaced as c e o right what do you think could have led to that\ \ Right because then what you\'re trying to identify\ \ Is figure out the most important processes assets crown jewels\ \ And so on right because your job is to decipher right but\ \ When you ask hey c e o what\ \ Do you think is your risk appetite we\'re kind of\ \ Putting the burden of the work the deciphering on the\ \ C e o the c e o doesn\'t necessarily know because\ \ They don\'t know how that might map back to different security things we need to do\ \ So first by you understanding the processes then you can do the\ \ Work of deciphering\ \ Right what is important to the\ \ Organization for each of the different\ \ Stakeholders right that ties back to you as some of you guys point out julie mentions the strategic direction of the company the vision culture and so on that lets you then decipher the risk appetite now as part of this meeting with the c e o you show the plan for the plan you build confidence you ask the right questions and then you can as nathan points out you can figure out\ \ How committed is\ \ The organization to security now given\ \ The scenario here the context i\'ve found that it\'s\ \ Very hard to be the first cso at any organization\ \ Why well\ \ Because usually that\'s an indication that the security program is not that mature the\ \ Processes are not in place and\ \ The working relationships aren\'t in place so to be the first see so add an org\ \ You\'ve got a lot of\ \ Stuff to do right and usually a lot of times it\'s the second cso right that it has it a little\ \ Bit easier because the first cso is already laid a bit of the the groundwork especially for a seemingly less mature organization like a healthhound that we see here\ \ Right so if you are taking that job right these are things that you\ \ Would want to consider as well but the main thing here is that yes you got to make sure that you\'ve got a plan for the plan a plan for the strategic plan a plan\ \ For the road map right so kind of\ \ In summary here let me glance back at slack\ \ All right that here right in summary what did we talk about\ \ What is the ceo care about getting new products to market making sure customers trust health hounds products and services so that they\'ll continue to buy them and use them and knowing that you your friend dennis has a plan for security so as a result well dennis\'s goals should be to show that he can understand what healthhound\'s business goals\ \ Are how perhaps security\ \ Will be built into\ \ Health town\'s products and services right as part of that\ \ Overall\ \ Process and showing that you got that as we said that plan for the plan\ \ All right now you definitely in this first\ \ Meeting you don\'t want to go\ \ In and say so what\'s my budget can i increase my budget\ \ Not eventually you\'re going to get there\ \ We\'ll talk about that later as the course progresses but that\'s not\ \ The first thing that you want to ask\ \ Right so it\'s\ \ Going to be a balance of kind of tactical conversation and more strategic\ \ Conversation in this meeting with the ceo\ \ All right and part of that here is getting us to our example thirty\ \ Sixty ninety day plan now as we mentioned right we\'ve got the what do we do first second and third directionally and in a lot small org maybe you can get it all done in thirty days but in a medium sized larger org it\'s going to take more this is a continuous process here and i like to break it up\ \ Into three different categories\ \ What do you need to do for your executives slash organization\ \ What do you need to do\ \ For your team and also hey what do you need to do for you\ \ So taking these one at a time where the organization for your executives in the first thirty days deciphering you meet with your stakeholders you understand where they\'re coming from you try to understand the culture of the crown jewels right then you develop the plan right using as we\'ll talk about\ \ In section number two various security frameworks creating the road map and the business case and then you deliver right to deliver to execute you got to have metrics to track your progress you\'ve got to have a marketing\ \ A communications plan you\'ve got to maybe brief\ \ The board on a regular basis have the corresponding policy\ \ Talk about all of these things as we move forward\ \ In class but\ \ Now what\ \ About for your team right well you need to understand your team what they want right the team member goals analyzing the current state you mentioned mohammed mentions the swat it\'s the strength and weaknesses not just for the org but this could be for your team as well at defining those various goals and creating a training plan but check it out at the bottom for you\ \ Are you going to be in this job at health town\ \ For the rest of your career probably not\ \ Right so that means for you right now this bottom row most of\ \ The time you\'re probably going to keep that to yourself in some cases right if you\'ve got a great executive right that that is\ \ Your sponsor that cares about you you may be going to share some element\ \ Of those things but not right off the bat usually right but going into any\ \ Job or even the job you have today you want to think to yourself well what\ \ Are you going to get out of the job\ \ What are the goals\ \ For you in that job right what are the fungible transferable skills that you\'re going to build in that\ \ Job right that helps you\ \ Achieve your career goals and if you want to\ \ Develop if you want to get better right this is where you find somebody to mentor because by helping others to take the next step in your career\ \ You learn\ \ Throughout that process as well but then if your\ \ Goal in the lower right corner is to get a higher level osition to move\ \ U the ranks if you will you need to find and we\'ll talk about this in section four you need to find a sponsor right somebody that\'s going to be your supporter introducing youtube new key opportunities alright so usually you want to think about\ \ Breaking it up in this\ \ Way what\'s good for your executives to org what\'s good for your team and what\'s good for you\ \ Now this is\ \ Hard because being in any management\ \ Role is difficult because you\'ve got to what\ \ Lead in\ \ Three directions you\'ve got to lead up you\'ve got to\ \ Lead across to your eers and colleagues and you\'ve got to lead down with your\ \ Team right now from a senior executive perspective right i\'ve seen the worst senior executives only lead in one direction which is\ \ Which direction\ \ So right they only lead up because they are trying\ \ To right so how amazing they are to their bosses now the better senior\ \ Leaders they\ \ Lead in at least two directions usually that\'s up and across\ \ The\ \ Best senior leaders they lead in all three directions but it is\ \ Not as frequent at least\ \ From what i\'ve seen as we\ \ Would hope right maybe you\'ve experienced something similar but that\'s why\ \ Leadership right any management leadership role is challenging\ \ So we want to remind ourselves of that on a continuous basis\ \ Alright i\'m a pause for a moment here glance back\ \ At slack\ \ Right that was our health hound scenario make\ \ Sure there\'s no other comments or questions here\ \ Now that\ \ Brings us to our introduction of the cyber forty two game now real quick here\ \ Before i move on and talk about this i\'m going to switch over to my browser and in the browser this\ \ Is for only the\ \ Online people all\ \ Right i\'m going to share the link to this that\'s weird what happened here\ \ Hold on one moment what\'s happening in terms of the alignment here all\ \ Right hold on\ \ Ok there we go\ \ All right so everybody online what we\'re going to do here as we move forward is each of you guys are going to join your classmates here in teams of four or five\ \ All right so for only the online people you are going to join\ \ One of these teams and i\'m going to ask you once i share this link here in slack to add your name to one of these green cells all right\ \ So there should be nine people here online\ \ Still i believe so add your name to one of these green cells\ \ I\'m going to put this here in slack\ \ Only the online people please go ahead as we\'re talking through this next set of slides here just go ahead and add your name as it appears in slack to one of these\ \ Green cells and that\'s the team that you\'re going to be on for the rest of the week here in class you\'re just going to be on teams related to\ \ Seating proximity all right so as everybody\ \ Online does that we\'ll come back to that later\ \ Let\'s turn our attention back to the slides here\ \ We\'re going to do a little bit of an overview of the cyber forty\ \ Two game anybody played cyber forty two before in a different class\ \ No alright so it\'s new yeah one yeah all right so maybe you play some board games at home with your family with your friends with your kids and when you play a board game if it\'s not a\ \ Simple game like checkers right where everybody\ \ Knows that the rules usually when you unbox the board game you\'ve got to refresh your memory on the rules you\'ve got\ \ To understand the game mechanics\ \ And that\'s exactly what we\'re going to do here\ \ Now this game as i\'ve mentioned before is just a web based game when the time comes\ \ Shortly we\'ll give\ \ You the link to access the game but here just like we\'re doing\ \ In our strategic planning process one of the game mechanics is\ \ To improve your strategic planning capabilities your\ \ Decipher developed deliver and lead capabilities as you move forward in class now just like in real life you\'ve got\ \ Limited time and\ \ You\'ve got limited\ \ Money in the game you\'re\ \ Starting with you have one point two five million dollars\ \ And you\'re starting with forty time units right\ \ These are just generic units in the game the goal of the game here\ \ Is to increase your security culture your security culture score so how do you win the game there\'s going to be\ \ Four teams in class the team\ \ With the highest security culture score at the end of the class is the winner right and every member of the winning team is going to get a\ \ Five fourteen challenge coin\ \ Right i\'ll show i forgot to bring it i\'ll show you the coin here\ \ Later on later in\ \ Class now it doesn\'t mean there can only be one winning team but\ \ It doesn\'t mean that hey that only that team did well if you happen to finish the class with a hundred or more culture points that\'s really good actually you get three starry eyed emojis\ \ If you have a score in the nineties\ \ That\'s also very good right you get three\ \ Really happy emojis eighty to eighty nine three smiley face emojis now\ \ Seventy to seventy nine or sixty to sixty nine you get\ \ Some frowning faces here because\ \ You might have noticed remember from the rior slide you start with sixty culture\ \ Points o we think you can do better than sixty\ \ To sixty nine all right so this is rough rubric here we\'ll show this\ \ Again at the end of the class\ \ The game kind of like a\ \ Basketball game\ \ Is divided up into four not quarters but four rounds each round has a certain number of challenges the first round which we play over section one and two of the course right that contains six different challenges you\'re going to be presented it\'s kind of like a if you ever read those choose your own adventure books as a kid where\ \ You read a book and it says if you choose a then\ \ Turn to this page if you choose b then turn to this page now i was one of those kids that\ \ Read it cover to cover\ \ To know what all of the options and the outcomes were the\ \ Game is kind of like a choose your own adventure for each of the challenges\ \ You\'re going to be presented with a scenario that your team has to talk about discuss and say should we choose option a b\ \ C or d and so on and then each option is going to have some outcome\ \ Right sometimes just like at work you know you make a decision to do something at work because you think it\'s going to have a positive outcome\ \ Most of the time it does but sometimes it has an unexpected\ \ Side effect right as this ever happened to you at\ \ Work yeah similarly the game is going to have some unexpected not a lot but\ \ Some unexpected side effects depending on the choices that you might make sections three four and five cover the subsequent rounds of\ \ The course with three challenges each\ \ All right\ \ Now as you\'re playing the game there are some positive and negative\ \ Scoring accelerators at the end of\ \ Every round at the\ \ Very bottom here for everyone point greater than three for each of your functions decipher developed deliver\ \ Lead at the end of every round you get two bonus culture points\ \ For example if you have a four\ \ Score in one category then you get a two bonus culture points\ \ Next round if you still have that four if you\'re just at four still you get another two\ \ Bonus culture points right so it\'s additive so because you\'ve built u your capability you get value you get benefit from it at the end of every round but remember\ \ At work if you don\'t deliver on time\ \ If you go\ \ If you blow your budget every single time does that make you look good or bad at\ \ Work\ \ Yeah ben not so good\ \ Similarly in the game if you are negative budget for every negative two hundred fifty k in budget at the end of each round you get minus one culture point if\ \ You are negative time if you\ \ Don\'t deliver your projects on time then you get minus one culture for every minus one time now these negative accelerators are\ \ Not going to hit at the\ \ End of round one because you just haven\'t gone that far in the game\ \ They\'re unlikely to hit in round two but by the end of the game\ \ Right they\'ll probably come into play\ \ All right so just like in real life you got a balance\ \ The limited time and money the resources that you actually have\ \ Ok now in\ \ A little bit here right we\'re going to let you access the cyber forty two game that\'s hosted on the ranges dot i o platform you got to\ \ Do two things only two things here is first you\'re going to need to go to ranges dot i o and create an user id and password if you don\'t already have one\ \ All of you have already in person and\ \ Online you guys have all signed into your sans portal\ \ When you go\ \ To ranges\ \ Dot i o there\'s actually a button to do single sign on across the two you can\ \ Just say click here to sign on with your\ \ Account so then automatically you\'ll have arranges dot io\ \ Account right that\'s easy so you could do it that way or create a separate user id and password if you want then which will come a little bit later you can\ \ Join your specific team in a little bit not now\ \ I\'m gonna share with you guys here\ \ Right access i\'m going to go back to slack here\ \ Access to your\ \ Private teen channels here all right so the two online teams are going\ \ To be team leaky cauldrin and team mose tavern\ \ The two in person teams are going to\ \ Be team aviary and team kumiko alright inside\ \ Of these private channels which i will add you to lay in a little bit right are links to your specific team so you create an account on ranges dot io you sign in and\ \ Then you click the link it will automatically join you to your team\ \ All right\ \ And your team link is\ \ In these private slack channels here on the left hand side i\'m not going to go into\ \ One because i don\'t want to reveal the\ \ Link for right the details for that particular team\ \ All right so going back to the slides\ \ Now this is very\ \ Important you\'re going to be playing the game as a team o everyone of your team members can do anything in the web app if you read the\ \ Scenario when the time comes any team member could push\ \ The button could push the submit button\ \ However\ \ Do not push the button until you and your team have discussed and suggestion here there\'s a very important role that each member\ \ One member on the team has to play and that is the role of the\ \ Chief button pusher\ \ All right you have to\ \ Identify one person on your team that may be for the whole class or maybe just for the day it\'s u to you guys the one person that\'s going to push the\ \ Submit button all right because if anybody pushes the button first then that choice is final we can\'t go\ \ Back there\'s no take backs there\'s no reversal so you have to first discuss with your team\ \ Then agree are you going to choose a b c or d then have the chief button\ \ Pusher be the only one that pushes the button\ \ All right makes sense i\'m going to repeat that\ \ Here several times as we\ \ Go forward right because we don\'t want to accidentally make a mistake sometimes you can accidentally hit refresh or not think you\'re pushing the button this has happened in a very few cases right so make sure that your chief button pusher your team lead is the one that pushes the the\ \ The button\ \ All right so what we\'re going to do now quick logistics here every day break\ \ Morning break is from ten thirty to ten fifty everyday lunch is from twelve fifteen to one thirty an afternoon break is from three\ \ O\'clock to three twenty we are five six minutes away from our morning break here so we\'re going to\ \ Do morning break slash cyber forty two setup so\ \ Momentarily i\'m going to ask you to one\ \ Create your login on rangesio and number two i\'m going to go ahead and\ \ Add each of you to your private team channels in slack that i showed you from there just\ \ Go ahead and click the link and\ \ Then get added to your team all right and everybody online based on what you put in the spreadsheet i\'m going to\ \ Add you to that private slack channel here in person we\'re going to add you here momentarily as well so do that in the next five minutes that we have\ \ And then come back from break at ten fifty\ \ All right all right you guys should all be set up or close to\ \ Finalizing your setup so it\ \ Is break\ \ Time here feel free to leave you know take a break\ \ Everybody online get up stretch refresh yourself grab a drink and then we\'ll start at ten fifty ten fifty central time\ \ All\ \ Right welcome back everybody welcome back it is the end of break so before we get started we\'ve got some people trickling back into the room here adam thanks\ \ For posting that message i did\ \ Want to ask you know we had the slack thread you know with people introducing\ \ Themselves and sharing a fun fact so i want to ask a couple people online wesley\ \ And christina if you could just in a moment unmute you know the wesley i want to ask you you shared that you live in arizona\ \ But your kids play hockey are you from\ \ Arizona or did you live in a colder climate and that\'s how they got into hockey wesley if you could just unmute real quick and tell us a little bit about that\ \ History no i\'m actually from arizona ok from arizona did you play hockey\ \ Grown ice hockey two growing up no actually my kids\ \ Are a\ \ First generation because they solve the movie inside out and decided that they wanted to play hockey like she did\ \ That\'s\ \ One of my favorite pixar movies so\ \ I haven\'t seen the second one yet actually though i hear that\'s\ \ Good too\ \ Cool thanks for\ \ Sharing that and then christina if you could unmute in just a moment i\ \ Wanted to ask you you\ \ Know you shared that you\'re interested in genetics\ \ And kind of\ \ The the interplay how did you get into that and kind of what\'s been the maybe the biggest takeaways for you\ \ Sure sure so i have a ten year old son who was diagnosed with a d\ \ H d really young and\ \ Just really struggled\ \ To do well in the school environment and you know we were just kind of told the only way that you can manage this is is to medicaid and and we tried and and that\ \ Didn\'t work well for him so i started diving into like what\ \ You know all of this is that there\'s\ \ So much biology behind it there\'s so much genetics behind it so\ \ Trying to figure out you know what type of genetic mutations he might have how it impacts his behavior you know different systems in his body that\ \ That you know is not getting the things\ \ That that they need in\ \ Order to you know function\ \ Correctly and then what type of dietary changes we could make so it\'s it\'s been a\ \ Really interesting journey of trying to figure out how to\ \ Support his\ \ Body\ \ And brain in a way where we can kind of help him learn to cope and\ \ Manage adhd\ \ Without having medication it\'s it\'s\ \ It\'s been fascinating as i was writing a fun fact i\ \ Thought that might not be fun to\ \ A lot of people but it\'s it\'s been an interesting journey yeah awesome hey thanks for sharing that\ \ My younger daughter actually has\ \ A d h d as well and we only used a medication for a little bit but\ \ It\'s been kind of sleep and kind of diet and some kind of what do you call\ \ It like herbal herbal supplements and stuff so yeah since then so yeah appreciate you\ \ Sharing that\ \ Journey the you know your audio did just in case you unmute in the\ \ Future your audio was started out really strong and then it\ \ Got to a little bit lower here in the room so i don\'t know if maybe you went away from the mic or not or maybe\ \ That\'s something on our end but just a f y i in case you unmute and talk in the future too\ \ All right well welcome back\ \ Everybody here so right before\ \ Break during break here you guys just finished up your setup in cyber forty two now as you notice nothing is\ \ Available to do just yet as we progress in class we\'re going to be unlocking various challenges here so we\'re\ \ Going to kind of take those one at a time as you see from the outline right moving forward with event one event two event three\ \ And so\ \ On but for now let\'s go ahead and jump into our next topic here which is\ \ Deciphering the business right arguably the\ \ Most important phase of our strategic planning process and usually we need to talk about this because hey coming from a technical background hey to be honest those early jobs i\ \ Had early in my career i was doing all of my technical work but i had pretty much zero understanding of what those companies what those organizations did from a business\ \ Perspective so there was a huge gap from\ \ A personal perspective and i seen other\ \ Technical colleagues security\ \ Colleagues over the years have be in a similar situation\ \ One way to think about this is your proverbial elevator pitch you know you get in an elevator it stops at\ \ A floor and maybe the ceo walks on and usually naturally the ceo will start\ \ Up some conversation so what is it that you what do you do at the company what do you do at the organization now you can\'t go into you can but they might not understand\ \ It\ \ Going\ \ To all of the\ \ Details of the vulnerability scanning and the detailed vulnerabilities and the c v s s scores and so on that you might be working on at that particular time\ \ You\'ve got to distill down everything that the team does in a thirty second elevator pitch right there\'s that maxim that says hey i\ \ Would have\ \ Written you a shorter letter if i had more time right it\'s usually harder to say things in a more concise way so you got your thirty second elevator pitch maybe you\'ve got your sixty sixty minute and more\ \ In depth presentation that you might do about the program to some other technical partners as well but we got to figure out hey how\ \ Do we summarize that\ \ To get\ \ To the point\ \ Where you can do a thirty second elevator pitch well we suggest using these various tools\ \ Number one doing a little bit of\ \ Analysis understanding where\ \ The organization has been and how that might inform the potential future outcomes understanding number two\ \ Well a little\ \ Bit of\ \ The the how how things get done in the organization that then factors into number three\ \ Your key stakeholders right what are their preferences what do they want how do they view risk in the organization related to number\ \ Four\ \ Those key crown jewels remember i mentioned the n a c\ \ D earlier right and the iod institute of directors\ \ One of the things that they suggest to board members is make sure you as\ \ A your responsibility as a board member is to understand ask and understand what are the crown jewels for the organization\ \ Where are they and what are we doing to\ \ Gain visibility and protect those corresponding assets and then finally right\ \ Figure out how\ \ Our security activity step number five maps back to the strategic\ \ Objectives of the\ \ Organization overall so we\'re going to do each of those five\ \ Things here one at a time\ \ Starting with a relatively short module on historical analysis\ \ Now you guys might know the guy george santayana he\'s the one that said those who\ \ Cannot remember the past are condemned to repeat it he\'s also the guy that said only the dead have seen the end of war right so he\'s\ \ Saying it was a kind of a wise person but the whole idea here is to understand what\'s worked in the past what why it didn\'t work before and what might work in the\ \ Future for you a\ \ Key way to start to do this\ \ Is to identify and some of you have mentioned to\ \ Me separately that you\'ve been at your organization\ \ Fifteen sixteen eighteen years and\ \ So on right is to look back and identify what were the periods\ \ Of change i was doing a consulting engagement a little while\ \ Ago with a one of the large\ \ Utility company and it turns out that that security team had been\ \ Around for about the last fifteen years or so so when looking at what they were doing helping them come up with their updated strategic plan doing a gap assessment\ \ Part of what we did was put together a historical timeline of how the\ \ Team had evolved when they first started it\ \ Turned out that what we wound up categorizing it as kind of the era of i t\ \ It security because they were doing more of the technical it\ \ Related security activities and that was fine but as the team matured as regulatory requirements increased then it\ \ Moved into an era of regulatory compliance\ \ Right but we know we can\'t stop there so by the time that\ \ I got involved with them they said hey we need to then move into turn this into a technology risk technology risk function factoring in more of the business requirements right the changing and the changing technology and the changing threat landscape so\ \ As we looked\ \ Back right you know there\'s that steve\ \ Jobs saying you could only connect the dots looking backward you can\'t connect them looking forward right there was a clear evolution of that particular security team which is actually a similar journey that many of our security teams\ \ In general undergo over time as well now we mentioned this here right related to the\ \ History of computing the phases of computing over time\ \ Remember back then the earliest computers were mainframes right they would\ \ Be big gigantic computers that would take up entire rooms like this\ \ And then but it progressed to many computers pcs right\ \ Client server architecture and then you\'ve got the rise of\ \ The internet in the mid nineties now notice mobile why do we have mobile listed as\ \ Starting in two thousand and seven what happened in two thousand and seven\ \ The smartphone yes well now smart phones in general had been around well before two thousand seven but as adam\ \ Mentioned it was the iphone\ \ That\ \ Was introduced in two thousand seven that we used to mark the modern start of\ \ The modern smartphone era\ \ And then check it out what happened with artificial intelligence artificial intelligence has been around for years but why do we\ \ Mark twenty twenty two\ \ As the quote unquote start of the a i era what happened in\ \ November twenty twenty two\ \ Yeah we remember chad g p t was released now if you look at those dates now\ \ Roughly speaking each of these phases of computing right\ \ The height of the era of computing was approximately fifteen years\ \ Now\ \ Does that mean the prior technology goes away are do mainframe still exists today yes\ \ Of course many organizations still rely on mainframes so it\'s not that the prior technology goes away it\'s that\ \ The prior technology becomes usually eclipsed by what comes next in terms of number of endpoints number of devices number of systems right going from hundreds of thousands to billions and for gen a i we are still early right so we don\'t know yet know what all of the use cases are\ \ Going to be but many\ \ People think we think that it\'s going to become perhaps ubiquitous\ \ Right in terms of not just devices but gnai that type of\ \ Analysis will be happening kind of on\ \ An ongoing basis here similarly for users going from some smaller number of millions to now\ \ Billions right most\ \ Of the\ \ People in the world have mobile\ \ Devices now we mentioned this here in terms of the evolution of computing because\ \ Security history parallels right the history of\ \ Computing we mentioned the tie between it and security right nineteen seventy two the buffer overflow was first described it wasn\'t until many years later that the first big exploitation via the morris worm\ \ Right came\ \ Into actually being resulting in many outages at\ \ The time nineteen ninety six\ \ Some years later right alf one publishes right smashing the stack for fun and profit step by step guide for exploiting\ \ For overflow\ \ But if we mentally think about those years in relation to the history\ \ Of computing on the prior slide ah that\ \ Was the height of the pc error and as the\ \ Web the internet starts to become more\ \ Popular you get things like sql injection right you get things like cross site scripting\ \ Right that was announced that was a popularized by jeremiah grossman and robert arsene hansen in there at the time talk at the annual black hat conference in las vegas\ \ And a huge example of this was you guys remember the sami myspace worm\ \ Anybody had a myspace account back in the day nobody huh see it\'s kind of a long time ago right i\ \ Had one and it\ \ Allowed you\ \ To do ugly create\ \ Ugly home ages right with blink tags and ugly colored text and so on the most popular social network at the time with some three hundred million users sammy cankar created the first ever cross site scripting worm that automatically anytime somebody viewed his profile he would copy right the javascript code that he had uploaded to his profile to the\ \ Next person\'s profile that\'s why he wasn\'t worm he was self propagating\ \ And he would do\ \ Two things it would one automatically copy that code and two host the message sami is my hero and three right automatically add sammy as a friend as a connection created so much traffic on myspace at the time that it had to be temporarily shut down to get it to be cleaned up well now that\'s small potatoes because facebook has some billions of users now versus the three hundred million\ \ At the time and then who mentioned stuxnet earlier right that\ \ Was twenty ten i\ \ Had forgotten the year twenty ten well before target right few years\ \ Before target and the\ \ Closures\ \ So why do we talk about this\ \ If you don\'t have a security\ \ Team timeline like this in your back pocket in one of your decks i suggest you go and create this right because you want to show\ \ Just at a glance this shows the investments the organization has made and you have done in improving your security capabilities over the years now this doesn\'t mean you\'re not going to\ \ Use this\ \ Slide in every presentation but depending on the context of the conversation again you want to have this in your back pocket to include\ \ At the appropriate time to show how your security program has evolved\ \ Over the years it\'s generally pretty easy\ \ To come up with this and you\'re usually going to have the level of detail\ \ Is going to be similar to what you should what we show here on the slide\ \ And yours might be a little bit different maybe you did\ \ Network security endpoint security maybe you did cloud security earlier than others right but those are the bigger type of initiatives that you want to make sure that you highlight and take credit for and of course now twenty twenty four right the big thing\ \ That manny organizations are trying\ \ To figure out is\ \ What do we need to do about use of gen a i and corresponding gen a i\ \ Security when we get to the\ \ Policy section on day number three right we\'ve got a module on\ \ Ni and jnai security and how that\'s related to the policies that we might\ \ Want to\ \ Put\ \ In place as well\ \ Here\ \ We\'ve got another view of a timeline here\'s another example and we\'ve got the template for this in the google drive that\ \ I mentioned earlier today at ldr five one four dot com if you don\'t have a slide like this highly suggest putting something like it together because it shows at a\ \ Glance a number of different things one the business line\ \ It\'s the bottom\ \ Here is over the years your organization every organization has had\ \ To invest in technology not just for the sake of\ \ Technology but to meet various business outcomes why do you have a wireless network right to make it easier more convenient for your users why\ \ Do you have a web app why do you have mobile devices why do you have a mobile app to enable some new business functionality why do\ \ You move to the cloud right to enable new business features faster\ \ More effectively more efficiently perhaps more securely\ \ Right perhaps cheaper\ \ Right and why do organizations why are we starting to try to\ \ Figure out how to use gen ai to have people be more productive enable new business use cases but as you\ \ Adopt these new technologies what happens\ \ Your operational risk increases right because hey these\ \ Technologies they need to be secured you\'re you\'re your exposure increases as\ \ Well but what else is changing not only the\ \ Business landscape as is evidenced by the implementation of various technologies\ \ The threat landscape has been changing over the years as well\ \ It\'s no longer just basic threats adversaries get more advanced in terms of organized crime nation states advanced\ \ Persistent threats as well resulting in in the upper right hand corner usually a widening gap right between right\ \ The what you\ \ Have in place versus the threat landscape itself\ \ I\'ve done some versions of this presentation where i have a third line any\ \ Guesses everybody online feel free to chime into slack any guesses\ \ As to what the third line should be\ \ We\'ve got the changing business technology landscape we\'ve got the changing\ \ Threat landscape\ \ Ah charles mentions it yes exactly the mitigation specifically the controls\ \ Usually i have a line in here that is\ \ Some high level illustration of the controls usually at most of the places that i\'ve been at\ \ The controls line is below the business line the technology line because usually in a large organization hey we\'re trying to catch up the controls that we\'re trying\ \ To implement is trying to catch up do we have all of gen a i security figured out now\ \ No of course not right so we\'re lagging a little bit there\ \ Right in terms of figuring out how to secure that for\ \ Some amount of these controls maybe the line is going to be in between the controls line will be in between those because perhaps for some of them you\'ve got more mature controls in some areas but\ \ This is intended to be a\ \ Kind of visual and a high level representation to senior leadership showing hey why do you need to continue to invest in\ \ Security because the threat landscape is continuously changing and\ \ The business landscape\ \ And technology landscape is continuously changing as well\ \ All right so in summary we talk about this because turns out your business leaders they naturally understand the history of\ \ The organization that\'s why we right have to frame our overall work in the history of the various technology investments we\'ve made and the various business therefore\ \ Investments that have been made over the years along\ \ The way highlighting the accomplishments of this security team\ \ Now this brings us to our second fictional company which is thunderbolt as\ \ We progress through\ \ Section one and section two you guys are going to be reading portions\ \ Of the thunderbolt case starting here just momentarily in the notes to this page there\'s your first portion of the thunderbolt case that you\'re going to be reading as we mentioned before right this is a fictional company like fedex ups\ \ D h l large organization hundreds of thousands of employees around\ \ The\ \ World they are in the early phases of considering a cloud migration strategy\ \ And they\'re trying to work through this\ \ Right so in the notes to this page and when you turn the page right there\'s\ \ The one and a half page case study it takes approximately ten minutes to\ \ Read this case right some people read at different speeds that\'s ok i might take you a little bit less than ten minutes might take you a little bit more than ten minutes but once you read it\ \ Right that\'ll give you background about thunderbolt and\ \ Then what you\'re\ \ Going to do after you finish reading you\'re then going to turn your attention to the cyber forty two app\ \ On ranges io i\'m going to go\ \ Ahead and momentarily unlock event number one challenge number one for you so based on what you read and what is what is the question\ \ In the challenge event number one you\'re going to one discuss with your team and agree are\ \ You going to choose a b or c and then you\'re going to\ \ Have who\'s going to push the button\ \ Anybody on the team no only the chief button pusher right the\ \ Chief button pusher is going to push the button very important so i\'m going to unlock\ \ This right now\ \ Here in just a moment and then we\'re going to give you time to\ \ Read right the the case study and then we\'ll give you time\ \ To do this so i\'m going to check in check in here in twenty minutes and see if you need a little bit more time\ \ Hey just for everybody online i forgot to mention this\ \ I\'m going to be putting you guys in your teams in zoom breakout room so whenever you\'re do