Description: Slides: http://www.sourceconference.com/publications/bos12pubs/pfost%20Source_Bos.final.pptx
No Victims Allowed. We're not talking about consumers, we're talking about security pros who think business leaders don't understand infosec risk or provide sufficient resources to manage it. This session presents a case study on techniques security pros can use to avoid feeling sorry for themselves: measuring and communicating risk. We've been working on identifying a population of outcome-based metrics that matter to business owners, reduce incidents, and provide visibility into actual vs. expected operational performance. We'll share examples of how to communicate risk priorities to drive spending decisions. We'll show examples of communicating single-event risks (e.g. SQLi to dump records) and multiple-event scenarios (e.g. social engineering -> custom malware -> access management -> data egress). The result is executive leadership who understand the expected outcomes of their spending decisions and a security team who take pride in having facilitated an evidence-based risk decision.
Jared brings 17 years of infosec experience to Third Defense, which he co-founded on the belief that effective management, not more technology, is the key to managing risk. Jared's career combines working in IT security teams and consulting with designing and shipping software across startups, banking, and technology. Jared is a self-proclaimed process nut and has demonstrated that you don't need unlimited resources to run a measurable, accountable, and effective security shop.
Tags: securitytube, hacking, hackers, information security, convention, computer security, SOURCE-boston-2012
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.