Moving up the Security Maturity Curve - SecTor

Post on 08-Jan-2022


Transcript of Moving up the Security Maturity Curve - SecTor

Proprietary and confidential

Moving Up the Maturity Curve: The Sisyphean Task

INTRODUCTION

Jamie Hari – Director of Cloud & Security

• Managed Security Services Provider x 2
• DNS Security Vendor
• Video Surveillance & Analytics Vendor
• Enterprise Software / Financial / Telecom

• Technology Geek
• Comic Book Geek
• Music Geek
• Security Geek

10.4M Fiber Miles
124,000 Route Miles
49 zColo Data Centers
391 Markets Served

SECURITY MATURITY

Defining Security Maturity


SECURITY MATURITY

Maximize ROSI


SECURITY MATURITY

Technology Is Not the (Only) Answer


SECURITY MATURITY

Holistic Thinking

SECURITY MATURITY

Back to Basics

• Exhaustive?
• Up-to-Date?
• Automated?

HOW TO THINK ABOUT ROSI

ROSI Calculators

“It's a good idea in theory, but it's mostly bunk in practice. […] The key to making this work is good data.”

– Bruce Schneier

HOW TO THINK ABOUT ROSI

The Data Imperative


HOW TO THINK ABOUT ROSI

Beware the Cost of Free


ACCOUNTABILITY & RESPONSIBILITY

Consolidate Accountability


ACCOUNTABILITY & RESPONSIBILITY

Define, Educate, Reinforce

SECURITY PROGRAM ASSETS

Security Program Assets

• Security Team Skills Matrix
• IT / Internet AUP
• Asset Summary
• Application List
• BC/DR Plan
• Data Retention Policy
• Network Architecture Diagram
• Recent Vulnerability Assessment
• List of Applicable Compliance Standards

PASSWORD POLICY

Password Reuse

55%


PASSWORD POLICY

Rethink Password Dogma


PASSWORD POLICY

Password Management
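The slides name the problem (reuse, stale password dogma) but not the replacement policy. The following is an added example, not from the talk, showing what a rethought password check looks like under the assumption that the policy favours length over composition rules and screens every candidate against a breach corpus. The breached-password list, the range-index format (first five hex characters of the SHA-1 as the key, matching suffixes as the response) and the `check_password` / `is_compromised` function names are all constructed for this example; a real deployment would fetch the range from a breach-lookup service instead of the in-memory index.

```python
import hashlib
import hmac

MIN_LENGTH = 12  # assumption: a length-first policy with no character-class rules

# Constructed stand-in for a breached-password corpus (not real breach data).
BREACHED_PLAINTEXTS = [
    "password", "Password1", "qwerty123", "letmein",
    "Summer2021!", "welcome", "iloveyou1234567",
]


def sha1_hex(text: str) -> str:
    """Upper-case hex SHA-1, the hash form used by k-anonymity range lookups."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts) -> dict:
    """Index breached hashes by their 5-char prefix, mimicking a range lookup
    service: the client later sends only the prefix, never the full hash."""
    index: dict = {}
    for plain in plaintexts:
        digest = sha1_hex(plain)
        # Each entry is "SUFFIX:COUNT"; the count here is a placeholder.
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:1")
    return index


def range_lookup(index: dict, prefix: str) -> str:
    """Simulated range response: newline-separated suffixes sharing the prefix."""
    return "\n".join(index.get(prefix, []))


def is_compromised(password: str, index: dict) -> bool:
    """k-anonymity check: only the hash prefix leaves the client; the suffix
    comparison happens locally, in constant time."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(index, prefix).splitlines():
        candidate, _count = line.split(":", 1)
        if hmac.compare_digest(candidate, suffix):
            return True
    return False


def check_password(password: str, username: str, index: dict):
    """Return (accepted, reason). Rejects short, context-derived and
    already-breached passwords; imposes no composition or rotation rule."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if username and username.lower() in password.lower():
        return False, "contains the username"
    if is_compromised(password, index):
        return False, "appears in a breach corpus"
    return True, "ok"


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PLAINTEXTS)
    for pw in ["Summer2021!", "iloveyou1234567", "jhari-rides-bikes", "correct horse battery staple"]:
        print(pw, "->", check_password(pw, "jhari", idx))
```

The breach check is the piece that actually addresses the reuse statistic: a password that is long and unique to the user but already sitting in a credential dump is the one attackers will try first, and no complexity rule catches it.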


ROLE-BASED ACCESS CONTROL

Drive Efficacy, Reduce Human Error

SECURITY INCIDENT RESPONSE PLAN

Define, Educate, Reinforce

• Identify and continually monitor existing skills, missing skills, and single points of failure
• Part of the documented RACI
• Improved through measured repetition, just like fire drills

PARTNER SECURITY

Your Security Includes Their Security


SECURITY CULTURE

Resting Suspicious Face

ATTACK SURFACE

Use MFA Everywhere

• Many modern applications support it
• Simplified MFA tools, like Authenticator, provide improved UX
• Combined with SSO, further reduces password challenges

ATTACK SURFACE

Reduce Your Attack Surface

• Aggregate Internet ingress / egress
  • Less to manage, easier to monitor
• Remove bloatware from default system images
  • Less to patch, less to exploit
• Software
  • Deprecated / Custom APIs
  • Admin interfaces / Login and authentication entry points

Thank You