Richard Staynings keynotes the Ohio Information Security Conference |
We need to get out of the reactive security operations mode that many organizations are stuck in. We need to get away from checking 'after-the-fact' logs of security events that tell us we were hacked over the weekend when no one was watching, and the perpetrators are now long gone. Oh, an incidentally, they got out with a whole heap of valuable information that is going cause the CEO to have to personally apologize to shareholders and to customers.
That was the message I gave to attendees during my keynote at the Ohio Information Security Conference yesterday in Dayton, Ohio.
We need to understand where our organization is from a operational security maturity and build a plan for the CEO to take us from a 're-active' posture to a 'pro-active' one using better tools than legacy SIEMs and log aggregators, to ones using big data, holistic monitors and threat intelligence. We need to get away from allocating a third of an FTE to managing the security operations of the organization to a 'round-the-clock' team of pro-active threat hunters or a managed service that can do that for us cheaper, better, faster using a leveraged resource cost model.
Just because additional budgets have not been assigned to improved security, doesn't mean that as technology or security leaders its not our jobs to assess, plan and design what is needed to protect the enterprise. Its our responsibility to make recommendations to the CEO so that the Board can make a well-informed decisions on risk - whether to accept, mitigate or transfer that risk. Regardless of whether our recommendations fall on deaf ears or not, and regardless of whether they result in improved security budgets, we have done our job as security leaders and covered our backsides. You can't do much more than that!
The 2016 OISC was held in Dayton Ohio this week |
Thanks also to ‘TechnologyFirst’ for organizing the event, along with all the sponsors for making it such a success. I wasn’t able to attend all of the presentations, but those that I did, were top notch, well thought-out, very insightful, and highly educational - even for those of us who have been playing in the security sandbox for many years!
There was hardly an empty seat in the house! And that, despite the competition from Bill Clinton, who was presenting at a political event just down the street. I’m sure the entrance price for the OISC was considerably better value however, than the ‘donation’ required to get you in front of Bill!
For those who asked, I have made my presentation available for reference. You can either view the slides using the built in slide viewer or can download a PDF.