Archive for the ‘Leadership’ Category

Guest on PVC Security

PVC is short for Passion, Vision, Communication (& Execution) and is a leadership podcast hosted by Ed Rojas (@EdgarR0jas) and Paul Jorgensen (@prjorgensen). I am a fan of both of their leadership styles, and was pleased that they joined us at BSides Detroit 14. (The talk Ed gave, for example, landed one guy a job and helped another guy launch his own city sec group.) Ed and Paul had me on the podcast to discuss leadership, grandparenting, my strange love of Excel, and the adhocracy that is MiSec.
They also got me singing the intro. So, there’s that. Listen to the episode on iTunes or catch it here:

Security Culture Show – Making Plans

Yesterday, I joined Kai Roer and Mo Amin on the Security Culture Show. We discussed the SCF and, in particular, the planner. What are the corporate goals? What are the executive management goals? What are the technical goals and activities? By knowing this and knowing the desired end state, we can build a successful culture management program. People, process, and technology. In this episode, we dig deeper into these ideas and more.

Story-Driven Security and Threat Modeling

I continue to expand the Story-Driven Security concept that I discussed a few years back. Over the past six months, I have fleshed out its role in the security program (GrrCON), the method for creating the models (CircleCityCon), using those models to run incident response drills (GrrCON), and finally its use in driving change (BSides Chicago). Below are links to talks that cover these areas. Check it out, give it a try, and please provide me feedback.

Beautiful Models @ GrrCON 2013

We need beautiful models. Models attract and hold your attention. They excite you. They prompt action. And action, excitement, and focus are exactly what is needed to defend IT. By models, of course, we mean threat models. Intricate and beautiful, a good threat model tells a story. It indicates what we are protecting and where the attacks may come from. Done right, modeling highlights both the strengths and weaknesses of our IT. It becomes a means for strengthening and focusing our efforts. We need beautiful models to see what is and what could be. This session will explore threat modeling as part of the secure development lifecycle. A case study will be presented. The stories are real and only the names have been changed to protect the innocent. Beautiful Models answers the question: what is it that makes a threat model beautiful and actionable?

How to create an attack path threat model @ CircleCityCon

Everyone advocates for threat modeling. Few actually do it. This session aims to close that gap by demonstrating the #misec Attack Path methodology. First, we will select and analyze a security incident. Using threat modeling, we will break the incident down into the path the attacker followed through the network. Second, we will perform a table top exercise to identify the detective and preventative controls along that path. Using a controls assessment, we can determine our actual defense-in-depth for this particular attack. Third and finally, we will create a security exercise that tests the controls along the path. The session will conclude with a discussion of using the Attack Path for incident response drills.
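To make the controls assessment step concrete, here is an added example (not code from the talk or from #misec) that represents an attack path as an ordered list of steps, each tagged with the preventive and detective controls found during the table top exercise, and then derives the coverage gaps, the defense-in-depth for that path, and the list of control tests for the exercise. The five-step path and its control names are constructed sample data, not a real incident.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class PathStep:
    """One step of the attacker's path, reconstructed from the incident."""
    name: str
    preventive: List[str] = field(default_factory=list)  # controls meant to block the step
    detective: List[str] = field(default_factory=list)   # controls meant to alert on the step


# Constructed sample path (hypothetical steps and controls, not a real incident).
SAMPLE_PATH = [
    PathStep("phishing email delivered", ["mail filtering"], ["user reporting"]),
    PathStep("malicious attachment opened", ["macro policy"], ["EDR alert"]),
    PathStep("workstation credentials harvested", [], []),
    PathStep("lateral movement to file server", ["host firewall"], ["auth log monitoring"]),
    PathStep("data staged and exfiltrated", [], ["egress DLP"]),
]


def coverage_gaps(path: List[PathStep]) -> List[str]:
    """Steps with neither a preventive nor a detective control: the attacker passes unopposed."""
    return [s.name for s in path if not s.preventive and not s.detective]


def defense_in_depth(path: List[PathStep]) -> int:
    """Depth for this path: number of steps where at least one preventive control must be defeated."""
    return sum(1 for s in path if s.preventive)


def first_detection(path: List[PathStep]) -> int:
    """0-based index of the earliest step that can raise an alert, or -1 if the path is silent."""
    return next((i for i, s in enumerate(path) if s.detective), -1)


def exercise_plan(path: List[PathStep]) -> List[Tuple[str, str, str]]:
    """One test case per control, in the order the attacker would meet them along the path."""
    plan: List[Tuple[str, str, str]] = []
    for s in path:
        plan += [(s.name, "preventive", c) for c in s.preventive]
        plan += [(s.name, "detective", c) for c in s.detective]
    return plan


if __name__ == "__main__":
    print("gaps:", coverage_gaps(SAMPLE_PATH))
    print("depth:", defense_in_depth(SAMPLE_PATH), "first detection at step:", first_detection(SAMPLE_PATH))
    for step, kind, control in exercise_plan(SAMPLE_PATH):
        print(f"test {kind} control '{control}' at step '{step}'")
```

A step that shows up in the gap list is where the exercise should focus first, since no control along the path would stop or even notice the attacker there.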

Exercising with Threat Models @ GrrCon 2014

Now that we have a threat model, let’s cover using the model to create and execute security exercises.

Aligning Threats and Allies through Stories @ BSides Chicago 2014

Successful defense occurs when the interests of a security team’s stakeholders intersect with the attacker’s actions. This session provides a three-part management methodology to enable defense-in-depth through effective stakeholder and threat management. Internally, the method models the political power of our target audience, the audience coverage of our message, the timing, and the benefits used to influence our audience. Externally, the method models the attacker’s objectives, tactics, techniques, and mitigating controls. Using this story-driven security methodology, we can identify what our allies need, identify what our attackers want, and build business cases to satisfy one while thwarting the other.

(Updated: 2014-06-18 following CircleCityCon)
(Updated: 2014-10-18 following GrrCon)