Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security Challenges Done
0 likes318 views
Eugene Pilyankevich discusses common reasons why security projects fail and how to avoid those pitfalls. He argues that the root causes are often misaligned values, languages, and mental models between stakeholders. People also make poor risk decisions under pressure and uncertainty. To succeed, one must understand the domain, avoid fear-mongering, clearly communicate technical and business risks, take ownership of problems, and work to bridge gaps between clients and suppliers. It is important to lead throughout the organization and make the work fun by finding relevance.
Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security Challenges Done
- 1. Eugene Pilyankevich Chief Technical Officer, Cossack Labs GETTING SECURE AGAINST CHALLENGES OR GETTING SECURITY CHALLENGES DONE
- 2. # whoami (1997) -> #sprintnet, #x25zine, ru.nethack ;) (2002) -> security & network engineer. (2008) -> CTO in finance. (2012) -> C*O in software dev company. (2015) -> founder, CTO @ cossacklabs.com
- 3. Why security projects fail? ?
- 4. Problem 1
- 5. SOME STORIES TO START WITH Finnish SNAFU
- 6. SOME STORIES TO START WITH How to be smart and fail miserably.
- 7. CONCLUSIONS?
- 10. Nope.
- 11. ROOT CAUSE?
- 15. ROOT CAUSE –
- 16. ROOT CAUSE –
- 17. ( ) ROOT CAUSE – ? ? ? ? ? ?
- 20. People frequently suck at making risk decisions under pressure and uncertainty. Problem 1
- 22. Problem 2?
- 23. TWO MORE STORIES Banking fraud prevention.
- 24. TWO MORE STORIES Managing risk for real.
- 25. Business risk is the possibility a company will have lower than anticipated profits or experience a loss rather than taking a profit.
- 27. Problem 2 If you’re in an ivory tower, no one will bother listening.
- 28. Let’s take a closer look: client.
- 29. TAKE HARD CONTRACTS AND SURVIVE. - Excellence is domain-specific.
- 30. TAKE HARD CONTRACTS AND SURVIVE. - Excellence is domain-specific. - Knowledge is not distributed evenly.
- 31. TAKE HARD CONTRACTS AND SURVIVE. - Excellence is domain-specific. - Knowledge is not distributed evenly. - FUD doesn’t work.
- 32. TAKE HARD CONTRACTS AND SURVIVE. - Excellence is domain-specific. - Knowledge is not distributed evenly. - FUD doesn’t work. - Speaking in business risk - helps.
- 33. TRY WALKING IN CLIENT’S SHOES Auditing crypto libraries for fun and profit.
- 34. Domain-specific thinking High-level complex skills do not distribute across all behavior, and get reinforced locally.
- 35. FUD counteracts good decisions Scaring customer who’s facing the unknown leads to significant decrease in quality of decision-making.
- 36. Double-layered risk aversion Instead of mitigating technological risks (proper risk aversion), people avoid making decisions about technological risks they don’t understand.
- 37. Compliance and forget Avoiding substance of compliance to mitigate risks?
- 38. Quid faciam?
- 39. Let’s take a closer look: supplier.
- 40. supplier client
- 41. Who has to cross the gap?
- 42. You are to cross the gap.
- 43. Misalignment and misunderstanding is default state anyway. You are to cross the gap.
- 45. Own the problems
- 48. Communicate risk properly Technical risk, financial impact.
- 49. Communicate risk properly Technical risk, compliance impact.
- 50. Communicate risk properly Process risks with business impact.
- 51. Communicate risk properly Process risks with market impact.
- 52. Lead up the chain
- 53. Lead down the chain Lead up the chain
- 56. Examples: talk to your manager
- 57. Examples: talk to your customer
- 58. Examples Manager is a passthru with process lubrication capabilities, if you take care of the hard details.
- 59. Examples. Manager is pain in the ass, if you don’t take care of technical details.
- 60. Examples are sad
- 61. Praxis.
- 62. Talk human. - Docs & business materials.
- 63. Talk human. - Docs & business materials. - Talk to customers soon.
- 64. Take over processes. - Self-learning processes. - Reinforce ownership.
- 65. Love compliance. - PCIDSS, HIPAA, oldschool. - GDPR.
- 66. Avoiding domain specificity. - Multi-skilled team. - Boring smoothie tech is relevant.
- 67. Talk real risk.
- 68. Ain’t no fun unless you find it.