Enterprise IT Security | CIO Innovation and Leadership
TRANSCRIPT
Exponential Technologies 101
Enterprise IT Security
CIO Innovation and Leadership
Presenter: Bill Murphy
Exponential Technologies 101
• Artificial Intelligence (AI)
• Machine Learning & Deep Learning
• Robotics
• Biotechnology & Bioinformatics & Digital Biology
• Virtual Reality & Augmented Reality
• Energy & Environmental Systems
• Medicine & Neuroscience
• Nanotechnology & Digital Fabrication (3D Printing)
• Blockchain
• Networks & Computing Systems (IT Security)
What is an Exponential Technology?
Offense and Defense
Shola – United Therapeutics
BRANDING
Shola – United Therapeutics
Exponential vs Linear
4DS OF EXPONENTIALS
DECEPTIVE TO DISRUPTIVE
DIGITIZE, DEMATERIALIZE, DEMONETIZE, DEMOCRATIZE
Disruptive Stress /Opportunity
Awareness
Self Awareness
Examples of Disruption
Solid and Stable
Disruptive
What is a Disruptive Tech?
• Blackberry and Nokia
• Tesla and Automotive
Books to Help + Resources
• SU DC Chapter - singularityudc.com
• Singularity University – su.org
• Singularity HUB – singularityhub.com
• Daniel Burrus - www.burrus.com
• Exponential Organizations – exponentialorgs.com
With all the opportunities that Exponentials bring there are Risks. Big Risks:
1. Governance
2. Ethics
3. Privacy
4. Complexity
TRANSITION TO DEFENSE
DEFENSE – Enterprise IT Security
Qualitative vs Quantitative
Health
Dr ordered - reluctantly
• Food Panel – Allergy
• Hematology
• Metabolic Chemistry
• Lipid profile
• Hormones
• Urinalysis
• Vitamins etc
Symptoms
• Mental Fog
• Mood Variability
• Joint Pain
Frontiers of Optimal Performance &Human Potential
• Firewalking 7x
• Active Spartan race training
• Cold water immersion via Wim Hof
• Blackbelt
• Survival School
• Kiting and windsurfing
• Coaching Travel Soccer
• IronMan x2
• 2 x ½ IronMans
• Meditation/Mindfulness (MBSR, Thich Nhat Hanh)
• Personal and Team Flow States Experiments (Steven Kotler)
• Innovation at the edge – Design Thinking (SU)
2015
The Plan
• Primary Target, Time Frame, Re-test
• Diet to deal with inflammation
• Exercise – Mobility, Strength
• Vitamins
• Meds
• Testing
• Execution
• Follow-up and Follow-Thru
Am I Done?
• You only saw a 2015 Food Allergy Panel. Where is the 2016 Comparison?
• What about the stool sample?
• Year after Year. Massively Proactive.
• Rinse and Repeat
So What About Enterprise IT Security?
Back To Qualitative and Quantitative
• Marry Qualitative and Quantitative
• Evidence Based
• Building Defensible Arguments/Plans
Security Defense Strategy
Whack-a-Mole?!
COMPREHENSIVE IT SECURITY HEALTH PANEL
Second Priority
COMPREHENSIVE IT SECURITY HEALTH PANEL
(1) External Facing Systems
(2) Firewall Internal Systems (systems used by employees, mail services, ActiveSync, VPN, etc.)
(3) Do your company PCs have an anti-virus program?
EXECUTION PLAN – IT ROADMAP - PRIORITIZATION
Year Over Year Comparison
When you spend a $, what boats are affected?
• External Facing Systems (systems used by the external public/customers)
  – Do you have an up-to-date list of all systems presented to the public or customers, including services in use?
    • How many are there? (answer the next set by number, based on the yes count)
  – Are the front-end user interfaces behind an application filter security device with active blocking capability beyond a layer 3/4 firewall?
  – Does the application filter block all high-risk issues?
  – Does the application filter block all medium-risk issues?
  – Do you have any exceptions for sites or subsites on the application filter?
  – Does this system terminate SSL or encryption?
  – Is the application or DB tier in a different zone/subnet/across a security boundary?
  – Is the communication between the front end and the next tier unencrypted so the security systems can review cross-tier traffic?
  – Do you formally audit to ensure that these settings are active and working?
    • Monthly
    • Quarterly
    • Yearly
• Firewall Internal Systems (systems used by employees, mail services, ActiveSync, VPN, etc.)
  – Are all non-security devices behind a firewall?
  – Is the firewall a full UTM with services active and in automated blocking mode for high-risk items?
  – Is the firewall a full UTM with services active and in automated blocking mode for medium-risk items?
  – Are all inbound rules configured explicitly in at least two of the following: source, destination and protocol?
  – Do you formally audit to ensure that these settings are active and working?
    • Monthly
    • Quarterly
    • Yearly
• Anti-Virus PC
  – Do your company PCs have an anti-virus program?
  – How often are definitions updated?
    • Multiple times a day
    • Daily
    • Weekly or more
  – Do you run centrally managed antivirus?
  – Are alerts for viruses, service failures, and update problems sent to staff?
  – Do you exclude any PC from AV?
  – What percent of systems are covered (i.e. do you skip Macs, Linux, etc.)?
  – How often do you check for gaps in coverage?
    • Weekly
    • Monthly
    • Quarterly
  – How often do you audit scanning exclusions for files and processes?
    • Quarterly
    • Twice a year
    • Yearly
  – Is there an approval process prior to allowing exclusions?
• Email Encryption and DLP
  – Do you have a system that automatically audits mail messages for context-driven content (PII, PCI, Confidential, etc.)?
  – Do you formally audit to ensure that the system is active and working?
    • Monthly
    • Quarterly
    • Yearly
  – Can anyone opt out of the system?
  – Does the system encrypt, reject, or redact ALL emails that fail the automatic audit?
  – Does the system allow external parties to initiate and reply in an encrypted fashion?
  – Do you formally audit the policies in use and look for gaps?
    • Monthly
    • Quarterly
    • Yearly
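As an added example (not from the presentation or its author), here is one way to turn the panel above into the evidence-based, year-over-year comparison the deck calls for: each question carries an assumed risk weight, audit frequencies map to an assumed ordinal scale, and two constructed answer sets are scored and diffed so that regressions and still-open high-risk gaps fall out of the data rather than out of opinion. Question ids, weights, the scale and both answer sets are this example's assumptions.

```python
"""Year-over-year scorer for the comprehensive IT security health panel.

Added example, not the presenter's own tool. The questions are condensed from
the panel above; the risk weights, the frequency scale and the two answer
sets are assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Ordinal scale for the "how often do you audit" questions (assumed).
FREQUENCY_SCORE = {"monthly": 1.0, "quarterly": 0.75, "yearly": 0.5, "never": 0.0}


@dataclass(frozen=True)
class Question:
    qid: str
    domain: str
    kind: str    # "yesno" or "frequency"
    weight: int  # assumed risk weight: 3 = high, 2 = medium
    text: str


PANEL = [
    Question("ext.inventory", "external", "yesno", 3, "Up-to-date list of all public-facing systems and services?"),
    Question("ext.appfilter", "external", "yesno", 3, "Front ends behind an application filter with active blocking beyond a layer 3/4 firewall?"),
    Question("ext.block_high", "external", "yesno", 3, "Application filter blocks all high-risk issues?"),
    Question("ext.block_medium", "external", "yesno", 2, "Application filter blocks all medium-risk issues?"),
    Question("ext.tier_zones", "external", "yesno", 2, "Application/DB tier in a different zone or subnet?"),
    Question("ext.audit", "external", "frequency", 2, "Formal audit that these settings are active and working"),
    Question("fw.all_behind", "firewall", "yesno", 3, "All non-security devices behind a firewall?"),
    Question("fw.utm_high", "firewall", "yesno", 3, "Full UTM with automated blocking for high-risk items?"),
    Question("fw.explicit_rules", "firewall", "yesno", 2, "Inbound rules explicit in at least two of source, destination, protocol?"),
    Question("fw.audit", "firewall", "frequency", 2, "Formal audit that firewall settings are active and working"),
    Question("av.central", "antivirus", "yesno", 3, "Centrally managed antivirus?"),
    Question("av.alerts", "antivirus", "yesno", 2, "Alerts for viruses, service failures and update problems sent to staff?"),
    Question("av.exclusion_approval", "antivirus", "yesno", 2, "Approval process before allowing exclusions?"),
    Question("av.gap_check", "antivirus", "frequency", 2, "Check for gaps in AV coverage"),
    Question("dlp.auto_audit", "email", "yesno", 3, "System automatically audits mail for PII/PCI/confidential content?"),
    Question("dlp.no_optout", "email", "yesno", 2, "Nobody can opt out of the system?"),
    Question("dlp.policy_audit", "email", "frequency", 2, "Formal audit of the policies in use, looking for gaps"),
]


def question_score(q: Question, answer) -> float:
    """Yes/no answers score 1 or 0; audit frequencies score on the ordinal scale.
    A missing answer counts as the worst case, so unknowns show up as gaps."""
    if q.kind == "yesno":
        return 1.0 if answer is True else 0.0
    return FREQUENCY_SCORE.get(str(answer).lower(), 0.0)


def score_panel(answers: dict) -> dict:
    """Weighted percentage per domain plus an overall figure."""
    got, possible = {}, {}
    for q in PANEL:
        got[q.domain] = got.get(q.domain, 0.0) + q.weight * question_score(q, answers.get(q.qid))
        possible[q.domain] = possible.get(q.domain, 0) + q.weight
    result = {d: round(100 * got[d] / possible[d]) for d in got}
    result["overall"] = round(100 * sum(got.values()) / sum(possible.values()))
    return result


def compare_years(prev: dict, curr: dict) -> dict:
    """Year-over-year diff: what improved, what regressed, and which
    high-weight questions are still not fully satisfied."""
    out = {"improved": [], "regressed": [], "open_high_risk": []}
    for q in PANEL:
        before = question_score(q, prev.get(q.qid))
        after = question_score(q, curr.get(q.qid))
        if after > before:
            out["improved"].append(q.qid)
        elif after < before:
            out["regressed"].append(q.qid)
        if q.weight == 3 and after < 1.0:
            out["open_high_risk"].append(q.qid)
    return out


# Constructed answer sets for two consecutive years (not real assessment data).
ANSWERS_2015 = {
    "ext.inventory": False, "ext.appfilter": True, "ext.block_high": True,
    "ext.block_medium": False, "ext.tier_zones": True, "ext.audit": "yearly",
    "fw.all_behind": True, "fw.utm_high": False, "fw.explicit_rules": True, "fw.audit": "never",
    "av.central": True, "av.alerts": False, "av.exclusion_approval": False, "av.gap_check": "quarterly",
    "dlp.auto_audit": False, "dlp.no_optout": False, "dlp.policy_audit": "never",
}
ANSWERS_2016 = dict(ANSWERS_2015, **{
    "ext.inventory": True, "ext.audit": "quarterly",   # inventory built, audits tightened
    "fw.utm_high": True, "fw.audit": "quarterly",
    "fw.explicit_rules": False,                        # regression: a broad inbound rule crept in
    "av.exclusion_approval": True,
    "dlp.policy_audit": "yearly",                      # DLP still not deployed; policy reviewed once
})

if __name__ == "__main__":
    for year, answers in (("2015", ANSWERS_2015), ("2016", ANSWERS_2016)):
        print(year, score_panel(answers))
    print(compare_years(ANSWERS_2015, ANSWERS_2016))
```

The point of the diff is the third list: a domain score can rise while a weight-3 question stays open, which is exactly the case the deck's Action Plan Step 2 describes (email DLP recommended but not yet in place).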
My Vision for You is to Reign in Complexity
But this is only a Blood Panel... What do you do about it?
Overall Gaps
• Based on the review, a lot of good, mature security technologies exist; however, the following is required:
  – Additional implementation work is required to realize the full impact of the solution
  – Review system X to ensure intended use is in line with the current state of the system. Currently this is not the case
  – A proactive process for managing security systems A, B and C needs to be developed in order to ensure security
Action Plan Step 1
• Concentrate on validating and hardening what is in place
  – Perform a user account audit
  – Perform an edge security audit
  – Enable Varonis to provide proactive security
  – Enable Secret Server to harden the environment
Action Plan Step 2
• Two technologies that can be added to bolster security, especially if HIPAA compliance is desired
  – Endpoint security for USB device security
  – ZixGateway for Email Encryption and DLP
Sample Deliverables
• Varonis Data Governance (steps needed to complete the install)
• Thycotic Gap Comparison
• Edge Assessment +
• AD / Account Audit
• Road Map – with Priority
Data Gov Eg
Thycotic Eg
Edge AD Account
Roadmap
Audit/Compliance
Regulators/Regulations
FFIEC, PCI, DoD, HIPAA, etc
Standards
Staff
Gartner
Vendors
Consultants
Business Framework
ExO CIO Business IT Framework
Framework
• What happens when you lose your CFO or Accounting Manager?
Versus
• What happens when you lose your CIO, CISO, VP IT, Manager IT, etc
Common Language of Business
• Debits and Credits
• Income Statement and Balance Sheet
• P&L
Align Proper Business Expectations
Does your VP of Sales guarantee revenue?
Where in your business do you have guarantees?
Premiums to Mitigate Risk
The Role of Transparency
• Defensible
• Logical
Powerful Leadership
Governance (Governing) and Risk
Forget Big Data – Think Little Data... With Context
Thunder & House & Squirrel
DAR Scan – Data at Rest Scan
Being Governed vs The Governor
How Is Data Lost?
• Employee post to share drive
• Employee shares with vendor
• Employee theft
• Employee accident
• Malware/Virus
• Social Media
• Hacking attack (Spear Phishing)
• Social Engineering
• USB
Incidents by File Type
Policy | File Type | Hits | Number of Files
Customer List | Adobe PDF | 1846 | 90
Customer List | Email Message File (MIME, EML) | 1071 | 43
Customer List | HTML | 311 | 16
Customer List | Microsoft Excel | 73842 | 360
Customer List | Microsoft PowerPoint | 125 | 6
Customer List | Microsoft Word | 1258 | 34
Customer List | Plain Text | 7539 | 55
D_CCN (pattern) | Adobe PDF | 479 | 3
D_CCN (pattern) | Microsoft Excel | 146 | 144
D_CCN (pattern) | Plain Text | 1442 | 5
D_SSN (pattern) | Adobe PDF | 2264 | 7
D_SSN (pattern) | Microsoft Excel | 180 | 93
D_SSN (pattern) | Microsoft PowerPoint | 2 | 1
D_SSN (pattern) | Microsoft Word | 1 | 2
D_SSN (pattern) | Other Word Processors | 1 | 1
D_SSN (pattern) | Plain Text | 63 | 3
Example of Incidents
Incidents Made in the Last 90 Days
File Creation Time | File_Share | Policy | Hits | Number of Files
7/28/2012 1:12:00 AM | BadFileServer\\customers\\BIGEFCU\\Audit | Customer List | 14 | 1
8/3/2012 2:43:00 PM | BadFileServer\\customers\\NurseFirst Cor | Customer List | 87 | 1
8/29/2012 11:35:00 PM | BadFileServer\\customers\\UniversityFCU\ | Customer List | 92 | 3
9/11/2012 11:44:00 PM | BadFileServer\\marketing\\Partners\\Blue | Customer List | 35 | 1
9/6/2012 11:49:00 PM | BadFileServer\\marketing\\Partners\\GTB | D_SSN (pattern) | 1 | 1
9/6/2012 11:50:00 PM | BadFileServer\\BLD\\_BLD_Reports\\XYZ\\C | D_CCN (pattern) | 239 | 1
9/6/2012 11:50:00 PM | BadFileServer\\BLD\\_BLD_Reports\\XYZ\\C | D_SSN (pattern) | 381 | 1
10/4/2012 5:55:00 PM | BadFileServer\\BLD\\_BLD_Reports\\XYZ\\C | D_SSN (pattern) | 500 | 1
10/4/2012 11:41:00 PM | BadFileServer\\BLD\\_BLD_Reports\\XYZ\\C | D_SSN (pattern) | 500 | 1
9/6/2012 11:50:00 PM | BadFileServer\\MKT\\_MKT_Reports\\XYZ\\S | Customer List | 16 | 1
10/2/2012 11:48:00 PM | BadFileServer\\MKT\\_MKT_Reports\\XYZ\\S | Customer List | 17 | 1
8/9/2012 11:45:00 PM | BadFileServer\\MKT\\MKT Customers\\123 F | Customer List | 38 | 1
9/6/2012 11:51:00 PM | BadFileServer\\MKT\\MKT Customers\\123 F | Customer List | 74 | 1
Example of Incidents
Full Incident Report
File_Share | Policy | File | File Path
BadFileServer\\operations\\Docs | D_SSN (pattern) | AprilMainZix.xlsx | BadFileServer\\operations\\Docs\\Documents.bak\\ZixMain\\2010
BadFileServer\\marketing\\CIOES | D_SSN (pattern) | Sales_OldStuff.zip/Golf Outing_June27.doc | BadFileServer\\marketing\\CIOES
BadFileServer\\marketing\\CIOES | Customer List | Sales_OldStuff.zip/VMware Attendance List CIOES.xls | BadFileServer\\marketing\\CIOES
BadFileServer\\marketing\\CIOES | Customer List | Sales_OldStuff.zip/Sept Sales email blast.doc | BadFileServer\\marketing\\CIOES
BadFileServer\\marketing\\CIOES | Customer List | Sales_OldStuff.zip/Rockville List from Vania March 02.xls | BadFileServer\\marketing\\CIOES
(The Incidents and Files count columns of this report are not legible in the transcript.)
Example of Incidents
Incidents by File Share
File_Share | Policy | Incidents | Files
BadFileServer\\accounting | Customer List | 144 | 1
BadFileServer\\accounting\\Archive | D_CCN (pattern) | 139 | 139
BadFileServer\\accounting\\Archive | D_SSN (pattern) | 170 | 85
BadFileServer\\accounting\\Archive\\2005 | D_SSN (pattern) | 5 | 1
BadFileServer\\accounting\\Const_Assoc\ | Customer List | 288 | 18
BadFileServer\\accounting\\Sherrie | Customer List | 1000 | 1
BadFileServer\\accounting\\Sherrie | D_SSN (pattern) | 1 | 1
BadFileServer\\customers\\_InActive_Clie | Customer List | 276 | 13
BadFileServer\\customers\\_InActive_Clie | D_CCN (pattern) | 1 | 1
BadFileServer\\customers\\123FCU\\contra | Customer List | 70 | 4
BadFileServer\\customers\\ABC\\_Network_ | Customer List | 12 | 1
BadFileServer\\customers\\ABC\\Assessmen | Customer List | 60 | 2
BadFileServer\\customers\\Alpha Systems | Customer List | 15 | 1
BadFileServer\\customers\\XYZ\\SSL_VPN | Customer List | 12 | 1
BadFileServer\\customers\\StateDep\\Statu | Customer List | 237 | 1
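The incident tables above are output from a commercial data-at-rest scanner. As an added example that is not the presenter's tool, the following script shows the mechanics behind such a report: pattern policies for SSNs and card numbers (with a Luhn check so random digit runs do not inflate the hit count), a simple "Customer List" policy, and the roll-ups by file share and by file type that the slides display. The file paths, file contents, policy rules, threshold and file-type mapping are all constructed assumptions; only the policy names are taken from the slides.

```python
"""Data-at-rest (DAR) scan aggregator producing the per-share and
per-file-type views shown on the slides.

Added example, not the presenter's scan tool (the slide tables come from a
commercial product). File paths and contents below are constructed; policy
names mirror the slides (D_SSN, D_CCN, Customer List) but the detection rules
and the file-type mapping are this example's own assumptions.
"""
import ntpath
import re
from collections import defaultdict

# D_SSN: ddd-dd-dddd, excluding area numbers that are never issued (000, 666, 900-999).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# D_CCN: 13-16 digits, optionally separated by single spaces or hyphens.
CCN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CUSTOMER_LIST_MIN_EMAILS = 3  # assumed threshold for the "Customer List" policy

FILE_TYPES = {".pdf": "Adobe PDF", ".eml": "Email Message File (MIME, EML)",
              ".html": "HTML", ".xls": "Microsoft Excel", ".xlsx": "Microsoft Excel",
              ".ppt": "Microsoft PowerPoint", ".pptx": "Microsoft PowerPoint",
              ".doc": "Microsoft Word", ".docx": "Microsoft Word", ".txt": "Plain Text"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops most random digit runs (ticket or phone numbers)
    that merely look like card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:            # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def policy_hits(text: str) -> dict:
    """Map policy name -> hit count for one file's content."""
    hits = {}
    ssn = SSN_RE.findall(text)
    if ssn:
        hits["D_SSN (pattern)"] = len(ssn)
    ccn = [m for m in CCN_RE.findall(text) if luhn_ok(re.sub(r"\D", "", m))]
    if ccn:
        hits["D_CCN (pattern)"] = len(ccn)
    emails = set(EMAIL_RE.findall(text))
    if len(emails) >= CUSTOMER_LIST_MIN_EMAILS:
        hits["Customer List"] = len(emails)
    return hits


def scan(files):
    """files: iterable of (windows_path, content). Returns per-incident rows plus
    (hits, files) roll-ups keyed by (share, policy) and by (file type, policy)."""
    by_share = defaultdict(lambda: [0, 0])
    by_type = defaultdict(lambda: [0, 0])
    incidents = []
    for path, content in files:
        share = ntpath.dirname(path)              # share = containing folder, as on the slides
        ftype = FILE_TYPES.get(ntpath.splitext(path)[1].lower(), "Other")
        for policy, n in policy_hits(content).items():
            incidents.append((share, policy, ntpath.basename(path), n))
            for table, key in ((by_share, (share, policy)), (by_type, (ftype, policy))):
                table[key][0] += n
                table[key][1] += 1
    return {"incidents": incidents,
            "by_share": {k: tuple(v) for k, v in by_share.items()},
            "by_type": {k: tuple(v) for k, v in by_type.items()}}


def triage(by_share: dict) -> list:
    """Order shares for clean-up: many affected files first, then raw hit count."""
    return sorted(by_share.items(), key=lambda kv: (-kv[1][1], -kv[1][0]))


# Constructed (path, content) pairs standing in for a file-share walk.
SAMPLE_FILES = [
    (r"BadFileServer\accounting\Archive\payroll_2005.xlsx",
     "Name,SSN\nA Smith,123-45-6789\nB Jones,545-67-8901\n"),
    (r"BadFileServer\accounting\Archive\refunds.txt",
     "4111111111111111 refund 12.00\n5500000000000004 refund 30.00\n"
     "ticket 1234567890123 phone 202-555-0100\n"),       # ticket number fails Luhn
    (r"BadFileServer\marketing\CIOES\event_list.xls",
     "a@example.com, b@example.com, c@example.com, d@example.com"),
    (r"BadFileServer\marketing\CIOES\golf.docx", "Tee time 9 am, bring 12 clubs"),
    (r"BadFileServer\customers\SSL_VPN\notes.txt", "escalation: ops@example.com"),
]

if __name__ == "__main__":
    report = scan(SAMPLE_FILES)
    for (share, policy), (hits, files) in triage(report["by_share"]):
        print(f"{share:40} {policy:18} hits={hits:5} files={files}")
```

Triage by number of affected files before raw hits: on the slides, accounting\\Sherrie shows 1000 Customer List hits in a single file, while accounting\\Archive shows 139 card-number hits across 139 files; the second is the broader clean-up problem even though its hit count is lower.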
HIPAA, NIST/DoD (since we are a downstream contractor), NCUA, PCI, SOC compliance
Technical Framework
OFFENSE
• Study top Disruptors in your field
Exponential Technologies
• IT Security and Networks
• Robotics
• Artificial Intelligence
• Virtual Reality / Augmented Reality
• Deep Learning & Machine Learning
• Neuroscience
• Biomedicine & Digital Biology
• Energy and Environmental Systems
• Blockchain
• 3D Manufacturing / Printing
• Nanotechnology
• IoT and Big Data
• Algorithms & APIs
Exponentials in the Health Field
Pay Attention to Blockchain
“The Smartest People in the WorldDon’t Work for You”
Measure Your Organizational Readiness to Innovate
• Visualize this
• Are you leaning into disruption or playing afraid?
(Readiness scale shown on the slide: 10, 5, 1)
Software is Eating the World
Quote “Everything that Humans are Inefficient at will be eaten by Software.”
APIs & Algorithms
NIH – Gut Health - Microbiome
Micro- Experiments
• NIH data sets – Gut Health example
• Fail fast and forward
• Push projects to the edge. Starve the edge.
• Start small with innovation pockets / Labs
• Apply Design Thinking & Lean Startup Mentality
• Align with people who have entrepreneurial tendencies within the company
• Principle of Innovation at the edge of the company
Staffing to Build Expertise
Community and Crowds
Bigger Thinking - Exponential
World Wide Expansion
MTP – Massive Transformational Purpose
• Identify and avoid corporate anti-bodies
• Pay attention to when you disbelieve, to avoid being disrupted during the curve when the technology seems odd or weird
What to Avoid
Summary – Offense Take-aways
• Learn to play offense - Join an innovation group like mine or someone else's
• Be surrounded by ideas and people who think similarly
• You are the average of the 5 people you hang around
• Build systems at the edge
• Avoid corporate anti-bodies
• Pay attention to Lean and Design Thinking as it applies to innovation (Joy, Inc, Exponential Org)
• Forget Big Data – Think Little Data
• Understand who your disruptors are: technologies in Health? Disruptive business practices, communities, blockchain, algorithms, & APIs
Offense Take-aways
• You don’t need permission to add revenue...
• Are you retiring in the next 5 years?
• It is a mindset first (for you), then a culture thing
• Neuroscience – The Brain of a Leader thinking Exponentially
• IoT & Dashboards
• Remember - role of offense and defense
• Financial Statements of the business – Point in Time versus Progress over Time.
Defense Take-aways
• Play defense hard. Don’t play ping pong. Settle into strategy and risk, which will drive all tactical execution.
• Embrace IT Security complexity with strategy. Eliminate overlapping technology confusion. Data Governance, privacy, risk – understand context.
• Flush out unnecessary costs
• Create Defensible Arguments/Plans
• Forget Big Data – Think Little Data
• Take a multi-year approach
Bill’s BIO & How to Contact Me?
World Class IT Security, Strategic and Tactical Thought Leadership for Enterprise IT Business Leaders, Intra-preneurs, Entrepreneurs, Innovation, Design Thinking, Creativity, Frontiers of Human Performance, Breakthroughs in Neuroscience, & Exponential Technologies
CIO Security Scoreboard
CIO Innovation Insider Group Meetings
Insider Updates Weekly Report
Singularity University Washington DC Chapter Ambassador
Examines Disruptive and Exponential Technologies by looking at how they can be used to improve the lives of a billion people
Bill: [email protected]
@exoitleader
www.redzonetech.net
www.cioscoreboard.com