Building Tomorrow's Security Leaders

DESCRIPTION

The final frontier of information security remains the elusive challenge of securing the ultimate vulnerability: people. To fix this vulnerability we must build organizations that engage people and make them care about the protection of the business. Servant Leadership is a management strategy that can dramatically improve employee engagement and subsequently create a more secure work environment.

ANITIAN: intelligent information security

BUILDING TOMORROW’S SECURITY LEADERS

MEET THE SPEAKER – ANDREW PLATO

• President / CEO of Anitian
• 20 years of experience in IT & security
• Completed thousands of security assessments & projects
• Discovered SQL injection in 1995
• Helped develop first in-line IPS engine (BlackICE)
• Co-developed RiskNow™ - Rapid Risk Assessment approach
• Championed movement toward practical, pragmatic information security solutions

ANITIAN

• We enlighten, protect and empower great security leaders.
• We believe security will make the world a better place.
• Security intelligence services:
  • Compliance (PCI, HIPAA, NERC, etc.)
  • Risk Assessment
  • Penetration testing
  • Incident response
  • Security integration
  • Managed threat intelligence

OVERVIEW

Intent
• Discuss the importance of leadership on organizational security
• Define the qualities of a great security leader

Outline
1. The Security Leadership Challenge
2. Foundation of Trust
3. Qualities of Great Leaders


SECURITY LEADERSHIP CHALLENGE

Logic clearly dictates that the needs of the many outweigh the needs of the few… or the one.

- Spock, Star Trek II: The Wrath of Khan


I just want to do the right things

SCHIZOID SECURITY

Please care about security…

…but don’t care about security


MOST DANGEROUS THREAT TO A BUSINESS

PEOPLE

INDIGNATION IS NOT INSPIRING

The Very Important Corporation possesses information that is sensitive and valuable, e.g., personally identifiable information, financial data, building plans, research, and other information considered sensitive. Some information is protected by federal and state laws or contractual obligations that prohibit its unauthorized use or disclosure. The exposure of sensitive information to unauthorized individuals could cause irreparable harm to the Very Big and Extremely Important Company or its board members, and could also subject the Company to fines or other government sanctions. Additionally, if Company information were tampered with or made unavailable, it could impair the Company’s ability to make wads of cash. The Oh So Massively Huge and Phenomenally Important Company therefore requires all employees to diligently protect information as appropriate for its sensitivity level.

COMPLIANCE ROCKS!


The Golden Circle

Simon Sinek: www.startwithwhy.com

SECURITY LEADERSHIP MUST EVOLVE

• Programs that empower
• Audits that fuel growth and improvement
• Controls that truly protect
• Policies with vision
• Shared values
• High-value, high-trust relationships

PEOPLE NEED PURPOSE

• Engaged employees are more likely to:
  • Take responsibility
  • Be accountable
  • Focus on results over effort
  • Keep commitments
  • Do the right things
  • Protect and care about the business
  • Grow and mature

• We need people with a stake in the business

A leader is best when people barely know he exists; when his work is done, his aim fulfilled, they will say: we did it ourselves.

- Lao Tzu

VIRTUOUS CYCLE OF ENGAGED EMPLOYEES

(Cycle diagram; the nodes, in order, are:)

• Great Leader
• Engaged Employees
• Informed Decision Making
• Better Practices
• Effective Controls
• Authentic Care
• Innovation, Growth, Prosperity

FOUNDATION OF TRUST


HIGH-TRUST ENVIRONMENT

• Trust is the fuel, energy, currency, and foundation of security leadership

• Trust is the bedrock of security and leadership

• Trust can polarize

1. COMMUNICATE CLEARLY

DO
• Always be honest
• Use simple, direct language
• Say it like it is
• Start with why

DO NOT
• Lie, deceive
• Ignore issues
• Manipulate through deception

2. BE TRANSPARENT

DO
• Share openly, be authentic
• Declare your intent
• Admit your mistakes, solicit feedback
• Be honest about why you cannot be open sometimes

DO NOT
• Hide, cover up information
• All talk, no action
• Hoard information

3. CONFRONT HARD TRUTHS

DO
• Acknowledge weaknesses
• Solicit feedback
• Conduct rigorous tests and audits
• Share results openly
• Make everybody aware of the problems

DO NOT
• Hide weaknesses
• Cover up problems
• Conduct meaningless check-box type tests

4. RIGHT WRONGS

DO
• Fix the problem
• Apologize quickly and make restitution
• Be humble, respect differences

DO NOT
• Blame others
• Avoid problems

5. COMMIT

DO
• Only make commitments you can keep
• Make things happen, deliver real, tangible results
• Terminate people who cannot deliver results

DO NOT
• Make commitments you cannot keep
• Deliver activity or busywork
• Keep underperforming employees; they are toxic

6. BE AGILE

DO
• Constantly grow, improve, and mature
• Push people outside of their comfort zones
• Make change the normal
• Cross-train
• Be conspicuously appreciative of feedback

DO NOT
• Retain broken procedures and practices
• Be inflexible
• Focus on comfort
• Criticize improvement

7. CLARIFY EXPECTATIONS & VISION

DO
• Establish clear expectations
• Have a clear vision for success
• Revalidate expectations & vision regularly
• Re-clarify, re-re-clarify, re-re-re-clarify if necessary

DO NOT
• Assume people know what the right thing is
• Have no planning, vision, or direction
• Be indecisive

8. LISTEN

DO
• Spend more than 50% of any conversation listening
• Intentionally slow down
• Analyze, ponder, and reflect
• Validate what has been said
• Ask why

DO NOT
• Dominate the conversation
• Cut people off
• Tell how

9. TRUST BUT VERIFY

DO
• Trust freely those who have earned it
• Trust conditionally those who are earning it
• Verify trusting behavior
• Require trust from others

DO NOT
• Trust those who behave in an untrustworthy way
• Trust based on what people say

10. BE LOYAL

DO
• Openly give credit to others
• Speak as if they are present
• Stand behind your people

DO NOT
• Take credit
• Badmouth
• Throw them under the bus


QUALITIES OF GREAT SECURITY LEADERS

TRUSTWORTHY: Abraham Lincoln

ANALYTICAL: Nikola Tesla

VISIONARY: Steve Jobs

INSPIRATIONAL: Vince Lombardi

INCLUSIVE: Dr. Martin Luther King Jr.

HUMBLE: Mahatma Gandhi

FEARLESS: Aung San Suu Kyi


I do the right things...

…always

FINAL THOUGHTS

• This is not weak leadership
• Not everybody can handle it
• Long-term effort
• Benefits are lasting and profound
• Must put your attitude and ego in check

It's a far, far better thing I do than I have ever done before. A far better resting place that I go to than I have ever known.

EMAIL: andrew.plato@anitian.com
LINKEDIN: www.linkedin.com/in/andrewplato/
TWITTER: @andrewplato, @AnitianSecurity
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: bit.ly/anitian
CALL: 888-ANITIAN

THANK YOU