The savvy security leader final dg ppt issa_la

© 2015 Denim Group – All Rights Reserved

The Savvy Security Leader: Using Guerrilla Tactics to ID Security Program Resources

John B. Dickson, CISSP
@johnbdickson
Denim Group

About the Speaker

• Application Security Enthusiast
• Helps CSOs and CISOs with Application Security Programs
• ISSA Distinguished Fellow
• Security Author and Speaker

Denim Group | Company Background

• Professional services firm that builds & secures enterprise applications
  • External application & network assessments
  • Web, mobile, and cloud
  • Software development lifecycle (SDLC) consulting
  • Secure development services:
    • Secure .NET and Java application development & remediation
  • Classroom and e-Learning for PCI compliance
• Developed ThreadFix

Overview

• Background on the Issue
• Key Concept
• Examples of Guerrilla Tactics
• Questions and Answers

Key Thought

• Executives are becoming more resistant to FUD carpet bombing

Getting Your Security Budget Approved without FUD

• RSA 2014 track session
• Assumption: the internal sale of a security budget to executives is fundamentally different
• Security leaders are competing for scarce corporate resources
• Common denominators exist
  • See more on RSA’s site

Getting Your Security Budget Approved without FUD

• Exploiting Pet Projects
• Accounting for Culture
• Tailoring to their Vertical
• Consciously Cultivating Credibility & Relationships
• Using Timing to Capitalize on Certain Events
• Selling By-Products of Security Activities

Security Budgets: The Starting Point

• Some have lost the game before getting on the field
• Competing against:
  • Line-of-business pet projects – expansion of production
  • Executive-level visibility or utility – e.g., a new corporate jet
  • Things that produce more tangible ROI
• Information security as the “silent service” – Rich Baich, Wells Fargo CISO
  • Source: “Winning as a CISO,” Rich Baich

Security Budgets: The Starting Point

• Annual operations budgets are highly scrutinized
  • They are normalized to past budget years and easy to compare
• Some budget items are easier to get approved
  • Items mandated by compliance
  • Items mandated by buyers
  • Historical operations; example: licensing fees

Security Budgets: The Starting Point

Photo by Matt Mechtley

Security Budgets: The Starting Point

• So… what does a savvy security leader do?

Key Concept

• Adopt guerrilla selling tactics to increase budget
• Use the resources of others to expand your security coverage

Mergers and Acquisitions

• Corporate Mergers and Acquisitions (M&A) activities include substantial attorneys’ fees for:
  • Due diligence and contracts
• M&A activity is the domain of the CEO
  • The CEO will be less price sensitive to security costs
• Insert security testing into the M&A process to ID:
  • Risk of the acquired entity & provide a remediation path
  • Lower downstream security exposure

Leverage Things Already Bought

• Identify technologies bought by business units, and leverage any security by-product
• Example #1: Web Application Firewalls (WAFs)
  • Mandated by PCI, bought by IT or Internal Audit
  • Creates incredible Layer 7 logging and protection
• Example #2: Big Data Technologies
  • Big Data

Development Tools

• Development tools stack
  • Expensive
  • Dwarfs security vulnerability scanners
• Get the development team to purchase the scanner for the SDLC, because they own the SDLC
  • A line item in a larger quote for a development stack
  • Bake testing into the SDLC at the earliest point in the process
  • Might be able to use the leverage of a large purchase to get tools thrown in

Development Training

• For internally developed software
  • The cost of a vulnerability is highest once it reaches production
• Change the reality: make security a quality issue!
• Have development teams pay for training
  • Make this part of general developer training and onboarding

Leverage Open Source

• Use what others have already contributed to the Open Source community to further your security coverage
• First steps
  • Hire a security pro w/ Open Source experience
  • Add an Open Source project that solves a problem – start small
    • ThreadFix
  • Capture licensing cost savings and communicate them

Q&A

@johnbdickson