Slide 1

Slide 1 text

Besides To. (these will be up at after the show) @benjammingh for Besides To 2018 1

Slide 2

Slide 2 text

Who's this clown?
• Security Engineer at Stripe.
• Infrastructure security at Etsy.
• Infra stuff at Puppet (Labs).
• Once wore shorts and skateshoes to Montreal in winter, because they're very smart.

Slide 3

Slide 3 text


Slide 4

Slide 4 text

"Of course it is you idiot, I paid $2,695 for an RSA ticket"

Slide 5

Slide 5 text

Cybersecurity Market Reaches $75 Billion In 2015; Expected To Reach $170 Billion By 2020

Slide 6

Slide 6 text

Again, real Freedom Dollars.

Slide 7

Slide 7 text

• Cybersecurity Ventures predicts global cybersecurity spending will exceed $1 trillion from 2017 to 2021
• Gartner forecasts global enterprise security spending will grow 8% to $96.3 billion
I could go on...

Slide 8

Slide 8 text

The people in security actually making money who aren't giant vendors

Slide 9

Slide 9 text

The criminals!

Slide 10

Slide 10 text


Slide 11

Slide 11 text

• Cybercrime Damages $6 Trillion By 2021
• Global ransomware damage costs are predicted to exceed $5 billion in 2017
• "Ransomware: Are health systems opening bitcoin wallets?"
• Verizon Data Breach Investigations Report, in case you've been living under a rock
• Threatbutt's better version from 2016

Slide 12

Slide 12 text

So [cyber] security is a very serious business

Slide 13

Slide 13 text

"The security of your data, the functionality of your servers, and your confidence in Linode are extremely important to all of us." - Linode completely owned - 2016

Slide 14

Slide 14 text

"Earning your trust through the operation of a secure service will always be our highest priority." - Slack's breach report - 2015

Slide 15

Slide 15 text

"Your trust is a top priority for Target" - Message from Target CEO about being hella owned

Slide 16

Slide 16 text

"Security is (our|a) (top|number one) priority at $company"

Slide 17

Slide 17 text

How serious?

Slide 18

Slide 18 text

Uber serious!

Slide 19

Slide 19 text

Uber will pay $148M to US states to settle claims from 2016 breach

Slide 20

Slide 20 text

Uber net worth: $5.9b
Uber net worth - $148M: $5.752b

Slide 21

Slide 21 text


Slide 22

Slide 22 text

Did Uber throw its CSO under the bus?

Slide 23

Slide 23 text

Fired Uber cybersecurity chief Joe Sullivan was just hired to run security at start-up Cloudflare

Slide 24

Slide 24 text

Intel

Slide 25

Slide 25 text


Slide 26

Slide 26 text


Slide 27

Slide 27 text

"[Intel] is off to an excellent start in the first half of the year and expects 2018 to be another record year"

Slide 28

Slide 28 text

So.... No implications for one of the largest and most ingrained vulnerabilities in computing, affecting pretty much every device nearly ever made. In fact, they made more money, as they probably sold some more chips.

Slide 29

Slide 29 text

Intel CEO Brian Krzanich Resigns...

Slide 30

Slide 30 text

Timing of $24 million stock sale by Intel CEO draws scrutiny
Also note: “Security is job number one for Intel and our industry,” — Brian Krzanich

Slide 31

Slide 31 text

"These processors are buggy as hell, and some of these bugs .... will ASSUREDLY be exploitable" — Theo "the people's pirate" de Raadt

Slide 32

Slide 32 text

Intel CEO Brian Krzanich Resigns... ... over relationship with employee

Slide 33

Slide 33 text

Sony (Pictures)

Slide 34

Slide 34 text

Sony Pictures got a bit owned

Slide 35

Slide 35 text


Slide 36

Slide 36 text

"Sony administrators reportedly shut down much of its worldwide network and disabled VPN connections and Wi-Fi access in an effort to control the intrusion"
"the company had told him their email systems were down and they had been told to go home because the company's networks had been hacked"
This isn't even the biggest Sony breach there's been.

Slide 37

Slide 37 text

How data breaches affect stock market share prices
• "In the long term, share prices continue to rise on average"
• "Larger breaches had less of an impact on share price than smaller breaches"
• "The sensitivity of breached data had a less clear impact on share price in the long term"

Slide 38

Slide 38 text


Slide 39

Slide 39 text

Other, different, examples

Slide 40

Slide 40 text

"No security report in an M&A has ever stopped the sale, it's just lowered the price" — Rich Smith, 2015...ish? probably

Slide 41

Slide 41 text

"So what are you saying Benjamin?"

Slide 42

Slide 42 text

Security is unlikely the most important thing your company does

Slide 43

Slide 43 text

Shipping/selling product is probably more important

Slide 44

Slide 44 text

Security is a part of that, it is not all of that

Slide 45

Slide 45 text

Security informs and advises the business

Slide 46

Slide 46 text

Security as a business unit, IS a compromise

Slide 47

Slide 47 text

Your job is not to make everything 100% secure
As then it would be impossible to do anything

Slide 48

Slide 48 text

Your job is to balance the risk trade-offs between your company being secure, and moving fast

Slide 49

Slide 49 text

Examples: Alex Stamos

Slide 50

Slide 50 text

Examples: Alex Stamos

Slide 51

Slide 51 text

Alex Stamos
• Left Yahoo! 2015 because of them working with NSA or FBI
• Left Facebook 2018 due to, well, a lot

Slide 52

Slide 52 text

Alex Stamos "The security team generally pushed for more disclosure about how nation states had misused the site, but the legal and policy teams have prioritized business imperatives, said the people briefed on the ma

Slide 53

Slide 53 text

Alex Stamos So even the CSO at the top companies in the world, the ones who pioneer amazing security products (osquery, End to end encryption in WhatsApp) is not above compromise as a business unit.

Slide 54

Slide 54 text

Ben, what doth this mean? This isn't a tale of them and us, this is stating your job is to help the business to its goals.

Slide 55

Slide 55 text

Ben, what doth this mean? This again is not saying that security is unimportant or ignored, just not the be all and end all.

Slide 56

Slide 56 text

Ben, what doth this mean? Security can be the centre of your world, it's not the centre of capitalism.

Slide 57

Slide 57 text

Ben, what doth this mean? This is a good thing!

Slide 58

Slide 58 text

Ben, what doth this mean? If /Dev(Sec)?Ops/ has taught us anything it's talking and working together IS BETTER.

Slide 59

Slide 59 text

Ben, what doth this mean? This is just a natural extension of this.

Slide 60

Slide 60 text

We're done, thank the maker! Go forth and work with your teams and your company, not against them!

Slide 61

Slide 61 text

• Twidder: @benjammingh
• LinkedIn:
• SpeakerDeck:
• Stripe: Careers <--- Engineering blog