Enterprise IT Security | CIO Innovation and Leadership

Posted on 06-Apr-2017


Exponential Technologies 101

Enterprise IT Security

CIO Innovation and Leadership

Presenter: Bill Murphy

Exponential Technologies 101

• Artificial Intelligence (AI)
• Machine Learning & Deep Learning
• Robotics
• Biotechnology & Bioinformatics & Digital Biology
• Virtual Reality & Augmented Reality
• Energy & Environmental Systems
• Medicine & Neuroscience
• Nanotechnology & Digital Fabrication (3D Printing)
• Blockchain
• Networks & Computing Systems (IT Security)

What is an Exponential Technology?

Offense and Defense

Shola – United Therapeutics

BRANDING

Shola – United Therapeutics

Exponential vs Linear


4DS OF EXPONENTIALS

DECEPTIVE TO DISRUPTIVE

DIGITIZE, DEMATERIALIZE, DEMONETIZE, DEMOCRATIZE

Disruptive Stress /Opportunity

Awareness

Self Awareness

Examples of Disruption

Solid and Stable

Disruptive

What is a Disruptive Tech?

• Blackberry and Nokia
• Tesla and Automotive

Books to Help + Resources
• SU DC Chapter - singularityudc.com
• Singularity University – su.org
• Singularity HUB – singularityhub.com
• Daniel Burrus - www.burrus.com
• Exponential Organizations – exponentialorgs.com

With all the opportunities that Exponentials bring there are Risks. Big Risks:
1. Governance
2. Ethics
3. Privacy
4. Complexity

TRANSITION TO DEFENSE

DEFENSE – Enterprise IT Security

Qualitative vs Quantitative

Health (Dr Ordered - reluctantly)
• Food Panel – Allergy
• Hematology
• Metabolic Chemistry
• Lipid profile
• Hormones
• Urinalysis
• Vitamins etc

Symptoms
• Mental Fog
• Mood Variability
• Joint Pain

Frontiers of Optimal Performance & Human Potential

• Firewalking 7x
• Active Spartan race training
• Cold water immersion via Wim Hof
• Blackbelt
• Survival School
• Kiting and windsurfing
• Coaching Travel Soccer
• IronMan x2
• 2 x ½ IronMans
• Meditation/Mindfulness (MBSR, Thich Nhat Hanh)
• Personal and Team Flow States Experiments (Steven Kotler)
• Innovation at the edge – Design Thinking (SU)

2015

The Plan

• Primary Target, Time Frame, Re-test
• Diet to deal with inflammation
• Exercise – Mobility, Strength
• Vitamins
• Meds
• Testing
• Execution
• Follow-up and Follow-Thru

Am I Done?

• You only saw a 2015 Food Allergy Panel. Where is the 2016 Comparison?
• What about the stool sample?
• Year after Year. Massively Proactive.
• Rinse and Repeat

So What About Enterprise IT Security?

Back To Qualitative and Quantitative

• Marry Qualitative and Quantitative
• Evidence Based
• Building Defensible Arguments/Plans

COMPREHENSIVE IT SECURITY HEALTH PANEL

Second Priority

COMPREHENSIVE IT SECURITY HEALTH PANEL

(1) External Facing Systems
(2) Firewall Internal Systems (systems used by employees, mail services, activesync, vpn, etc.)
(3) Do your company PCs have an anti-virus program?

EXECUTION PLAN – IT ROADMAP - PRIORITIZATION

Year Over Year Comparison

When you spend a $, what boats are affected?

• External Facing Systems (systems used by external public/customers)
– Do you have an up-to-date list of all systems presented to the public or customers, including services in use?
• How many are there? (answer the next set by # based on yes count)
– Are the front end user interfaces behind an application filter security device with active blocking capability beyond a layer 3/4 firewall?
– Does the application filter block all high risk issues?
– Does the application filter block all medium risk issues?
– Do you have any exceptions for sites or subsites on the application filter?
– Does this system terminate SSL or encryption?
– Is the application or DB tier in a different zone/subnet/across a security boundary?
– Is the communication between the front end and the next tier unencrypted so the security systems can review cross-tier traffic?
– Do you formally audit to ensure that these settings are active and working:
• Monthly
• Quarterly
• Yearly

• Firewall Internal Systems (systems used by employees, mail services, activesync, vpn, etc.)
– Are all non-security devices behind a firewall?
– Is the firewall a full UTM with services active and in automated blocking mode for high risk items?
– Is the firewall a full UTM with services active and in automated blocking mode for medium risk items?
– Are all inbound rules configured explicitly in at least two of the following: source, destination and protocol?
– Do you formally audit to ensure that these settings are active and working:
• Monthly
• Quarterly
• Yearly

• Anti-Virus PC
– Do your company PCs have an anti-virus program?
– How often are definitions updated?
• Multiple times a day
• Daily
• Weekly or more
– Do you run centrally managed antivirus?
– Are alerts for viruses, service failures, and update problems sent to staff?
– Do you exclude any PC from AV?
– What percent of systems are covered? (i.e. do you skip Macs, Linux, etc.)
– How often do you check for gaps in coverage?
• Weekly
• Monthly
• Quarterly
– How often do you audit scanning exclusions for files and processes?
• Quarterly
• Twice a year
• Yearly
– Is there an approval process prior to allowing exclusions?

• Email Encryption and DLP
– Do you have a system that automatically audits mail messages for context-driven content (PII, PCI, Confidential, etc.)?
– Do you formally audit to ensure that the system is active and working:
• Monthly
• Quarterly
• Yearly
– Can anyone opt out of the system?
– Does the system encrypt, reject, or redact ALL emails that fail the automatic audit?
– Does the system allow external parties to initiate and reply in an encrypted fashion?
– Do you formally audit the policies used and look for gaps?
• Monthly
• Quarterly
• Yearly
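One way to put numbers on the health panel above, added here as an example that is not part of the deck: each question carries a weight, each domain gets a weighted yes-percentage, and two years' answer sets are compared so that a regression (a yes that became a no) stands out, which is the 2015-panel-versus-2016-re-test comparison the earlier slides ask for. The question wording is abridged from the panel; the weights, the domain names used as Python keys, and both years' answers are constructed assumptions.

```python
"""Year-over-year scoring of the IT security health panel.

Added example, not from the deck. Question wording is abridged from the panel;
weights, domain keys and both years' answers are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    text: str
    weight: int  # assumed scale: 3 = high impact, 2 = important, 1 = hygiene


# Abridged panel questions per domain (weights are assumptions, not from the deck).
PANEL = {
    "External Facing Systems": [
        Question("Current inventory of public-facing systems and services", 3),
        Question("Front ends behind an application filter with active blocking", 3),
        Question("Application filter blocks all high-risk issues", 3),
        Question("Application filter blocks all medium-risk issues", 2),
        Question("No exceptions for sites or subsites on the filter", 1),
        Question("App/DB tier across a security boundary from the front end", 2),
        Question("Cross-tier traffic inspectable by security systems", 1),
        Question("Settings formally audited at least quarterly", 2),
    ],
    "Firewall Internal Systems": [
        Question("All non-security devices behind a firewall", 3),
        Question("UTM services active, auto-blocking high-risk items", 3),
        Question("UTM services active, auto-blocking medium-risk items", 2),
        Question("Inbound rules explicit in two of source/destination/protocol", 2),
        Question("Settings formally audited at least quarterly", 2),
    ],
    "Anti-Virus PC": [
        Question("Centrally managed AV on all company PCs", 3),
        Question("Definitions updated at least daily", 2),
        Question("Alerts for infections, service failures and update problems", 2),
        Question("No PCs excluded; Macs and Linux covered", 2),
        Question("Coverage gaps checked at least monthly", 1),
        Question("Scanning exclusions audited and approved", 1),
    ],
    "Email Encryption and DLP": [
        Question("Automatic content audit of mail (PII, PCI, confidential)", 3),
        Question("Failing mail is encrypted, rejected or redacted", 3),
        Question("Nobody can opt out", 2),
        Question("External parties can initiate and reply encrypted", 1),
        Question("Policies audited for gaps at least quarterly", 2),
    ],
}


def score_domain(domain, answers):
    """Weighted percentage of 'yes' answers for one domain, 0-100."""
    questions = PANEL[domain]
    if len(answers) != len(questions):
        raise ValueError(f"{domain}: expected {len(questions)} answers, got {len(answers)}")
    earned = sum(q.weight for q, yes in zip(questions, answers) if yes)
    total = sum(q.weight for q in questions)
    return round(100 * earned / total, 1)


def compare_years(previous, current):
    """Score both years per domain and list regressions (a yes that became a no)."""
    report = {}
    for domain, questions in PANEL.items():
        before, after = previous[domain], current[domain]
        prev_score, curr_score = score_domain(domain, before), score_domain(domain, after)
        report[domain] = {
            "previous": prev_score,
            "current": curr_score,
            "delta": round(curr_score - prev_score, 1),
            "regressions": [q.text for q, was, now in zip(questions, before, after)
                            if was and not now],
        }
    return report


# Constructed answer sets: the 2015 panel and the 2016 re-test (assumed values).
PANEL_2015 = {
    "External Facing Systems":   [True, False, False, False, False, True, True, False],
    "Firewall Internal Systems": [True, True, False, False, False],
    "Anti-Virus PC":             [True, True, True, False, False, False],
    "Email Encryption and DLP":  [False, False, False, False, False],
}
PANEL_2016 = {
    "External Facing Systems":   [True, True, True, False, False, True, True, True],
    "Firewall Internal Systems": [True, True, True, True, True],
    "Anti-Virus PC":             [True, True, False, True, True, True],
    "Email Encryption and DLP":  [True, True, True, False, True],
}

if __name__ == "__main__":
    for domain, row in compare_years(PANEL_2015, PANEL_2016).items():
        print(f"{domain:26} {row['previous']:5.1f} -> {row['current']:5.1f} ({row['delta']:+.1f})")
        for text in row["regressions"]:
            print("    regression:", text)
```

The regression list is the part worth keeping in the executive summary: a domain score can rise overall while one control (here, AV alerting) silently went dark, which is exactly the gap a yearly re-test is meant to catch.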

My Vision for You is to Reign in Complexity

But this is only a Blood Panel… What do you do about it?

Overall Gaps

• Based on the review, a lot of good mature security technologies exist; however, the following is required:
– Additional implementation work is required to realize the full impact of the solution
– Review system X to ensure intended use is in line with the current state of the system. Currently this is not the case
– A proactive process of managing security systems A, B and C needs to be developed in order to ensure security

Action Plan Step 1

• Concentrate on validating and hardening what is in place
– Perform a user account audit
– Perform an edge security audit
– Enable Varonis to provide proactive security
– Enable Secret Server to harden the environment

Action Plan Step 2

• Two technologies that can be added to bolster security, especially if HIPAA compliance is desired
– Endpoint security for USB device security
– ZixGateway for Email Encryption and DLP

Sample Deliverables
• Varonis Data Governance (steps needed to complete the install)
• Thycotic Gap Comparison
• Edge Assessment +
• AD/Account Audit
• Road Map – with Priority

Data Gov Eg

Thycotic Eg

Edge AD Account

Roadmap

Audit/Compliance

Regulators/Regulations

FFIEC, PCI, DoD, HIPAA, etc.

Standards

Staff

Gartner

Vendors

Consultants

Business Framework

ExO CIO Business IT Framework

Framework

• What happens when you lose your CFO or Accounting Manager?

Versus

• What happens when you lose your CIO, CISO, VP IT, Manager IT, etc

Common Language of Business

• Debits and Credits
• Income Statement and Balance Sheet
• P&L

Align Proper Business Expectations

Does your VP of Sales guarantee revenue? Where in your business do you have guarantees?

Premiums to Mitigate Risk

The Role of Transparency

• Defensible
• Logical

Powerful Leadership

Governance (Governing) and Risk

Forget Big Data – Think Little Data…

With Context

Thunder & House & Squirrel

DAR Scan – Data at Rest Scan

Being Governed vs The Governor

How is Data lost?

• Employee post to share drive
• Employee shares with vendor
• Employee theft
• Employee accident
• Malware/Virus
• Social Media
• Hacking attack (Spear Phishing)
• Social Engineering
• USB

Incidents by File Type

Policy | File Type | Hits | Number of Files
Customer List | Adobe PDF | 1846 | 90
Customer List | Email Message File (MIME, EML) | 1071 | 43
Customer List | HTML | 311 | 16
Customer List | Microsoft Excel | 73842 | 360
Customer List | Microsoft PowerPoint | 125 | 6
Customer List | Microsoft Word | 1258 | 34
Customer List | Plain Text | 7539 | 55
D_CCN (pattern) | Adobe PDF | 479 | 3
D_CCN (pattern) | Microsoft Excel | 146 | 144
D_CCN (pattern) | Plain Text | 1442 | 5
D_SSN (pattern) | Adobe PDF | 2264 | 7
D_SSN (pattern) | Microsoft Excel | 180 | 93
D_SSN (pattern) | Microsoft PowerPoint | 2 | 1
D_SSN (pattern) | Microsoft Word | 1 | 2
D_SSN (pattern) | Other Word Processors | 1 | 1
D_SSN (pattern) | Plain Text | 63 | 3

Example of Incidents – Incidents Made in the last 90 Days

File Creation Time | File_Share | Policy | Hits | Number of Files
7/28/2012 1:12:00 AM | BadFileServer\\customers\\BIGEFCU\\Audit | Customer List | 14 | 1
8/3/2012 2:43:00 PM | BadFileServer\\customers\\NurseFirst Cor | Customer List | 87 | 1
8/29/2012 11:35:00 PM | BadFileServer\\customers\\UniversityFCU\ | Customer List | 92 | 3
9/11/2012 11:44:00 PM | BadFileServer\\marketing\\Partners\\Blue | Customer List | 35 | 1
9/6/2012 11:49:00 PM | BadFileServer\\marketing\\Partners\\GTB | D_SSN (pattern) | 1 | 1
9/6/2012 11:50:00 PM | BadFileServer\\BLD\\_BLD_Reports\\XYZ\\C | D_CCN (pattern) | 239 | 1
9/6/2012 11:50:00 PM | BadFileServer\\BLD\\_BLD_Reports\\XYZ\\C | D_SSN (pattern) | 381 | 1
10/4/2012 5:55:00 PM | BadFileServer\\BLD\\_BLD_Reports\\XYZ\\C | D_SSN (pattern) | 500 | 1
10/4/2012 11:41:00 PM | BadFileServer\\BLD\\_BLD_Reports\\XYZ\\C | D_SSN (pattern) | 500 | 1
9/6/2012 11:50:00 PM | BadFileServer\\MKT\\_MKT_Reports\\XYZ\\S | Customer List | 16 | 1
10/2/2012 11:48:00 PM | BadFileServer\\MKT\\_MKT_Reports\\XYZ\\S | Customer List | 17 | 1
8/9/2012 11:45:00 PM | BadFileServer\\MKT\\MKT Customers\\123 F | Customer List | 38 | 1
9/6/2012 11:51:00 PM | BadFileServer\\MKT\\MKT Customers\\123 F | Customer List | 74 | 1

Example of Incidents – Full Incident Report

File_Share | Policy | Incidents | Files | File | File Path
BadFileServer\\operations\\Docs\ | D_SSN (pattern) | | | AprilMainZix.xlsx | BadFileServer\\operations\\Docs\\Documents.bak\\ZixMain\\2010
BadFileServer\\marketing\\CIOES | D_SSN (pattern) | | | Sales_OldStuff.zip/Golf Outing_June27.doc | BadFileServer\\marketing\\CIOES
BadFileServer\\marketing\\CIOES | Customer List | | | Sales_OldStuff.zip/VMware Attendance List CIOES.xls | BadFileServer\\marketing\\CIOES
BadFileServer\\marketing\\CIOES | Customer List | | | Sales_OldStuff.zip/Sept Sales email blast.doc | BadFileServer\\marketing\\CIOES
BadFileServer\\marketing\\CIOES | Customer List | | | Sales_OldStuff.zip/Rockville List from Vania March 02.xls | BadFileServer\\marketing\\CIOES

Example of Incidents – Incidents by File Share

File_Share | Policy | Incidents | Files
BadFileServer\\accounting | Customer List | 144 | 1
BadFileServer\\accounting\\Archive | D_CCN (pattern) | 139 | 139
BadFileServer\\accounting\\Archive | D_SSN (pattern) | 170 | 85
BadFileServer\\accounting\\Archive\\2005 | D_SSN (pattern) | 5 | 1
BadFileServer\\accounting\\Const_Assoc\ | Customer List | 288 | 18
BadFileServer\\accounting\\Sherrie | Customer List | 1000 | 1
BadFileServer\\accounting\\Sherrie | D_SSN (pattern) | 1 | 1
BadFileServer\\customers\\_InActive_Clie | Customer List | 276 | 13
BadFileServer\\customers\\_InActive_Clie | D_CCN (pattern) | 1 | 1
BadFileServer\\customers\\123FCU\\contra | Customer List | 70 | 4
BadFileServer\\customers\\ABC\\_Network_ | Customer List | 12 | 1
BadFileServer\\customers\\ABC\\Assessmen | Customer List | 60 | 2
BadFileServer\\customers\\Alpha Systems | Customer List | 15 | 1
BadFileServer\\customers\\XYZ\\SSL_VPN | Customer List | 12 | 1
BadFileServer\\customers\\StateDep\\Statu | Customer List | 237 | 1
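The three report views above (by file type, by file share, and the full listing) are all roll-ups of a single finding list: file path, policy, hit count. The following is an added Python example, not the deck's code nor any scanning product's, showing that roll-up, including the case the full incident report illustrates where the flagged file is a member inside a .zip: the member decides the file type, the container's folder decides the share. The sample findings, the extension-to-type map and the share depth are constructed assumptions; the share names borrow from the report above, the file names are invented.

```python
"""Roll a data-at-rest (DAR) scan's per-file findings up into the DLP report
views: hits and distinct files by policy and file type, and by file share.

Added example; not the deck's or any scanning product's code. The findings,
the extension map and the share depth are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import posixpath

# Assumed mapping from extension to the file-type names the report uses.
FILE_TYPES = {
    ".pdf": "Adobe PDF",
    ".eml": "Email Message File (MIME, EML)",
    ".html": "HTML",
    ".xls": "Microsoft Excel", ".xlsx": "Microsoft Excel",
    ".ppt": "Microsoft PowerPoint", ".pptx": "Microsoft PowerPoint",
    ".doc": "Microsoft Word", ".docx": "Microsoft Word",
    ".txt": "Plain Text",
}


@dataclass(frozen=True)
class Finding:
    path: str    # UNC path; a member of an archive is written container.zip/member
    policy: str  # e.g. "Customer List", "D_SSN (pattern)", "D_CCN (pattern)"
    hits: int    # pattern matches found in that file


def file_type(path):
    """Classify by the innermost name, so a .doc inside a .zip counts as Word."""
    leaf = path.replace("\\", "/").rsplit("/", 1)[-1]
    return FILE_TYPES.get(posixpath.splitext(leaf)[1].lower(), "Other")


def file_share(path, depth=2):
    """server\\share\\sub for \\\\server\\share\\sub\\...; an archive member
    inherits the container's location because it lives in the same folder."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    return "\\".join(parts[: depth + 1])


def summarize(findings, group):
    """(policy, group(path)) -> (total hits, number of distinct files)."""
    hits = defaultdict(int)
    files = defaultdict(set)
    for f in findings:
        key = (f.policy, group(f.path))
        hits[key] += f.hits
        files[key].add(f.path)
    return {key: (hits[key], len(files[key])) for key in sorted(hits)}


def by_file_type(findings):
    return summarize(findings, file_type)


def by_file_share(findings, depth=2):
    return summarize(findings, lambda p: file_share(p, depth))


def top_shares(findings, n=3, depth=2):
    """Shares ranked by total hits across all policies: where to start cleanup."""
    totals = defaultdict(int)
    for f in findings:
        totals[file_share(f.path, depth)] += f.hits
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed sample findings; share names follow the report above, file names invented.
SAMPLE = [
    Finding(r"\\BadFileServer\accounting\Archive\payroll_2005.xls", "D_SSN (pattern)", 170),
    Finding(r"\\BadFileServer\accounting\Archive\cards.xls", "D_CCN (pattern)", 139),
    Finding(r"\\BadFileServer\accounting\Sherrie\members.xlsx", "Customer List", 1000),
    Finding(r"\\BadFileServer\accounting\Sherrie\members.xlsx", "D_SSN (pattern)", 1),
    Finding(r"\\BadFileServer\marketing\CIOES\Sales_OldStuff.zip/Sept Sales email blast.doc",
            "Customer List", 12),
    Finding(r"\\BadFileServer\marketing\CIOES\Sales_OldStuff.zip/Golf Outing_June27.doc",
            "D_SSN (pattern)", 3),
    Finding(r"\\BadFileServer\marketing\CIOES\newsletter.eml", "Customer List", 30),
    Finding(r"\\BadFileServer\customers\XYZ\SSL_VPN\contacts.txt", "Customer List", 12),
]

if __name__ == "__main__":
    print("Policy | File Type | Hits | Files")
    for (policy, kind), (hits, files) in by_file_type(SAMPLE).items():
        print(f"{policy} | {kind} | {hits} | {files}")
    print("\nFile_Share | Policy | Incidents | Files")
    for (policy, share), (hits, files) in by_file_share(SAMPLE).items():
        print(f"{share} | {policy} | {hits} | {files}")
    print("\nShares to start with:", top_shares(SAMPLE))
```

Keeping hits and distinct files as separate columns is what makes the report actionable: 1000 hits in one file is a single spreadsheet to move or redact, while 139 hits spread over 139 files points at a process that keeps producing them, and the two need different remediation.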

HIPAA, NIST/DOD (since we are a downstream contractor), NCUA, PCI, SOC compliance

Technical Framework

OFFENSE

• Study top Disruptors in your field

Exponential Technologies

• IT Security and Networks
• Robotics
• Artificial Intelligence
• Virtual Reality/Augmented Reality
• Deep Learning & Machine Learning
• Neuroscience
• Biomedicine & Digital Biology
• Energy and Environmental Systems
• Blockchain
• 3D Manufacturing Printing
• Nanotechnology
• IoT and Big Data
• Algorithms & APIs

Exponentials in the Health Field

Pay Attention to Blockchain

“The Smartest People in the World Don’t Work for You”

Measure Your Organizational Readiness to Innovate

• Visualize this
• Are you leaning into disruption or playing afraid? (scale: 10 / 5 / 1)

Software is Eating the World

Quote “Everything that Humans are Inefficient at will be eaten by Software.”

APIs & Algorithms

NIH – Gut Health - Microbiome

Micro-Experiments

• NIH data sets – Gut Health example
• Fail fast and forward
• Push projects to the edge. Starve the edge.
• Start small with innovation pockets/Labs
• Apply Design Thinking & Lean Startup Mentality
• Align with people who have entrepreneurial tendencies within the company
• Principle of Innovation at the edge of the company

Staffing to Build Expertise

Community and Crowds

Bigger Thinking - Exponential

World Wide Expansion

MTP – Massive Transformational Purpose

• Identify and avoid corporate anti-bodies
• Pay attention to when you disbelieve to avoid being disrupted during the curve when the technology seems odd or weird

What to Avoid

Summary – Offense Take-aways
• Learn to play offense - Join an innovation group like mine or someone else's
• Be surrounded by ideas and people who think similar
• You are the average of the 5 people you hang around
• Build systems at the edge
• Avoid corp anti-bodies
• Pay attention to Lean and Design Thinking as it applies to innovation (Joy, Inc, Exponential Org)
• Forget Big Data – Think Little Data
• Understand who your disruptors are? Technologies in Health? Disruptive business practices, Communities, blockchain, algorithms, & APIs

Offense Take-aways

• You don’t need permission to add revenue…
• Are you retiring in the next 5 years?
• It is a mindset first (for you) then a culture thing
• Neuroscience – The Brain of a Leader thinking Exponentially
• IoT & Dashboards
• Remember - role of offense and defense
• Financial Statements of the business – Point in Time versus Progress over Time.

Defense Take-aways

• Play defense hard. Don’t play ping pong. Settle into strategy and risk, which will drive all tactical execution.
• Embrace IT Security complexity with strategy. Eliminate overlapping technology confusion. Data Governance, privacy, risk – understand context.
• Flush out unnecessary costs
• Create Defensible Arguments/Plans
• Forget Big Data – Think Little Data
• Take a multi-year approach

Bill’s Bio & How to Contact Me

World Class IT Security, Strategic and Tactical Thought Leadership for Enterprise IT Business Leaders, Intra-preneurs, Entrepreneurs, Innovation, Design Thinking, Creativity, Frontiers of Human Performance, Breakthroughs in Neuroscience, & Exponential Technologies

CIO Security Scoreboard

CIO Innovation Insider Group Meetings

Insider Updates Weekly Report

Singularity University Washington DC Chapter

Ambassador

“Examines Disruptive and Exponential Technologies by looking at how they can be used to improve the lives of a billion people”

Bill Murphy
410-320-6433
billm@redzonetech.net
LinkedIn
Twitter: @exoitleader
www.redzonetech.net
www.cioscoreboard.com
