SESSION ID: SESSION ID: #RSAC Gretchen Myers From Vision to Reality: Delivering Emerging Cyber Technologies Effectively TECH-T10 Lead, Security Strategy and Emerging Technologies Chevron Corporation © 2017 Chevron. This document is intended only for use by Chevron for presentation at the RSA® Conference February 13-17, 2017. No portion of this document may be copied, displayed, distributed, reproduced, published, sold, licensed, downloaded, or used to create a derivative work, unless the use has been specifically authorized by Chevron in writing.


The challenge…

…the stakes

Evergreen Strategy Management

Innovation Queue

Business Function / Technology Domains

Master Cybersecurity Strategy • Life-cycle & Governance • Track Component Stages • Roadmap

Reviewed & refreshed annually with portfolio planning.

Influences

External • Research • Vendors • Universities • Partnerships • Analyst Services

Internal • Business Strategy • IT Strategy • IT Strategists, Technology Experts & Architecture Leaders

Focus Areas • Technology Qualification Process

Chevron's Technology Qualification Process

TDS  Name             Description
1    Initiation       Basic principles observed and reported
2    Concept          Technology concept and/or application formulated
3    Proof of Concept Analytical and experimental critical functions and/or characteristic proof of concept
4    Integration      Component and/or bench-configured sub-system validation in laboratory environment
5    Demonstration    Component and/or bench-configured sub-system validation in relevant 'real world' environment
6    Prototype        System/sub-system model or prototype demonstration in a relevant environment
7    Pre-production   System prototype or demonstration in the intended operating conditions and environment
8    Production       Actual system completed and qualified through test and demonstration in realistic operating environments
9    Field Proven     Actual system(s) proven through successful field operations

Slow Road: Cybersecurity Advanced Analytics

• Chevron has encouraged strategic research in data science, modeling and analytics for almost a decade

• CISO recognized the need for analyzing large volumes of data effectively and approved a project to develop data science and advanced analytics capability

• Last 2 years have been working on transitioning the emerging research into an operational environment

Cybersecurity Data Science / Big Data Platform

exploration → early adopters • no standards • proof of concept

standardization → defining/refining • standards selection • targeted pilots

initial build → deployment • production platform • continue research

Diagram labels (research lab → production, 2016-17): Hadoop/Cloudera data acquisition and provisioning; advanced analytics; visualization; analytics; big data

Fast Lane: Cloud Security

• Cloud services are so easy to use: a credit card and a click to accept Terms and Conditions

• Cloud security was identified as an area of focus in early 2015

• At the same time, IT strategy began to focus on adopting cloud services, creating a sense of urgency

Discovering Existing Usage and Risk Exposure

Executed simultaneous threads of discovery and analysis in 2015/2016:

Ø Enterprise-wide view of usage and risk exposure

Ø Recommended monitoring solutions

Thread 1: identify Cloud Access Security Brokers → compare test results and recommend best product → analyze results and prepare stakeholder reports

Thread 2: understand current usage of infrastructure and platform services → prepare report on overall cloud usage & projected risks

Discovery Results as of December 2016

8356 Discovered Services

7067 Filtered Services

400 Services in Registry

107 Active Services (In Registry)

Enterprise Risk Analysis of Significant Cloud Services

Risks Reviewed                                 Service1 Service2 Service3 Service4 Service5 Service6 Service7 Service8
Service Has Known Vulnerabilities & Exploits       3        3        3        3        3        3        3        3
Ownership of Uploaded Data                         3        0        0        3        0        3        3        3
Timely Data Purge on Customer Departure            0        0        0        2        0        3        3        3
Personal Info Shared with 3rd Parties              0        0        0        0        0        0        0        3
Third-party Cookies                                0        0        0        0        0        0        0        0
Data Center Is Certified                           3        3        0        3        0        3        3        3
Data Encrypted In Transit                          3        3        3        3        3        3        3        3
Data Encrypted At Rest                             3        0        0        3        3        3        3        3
Role-based Authentication                          3        0        0        3        0        3        3        3

Rating score: Positive = 3, Not Yet Determined = 2, Negative = 0

Challenges

Slow Road

• Data management and data quality continue to consume significant effort to address

• Finding the right mix of technologists and data scientists is a challenge because few individuals have the full range of skills, including cybersecurity, software development and data science

• If not building completely within the cyber function, then be very clear on dependencies with other parts of the organization

Fast Lane

• With a fast-moving target, decisions need to be made quickly, but also carefully documented

• When evaluating vendors, strategic roadmaps matter: how they align with your plans, and how much you can rely on the vendor to execute as planned

• When evaluating the tradeoffs, understand what you can fix and what you can't, i.e. embrace the serenity prayer

Lessons Learned

Engage your critics: skeptics can be your best resource to combat tunnel vision
• Listen to the concerns and let them ask the hard questions
• A common language is crucial to working with your extended community
• Nothing undermines credibility more than misinterpretations of results

Embrace failure and capture the lessons learned
• Emerging technology is often too narrowly focused or too broadly applied to be successful; find the niche that works and go from there
• Investment in a PoC or pilot does not mean you are obligated to the vendor to buy their product
• Implementing a solution does not mean you have to 'justify the investment' with an extended installation

Frame the problem you need to solve and stick to it
• Short-term gap to fill or long-term vision to build?
• Update legacy technology or find opportunity to insert the emerging solution?

Apply What You Have Learned Today

Next week:
• Identify internal or industry processes devoted to innovation, research and development
• If none exist for your organization, define at least two opportunities to foster innovation on your team

In the first month following this presentation:
• Curate your favorite sources of information into a library of resources to facilitate identifying trends, sharing thoughts, and challenging assumptions
• Develop a consistent language for the "fuzzy front end" across your team

Within six months:
• Define a vision for innovation that accommodates the practical issues that face your organization today
• Extend your resource library and consistent language out to your extended teams

Questions?

Gretchen Myers

email: [email protected]