But, we only sell ______ : Helping Business Leaders Understand Security Risk via Red Teaming - B-Sides Tampa 2016

Do you often find yourself desperately trying to get your boss to understand why a security issue must be addressed? Do they look at you like you are speaking a foreign language? Business leaders and security professionals often find themselves speaking different dialects of the same language when discussing problems within an organization. Business leaders make decisions around risk they know and understand. Security professionals often speak in more theoretical terms that may be understood in a narrow field of view, but don’t translate to the wide field of view leaders at the top of an organization see.

When confronted with expensive security solutions that solve “theoretical” problems we are often faced with this response from leaders, “We only sell ______, why do we need that level of protection?”

We need to help business leaders understand attackers don’t care what we sell; they care about what data they can take.

This talk will cover using relatively easy low impact Red Team exercises to create narratives that business leaders understand. These narratives can then be used to help drive conversations around specific controls within an organization.

We will cover:

• Getting approval and permission for Red Team exercises
• Examples of how to run exercises to drive specific security goals, projects, and initiatives.
• Creating an attack narrative that drives conversations about specific controls
• Relating the Red Team activities to real losses from real companies that were attacked in similar ways
• Presenting the results to business leaders in impactful formats

Attendees should leave the talk with new ideas to help create fast effective Red Team exercises and use the results to guide discussions about risk with leaders.

Click here to download the PDF of the slides: 
https://drive.google.com/open?id=0BzY3yLosRyyxYi1UekZSVS1CVzQ