[Owasp-dallas] October meeting October 1st Richland College

Matthew Parsons mparsons at parsonsisconsulting.com
Wed Sep 24 17:18:21 UTC 2014

Succeeding with Enterprise Software Security Key Performance Indicators


Enterprise software security has been a hot topic for over a decade, yet
enterprises of all sizes continue to fail at explaining measurable gains,
but why? The answer lies in what and how is measured. Success begins with
realistic, business-aligned KPIs which can be effectively measured to
demonstrate improvement, or lack thereof. Come learn what, and how to
effectively measure software security.

As long as enterprise software has been a target for exploit by attackers,
software security has been on the enterprise CISOs radar. The truth is that
after over a decade of efforts from vendors, open-source communities, and
pundits alike, many organizations are still uncertain whether their
enterprise software security effort is benefitting or hurting their
business. Uncertainty continues to be a problem as threats grow and budget
requests continue to ramp up. Is your organization spending its resources
wisely when it comes to your enterprise software security program? Can you
prove it? More importantly, can you prove it with certainty to someone who
is not a security professional? These are difficult challenges even the
most successful security professionals still face today, as business wants ‘
secure’ while new-school enterprise security wants to pivot to something
more realistic. Moving from measuring defects, even in business context, to
measuring operational impact on development goals (impact-to-effort),
release schedules (impact-to-release), incident response
(impact-to-response), and impact to operational uptime (impact-to-uptime)
is just a few ways that security can demonstrate improvement and business
impact. This talk shines a spotlight on creating realistic enterprise
software security goals and strategies, and supports the development of
strong governance programs which can effectively define and measure
improvement towards realistic goals. The speaker will cover the changing
goals of enterprise security programs such as design-to-fail principles and
recoverability, all of which require a change in the approach to building
safer software. Most importantly you will learn, from many years of
defining and designing software security programs, realistic examples of
what you should be measuring and how these new school KPIs provide
concrete, evidence-based knowledge into the direction of your software
security efforts. It is time to finally get real and measure it, or quit
wasting time, money and effort.

Richland College, 12800 Abrams Road, Dallas, TX 75243, Room: Sabine Hall:


Oct 1, 2014 - 11:30 AM – 1:00 PM

Director, Office of the CISO

Rafal Los brings a pragmatic approach to enterprise information security
using his 15 years of technical, consulting and management skills. As
director of advisory solutions research and analysis and member of the
Office of the CISO for Accuvant, Los helps organizations build intelligent,
defensible and operationally efficient security programs. He also is
responsible for driving Accuvant’s solutions research for the information
security community.

Prior to joining Accuvant, Los served as principal, strategic security
services at HP Enterprises. While there he developed new services-based
offerings from concept through prototype and launch stages, and spearheaded
a cross-business task team to develop new use cases for products and
service offerings within the existing portfolio. Previously at HP, Los
served several diverse roles including security strategist of enterprise
security products where he advised customers on implementing practical
solutions, and wrote and maintained the top blog in HP Software, “Following
the White Rabbit.” Prior to HP, Los held various positions at GE Energy,
EnterEdge Technology and EnvestnetPMC.

Los is an advocate for focus on sound security fundamentals and for the
principles of “right defenses, right place, right reason.” He is a
contributor to open standards and various organizations such as OWASP and
the Cloud Security Alliance. He has served as a speaker at conferences such
as Black Hat, ISSA International and InfoSec World.

Los received his bachelor’s degree in computer information systems from
Concordia University.
- See more at:
http://www.accuvant.com/office-of-the-CISO#sthash.PZVyUuwe.dpufRafal Los

Matt Parsons, CISSP, MSM
mparsons at parsonsisconsulting.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-dallas/attachments/20140924/5bdfed79/attachment-0001.html>

More information about the OWASP-Dallas mailing list