Presentation on the need for security as part of a NISO/NFAIS conference on why it is important for people to invest in their systems.

1. SECURITY IS AN
ENABLER.
NOT SECURING
IS AN INHIBITOR.
NISO TRANSFORMING CONTENT THROUGH
TRANSFORMED SYSTEMS CONFERENCE
THURSDAY, 17 JUNE 2021
Daniel Ayala (@buddhake)
CISO/CPO, Managing Partner

2. Why is it important
for people to invest
in their systems?

3. Confidentiality
Integrity Availability

4. Security in the
News
https://www.cisa.gov/coronavirus
https://www.ic3.gov/Media/News/2021/210316.pdf

5. https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack
https://www.insidehighered.com/digital-learning/blogs/online-trending-now/rising-threat-ransomware-and-other-malware
The Rise of
Ransomware

6. https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password

7. Back to Basics

8. Passwords and multifactor authentication
Use your institution's single sign-on (SSO)
Have an inventory of the systems you operate
Know what software runs on those systems
Patch your systems and software regularly
Limit access to the things that people truly need
Turn off systems when they are no longer used
Turn off access when people leave the org
Monitor your systems for changes from "normal"
Educate users/patrons to risks on ongoing basis
Newly Added!
"The Basics"

9. Maintain Security Proactively
(Not Just When Crisis Strikes)
Bake security into your other development and operations planning
Develop systems with commitments to 1 out of every X sprints being for longer term
security features, and Y% of each sprint being earmarked for tactical security fixes
Design the resiliency of systems to include patching requirements more than 2x/year
Share the idea that security costs much more (up to 100x*) to fix later than do earlier
Complexity increases security. Try to normalise on technologies whenever possible
Review source code before releasing technology and don't release with critical vulns
Know your suppliers and dig into how they are securing their systems (which are also
now also your systems)
Know (and practice) how you will respond when you get the call
The mean time from disclosure to impact continues to shrink;
be ready to react in a similar timeframe.
that a breach has taken place.
* Source: IBM System Science Institute: Relative Cost of Fixing Defects, 2010

10. Considerations on Data
Data collection does not necessarily equal a
privacy violation
Just because you can doesn't mean you should.
and ensure that it truly needs to do so
Know what data flows in and out,

11. TWITTER
@buddhake
LINKEDIN
/in/danielaayala
EMAIL
daniel@secratic.com
Contact Information