A few weeks ago, I presented for RSA APJ. This year, it was a free, virtual event. Thanks to all who attended, and to those who also came to the Q&A session afterward. For those of you who couldn't make it, click below to see my talk, and read on to learn more about it.
Security Outgunned: Measuring Software Defined Attack Surface
Security is outgunned! The typical engineer-to-security ratio is 100:1 in many enterprises. Add cloud-native development to the mix and security is left in the dust. It’s the emerging reality. And that reality is not waiting for security to play catch-up.
This colossal mismatch is similar to the one between the New York Yankees and the Oakland A’s as described in the book and movie Moneyball. The A’s had a budget in the low tens of millions of dollars while the Yankees’ budget was several hundred million. The A’s were totally outgunned. What did they do? They optimized to win using data science. It was a type of modeling that used uncertain data to predict the best return on investment (ROI) on ball players in relation to winning games.
This talk takes a simplified approach to optimizing security. In this case, we consider technology investments as one of the best and most efficient ways to control software-defined attack surface. But there is a twist. We view inefficient technology as a waste-creating process that hinders security success. We look to optimize for winning by building a model that gamifies security products against one another. Our goal is to see which product produces the least error at the least cost over time. We look to do all that as quickly and as efficiently as possible.
We have included a lengthy blog post and code to go with this video. Both can be found here: