Presentation Material
Abstract
Discover how to lower cyber risk, satisfy users, and minimize operational interruptions. This session will show examples of successful and failed risk reduction initiatives and provide a framework to implement changes with minimal friction. The speakers aim to share their journey with IT leaders, CISOs, and security professionals, equipping them to reduce cyber risk without disrupting business operations.
AI Generated Summary
The talk addresses the persistent challenge of balancing security controls with workforce productivity, using two primary case studies to illustrate a structured framework for implementation. The first case study examines managing unsanctioned application usage (shadow IT) at a SaaS company, where the autonomy of a technical workforce conflicts with the need to evaluate the security posture of numerous third-party tools, many of which require costly enterprise licenses for essential security features. The second case study details the enterprise-wide deployment of a zero-trust network access solution in a regulated environment, highlighting significant hurdles including legacy system integration, user experience friction, and operational scalability.
The speakers present a six-phase framework, termed DA Chimi (Discovery, Alignment, Communication, Implementation, Maturity, Improvement), to navigate such projects. Key techniques include: conducting thorough risk-based discovery to define scope and prioritize attack surfaces (e.g., focusing on Chrome extensions as a high-risk vector); performing comprehensive alignment across procurement, development, and leadership to address budget, integration, and business continuity; implementing over-communication strategies tailored to end-users to build trust and reduce pushback; and adopting a phased implementation approach, starting with internal IT/Security teams before expanding to revenue-generating units.
For the shadow IT problem, the team employed network-based discovery and AI-assisted tools to automate initial security reviews of thousands of applications against criteria like data risk, publisher reputation, and business criticality. For the zero-trust rollout, they established 24/7 monitoring, proactive alerting, and self-service portals to manage the support burden. Practical takeaways emphasize that successful security initiatives require treating implementation as a change management problem, not just a technical one. Maturity is measured by resilience to team recomposition (the program keeps working when staff change) and by declining support tickets, while continuous improvement necessitates regular re-evaluation of risk registers and tool efficacy against an evolving threat landscape and technology stack. The core implication is that security must be positioned as an enabler of productive work, requiring early stakeholder engagement, clear communication, and pragmatic trade-off analysis.
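As an added illustration of the risk-based discovery and automated first-pass review described above (this is example code written for this page, not the speakers' tooling), the script below aggregates constructed egress-proxy log lines per destination host, looks each host up in a constructed application catalog, and scores unsanctioned applications on data risk, publisher reputation, adoption and business criticality so that the review queue is ordered by risk rather than by whoever complained first. The log lines, catalog entries, hostnames, scoring weights and tier thresholds are all assumptions made for the example.

```python
"""Prioritise shadow-IT applications discovered from egress logs.

Added example, not from the talk: the log, the catalog and the weights
below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed proxy/egress log lines: timestamp, user, destination host, bytes out.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice  crm.sanctioned.example      1200
2024-05-01T09:15:41Z bob    crm.sanctioned.example      800
2024-05-01T09:20:10Z alice  notes.unknownvendor.example 540000
2024-05-01T09:22:55Z carol  notes.unknownvendor.example 310000
2024-05-01T09:30:00Z dave   notes.unknownvendor.example 90000
2024-05-01T10:01:12Z bob    paste.anon.example          2000000
2024-05-01T10:05:12Z erin   design.bigvendor.example    45000
2024-05-01T10:09:30Z erin   design.bigvendor.example    12000
"""


@dataclass
class AppProfile:
    publisher_known: bool    # vendor has a verifiable security posture
    data_class: str          # "public", "internal" or "confidential": data users put in it
    business_critical: bool  # a team depends on it to ship or sell
    sanctioned: bool         # already passed a security review


# Constructed catalog keyed by destination host (hostnames are placeholders).
CATALOG = {
    "crm.sanctioned.example": AppProfile(True, "confidential", True, True),
    "notes.unknownvendor.example": AppProfile(False, "confidential", False, False),
    "paste.anon.example": AppProfile(False, "internal", False, False),
    "design.bigvendor.example": AppProfile(True, "internal", True, False),
}

# Constructed weights: how much each data class contributes to the score.
DATA_RISK = {"public": 0, "internal": 2, "confidential": 5}

# Hosts missing from the catalog get a conservative default: unknown vendor, internal data.
UNKNOWN_APP = AppProfile(False, "internal", False, False)


def parse_egress_log(text):
    """Return {host: (distinct_users, bytes_out)} aggregated from the log."""
    users = defaultdict(set)
    bytes_out = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, user, host, nbytes = line.split()
        users[host].add(user)
        bytes_out[host] += int(nbytes)
    return {h: (len(users[h]), bytes_out[h]) for h in users}


def score_app(profile, n_users, nbytes):
    """Higher score means review sooner. Weights are constructed for the example."""
    score = DATA_RISK[profile.data_class]
    if not profile.publisher_known:
        score += 3            # no basis to trust the vendor's controls
    score += min(n_users, 5)  # adoption: blast radius grows with users
    if nbytes >= 1_000_000:
        score += 2            # bulk uploads suggest real data leaving
    if profile.business_critical:
        score += 1            # cannot simply block; needs a managed path
    return score


def tier(score):
    """Map a score to a review tier (thresholds are constructed)."""
    if score >= 10:
        return "review-now"
    if score >= 6:
        return "review-this-quarter"
    return "monitor"


def prioritize(log_text, catalog):
    """Return unsanctioned hosts seen in the log as (host, score, tier), riskiest first."""
    usage = parse_egress_log(log_text)
    queue = []
    for host, (n_users, nbytes) in usage.items():
        profile = catalog.get(host, UNKNOWN_APP)
        if profile.sanctioned:
            continue  # already reviewed; nothing to triage
        s = score_app(profile, n_users, nbytes)
        queue.append((host, s, tier(s)))
    queue.sort(key=lambda row: -row[1])
    return queue


if __name__ == "__main__":
    for host, s, t in prioritize(SAMPLE_LOG, CATALOG):
        print(f"{t:22} {s:2}  {host}")
```

The point of the ordering is visible in the sample data: the note-taking app from an unknown vendor, used by three people for confidential material, lands ahead of the single-user paste site even though the latter moved more bytes, and the known-vendor design tool that a team relies on is only monitored. In practice the catalog lookup would be fed by a vendor-intelligence source and the criticality flag by the alignment step with business owners; the scoring function is where the talk's "AI-assisted" first pass would plug in.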