DREAMR - Obtain Business Partnerships - Jessica Hebenstreit (Central Ohio Infosec Summit 2015) (Hacking Illustrated Series InfoSec Tutorial Videos)

DREAMR - Obtain Business Partnerships
Jessica Hebenstreit

Executive - Session #5 - Jessica Hebenstreit

The Security DREAMR presentation is focused on providing security practitioners with a roadmap to enable them to gain more traction within their organization so that security becomes part of the everyday conversation. The presentation will begin by describing the common theme of security being viewed as a roadblock to the business getting their everyday job done. From that backdrop, the DREAMR framework will be introduced. Each letter of DREAMR is a specific step within the process and each will be discussed briefly along with an example to help drive home practical uses of the framework.

Determine Culture: This step will focus on the ways in which a company's culture and risk tolerance are shaped and how a security professional can determine that culture. Common cultures and risk appetites will be discussed along with key techniques for identifying them.

Reach Out: This slide will focus on determining who to reach out to after the culture has been determined. For instance, in a tightly controlled culture, a Director level employee should be targeted whereas in a more entrepreneurial environment, the key people will be the technologists on the front line. Building this initial bond is the key in this step.

Educate: Understanding how to educate the business at all levels should be done after determining the culture and reaching out to key security champions in the organization. Successful, proven techniques will be shared along with communication strategies.

Accommodate: Knowing how and when to accommodate the business is key. We will talk about the importance of finding the right balance and how to gain the traction necessary to more easily implement security initiatives. We will walk through the idea of the "quick-win" and how to get the business to buy in to your overall strategy by finding a low-impact, high-reward initiative that can be co-owned by the business and security.

Metrics: In this section we will dissect metrics that matter and how to ensure the business gets what they need out of them. We'll discuss who should lead these efforts as well as how to implement a communication strategy around them. Not all metrics are created equal.

Recognition: Here we'll talk about the importance of recognizing individuals outside of security who are "walking the walk". We'll provide examples of how to recognize and what to recognize them for along with communicating that to the business so that everyone recognizes the importance of embedded security.

Bio: Jessica Hebenstreit is the manager of the Threat Analytics and Response Center under the Security Informatics group at Mayo Clinic. Ms. Hebenstreit is an experienced Information Security leader focused on balancing business needs with security risk in a pragmatic way. She is technically-minded with a business focus. She is a proven and capable leader, with an ability to build relationships and influence individuals at all levels. Successful and results-oriented, Ms. Hebenstreit has had hands-on information security experience in a variety of security disciplines and various industries over her nearly 15-year career. She is currently deploying an automated response architecture for responding to modern-day security threats. Ms. Hebenstreit has worked at a number of large enterprises over the course of her career including Motorola, American Express and Principal Financial Group. This has given her a variety of experiences from which to draw. She holds numerous certifications including GCIH, GNFA, CISSP, CRISC, etc. Ms. Hebenstreit has a passion for security and firmly believes our role as security practitioners is to enable capabilities for our business partners.


Copyright 2020, IronGeek