The Dystopian Dream Team

From Checkbox to Checkmate: Winning the Game for Security Budgets BSides Atlanta 2023

For many, IT security is still perceived as a sometimes-helpful nuisance, but an all-the-time cost center. The most common exception is in compliance, often disproportionately handled by IT staff due to the technical evidence gathering requirements. And it’s hard for security staff to argue the case, since you can draw a direct line from compliance reports to revenue. A clean SOC 2 report or PCI DSS certification can determine the outcome of multi-million-dollar deals. The same cannot usually be said for a clean vulnerability assessment, penetration test, or red team report (much less a not clean one). So how can security professionals compete with compliance for budgets, and how can IT professionals garner buy-in and internal support from executives and decision makers so they can affect organizational change and improvement? This session will cover how purple teaming activities can elevate an organization beyond exception management in revenue-generating deals, to providing multiple mechanisms for demonstrating substantial ROI, and quantifiably protecting existing and future revenues. I will detail actionable approaches – with real world examples – that showcase how purple team exercises can accomplish the following: - Establishing measurable security baselines and resilience across companies and supply chains - Validating the efficacy of security investments and identifying potential areas for greater efficiency. - Providing a blueprint for organizational advancement and agility via penetration tests and red teams - Evidence-based ROI communication to leadership and stakeholders - Demonstrable and continuous protection against headline grabbing, and investor rattling, emerging threats