Minimum viable security: reaching a realistic SMB security maturity?

Thursday 5 October 14:30 - 15:00, Red room

Claus Cramon Houmann (Peerlyst)

Through my time as CISO for a small bank - where security was non-existent when I first started there as a consultant - I discovered how regulatory and compliance requirements drive budgets in the financial industry. I also learned along the way that more was needed to give SMBs a real chance, and I learned that all the expensive toys you hear people talk about on Twitter or at conferences are often simply not possible on an SMB budget. So my team and I focused on the basics and getting good at them, and over a period of 3+ years we built a defensive posture that I am proud of. I have built a framework around this defensive posture called "Minimum Viable Security" - controls, mitigations and procedures that anyone can realistically put in place with even a small team. This framework represents the level of defence you can expect any SMB to be able to put up, but it still falls horribly short of what you would want a real defensible infrastructure to be able to put up. I will discuss why SMBs can probably never be expected to go much above this, and the reality in which SMBs live.
Claus Cramon Houmann

Claus is a former bank CIO and CISO, who is now working as a community manager for Peerlyst Inc., a website dedicated to building a repository of knowledge for all information security professionals to help defenders everywhere do their jobs better, faster.

Claus is a volunteer for I am the Cavalry and spends most of his time trying to make connected things and companies safer and more secure.