Minimum viable security: reaching a realistic SMB security maturity?

Thursday 5 October 14:30 - 15:00, Red room

Claus Cramon Houmann (Peerlyst)

Through my time as CISO for a small bank - where security was non-existent when I first started there as a consultant - I discovered how regulatory and compliance requirements drive budgets in the financial industry. I also learned along the way that more was needed to give SMBs a real chance, and I learned that all the expensive toys you hear people talk about on Twitter or at conferences are often simply not possible on an SMB budget. So my team and I focused on the basics and getting good at them, and over a period of 3+ years we built a defensive posture that I am proud of. I have built a framework around this defensive posture called "Minimum Viable Security" - controls, mitigations and procedures that anyone can realistically put in place with even a small team. This framework represents the level of defence you can expect any SMB to be able to put up, but it still falls horribly short of what you would want a real defensible infrastructure to be able to put up. I will discuss why SMBs can probably never be expected to go much above this, and the reality in which SMBs live.



Claus Cramon Houmann

Claus is a former bank CIO and CISO, who is now working as a community manager for Peerlyst Inc., a website dedicated to building a repository of knowledge for all information security professionals to help defenders everywhere do their jobs better, faster.

Claus is a volunteer for I am the Cavalry and spends most of his time trying to make connected things and companies safer and more secure.
