information security

Information Security: "is it everyone's job...really?!"Arizona Technology Summit 2014

Brian Johnson, BISO

PayPal – September 17, 2014

CURRENCIES SUPPORTED

152MACTIVE REGISTERED ACCOUNTS

203MARKETS OFFER PAYPAL

EUROPEAN UNIONEURO

AUSTRALIANDOLLAR

CANADIANDOLLAR

NEW ZEALANDDOLLAR

HUNGARIANFORINT

MALAYSIANRINGGIT

UNITED KINGDOMPOUNDS STERLING

HONG KONGDOLLAR

UNITED STATESDOLLAR

TAIWANNEW DOLLAR

CHINESERMB

SWEDISHKRONA

SINGAPOREDOLLAR

PHILIPPINEPESO

BRAZILIANREAL

RUSSIANRUBLE

NORWEGIANKRONE

JAPANESEYEN

MEXICANPESO

TURKISHLIRA

SWISSFRANC

CZECHKORUNA

ISRAELINEW SHEKEL

DANISHKRONE

THAIBAHT

POLISHZLOTY

152MACTIVE

ACCOUNTS1

$7,001 IN PAYMENTS PROCESSEDEVERY SECOND 2

9.3M PAYMENTS PROCESSEDEVERY DAY 3 +6M NEW ACTIVE

ACCOUNTS 1

1. Active Registered Accounts: All registered accounts that successfully sent or received at least one payment or payment reversal through our PayPal payments networks, including Bill Me Later and Venmo, and excluding users of Braintree’s unbranded payment checkout solutions, within the last 12 months and which are currently able to transact., 2. Total Payment Volume: Total dollar volume of payments, net of payment reversals, successfully completed through our PayPal payments networks, including Bill Me Later, Venmo, and payments processed through Braintree’s full stack payments platform during the period; excludes payments sent or received through PayPal and Braintree’s payment gateway businesses. 3. Net Total Number of Payments: Total number of payments, net of payment reversals, successfully completed through our PayPal payments networks, including Bill Me Later, Venmo, and payments processed through Braintree’s full stack payments platform during the period; excludes payments sent or received through PayPal and Braintree’s payment gateway businesses.Htt

ps://www.paypal-media.com/assets/pdf/fact_sheet/PayPal_Q2_2014_FastFacts_Final.pdf

Q2 2014 Financial Metrics

$1 .95B

PAYPAL REVENUES20% YOY

29% YOY

Compliant with PCI-DSS 2.0 StandardsCompliant with local country regulations

Compliance Statement: http://www.visa.com/splisting/viewSPDetail.do?coName=PayPal

security• freedom from care, anxiety, or doubt; well-

founded confidence.

• something that secures or makes safe; protection; defense

job• a piece of work, especially a specific task done as part of the

routine of one's occupation or for an agreed price

• anything a person is expected or obliged to do;

duty; responsibilityhttp://www.dictionary.com

“…is security everyone's job?”

@ http://xkcd.com used with permission under Creative commons License

Cyber Attacks have no boundaries

http://www.digitalattackmap.com

7source: http://www.unisyssecurityindex.com/

So…"is it everyone's job...really?!"uh, yes!!! duh...

internal

> code deployment is now near-instantaneous

> "DevOps" = “welcome flood of privileged users!”

> time to market pressures for feature / function

> insider threats are an increasing concern

> much of IT stinks at basic hygiene

external

> cost of attack to hackers continues to drop significantly

> scale of loss and impact to business increases

dramatically

> bad guys don't have to play by the rules

> surface area : tools at scale disproportionate

Three Lines of DefenseResource request focused from the 2nd line on the performance of the 1st line

Line of Business1st Line of Defense Day-to-day Risk Management

Infosec & Tech Risk Mgmt., Tech Compliance, Engagement etc.2nd Line of Defense Risk Oversight

Internal Audit3rd Line of Defense Independent Assurance

guiding principles...

security must ENABLE the business

be as seamless & transparent as possible

treat credentials as highly valuable ASSETS

least privileged for all data access

data & information protection is in our DNA

classification and encryption are about way more than compliance

working tenants

compliant≠

secure

don't write & talk security speak just to sound cool

how about a neighborhood block watch, you got my back?

people lose stuff, let's plan accordingly!

secure is nota permanent

assess what you hope to never detect

inspect what you expect

Since security IS everyone's job...let's

share:

debate… decide…deliver

secure

Reproduced under rights by Twentieth Century-Foxhttps://archive.org/details/ItsEvery1945

For more information, please contact:

Brian Johnsonjohnsonbri@paypal.com

information security - is it everyone's job?

security everyones job

security freedom

talk security

security iseveryones

data information protection

s jodb

brian johnson

Documents

everyone's games

how to make sustainability everyone's job?

everyone's a mechanic

job security is possible

job security and job satisfaction as determinants of

everyone's treasure chest

why customer service is everyone's job

everyone's...everyone's aka everyone's: for train, tram,...

education for everyone's needs

ict security is everyone's business

espionage indicators updated 08/21/13 u.s. department of...

web accessibility is everyone's job

job security health

everyone's creative

everyone's smithsonian

tenure, job security, academic freedom, freedom … tenure,...

everyone's blogging

cyber-security - everyone's...

everyone's a winner

the perverse effects of job-security provisions on job...