information security

© 2014 PayPal Inc. All rights reserved. Confidential and proprietary.

Information Security: "is it everyone's job...really?!"Arizona Technology Summit 2014

Brian Johnson, BISO

PayPal – September 17, 2014

26

CURRENCIES SUPPORTED

152MACTIVE REGISTERED ACCOUNTS

203MARKETS OFFER PAYPAL

EUROPEAN UNIONEURO

AUSTRALIANDOLLAR

CANADIANDOLLAR

NEW ZEALANDDOLLAR

HUNGARIANFORINT

MALAYSIANRINGGIT

UNITED KINGDOMPOUNDS STERLING

HONG KONGDOLLAR

UNITED STATESDOLLAR

TAIWANNEW DOLLAR

CHINESERMB

SWEDISHKRONA

SINGAPOREDOLLAR

PHILIPPINEPESO

BRAZILIANREAL

RUSSIANRUBLE

NORWEGIANKRONE

JAPANESEYEN

MEXICANPESO

TURKISHLIRA

SWISSFRANC

CZECHKORUNA

ISRAELINEW SHEKEL

DANISHKRONE

THAIBAHT

POLISHZLOTY

152MACTIVE

ACCOUNTS1

$7,001 IN PAYMENTS PROCESSEDEVERY SECOND 2

9.3M PAYMENTS PROCESSEDEVERY DAY 3 +6M NEW ACTIVE

ACCOUNTS 1

1. Active Registered Accounts: All registered accounts that successfully sent or received at least one payment or payment reversal through our PayPal payments networks, including Bill Me Later and Venmo, and excluding users of Braintree’s unbranded payment checkout solutions, within the last 12 months and which are currently able to transact., 2. Total Payment Volume: Total dollar volume of payments, net of payment reversals, successfully completed through our PayPal payments networks, including Bill Me Later, Venmo, and payments processed through Braintree’s full stack payments platform during the period; excludes payments sent or received through PayPal and Braintree’s payment gateway businesses. 3. Net Total Number of Payments: Total number of payments, net of payment reversals, successfully completed through our PayPal payments networks, including Bill Me Later, Venmo, and payments processed through Braintree’s full stack payments platform during the period; excludes payments sent or received through PayPal and Braintree’s payment gateway businesses.Htt

ps://www.paypal-media.com/assets/pdf/fact_sheet/PayPal_Q2_2014_FastFacts_Final.pdf

Q2 2014 Financial Metrics

$1 .95B

PAYPAL REVENUES20% YOY

TPV2

29% YOY

$55B

https://www.paypal-media.com/assets/pdf/fact_sheet/PayPal_Q2_2014_FastFacts_Final.pdf





Compliant with PCI-DSS 2.0 StandardsCompliant with local country regulations

4

Compliance Statement: http://www.visa.com/splisting/viewSPDetail.do?coName=PayPal

5© 2014 PayPal Inc. All rights reserved. Confidential and proprietary.

security• freedom from care, anxiety, or doubt; well-

founded confidence.

• something that secures or makes safe; protection; defense

job• a piece of work, especially a specific task done as part of the

routine of one's occupation or for an agreed price

• anything a person is expected or obliged to do;

duty; responsibilityhttp://www.dictionary.com

“…is security everyone's job?”


6

@ http://xkcd.com used with permission under Creative commons License

Cyber Attacks have no boundaries

http://www.digitalattackmap.com

http://www.digitalattackmap.com/


7source: http://www.unisyssecurityindex.com/


8

So…"is it everyone's job...really?!"uh, yes!!! duh...


9

internal

> code deployment is now near-instantaneous

> "DevOps" = “welcome flood of privileged users!”

> time to market pressures for feature / function

> insider threats are an increasing concern

> much of IT stinks at basic hygiene


10

external

> cost of attack to hackers continues to drop significantly

> scale of loss and impact to business increases

dramatically

> bad guys don't have to play by the rules

> surface area : tools at scale disproportionate

Three Lines of DefenseResource request focused from the 2nd line on the performance of the 1st line

Line of Business1st Line of Defense Day-to-day Risk Management

Infosec & Tech Risk Mgmt., Tech Compliance, Engagement etc.2nd Line of Defense Risk Oversight

Internal Audit3rd Line of Defense Independent Assurance


11


12

guiding principles...


13

security must ENABLE the business


14

be as seamless & transparent as possible


15

treat credentials as highly valuable ASSETS


16

least privileged for all data access


17

data & information protection is in our DNA


18

classification and encryption are about way more than compliance


19

working tenants


20

compliant≠

secure


21

don't write & talk security speak just to sound cool


22

how about a neighborhood block watch, you got my back?


23

people lose stuff, let's plan accordingly!


24

secure is nota permanent

state


25

assess what you hope to never detect


26

inspect what you expect


27

Since security IS everyone's job...let's

share:


28

debate… decide…deliver

secure


29

Reproduced under rights by Twentieth Century-Foxhttps://archive.org/details/ItsEvery1945


For more information, please contact:

Brian [email protected]

information security - is it everyone's job?

Documents

security everyones job

security freedom

talk security

security iseveryones

data information protection

s jodb

brian johnson