Level: Low Tech


Like in the memorable Matrix scene, we the CISOs and security leaders have to realize that our goal is not to bend organizations out of shape. There is no “organizational spoon” inherently resisting security changes. Instead, it is us who have to be flexible and adaptable, to be able to run our security programs in sync with the business goals – and in fact, “become one” with the business goals.

In this presentation, we’ll discuss the steps on the path to this “enlightenment”, how to strengthen the relationship with the business, and how to bring the “good message” to Management. We’ll cover topics such as structuring a Security Program, and creating metrics frameworks for measuring – and proving – the effectiveness of your Security Program. We’ll talk about leveraging Threat Modeling as a conduit for a dialogue with the Business, about shaping a Security budget, but also about the subtle art of giving a frack and learning how to establish networks of support with your peers in the organization. Ultimately, we’re advocating for the paradigm change that Security is not an IT function, but a Business function.

The talk is targeted not only at CISOs and Security managers, but it’s also equally relevant to those who are just starting in Infosec, to give them a new, more rounded, perspective on the field, and thus hopefully make them more successful.

But if you’re yawning by now and your eyes are glazing over, fear not! The talk will be generously peppered with movie memes and catchy metaphors. The narrative will be structured as Neo’s evolution in the Matrix trilogy – with one of the underlying themes being, just like in the movies, the transition from the “us vs. them” into just “us”.


Currently working as Director for Security Advisory Services Europe at Wolters Kluwer, Sebastian Avarvarei has been in IT and Security for over 20 years, covering a multitude of roles ranging from Security Architect and Consultant, to Software Developer and Security Auditor, giving him a unique multi-faceted view on today’s Security challenges. He has led multiple security improvement programs, performed security governance assessments and designed the security architecture for a wide variety of environments – while continuously asking himself “Hmm, I wonder if we could do this in another way?”
