Abusing the Internet of Things

(Rick Simeone) #1

attack vectors often take time to improve on accuracy by consistently incorporating feedback and new research.

On the other hand, the marketability and the importance of the chief information security officer (CISO) role at corporations around the world is at an all-time high. Companies are worried about a spectrum of threat agents who may be able to exploit vulnerabilities to cause them financial and reputational harm. Executives who are able to fill the role of the CISO to guard large and complex infrastructures are in high demand, with salaries exceeding $1 million.

This situation of high demand for and low availability of seasoned executives is leaving corporations at risk of investing money and effort on security tools that may not be effective. In this hypothetical scenario, we will take a look at how the emergence of the IoT, along with the lack of understanding of a comprehensive corporate security strategy, can leave an organization at risk.


There’s a Party at Ruby Skye


The RSA conference held in San Francisco every year is the biggest cybersecurity conference in the world. Besides the keynote lectures and speaking sessions, the conference is a great opportunity to network and socialize with security professionals.

John Smith, newly appointed vice president and CISO at Acme Inc., had been particularly looking forward to the conference. He had just started working at Acme Inc., where the board of directors had already approved hiring 30 new full-time employees to work under him. John was excited about his new role and wanted to share his excitement with his friends attending RSA.

Sam Cronin, executive director and head of sales at Plunk, was also excited about RSA. He had managed to successfully put a business case through to lease the entire dance floor at Ruby Skye, a popular nightclub in San Francisco. (During the RSA conference, vendors are known to rent out popular restaurants and bars to host free parties for conference attendees with the hope that some of the people attending will be impressed enough by these parties to convert to clients.)

Plunk made a popular tool used to capture and correlate large amounts of log data that can be analyzed to alert on anomalies to help identify suspicious events that may be related to an attack. Smith RSVP'd to the Plunk party invitation. He was familiar with the product and knew Ruby Skye would be a good time.

Smith showed up at Ruby Skye and flashed his RSA attendee badge at the entrance counter. The Plunk representative immediately noticed the Vice President title on the badge and whisked him to the VIP section, which included top-shelf beverages as well as access to a larger private area reserved for potential clients in executive roles.

Cronin introduced himself to Smith as the head of sales, and they struck up a conversation about the security of IoT devices. Smith also talked about his new job and how he was excited to have the chance to present to the board at Acme Inc. to ask for a higher operating


252 CHAPTER 9: TWO SCENARIOS—INTENTIONS AND OUTCOMES