PAMELA FUSCO, CISSP, CISM, CPP
Executive Vice President, Security Strategy & Solutions
Influencing the Future of Security in Your Organization
Effective Security Program Approach

Security Program components:
- Compliance and Reporting
- Governance, Policies and Standards
- Asset Profile
- Technology Specifications
- People & Organizational Management
- Technical Security Architecture
- Processes and Operational Practices
- Business Drivers
Influencing the Future of Security in Your Organization

- Identify and validate the existing security program in support of building an enterprise-wide Security & Risk Management Program
- Interview stakeholders and business leaders
- Review previous assessments, reports, and current and planned IS architectures and initiatives
- Enlist a phased approach
- Define tactical and strategic objectives

BORING!!
State The Obvious And Back It Up With Reality

- Unknowingly accepting risk levels far beyond the organization's risk tolerance
- Gaps in InfoSec capabilities have clear business impact
- Underinvestment results in unacceptable risk tolerance
- Security must become an enabler for business strategies - Current! Strategy! Innovation - have fun!
- Launch a comprehensive InfoSec program that meets the needs of today but looks to meet the future
- Business and IS leaders must own taking security to the next level
Unknowingly Accepting Risk

Security Program areas assessed: Compliance and Reporting; Governance, Policies and Standards; Asset Profile; Technology Specifications; People & Organizational Management; Technical Security Architecture & Strategy; Processes and Operational Practices; Business Drivers

Maturity scale used for each area:
- Documented, consistent enterprise-wide controls, strong controls
- Documented processes, generally performed consistently, evolving controls
- Ad-hoc processes, performed inconsistently, minimal controls

Findings:
- Informal security governance
- Inconsistent security posture throughout the enterprise
- Ineffective vulnerability / patch management
- Lack of security influence for the SDLC
- Accepted security risk inconsistent with risk culture
- No accountability; limited business awareness of information security
- Lack of comprehensive asset inventory & classification/management
- Inconsistent repeatable practices or security controls
- Infrastructure security configuration standards at times undefined and not supporting the enterprise
- Information security significantly understaffed
- Lack of security culture & governance model
- Lack of metrics and reporting; unable to show progress
- No consequences for noncompliance
- Security program does not adequately support business strategies
Gaps In Infosec Capabilities Have A Clear Impact: Meet The Needs Of Today But Seek To Meet The Future

- Understanding compliance requirements
- Meet with stakeholders: listen to their requests
- Know your audience (terminology): speak at their level
- Knowledge vs. understanding
- Delete vs. Deleted
- Stacks and racks full of laptops, desktops and servers
- Ask for volunteers; organize a sampling of users for a pilot group (POC) - fosters a sense of participation and encourages acceptance
  - Internal users
  - External users
- How many of you know someone who knows someone who knows how to write
- Test, evaluate and validate
- Document the experience
An Infosec Program That Meets The Needs Of Today But Strives To Meet The Future

- InfoWorld (Symantec): 93% of bots and "issues" are unknowingly generated via consumers (i.e. the home users)
- As more consumer communications and devices enter the corporate enterprise, security professionals need to consider the risks: IM, Gmail, iPhones, etc.
- Working from home, often using home networks that have been configured by home users
- Employees are consumers and as such use the technologies in the office (approved or not)
- Simultaneously, employers adopt consumer products to be used for business (USBs, smartphones, etc.)
- Prohibiting or blocking consumer activities is not a long-term viable solution (i.e. cell phones with cameras, etc.)
- Mobile devices bypass traditional vectors
No! No Way! Not Happening!

- Not the answer to gaining support
- Implementing low-cost technology controls and practices will enable people, process and technology to function, will reduce the risks of data loss and will increase interoperability:
  - Deploy AUP & content monitoring, SSL VPNs
  - Disable port tunneling of unmanaged systems
  - Restrict download volumes or attachments
- Robust and early-adopter solutions: NAC, DRM or VM (laptops)
Who Is Making $ And Who Is Losing $

- Cybercrime is a billion-$ business
- Bot-herders, fraudsters and exploit writers are all making lots of money
- "Super Trojan" selling on the net: $600
- Address lists and log-in details for sites (offer discounts): 1-10 accounts, $5 per account; discounted rates: accounts $4.50 each, and 50+ accounts $3.50 each
- Hacked root server: $100 to $150
- Hosting services for a financial scam: $20 per day, or $80 per week
- 15,000 addresses, all verified as genuine, on sale for $1,500
Underinvestment Results In Unacceptable Risk Tolerance

[Chart: Security spending as a percentage of IT budget (estimates), 0% to 25%, plotted against risk tolerance from low to high. Example organizations placed on the chart: Global bank, Stock exchange, Regional telco, Brake-liner manufacturer, and "Our Co."]

- Low risk tolerance: 12% to 18% of IT budgets
- Medium risk tolerance: 6% to 12% of IT budgets
- High risk tolerance: 1% to 6% of IT budgets

Source: The Gartner Group
Take 1 Down And Pass It Around Approach

- Need metrics and reporting: "hard numbers" supporting the business
- Benchmarking: compare to peers and competitors
- Transactions have been growing at X rate over X time
- Monitoring & managing the InfoSec program
- Compliance & oversight
- Too many projects, too much data
- Standards & common builds
- Making your own pizza can be more expensive than calling for a delivery
Introducing Security Changes: Change brings more change

- Set the expectations
- Don't drink from the fire hose
- Value propositions
- There are risks - known and unknown
- Try not to overshoot or over-commit
- Admit shortcomings
- Change brings errors and mistakes
- Change brings frustration, stress and finger pointing
- Change is usually viewed as negative before, during and after due to fear of the unknown
- Explain why, and define the expected end state and outcomes
- Be positive
- Involve & collaborate
- Participate or accept the end result
- Celebrate successes and failures; communicate milestones
Look Forward

Reminders from our recent past and imminent future, their impact and possible implications:
- Digital Music => Copyright => Music Industry Sales?
- Telecommunications => Offshore Outsourcing => Local White Collar Work?
- Voice over IP => Personal Communications => Phone Companies?
- RFID => Inventory Costs => Privacy & Security?
- Flat Screen TVs => Redesign of living space => Furniture Sales?
Where Do You Want Your Organization To Be In 5 Yrs

Security Principles:
- Security is a business issue: protect the company and enable the business strategies
- Access is based on need: the right people have the right access to the right information at the right time
- Mitigation cost aligned with risk
- A layered approach is required for protection
- Consequences for non-compliance

Vision:
- Strategic planning enables information access and business integration, risk reduction, regulatory compliance, and innovation
- Migration from reactive to proactive to predictive
- Security is people, process, technology

Target state of the Security Program, by area:
- Compliance and Reporting: compliance program reports on conformance to security standards, monitors metrics and key performance indicators, and reports on the value and effectiveness of the security program
- Governance, Policies and Standards: executive management provides direction; stakeholders co-develop and share accountability for policies and standards
- Asset Profile (technology, physical, information): assets and information are inventoried and classified
- Technology Specifications: standards maintained with evolving technology and risks; systems configured according to developed standards
- Business Drivers: security enables business integration, risk reduction and regulatory compliance
- People & Organizational Management: security organization has enterprise reach; roles and responsibilities for information security clearly defined across the business and IS
- Processes and Operational Practices: consistent security processes defined and managed enterprise-wide; results are measurable and predictable
- Technical Security Architecture: consistent security architectures implemented for access models and layered defense-in-depth enable partner integration, application deployment, managed access, and incident prevention/containment
Launching a Comprehensive Information Security Program

Core Information Security Initiatives:
- Organization and Communication
- Governance and Policy
- Incident Response & SOC
- Threat and Vulnerability Management
- Risk Mitigation
- Information Security Integration

Timeline milestones: April '07, Dec '07, Dec '08, Dec '09, Dec '10
My Profound Visual Experience

- No reported incidents or disclosure: "How do you know?"
- Patches for everything
- Mountains of logs
- Data / information owners ("Who are you?")
- Key aspects of a holistic, sustainable, realistic and reliable compliance and security strategy:
  - P-I-T (point-in-time) assessments may provide a false sense of security
  - Measurable controls
Security Must Become An Enabler For Business Strategy and Innovation - have Fun!

- M&A and R&D: provide external partners with access to what they need without exposing to them assets that they should not access
- Plug and play in conference rooms
- Invest in innovation
- Catching the baseball: you don't go to where it is now, but to where it will be when you finally get there
  - Where do you want your organization to be in X years?
  - Where will the industry be in X years?
  - i.e. testing and evaluation of biometrics
- Partner with vendors
- Attend external events and participate in beta programs
- Knowledge transfer
- Focusing on a single tool or methodology rarely exposes the big picture; implement solutions
- Innovation relies on the "human element"
  - Understanding the culture
  - Early adopters vs. good followers
  - Custom vs. open source vs. vendors
What Does The Future Hold

- No by-way on the Internet hi-way without identification
- RFID & lots of satellite and GPS
- Legally binding digital signatures (bye-bye Mont Blanc)
- IM conversations may seem as casual as phone conversations; they must be treated as formal correspondence and, like , the communications must be captured and stored
- Anything and everything considered to be a mobile computing information mechanism: vehicles, baby monitors, jewelry
- Streamlined data architectures and storage systems with built-in intelligence to enforce the policies and procedures & manage data
- More regulation, legal actions
- Less paperwork
In Summary

- Starts at the top but must be adopted at all levels of the organization
- Create a "culture of compliance and risk thought"
- "People" and "behavior" are the key ingredients
- "Process" promotes reliability and repeatability
- Use facts and data to measure progress
- Best results occur when it's part of annual performance and business objectives
- Security professionals can leverage numerous consortiums for advice and guidance: ISSA, ISACA, CISSP, ASIS, CERT, CMU CyLab, vendors