
Influencing the Future of Security in Your Organization

Presentation transcript:

1 Influencing the Future of Security in Your Organization
PAMELA FUSCO CISSP, CISM, CPP Executive Vice President Security Strategy & Solutions

2 Effective Security Program Approach
- Business Drivers
- Governance, Policies and Standards
- Asset Profile
- Technical Security Architecture
- Processes and Operational Practices
- People & Organizational Management
- Technology Specifications
- Security Program Compliance and Reporting

3 Influencing the Future of Security in Your Organization
- Identify and validate the existing security program in support of building an enterprise-wide Security & Risk Management Program
- Interview stakeholders and business leaders
- Review previous assessments, reports, current and planned IS architectures and initiatives
- Enlist a phased approach
- Define tactical and strategic objectives
BORING!!

4 State The Obvious And Back It Up With Reality
- Unknowingly accepting risk levels far beyond the organization's risk tolerance
- Gaps in InfoSec capabilities have clear business impact
- Underinvestment results in unacceptable risk tolerance
- Security must become an enabler for business strategies - Current! Strategy! Innovation - have fun!
- Launch a comprehensive InfoSec program that meets the needs of today but looks to meet the future
- Business and IS leaders must own taking security to the next level

5 Unknowingly Accepting Risk
Maturity scale used on this slide:
- Documented, consistent enterprise-wide controls, strong controls
- Documented processes, generally performed consistently, evolving controls
- Ad-hoc processes, performed inconsistently, minimal controls

Gaps observed, by program area:
- Business Drivers: accepted security risk inconsistent with risk culture; security program does not adequately support business strategies
- Governance, Policies and Standards: informal security governance; no accountability; limited business awareness of Information Security
- Asset Profile: lack of comprehensive asset inventory & classification/management
- Technical Security Architecture & Strategy: inconsistent security posture throughout the enterprise; inconsistent repeatable practices or security controls
- Processes and Operational Practices: ineffective vulnerability / patch management; infrastructure security configuration standards at times undefined and not supporting the enterprise; lack of security influence on the SDLC
- People & Organizational Management: information security significantly understaffed; lack of security culture & governance model; no consequences for noncompliance
- Technology Specifications
- Security Program Compliance and Reporting: lack of metrics and reporting, unable to show progress

6 Gaps In InfoSec Capabilities Have A Clear Impact: Meet The Needs Of Today But Seek To Meet The Future
- Understanding compliance requirements
- Meet with stakeholders: listen to their requests
- Know your audience (terminology); speak at their level
- Knowledge vs. understanding
- Delete vs. Deleted
- Stacks and racks full of laptops, desktops and servers
- Ask for volunteers, organize a sampling of users for a pilot group (POC) - fosters a sense of participation and encourages acceptance
  - Internal users
  - External users
- How many of you know someone who knows someone who knows how to write
- Test, evaluate and validate
- Document the experience

7 An Infosec Program That Meets The Needs Of Today But Strives To Meet The Future
- InfoWorld (Symantec): 93% of bots and "issues" are unknowingly generated via consumers (i.e. the home users)
- As more consumer communications and devices enter the corporate enterprise, security professionals need to consider the risks: IM, Gmail, iPhones etc.
- Working from home, often using home networks that have been configured by home users
- Employees are consumers and as such use the technologies in the office (approved or not)
- Simultaneously, employers adopt consumer products to be used for business (USBs, smartphones etc.)
- Prohibiting or blocking consumer activities is not a long-term viable solution (e.g. cell phones with cameras)
- Mobile devices bypass traditional vectors
- Cross-Site Scripting, SQL Injection; power users with access to upload scripts

8 No! No Way! Not Happening! Not the answer to gaining support
Implementing low-$$ technology controls and practices will enable people, process and technology to function, will reduce the risks of data loss and will increase interoperability:
- Deploy AUP & content monitoring, SSL VPNs
- Disable port tunneling of unmanaged systems
- Restrict download volumes or attachments
- Robust and early-adopter solutions: NAC, DRM or VM (laptops)

9 Who Is Making $ And Who Is Losing $
- Cybercrime is a billion-$ business
- Bot-herders, fraudsters and exploit writers are all making lots of money
- "Super Trojan" selling on the net: $600
- Address lists and log-in details for sites (offer discounts): 1-10 accounts, $5 per account; discounted rates, accounts $4.50 each, and 50+ at $3.50 each
- Hacked root server: $100 to $150
- Hosting services for a financial scam: $20 per day, or $80 per week
- 15,000 addresses, all verified as genuine, on sale for $1,500

10 Underinvestment Results In Unacceptable Risk Tolerance
Security spending as a percentage of IT budget (estimates):
- Low risk tolerance: 12% to 18% of IT budgets
- Medium risk tolerance: 6% to 12% of IT budgets
- High risk tolerance: 1% to 6% of IT budgets

[Chart: security spending as percentage of IT budget (0% to 25%) plotted against risk tolerance (Low to High); organizations plotted: Stock exchange, Our Co., Regional Telco, Global bank, Brake-liner manufacturer. Source: The Gartner Group]

Speaker notes:
- Baseline should increase to 6-12% in the near term, then swing up in scale (13-18%) to get in alignment
- Explain that Gartner looks at what they spend on information security, then relates it to what people 'typically' spend based on risk tolerance
- Based on Merck's spend, they are more closely aligned with a company in manufacturing
- Pfizer and J&J moving into the blue; number is probably in the 6-12% range, the near-term target

11 Take 1 Down And Pass It Around Approach
- Need metrics and reporting: "hard numbers" supporting the business
- Benchmarking: compare to peers and competitors
- Transactions have been growing at X rate over X time
- Monitoring & managing InfoSec program compliance & oversight
- Too many projects, too much data
- Standards & common builds
- Making your own pizza can be more expensive than calling for a delivery

12 Introducing Security Changes:
- Change brings more change
- Set the expectations; don't drink from the fire hose
- Value propositions
- There are risks, known and unknown
- Try not to overshoot or over-commit; admit shortcomings
- Change brings errors and mistakes
- Change brings frustration, stress and finger pointing
- Change is usually viewed as negative before, during and after, due to fear of the unknown
- Explain why, and define the expected end state and outcomes
- Be positive
- Involve & collaborate: participate or accept the end result
- Celebrate successes and failures; communicate milestones

13 Keeping Current
Launch a comprehensive InfoSec program that meets the needs of today but looks to meet the future

14 Look Forward
Reminders from our recent past and imminent future, their impact and possible implications:
- Digital music => copyright => music industry sales?
- Telecommunications => offshore outsourcing => local white-collar work?
- Voice over IP => personal communications => phone companies?
- RFID => inventory costs => privacy & security?
- Flat-screen TVs => redesign of living space => furniture sales?

15 Where Do You Want Your Organization To Be In 5 Yrs
Security principles:
- Security is a business issue: protect the company and enable the business strategies
- Access is based on need: the right people have the right access to the right information at the right time
- Mitigation cost aligned with risk
- A layered approach is required for protection
- Consequences for non-compliance

Vision:
- Strategic planning enables information access and business integration, risk reduction, regulatory compliance and innovation
- Migration from reactive to proactive to predictive
- Security is people, process, technology

Target state, by program area:
- Business Drivers: security enables business integration, risk reduction and regulatory compliance
- Governance, Policies and Standards: executive management provides direction; stakeholders co-develop and share accountability for policies and standards
- Asset Profile: technology, physical and information assets and information are inventoried and classified
- Technical Security Architecture: consistent security architectures implemented for access models and layered defense-in-depth enable partner integration, application deployment, managed access and incident prevention/containment
- Processes and Operational Practices: consistent security processes defined and managed enterprise-wide; results are measurable and predictable
- Technology Specifications: standards maintained with evolving technology and risks; systems configured according to developed standards
- People & Organizational Management: security organization has enterprise reach; roles and responsibilities for information security clearly defined across the business and IS
- Security Program Compliance and Reporting: compliance program reports on conformance to security standards, monitors metrics and key performance indicators, and reports on the value and effectiveness of the security program

FishNet Security offers each customer: our commitment to provide, our ability to leverage, the relationships we cultivate, our comprehensive portfolio, our reputation...

16 Launching a Comprehensive Information Security Program
Core information security initiatives:
- Organization and Communication
- Governance and Policy
- Incident Response & SOC
- Threat and Vulnerability Management
- Risk Mitigation
- Information Security Integration
Timeline: April '07, Dec '07, Dec '08, Dec '09, Dec '10

17 My Profound Visual Experience
- No reported incidents or disclosure: "How do you know?"
- Patches for everything
- Mountains of logs
- Data/information owners ("Who are you?")
- Key aspects of a holistic, sustainable, realistic and reliable compliance and security strategy
- Point-in-time (P-I-T) assessments may provide a false sense of security
- Measurable controls

18 Security Must Become An Enabler For Business Strategy And Innovation - Have Fun!
- M&A and R&D: provide external partners with access to what they need without exposing to them assets that they should not access
- Plug and play in conference rooms
- Invest in innovation
- Catching the baseball: you don't go to where it is now, but to where it will be when you finally get there
- Where do you want your organization to be in X years? Where will the industry be in X years? (e.g. testing and evaluation of biometrics)
- Partner with vendors; attend external events and participate in beta programs; knowledge transfer
- Focusing on a single tool or methodology rarely exposes the big picture; implement solutions
- Innovation relies on the "human element": understanding the culture; early adopters vs. good followers; custom vs. open source vs. vendors

19 What Does The Future Hold
- No by-way on the Internet Hi-Way without identification
- RFID & lots of satellite and GPS
- Legally binding digital signatures (bye-bye Mont Blanc)
- IM conversations may seem as casual as phone conversations, but they must be treated as formal correspondence and, like , the communications must be captured and stored
- Anything and everything considered to be a mobile computing information mechanism: vehicles, baby monitors, jewelry
- Streamlined data architectures and storage systems with built-in intelligence to enforce the policies and procedures & manage data
- More regulation, legal actions
- Less paperwork

Impact on IT: with new data retention policies, SOX necessitated the storage of more records and caused most corporations to re-evaluate their storage management systems. Any and all electronic records are subject to SOX requirements, including and Instant Messaging (IM) files. While IM conversations may seem as casual as phone conversations, they must be treated as formal correspondence and, like , the communications must be captured and stored. The new regulations stipulate the use of data storage technology that cannot be overwritten or altered in any fashion. Essentially, the rules call for WORM (write-once/read-many) devices, and companies that don't already use them will have to integrate their on-line disk storage with the WORM media. Different types of records will have different storage and retrieval requirements, and no matter how or where the records are stored, a company must also demonstrate their authenticity and maintain an audit trail of any revisions. At the end of the SOX-mandated data life cycle, records also must be quickly and completely destroyed. To meet these requirements, IT buyers are looking for data architectures and storage systems with built-in intelligence to not only enforce the new policies and procedures but also manage the data in a way that continues to meet their business needs.
While some corporations are able to implement their SOX-compliant data architectures without dramatically increasing the cost of maintaining their data, the impact on storage expenditures will be ongoing.

20 In Summary
- Starts at the top but must be adopted at all levels of the organization
- Create a "culture of compliance and risk thought"
- "People" and "behavior" are the key ingredients
- "Process" promotes reliability and repeatability
- Use facts and data to measure progress
- Best results occur when it's part of annual performance and business objectives
- Security professionals can leverage numerous consortiums for advice and guidance: ISSA, ISACA, CISSP, ASIS, CERT, CMU CyLab, vendors
