1 Influencing the Future of Security in Your Organization
Pamela Fusco, CISSP, CISM, CPP
Executive Vice President, Security Strategy & Solutions
2 Effective Security Program Approach
Program framework components:
Business Drivers
Governance, Policies and Standards
Asset Profile
Technical Security Architecture
Processes and Operational Practices
People & Organizational Management
Technology Specifications
Security Program Compliance and Reporting
3 Influencing the Future of Security in Your Organization
Identify and validate the existing security program in support of building an enterprise-wide Security & Risk Management Program
Interview stakeholders and business leaders
Review previous assessments, reports, and current and planned IS architectures and initiatives
Enlist a phased approach
Define tactical and strategic objectives
BORING!!
4 State The Obvious And Back It Up With Reality
Unknowingly accepting risk levels far beyond the organization's risk tolerance
Gaps in InfoSec capabilities have clear business impact
Underinvestment results in unacceptable risk tolerance
Security must become an enabler for business strategies: current! strategy! innovation; have fun!
Launch a comprehensive InfoSec program that meets the needs of today but looks to meet the future
Business and IS leaders must own taking security to the next level
5 Unknowingly Accepting Risk
Maturity scale (strongest to weakest):
Documented, consistent enterprise-wide controls, strong controls
Documented processes, generally performed consistently, evolving controls
Ad-hoc processes, performed inconsistently, minimal controls
Gaps identified across the program framework (Business Drivers; Governance, Policies and Standards; Asset Profile; Technical Security Architecture & Strategy; Processes and Operational Practices; People & Organizational Management; Technology Specifications; Security Program Compliance and Reporting):
Accepted security risk inconsistent with risk culture
Security program does not adequately support business strategies
Informal security governance
No accountability; limited business awareness of Information Security
Lack of comprehensive asset inventory & classification/management
Inconsistent security posture throughout the enterprise
Inconsistent repeatable practices or security controls
Ineffective vulnerability / patch management
Infrastructure security configuration standards at times undefined and not supporting the enterprise
Lack of security influence for the SDLC
Information security significantly understaffed
Lack of security culture & governance model
No consequences for noncompliance
Lack of metrics and reporting; unable to show progress
6 Gaps In Infosec Capabilities Have A Clear Impact: Meet The Needs Of Today But Seek To Meet The Future
Understanding compliance requirements
Meet with stakeholders: listen to their requests
Know your audience (terminology); speak at their level
Knowledge vs. understanding
Delete vs. Deleted
Stacks and racks full of laptops, desktops and servers
Ask for volunteers; organize a sampling of users for a pilot group (POC). This fosters a sense of participation and encourages acceptance
Internal users / External users
How many of you know someone who knows someone who knows how to write
Test, evaluate and validate
Document the experience
7 An Infosec Program That Meets The Needs Of Today But Strives To Meet The Future
InfoWorld (Symantec): 93% of bots and "issues" are unknowingly generated via consumers (i.e. the home users)
As more consumer communications and devices enter corporate enterprises, security professionals need to consider the risks: IM, Gmail, iPhones, etc.
Working from home, often using home networks that have been configured by home users
Employees are consumers and as such use the technologies in the office (approved or not)
Simultaneously, employers adopt consumer products to be used for business (USBs, smartphones, etc.)
Prohibiting/blocking consumer activities is not a long-term viable solution (i.e. cell phones w/cameras, etc.)
Mobile devices bypass traditional vectors
Cross-site scripting, SQL injection; power users' access to upload scripts
8 No! No Way! Not Happening! Not the answer to gaining support
Implementing low-$$ technology controls and practices will enable people, process and technology to function, reduce the risks of data loss and increase interoperability:
Deploy AUP & content monitoring, SSL VPNs
Disable port tunneling of unmanaged systems
Restrict download volumes or attachments
Robust and early-adopter solutions: NAC, DRM or VM (laptops)
9 Who Is Making $ And Who Is Losing $
CyberCrime is a billion-$ business
Bot-herders, fraudsters and exploit writers are all making lots of money
"Super Trojan" selling on the net: $600
Address lists and log-in details for sites (offer discounts): 1-10 accounts, $5 per account; discounted rate $4.50 each, and 50+ at $3.50 each
Hacked root server: $100 to $150
Hosting services for a financial scam: $20 per day, or $80 per week
15,000 addresses, all verified as genuine, on sale for $1,500
10 Underinvestment Results In Unacceptable Risk Tolerance
Security spending as a percentage of IT budget (estimates):
Low risk tolerance: 12% to 18% of IT budgets
Medium risk tolerance: 6% to 12% of IT budgets
High risk tolerance: 1% to 6% of IT budgets
[Chart: security spending (0% to 25% of IT budget) plotted against risk tolerance (1 = low, 10 = high) for a stock exchange, a global bank, a regional telco, a brake-liner manufacturer and "Our Co."]
Speaker notes: Baseline should increase to 6-12 in the near term; swing up in scale (13-18) to get in alignment. Explain that Gartner looks at what they spend on information security, then relates it to what people 'typically' spend based on risk tolerance. Based on Merck's spend they are more closely aligned w/ a company in manufacturing. Pfizer and J&J moving into the blue; the number is probably in the 6-12% range, the near-term target.
Source: The Gartner Group
11 Take 1 Down And Pass It Around Approach
Need metrics and reporting: "hard numbers" supporting the business
Benchmarking: compare to peers and competitors
Transactions have been growing at X rate over X time
Monitoring & managing the InfoSec program
Compliance & oversight
Too many projects, too much data
Standards & common builds
Making your own pizza can be more expensive than calling for a delivery
12 Introducing Security Changes
Change brings more change
Set the expectations
Don't drink from the fire hose
Value propositions
There are risks, known and unknown
Try not to overshoot or over-commit
Admit shortcomings
Change brings errors and mistakes
Change brings frustration, stress and finger-pointing
Change is usually viewed as negative before, during and after, due to fear of the unknown
Explain why, and define the expected end state and outcomes
Be positive
Involve & collaborate
Participate, or accept the end result
Celebrate successes and failures; communicate milestones
13 Keeping Current
Launch a comprehensive InfoSec program that meets the needs of today but looks to meet the future
14 Look Forward
Reminders from our recent past and imminent future, their impact and possible implications:
Digital Music => Copyright => Music Industry Sales?
Telecommunications => Offshore Outsourcing => Local White Collar Work?
Voice over IP => Personal Communications => Phone Companies?
RFID => Inventory Costs => Privacy & Security?
Flat Screen TVs => Redesign of living space => Furniture Sales?
15 Where Do You Want Your Organization To Be In 5 Yrs
Security Principles:
Security is a business issue: to protect the company and enable the business strategies
Access is based on need: the right people have the right access to the right information at the right time
Mitigation cost aligned with risk
A layered approach required for protection
Consequences for non-compliance
Vision:
Strategic planning enables information access and business integration, risk reduction, regulatory compliance and innovation
Migration from reactive to proactive to predictive
Security is people, process and technology
Target state by framework area (Business Drivers; Governance, Policies and Standards; Asset Profile; Technical Security Architecture; Processes and Operational Practices; Technology Specifications; People & Organizational Management; Security Program Compliance and Reporting):
Compliance program reports on conformance to security standards, monitors metrics and key performance indicators, and reports on the value and effectiveness of the security program
Executive management provides direction
Stakeholders co-develop and share accountability for policies and standards
Technology, physical and information assets are inventoried and classified
Standards maintained with evolving technology and risks
Systems configured according to developed standards
Security enables business integration, risk reduction and regulatory compliance
Security organization has enterprise reach
Roles and responsibilities for information security clearly defined across the business and IS
Consistent security processes defined and managed enterprise-wide
Results are measurable and predictable
Consistent security architectures implemented for access models and layered defense-in-depth enable: partner integration, application deployment, managed access, incident prevention/containment
FishNet Security offers each customer: our commitment to provide, our ability to leverage, the relationships we cultivate, our comprehensive portfolio, our reputation...
16 Launching a Comprehensive Information Security Program
Core Information Security Initiatives:
Organization and Communication
Governance and Policy
Incident Response & SOC
Threat and Vulnerability Management
Risk Mitigation
Information Security Integration
Timeline markers: April '07, Dec '07, Dec '08, Dec '09, Dec '10
17 My Profound Visual Experience
No reported incidents or disclosure: "How do you know?"
Patches for everything
Mountains of logs
Data / information owners ("Who are you?")
Key aspects of a holistic, sustainable, realistic and reliable compliance and security strategy:
P-I-T assessments may provide a false sense of security
Measurable controls
18 Security Must Become An Enabler For Business Strategy and Innovation: Have Fun!
M&A and R&D: provide external partners with access to what they need without exposing to them assets that they should not access
Plug and play in conference rooms
Invest in innovation
Catching the baseball: you don't go to where it is now, but to where it will be when you finally get there
Where do you want your organization to be in X years? Where will the industry be in X years? (i.e. testing and evaluation of biometrics)
Partner with vendors
Attend external events and participate in beta programs
Knowledge transfer
Focusing on a single tool or methodology rarely exposes the big picture; implement solutions
Innovation relies on the "human element"
Understanding the culture
Early adopters vs. good followers
Custom vs. open source vs. vendors
19 What Does The Future Hold
No by-way on the Internet hi-way without identification
RFID & lots of satellite and GPS
Legally binding digital signatures (bye-bye Mont Blanc)
IM conversations may seem as casual as phone conversations, but they must be treated as formal correspondence and, like , the communications must be captured and stored
Anything and everything considered to be a mobile computing information mechanism: vehicles, baby monitors, jewelry
Streamlined data architectures and storage systems with built-in intelligence to enforce the policies and procedures & manage data
More regulation, legal actions
Less paperwork
Impact on IT (speaker notes): With new data retention policies, SOX necessitated the storage of more records and caused most corporations to re-evaluate their storage management systems. Any and all electronic records are subject to SOX requirements, including and Instant Messaging (IM) files. While IM conversations may seem as casual as phone conversations, they must be treated as formal correspondence and, like , the communications must be captured and stored. The new regulations stipulate the use of data storage technology that cannot be overwritten or altered in any fashion. Essentially, the rules call for WORM (write-once/read-many) devices, and companies that don't already will have to integrate their on-line disk storage with the WORM media. Different types of records will have different storage and retrieval requirements, and no matter how or where the records are stored, a company must also demonstrate their authenticity and maintain an audit trail of any revisions. At the end of the SOX-mandated data life cycle, records also must be quickly and completely destroyed. To meet these requirements, IT buyers are looking for data architectures and storage systems with built-in intelligence to not only enforce the new policies and procedures but also manage the data in a way that continues to meet their business needs.
While some corporations are able to implement their SOX-compliant data architectures without dramatically increasing the cost of maintaining their data, the impact on storage expenditures will be ongoing.
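The speaker notes above state three requirements for retained records: they cannot be overwritten or altered, their authenticity must be demonstrable, and every revision must leave an audit trail. The following Python example is added here and is not from the presentation or FishNet Security; it shows one software-side way to meet the authenticity and audit-trail requirements with a hash-chained, append-only record store. Revisions are appended as new records that reference the original's sequence number rather than editing in place, and verification walks the chain so that any in-place change is detected at the first affected record. The IM lines and the AppendOnlyLog/Record names are constructed for this example.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Record:
    seq: int          # position in the log, assigned at append time
    payload: str      # the retained content (e.g. a captured IM line)
    prev_hash: str    # digest of the preceding record (chain link)
    digest: str       # SHA-256 over seq, payload and prev_hash


class AppendOnlyLog:
    """Hash-chained, append-only record store (constructed example).

    Each record's digest covers its own sequence number and payload plus the
    previous record's digest, so overwriting, reordering or deleting any record
    breaks the chain from that point on and is caught by verify().
    """

    GENESIS = "0" * 64  # prev_hash of the very first record

    def __init__(self):
        self._records = []

    @staticmethod
    def _digest(seq, payload, prev_hash):
        material = json.dumps(
            {"seq": seq, "payload": payload, "prev": prev_hash}, sort_keys=True
        )
        return hashlib.sha256(material.encode("utf-8")).hexdigest()

    def append(self, payload):
        """Append a new record and return its digest."""
        prev = self._records[-1].digest if self._records else self.GENESIS
        seq = len(self._records)
        rec = Record(seq, payload, prev, self._digest(seq, payload, prev))
        self._records.append(rec)
        return rec.digest

    def revise(self, seq, new_payload):
        """Record a revision of record `seq` as a new record (WORM semantics):
        the original stays in place, and the audit trail shows what changed."""
        return self.append(json.dumps({"revises": seq, "payload": new_payload}))

    def records(self):
        return list(self._records)

    def verify(self):
        """Return (ok, first_bad_seq): ok is True when every record's digest and
        chain link recompute correctly; otherwise first_bad_seq names the first
        record where the chain breaks."""
        prev = self.GENESIS
        for i, rec in enumerate(self._records):
            expected = self._digest(rec.seq, rec.payload, rec.prev_hash)
            if rec.seq != i or rec.prev_hash != prev or rec.digest != expected:
                return False, i
            prev = rec.digest
        return True, None


def tamper_demo():
    """Constructed scenario: two captured IM lines, one proper revision, then a
    simulated in-place overwrite of record 1. Returns the verify() results
    before and after the overwrite."""
    log = AppendOnlyLog()
    log.append("IM 2007-04-02 alice->bob: ship the Q1 report today")
    log.append("IM 2007-04-02 bob->alice: done, sent at 15:10")
    log.revise(1, "IM 2007-04-02 bob->alice: done, sent at 15:12")
    before = log.verify()                      # (True, None)
    # Simulate a storage-layer overwrite that bypasses append()/revise().
    log._records[1].payload = "IM 2007-04-02 bob->alice: never sent"
    after = log.verify()                       # (False, 1)
    return before, after


if __name__ == "__main__":
    print(tamper_demo())
```

Hash chaining gives tamper evidence, not tamper resistance: someone with write access to the whole store can rewrite every record and recompute the chain. That is why the notes call for WORM media; the complementary software control is to anchor the latest digest somewhere the storage administrator cannot alter (a signed timestamp, a second system, or printed in a periodic report), so that a rewritten chain no longer matches the anchor.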
20 In Summary
Starts at the top but must be adopted at all levels of the organization
Create a "culture of compliance and risk thought"
"People" and "behavior" are the key ingredients
"Process" promotes reliability and repeatability
Use facts and data to measure progress
Best results occur when it's part of annual performance and business objectives
Security professionals can leverage numerous consortiums for advice and guidance: ISSA, ISACA, CISSP, ASIS, CERT, CMU CyLab, vendors