Presentation on theme: "Security Governance 1." (presentation transcript)
0 Security Governance Best Practices and Trends in State Government

Workshop: Security Governance for the 21st Century Public Sector Enterprise
Bob Smock, CISSP, CISM, PMP
Vice President, Program Lead
Security and Risk Management, Public Sector
Gartner Consulting
Gartner Catalyst Conference
August 11-14, 2014
Manchester Grand Hyatt, San Diego, CA
Presenters: Bob Smock, Kim May
2 What is Governance?

A theoretical concept referring to the actions and processes by which stable practices and organizations arise and persist. The term conveys the administrative and process-oriented elements of governing. [Wikipedia]
A method or system of government or management; the exercise of authority and control. [Dictionary.com]
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly. [IT Governance Institute]

Security Governance exists to ensure that the Security Program adequately meets the strategic needs of the business. Security Management implements that Program. Security Operations executes the processes defined by that Program.
3 Two Immutable Truths

Most security program failures are not technology-related; failures are due to a lack of clear priorities, a lack of clear goals and objectives, and the lack of clear decision-making processes.
Security programs tend to be viewed as obstacles to business, not facilitators of business.

Gartner is seeing a growing trend in requests for governance assistance as enterprises attempt to migrate away from the traditional definition of strict IT security risk management that includes access control and vulnerability management. Security governance is beginning to take on the wider scope of business risk management that includes market protection and compliance.
Most security program failures are not technology-related. Failure is more likely to occur because of poor governance or poor management of the overall program or individual projects.
Many security programs lack clear priorities, goals and decision-making processes. As a result, they will likely suffer, or already suffer, from cost overruns, timeline slippages, or reputational damage.
The not-so-subtle transformation of the enterprise security model is being driven by today's highly competitive business climate with the emphasized need to contain costs, remove obstacles, and maintain a competitive edge.
A competitive edge comes with new technology — and new threats. And many times, security controls are viewed as obstacles TO business, not facilitators OF business.
4 Clients Speak

Hard and Crunchy: "This is not a democracy — personnel are expected to follow organizational security policies"
Soft and Chewy: "Trust but verify — approach to an open business culture"
Necessary Evil: "Security should not be a disruption to the business"
Important but Not Urgent: "We (security) may be boring, but we're predictably boring"
Game Philosopher: "Security is a game of inches — change does not happen overnight"
Auditor Antagonist: "Compliance is not equal to security"
Ostrich: "We trust IT to have good judgment"
5 Objectives of Security Governance

To coordinate and control protection within the enterprise commensurate with enterprise needs
To provide consistent management through the use of cohesive policies, processes, and decision rights
Establish balanced and effective control of key components of business and information operations
Create the internal business conditions that allow enterprise needs to be met
Migrate away from traditional security risk management toward business risk management
Transform approaches that simply meet security objectives into those that achieve business objectives

Clearly delivering the right balance of protection needed for the nature of the business risk is both important to do and hard to achieve.
The goal of security governance is to coordinate and control protection within the enterprise so as to make the overall security program effective and efficient for the enterprise needs.
Governance creates the internal business conditions that allow these needs to be met and balanced through effective control of key components of business and information operations.
Governance relates to consistent management and the use of cohesive policies, processes, and decision rights for a given area of responsibility.
There is a growing trend to migrate away from traditional security risk management toward business risk management.
Organizations need to transform approaches that simply meet security objectives into those that achieve business objectives.
6 Maturity of Security Governance

Identification and mitigation of infrastructure weaknesses
Security posture maintenance and residual risk management
Regular and periodic measurement and communication of operational risk
People, Process, & Technology commensurate with objectives
Systematic approach for integrating security protection and business processes
Direction setting and prioritization commensurate with appropriate funding & resources
Establishing a culture of security: upward, downward, outward
Position and reporting level with separation of governance and operations
Lifecycle Management: planning, deployment, operations, feedback
Environmental feedback and adjustment
Expected behavior with implementation standards and guidelines
7 What Do We Need To Do

Security Governance Goals
Organizational Structure
Rules and Rule Sources
The [Chief] Information Security Officer
Power and Influence
Supporting Functions and Groups
Funding
Assessment and Enforcement
Metrics and the Enterprise Security Control System
8 The Goals of Security Governance

Appropriate Examples for Goals
Meet due diligence, regulatory, and contractual requirements
Establish minimum standards for compliance
Respond to audit findings
Meet business needs for data integrity, availability, confidentiality, and accountability
Ensure ongoing utility of data and systems
React effectively to the business environment
Meet budget objectives, control costs, and manage mandatory compliance costs
Protect and manage the organization's reputation and constituent satisfaction
Protect customer data & intellectual property
Monitor adherence to code of conduct
Protect inside from outside and inside from inside

The Trends
Maturity of security governance varies due to program youth, size of the organization, and limited direct leadership
Security is viewed as a "business enabler" for organizations in highly regulated industries or with requirements to protect critical infrastructure
Organizations that have not experienced a recent intrusion or malware outbreak have reduced vigilance
Prevention of a data breach and potential fines for compliance failure motivates organizations
Near-term security plans are made on an annual basis
Failing to address strategic security planning which considers a 2 to 4 year horizon
Governance councils are important to formulate interactions between centralized and decentralized functions
9 Organizational Structure

Best Practices
The structure of the enterprise must be reflected in the structure of the security governance program
An independent structure for the security program is necessary to its function
Other enterprise governance councils provide a forum for security to provide input on risk
Mergers can result in cultures that need different approaches
Governance is about controlling organizational behavior; this is accomplished by applying change strategies to organizational structures

The Trends
Infosec overwhelmingly still belongs to IT
Leadership — At least one full time enterprise ISO; missing matrixed decentralized ISO
Reporting — More than one level removed from senior staff
Lack of separation between governance and operations
Staffing — Insufficient resources; security team size varies based on part-time functions, extent of operational involvement, and availability of necessary skills
Skills and certifications requirements growing but not always recognized
Lacking coordination — Operational managers should coordinate via a security leadership council

Infosec overwhelmingly still belongs to IT; some to legal, finance/comptroller, or compliance; corporate or physical security is separate from IT security; internal audit may coordinate with security on testing.
Security organizations are often matrixed with functions distributed to operational groups or business units.
There may be credibility issues with security managers not being at a senior level position.
Professional training should be specifically planned and funded to support skills and certifications.
Many business units have their own IT organizations and resources, including operational security teams.
Centralized security works with de-centralized resources to coordinate on programs and standards.
10 Rules and Rule Sources

Best Practices
Rules for governance come from regulatory and corporate drivers
They also come from industry standards for due diligence and appropriate behavior
Policies, standards, and processes are put in place to create the environment that fosters appropriate behavior
The overall governance process is rarely successful without a systematic application of a set of governance rules

The Trends
Failure to map controls to security objectives
Failure to establish a "minimum standard" or "best practices" approach to controls
Leverage NIST or other frameworks as a source for control standards
Failure to leverage frameworks such as ISO and ITIL as a program management benchmark for consistency
No security policies defined as strategic to the enterprise
Security policies not integrated with overall enterprise policies
Lacking comprehensive standards and guidelines to define acceptable implementations of policy

Data classification and protection, risk assessment and residual risk management, business continuity, identity and access management, incident response and vulnerability management, mobility and connectivity, audit, investigations.
Encryption, platform security, application security and software development, telecommunications, change management with assurance, authentication.
There are a variety of control frameworks in use with mapping of internal standards (often involving ISO or NIST).
11 The ISO

Best Practices
Exists to run the enterprise information protection function
Has visibility in senior oversight/governance councils, which often include executives and business leaders
The critical decision of where the function should be placed in the org hierarchy is directly related to how important information and security are to the business
The need for direct communication about key issues to top management should be seriously considered in placement
Rarely owns or leads senior management review of enterprise business risk
Uses a mix of relationship-based ad hoc contacts and regularly scheduled cross-organization committee meetings
The CISO should not be placed below other top management because of the need to mitigate insider threats at the highest levels of the enterprise and not be subject to undue internal political influence

The Trends
Rule of thumb: Successful security programs are run by strong characters; less successful programs flounder because of the weakness of the ISO; influence, not edict, is the key tool
Establish a security management framework; all feedback is assimilated into the framework
The Security Management Plan (SMP) — Describes the overall security program and provides foundational guidance
Generally not responsible for defining privacy policies, business continuity, and IT disaster recovery, but may be involved in execution
Typically provides baselines, templates or standards to leverage and build on

Responsible for representing IT and technology risk to senior business management; direct path for communicating risks to executives and to get insight on IT projects.
Should be at a level in the organization comparable to the CFO or chief counsel, but can reside at one level lower depending on the criticality of the function to the business.
Do your homework, identify executive concerns on security, accept the burden of dealing with them, and report results of security initiatives to build credibility.
Overall SOX compliance is under the CFO, but the CISO is generally responsible for IT SOX (Section 404).
A role to "influence and inform" business decision makers and build relationships with people that can influence change.
12 Funding

Best Practices
However, the funding influenced or indirectly controlled by security typically ranges from 5% to 10% of total IT expenditures
Funding includes personnel, operations and maintenance, and security-specific projects
About half of funding is for personnel
These numbers increase during program development, compliance efforts, and for high assurance situations
Much of the true cost of security is hidden due to accounting processes, indirect influence on business operations, mounting requirements, legal costs, etc.
The costs associated with incidents and their resolutions are typically very hard to quantify… as are those with consequences that were NOT incurred because of the effectiveness of security

The Trends
Security groups are required to reduce costs due to unrecognized business impact/value
Organizations with strong regulatory pressure or high potential impact of data breaches are not cutting security spending
Hiring restrictions, staff cuts, and low retention create trade-offs with just being able to do what is required
Investment in security awareness programs remains unrecognized as a priority to mitigate security risks in the face of deep cuts or leveled funding

Security-specific funding is rarely identified as a separate "line item" in the enterprise budget.
Security may have direct funding of only $3 million to $6 million for governance in a large enterprise.
Other costs associated with security are harder to codify: extra churn associated with additional security requirements, effect on employee morale and stress, barriers to entry, surveillance, error costs, and legal costs.
Operational security is typically exempted from major reductions.
Defining separate lines of funding for governance and operations, including personnel, security initiatives, and project support.
Security organizations continue to be reduced and cost-constrained as stand-alone functions.
13 Metrics and Enterprise Control

Best Practices
Feedback must be acquired in a form that can be applied to make corrections
Effective control implies meaningful measurement and reporting with accuracy
"Meaningful" means costs, consequences, and effectiveness
Establish metrics as meaningful and achievable by measuring progress over time relative to standards
Risk and threat metrics tend to be subjective and hard to quantify
Metrics used as a performance improvement objective are highly visible and effective
Transition from tactical risk metrics from point solutions to strategic risk metrics from the security architecture (people, process, technology)

The Trends
Organizations vary in the focus of their metrics programs, as does the maturity of metrics programs
Moving toward greater automation in metrics programs
Tie enterprise key risk indicator (KRI) metrics to business key performance indicator (KPI) metrics
Effective KRI metrics expand beyond monitoring typical security vulnerabilities to monitoring the industry-specific security threat landscape
Results of risk assessments and audits are an important metric — demonstrates continuous improvement
Data breach metrics get assigned a dollar cost
Technical metrics are tracked and reported but are usually the least useful
Security still needs methods to measure success; it remains difficult to demonstrate security's value to business or the overall effectiveness of security programs

KRI metrics that are associated with and can be shown to impact business KPIs are most effective; this enables the transition away from tactical risk management through point solutions to strategic risk management through security architecture.
Tactical operational metrics are reported on a periodic basis but are not necessarily useful to executives; security posture and project status are often visible to senior management and boards but don't show overall value.
Exceptions to controls are tracked.
SLAs/contracts establish some metrics that are tracked; the trend is to establish and staff formal metrics programs and review boards.
to mature organizations; low level metrics are produced by security tools, such as SIEM, antivirus, filters, vulnerability scanning and penetration testing, DLP, audit findings, and so on.
Security metrics programs are immature but becoming more common and are seeking more useful and higher quality metrics.
14 Pick-7 Key Points Review

Communicate: Establish a security program that identifies, measures, and communicates the dangers and reasons for security initiatives and employee vigilance while allowing for exceptions and acceptance of business risk under specific conditions
Influence: For ISOs, collaboration, communication, and credibility are a must; influence, not edict, is the key tool
Lead: Security leadership needs participation in the enterprise risk management process with senior management
Coordinate: Regular forums for coordination between security and other department and business unit stakeholders to cultivate credibility and influence
Culture: Use accepted standards and frameworks, then modify to suit the needs of the organizational culture
Invest: When budgets are tight or cut, focus available investments on security awareness and building the business case for projects when funding improves
Value: Track and report metrics as indicators of the effectiveness of protections as well as the value of security, not simply vulnerabilities mitigated

Progressive organizations are building effective security governance focused on good communication and collaboration practices, and a philosophy of helping others understand and manage risk.
15 Q&A

What are the pros and cons of your security governance structure?