The Evolution of Corporate Information Security
Daniel J Blander, CISM, CISSP
[ agenda ]
[ complaints ]
[ situation ]
[ why change ]
[ how to change ]
[ complaints ]
How many of you are well respected by the Executives and Users at your company?
[ How many of you accept this as reality ]
[ complaints ]
How many of you struggle to get management and users to take part in security?
Do they seek out your advice?
Do they follow policy?
[ complaints ]
How comprehensive is the company’s view of assets?
Digital Data
Physical Data
Intellectual Property
Company Culture
Physical Resources
Human Capital
Human Interaction & Words
[ complaints ]
How consistent is your security posture?
Policies
Risk Management & Planning
Security Organization
User Awareness
System Security
Network Security
Physical Asset Security
Operational Security
Monitoring
User Access
Legal Due-Diligence
[ complaints ]
How many of you are so well supported that your budget was not cut this year?
[ complaints ]
How many of you who manage security are still called Network Security?
Yuck!
[ complaints ]
How good is your organization’s security awareness?
[ situations ]
Security is driven by:
• Company & Stakeholder awareness of risk
• “It’s never happened to us before”
• Prevalent focus on: Profit, Cost, Opportunity
[ situations ]
Business Model + Business Culture
• Business model drives the view of Risk
• Have you ever noticed the types of organizations that are more risk averse than others?
• Why do banks focus more on security vs. retail?
• Something to protect vs. Something to sell
• Loss is unacceptable vs. “Breakage” is common
• Security is Fraud vs. Security is Loss Prevention
[ situations ]
Organization Maturity drives the view of IT
• Information = Computers??
• CIO = Chief Information Technology Officer
Security = Network Security
• Only for computers
• Network Security Manager
• IT Security Manager
• IT Compliance
• 67% of Information Security is driven by IT
• 81% of Security Policies are written exclusively by IT
[ situations ]
Doom
Gloom
No Money
[ situations ]
The Perfect Storm:
• Cost cutting across the business
• Security is seen as a cost (no revenue generation)
• The view from above is not mature
• “We’re compliant now, so we are done”
(We don’t need you anymore)
• Security is restrictive to business
The result:
• Security is the first to be cut
• Security is marginalized
[ situations ]
How did we get here?
• Self Inflicted Wounds
• Techno-babble
• Fear mongering – FUD & Hype
• Troublesome list of risks that never happen
• Never-ending list of needs with $$$ attached
• Unfulfilled Prophecies
• Companies did not fail after a breach
• TJX – stock up 50% one year later
[ change ]
What if everyone participated in security?
What if security decisions were strategic and business oriented?
What if security contributed to the business?
What if decisions made by the company inherently increased security?
Wild? Crazy? Am I out of my mind?
[ change ]
Perception by Management:
• Risk is everywhere
• Recognize the full landscape of risk
• Risk isn’t just for computers anymore
Understanding by Security:
• Company culture & goals
• Business Model + Drivers + Risk Aversion
• Personalities and Culture
[ the future ]
(diagram: Network Security, Information Security, Risk Management)
[ change ]
Security is “Risk Management”
• Information Protection
• Privacy
• Business Continuity
• Physical Security
• Loss Prevention
• Investigations
• Insurance
• Personnel Safety
• Counter Espionage
• Legal Counsel
Information is not just for Computers anymore…
[ the future ]
(org chart: Chief Risk Officer over Physical Security, Information Security & IT Security, and Privacy)
[ the future ]
What if you measured security by business success?
• Consistent process = Save money
• Systems available = More Time Working
• Efficient methods to measure compliance
• Security == Efficiency
[ the future ]
Think how security can enhance real business drivers…
• Security is easier in consistent environments
• Consistency begets stability
• Security = stability
• ITIL
• Process Improvement
• Predictability
[ the future ]
Security = The Company
It is not security for IT, it is security for protecting the company.
• The company is made up of people and processes.
• Computers support the process.
Security is not the end, it is a process contained in larger processes.
• Security enables business – not through mitigating risk but by promoting best practices (ITIL).
• Look to give back to the company whenever you can. Be a facilitator, and show that security can tag along for the ride, not be the kick in the teeth.
[ change ]
What if Security included different business groups?
What if security responsibility was distributed?
What if Information Security was part of everyone’s job?
What if people understood the risks and the challenges?
What if people were invited & coerced into participating?
What if they were participants in the decisions?
Would Security still be needed?
Would Information Security permeate the company?
[ the future ]
Decentralize Enforcement
• savings + shared responsibility
Information Security Team
• Consult, Guide, Monitor, Assess
(diagram of decentralized enforcement roles: Network Administrator: Network Firewalls, Routers; System Administrator: Anti-Virus; Service Desk: User Access Setup; Info Security Admin; Physical Security)
[ the future ]
Create a shared Governance Function
• Involve business stakeholders
• Address high level strategic issues
• Talk about opportunities and company future
• Unified effort for all risk management activities
• Awareness and consistency across the business
Make discussions strategic
[ the future ]
Coach the Team
Have clear goals
• Aligned with business goals
• Make the meeting meaningful with takeaways.
• Make subject matter relevant.
Do not let one area grab all the focus
• Risk across all business areas
• Risk of all types
[ the future ]
(diagram: Security Steering Committee with HR, Finance, Sales, IT, Legal)
[ the future ]
How do you lead to achieve this?
• Have a New Attitude
• NO FUD
• Put your business hat on!
• Think of good business practices that reflect security
• Think of business opportunities
• Be a Team Player - Include everyone on the team
[ the future: sources ]