Shared by: PhilCantillon
posted: 7/28/2009
language: English
The Evolution of Corporate Information Security
Daniel J Blander, CISM, CISSP

[ agenda ]
• complaints
• situation
• why change
• how to change

[ complaints ]
How many of you are well respected by the Executives and Users at your company?
[ How many of you accept this as reality? ]

[ complaints ]
How many of you struggle to get management and users to take part in security?
• Do they seek out your advice?
• Do they follow policy?

[ complaints ]
How comprehensive is the company’s view of assets?
• Digital Data
• Physical Data
• Intellectual Property
• Company Culture
• Physical Resources
• Human Capital
• Human Interaction & Words

[ complaints ]
How consistent is your security posture?
• Policies
• Risk Management & Planning
• Security Organization
• User Awareness
• System Security
• Network Security
• Physical Asset Security
• Operational Security
• Monitoring
• User Access
• Legal Due-Diligence

[ complaints ]
How many of you are so well supported that your budget was not cut this year?

[ complaints ]
How many of you who manage security are still called “Network Security”? Yuck!

[ complaints ]
How good is your organization’s security awareness?

[ situations ]
Security is driven by:
• Company & Stakeholder awareness of risk
• “It’s never happened to us before”
• Prevalent focus on: Profit, Cost, Opportunity

[ situations ]
Business Model + Business Culture
• Business model drives the view of Risk
• Have you ever noticed the types of organizations that are more risk averse than others? Why do banks focus more on security vs. retail?
  • Something to protect vs. Something to sell
  • Loss is unacceptable vs. “Breakage” is common
  • Security is Fraud vs. Security is Loss Prevention

[ situations ]
Organization Maturity drives the view of IT
• Information = Computers??
• CIO = Chief Information Technology Officer
• Security = Network Security
  • Only for computers
  • Network Security Manager, IT Security Manager, IT Compliance
• 67% of Information Security is driven by IT
• 81% of Security Policies are written exclusively by IT

[ situations ]
Doom. Gloom. No Money.

[ situations ]
The Perfect Storm:
• Cost cutting across the business
• Security is seen as a cost (no revenue generation)
• The view from above is not mature
  • “We’re compliant now, so we are done” (We don’t need you anymore)
  • Security is restrictive to business
• The result:
  • Security is the first to be cut
  • Security is marginalized

[ situations ]
How did we get here?
• Self Inflicted Wounds
  • Techno-babble
  • Fear mongering – FUD & Hype
  • Troublesome list of risks that never happen
  • Never-ending list of needs with $$$ attached
• Unfulfilled Prophecies
  • Companies did not fail after a breach
  • TJX – stock up 50% one year later

[ change ]
What if everyone participated in security?
What if security decisions were strategic and business oriented?
What if security contributed to the business?
What if decisions made by the company inherently increased security?
Wild? Crazy? Am I out of my mind?

[ change ]
Perception by Management:
• Risk is everywhere
• Recognize the full landscape of risk
• Risk isn’t just for computers anymore
Understanding by Security:
• Company culture & goals
• Business Model + Drivers + Risk Aversion
• Personalities and Culture

[ the future ]
Network Security → Information Risk Management

[ change ]
Security is “Risk Management”:
• Information Protection
• Privacy
• Business Continuity
• Physical Security
• Loss Prevention
• Investigations
• Insurance
• Personnel Safety
• Counter Espionage
• Legal Counsel
Information is not just for Computers anymore…

[ the future ]
Chief Risk Officer
• Physical Security
• Privacy
• Information & IT Security

[ the future ]
What if you measured security by business success?
• Consistent process = Save money
• Systems available = More Time Working
• Efficient methods to measure compliance
• Security == Efficiency

[ the future ]
Think how security can enhance real business drivers…
• Security is easier in consistent environments
• Consistency begets stability
• Security = stability
  • ITIL
  • Process Improvement
  • Predictability

[ the future ]
Security = The Company
It is not security for IT, it is security for protecting the company.
• The company is made up of people and processes. Computers support the process.
• Security is not the end; it is a process contained in larger processes.
• Security enables business – not through mitigating risk but by promoting best practices (ITIL).
• Look to give back to the company whenever you can. Be a facilitator, and show that security can tag along for the ride, not be the kick in the teeth.

[ change ]
What if Security included different business groups?
What if security responsibility was distributed?
What if Information Security was part of everyone’s job?
What if people understood the risks and the challenges?
What if people were invited & coerced into participating?
What if they were participants in the decisions?
Would Security still be needed? Would Information Security permeate the company?

[ the future ]
Decentralize Enforcement
• savings + shared responsibility
(diagram)
• Information Security Team: Consult, Guide, Monitor, Assess
• Network Administrator: Network Firewalls, Routers
• System Administrator: Anti-Virus
• Service Desk: User Access Setup
• Physical Security

[ the future ]
Create a shared Governance Function
• Involve business stakeholders
• Address high level strategic issues
• Talk about opportunities and company future
• Unified effort for all risk management activities
• Awareness and consistency across the business
• Make discussions strategic

[ the future ]
Coach the Team
• Have clear goals
  • Aligned with business goals
  • Make the meeting meaningful with take-aways
  • Make subject matter relevant
• Do not let one area grab all the focus
  • Risk across all business areas
  • Risk of all types

[ the future ]
Security Steering Committee (diagram): HR, Finance, Sales, IT, Legal

[ the future ]
How do you lead to achieve this?
• Have a New Attitude
  • NO FUD
  • Put your business hat on!
• Think of good business practices that reflect security
• Think of business opportunities
• Be a Team Player – include everyone on the team

[ the future: sources ]