Changing the Mindset: Creating a Risk-Conscious Culture - Hacker Hotshots
In this Hacker Hotshot Hangout John explains:
1. Key considerations when creating a risk-aware and security-conscious culture
2. How to use risk management as a concept and tool to remove the fear of security in organizations
3. The value and benefits of developing an information risk profile
4. The current behaviors of organizations with regard to information security, and why they exist
5. Effective approaches to changing behaviors and culture within organizations
6. How to leverage users effectively as a beneficial asset in supporting risk management and security activities
7. How to use threat and vulnerability analysis to identify, and educate organizations on, the highly probable and business-impacting threats that can affect them
8. Using control objectives as an approach to managing information risk effectively, in a way that organizations will embrace

For more Hacker Hotshots, please visit: http://www.concise-courses.com/

Published in: Technology, Business
Transcript

  • 1. Changing the Mindset: Creating a Risk Conscious and Security Aware Culture
    Presented By: John P. Pironti, CGEIT, CISA, CISM, CISSP, CRISC, ISSAP, ISSMP
    President, IP Architects, LLC.
    Hacker Hotshots, July 30, 2013
    Copyright 2013 - IP Architects, LLC. - All Rights Reserved
  • 2. Agenda
    • Using risk management to remove the fear of security
    • What is a Risk Aware and Security Conscious Culture?
    • Approaches to creating and changing culture
    • Final Thoughts
  • 3. What is a Risk Conscious and Security Aware Culture?
    • Risk and security activities are business-as-usual considerations
      – Embraced as a benefit to the business and not an obstacle to success
    • Threats and risks are accurately identified, anticipated, and managed
      – Fear, Uncertainty and Doubt (FUD) no longer influences decisions or activities
    • Business leaders and stakeholders are empowered
      – Able to make informed and business-appropriate risk management and security decisions
  • 4. Benefits of a Risk Conscious and Security Aware Culture
    • Provides enhanced protection to information infrastructure and data assets
      – Security is embraced instead of avoided
    • Creates a force multiplier
      – Personnel actively assist in risk management and security activities
    • Security awareness empowers the organization
      – Enables informed decision making
      – Understand business benefits, expectations, and requirements
  • 5. Using Risk Management to Remove the Fear of Security
    • Business leaders and stakeholders are typically afraid of or annoyed by security
      – Often believe it will create obstacles that will prevent them from being successful
      – Always being told what they cannot do by security
    • Risk management empowers business leaders and stakeholders to make appropriate decisions about security
      – Stop telling them what you think they have to do
      – Help them appreciate the risks associated with their options
  • 6. Risk Management and Security vs. Security and Risk Management
    • Mind of the business person - "Security"
      – Prevention, disablement, disempowerment
    • Mind of the business person - "Risk"
      – Understanding, management, control, empowerment
    • Alignment with risk leads to greater acceptance than alignment with security
      – Both terminology and approach
      – Changing the mindset requires a risk-first and security-second approach
  • 7. Change the Perception and Actions
    • Security professionals often use the word "Risk" when they mean "Threat and/or Vulnerability"
      – Identify and quantify probabilities and impacts
    • Without current business intelligence, risk cannot be accurately or properly calculated
      – Strategy, financials, business priorities, etc.
    • Leading practices instead of best practices
      – Only you know what is "best" for your environment
  • 8. Business and Information Risk Profiles
    • Identify risk tolerances of business leaders and stakeholders
      – Establish bounds of acceptable loss, compromise, distribution, or disablement for key business processes and assets
    • Information risk management and security should assist in their development
      – Assists in cultivating awareness of a consultative approach
      – Identify information threats and vulnerabilities and the associated likelihoods and business impacts if realized
      – Identify, develop, implement and maintain risk-aligned control objectives in line with identified tolerances
    • Business leaders' view of Information Risk Management and Security (IRMS) will change
      – Valuable information resource
      – Protective and supporting function
  • 9. Security by Compliance - Fear the Auditor More Than the Attacker
    • Compliance was always intended as the starting point, not the endgame
      – Compliance requirements will always have to catch up to attackers and their capabilities
    • Audit and examination findings have a known business outcome and impact
      – Security threats and vulnerabilities have probabilities and potentialities
    • Compliance provides business leaders and stakeholders a way to push back on FUD
      – Believe that they are doing what can be reasonably expected of them
  • 10. Policies and Standards First, Controls and Technology Second
    • Policies and standards define requirements and expectations
      – Identify control objectives
      – Approved by business leaders and stakeholders
    • Controls and technologies assist in meeting policy and standard requirements
      – Technologies should not define control objectives or requirements
      – Controls and technologies presented as requirements without supporting policies and standards are often considered optional or ignored
    • Proposed requirements and control objectives should be socialized to the affected audience in advance of policy development
      – Identify areas of discomfort or discontent before developing policies and standards
  • 11. Users - Your Greatest Asset and Most Challenging Adversaries
    • Many security professionals incorrectly assume users are the weakest link
      – Users may unknowingly cause damage or harm
      – Must be protected from themselves
    • User intuition can be a powerful control
      – Both detective and preventative
      – Technical controls are based on "yes" or "no"; the user knows "maybe"
    • User trust is key to cultural change
      – Work with users, not against them
    • Privileged users can cause the most damage
      – Business leaders are often unable or unwilling to accept that users may be working against them
  • 12. Trust But Verify
    • Ideal way to protect both users and corporate assets
      – Ensures users are not falsely accused
      – Provides an effective oversight control for the corporation
    • Make sure users are made aware of the existence of monitoring
      – Existence alone may prevent a malicious user from taking action
    • Privileged user activities are the most important to monitor
      – Highest potential for material business impact
  • 13. Embrace but Educate - Turning "No" Into "Yes"
    • Security is known for its ability to say "No"
      – Drives covert behaviors and actions
    • Embrace but educate enables security to say "Yes" more often
      – Ensures risks and expectations of security are understood
      – Creates a positive perception of IRMS
      – Reinforces an advisory and consultative approach
    • Use techniques that can be easily understood and internalized
      – Simple language
      – Case studies
      – Examples
  • 14. Personal Benefits Approach
    • Help individuals to help themselves
      – Make them want to change their behaviors
      – Change both personal and professional behaviors
    • Controls that restrict without context will drive covert behaviors
      – Proactive education and personal benefit are a better and often cheaper control
      – Education on safe social networking is an easy example to use to champion the approach
    • Users will embrace security if they understand the universal benefits
      – Remove the perception of security as only a requirement of the business
      – Assist users in deriving personal benefit and value from security knowledge and guidance
  • 15. Final Thoughts
    • The culture of an organization ultimately determines its ability to protect itself
    • Creating a risk conscious and security aware culture is a journey, not a race
      – Requires careful attention and constant reinforcement
      – Ultimately provides the highest return on investment for protection of data assets and information infrastructure
    • A change in culture often results in the conversion of malicious attacks from incidents to anomalies
      – Little to no material business impact
      – The business will embrace the value of Information Risk Management and Security
  • 16. Thank You for Your Time!
    John P. Pironti, CGEIT, CISA, CISM, CISSP, CRISC, ISSAP, ISSMP
    President, IP Architects, LLC.
    jpironti@iparchitects.com