Hi, my name is Ravila White, I’m excited to present today. Before we begin I wanted to share with you a couple of items. First everyone wants to know the origins of the Information Security Juggernaut. Well I use to hang out with my brothers as my sister was busy. When I finished reading Louisa May Alcott and my mystery novels I thought I’d find out what was so interesting about comic books. I got hooked. The juggernaut comes from The X-men. I decided to use it because infosec is broad, strong and an unstoppable force. When I wrote my first published article I thought I’d give an ode to yesterday. I sent a copy to my brother and he got it right away.
This is what we are covering today. I would like this to be as interactive as possible. If you have a question, please feel free to ask. If you have your own ideas, please share as this is a learning opportunity for everyone in the room.
Why is information security hard to sell to the business? There are many reasons, however in talking with my peers and non-information security professionals they seem to agree on these.
Many information security professionals continue to rely on a tactical approach to selling information security. When we are not beating management over the head with the latest malware outbreak, then we are pushing compliance. Management is interested in what information security can do for the business.
Here are some of the mistakes we’ve made. Would anyone care to share the mistakes they’ve made in building programs? What is associative thinking? The mental process of making associations between a given subject and all pertinent present factors without drawing on past experience. Free association. Associative thinking enables you to see possibilities where some may think there aren’t any. Linear thinking, the step-by-step gets you there but should not lead. Businesses are dynamic. When they change, we need to change. Holding on to long forgotten ideals will not help your organization.
In the past 4-5 years strategic planning has become all the rage. Ask someone for their strategic plan and get a nice long narrative with maybe a couple of charts associated with cost. Once someone maybe reads it, is it ever references again? Is the best method of driving strategy compiling all strategy in one documents? Is strategic planning a destination or journey?
There are five types of strategic plans. Which one would you chose to use for your organization? Typically you’ll the need to use at least 2 of the 5. More than likely you’ll need to blend all of them to develop a well crafted strategy. How can you do so without overloading your audience? In the previous slide, I asked if strategic planning is a destination or journey…when applied in the manner illustrated it’s a destination which might be ok. However for an enterprise mindset, we need to make strategic planning a journey.
Then there is information security. It’s a broad discipline which requires support from non-infosec professionals in order to succeed.
How many people have what is considered authoritative documentation in their organization? Authoritative documentation can support audits, business continuity, disaster recovery etc. It’s the policies, procedures, standards, business plans of your organization. We make them artificates because it infers historical references. We expect ourselves and the business to go back to these documents as a point of reference in understand decisions and direction.
As an exercise ask people in your organization what a procedure is. Then ask them what a policy is. If you cannot agree on terminology, don’t expect to agree on what it’ll take to make an enterprise strategic plan. Developing a simple taxonomy as part of your business plan (which in itself is a strategy) can facilitate communication when plans are discussed and developed. Setting the floor is to establish your baseline. It means you are working from an expected point. Setting the ceiling is establishing a baseline that provides no room for inference or adaptability and or extensibility. To set the floor of your taxonomy, use terms that are industry standard that can be built upon. This becomes especially important if your organization is global or international.
One method of addressing the challenges of information security is through diversification. Lets look at terminology to support our discussion.
Look the both definitions. Which has more value for a information security professional who has a job function with a strategic focus and why? Discuss it with the person next to you. If you are a information security professional who is in a matrix position then diversification is of more value to you. You must understand how your colleagues think and work to interact with them in a healthy way that promotes the organization’s mission.
Prior to analyzing which term would add the most value, how many of you have run programs that look like the left-side of the slide? How many of you here have integrated any of the disciplines and or practice in your portfolio? Let’s talk about why we should not just be aware of these disciplines but understand how integration can bring more value to our programs.
In software development, middleware is used to support interoperability between disparate systems. For information security innovation, non-infosec disciplines and practice can serve as the middleware to achieving success by supporting the business in a manner that is accepted. By learning at least two non-infosec practices in your organization, you can develop informational artifacts that are easily consumed and sustainable.
Now that we know what we can add to infosec we need to understand how to apply diversification.
We’ve got NIST, SANS CSI, ISACA, ISC2…with all the input we’ve been provided to shape our practice, why are we having such a hard time selling security to the business. Individualistic ratings systems and frameworks makes it all about me, not we. When we talk about the enterprise its about we. To make it about we, aggregate information as a point of reference will yield more accurate results rather than an individualistic point of view.
Theory is the start of creating a certain train of thought. Once solidified philosophy can be used to prove or disprove a the body of information derived from theory. Finally practice is the application of proven theory. Its an aggregation of thoughts (input) that end in a result (output). Design focused thinking offers a similar path. Associative thinking provides the vehicle for possibilities of a given solution. Linear thinking is applied to the associative to make it logical and the compliment of established principles. Cyclical thinking is applied to each solution to determine if a process or practice should occur at regular intervals.
If infosec is to operate as part of the business then repetitious patterns should be looked at from a value perspective. In investing, cyclical denotes a business or stock whose income, value, or earnings fluctuate widely according to variations in the economy or the cycle of the seasons. To stay afloat as a business proposition, infosec must constantly be aware of and communication its value.
In the last ten years I’ve been asked by many how I’m able to handle large scale initiatives with little resources. Other than the obvious of having great mentors and influencers, I have my own secret sauce in the forms of theorems. They are essentially the middleware solution to handle capacity challenges.
This goes back to what we discussed during the review of diversification. By diversifying thought you can understand the enterprise and deliver solutions that fit.
One of my most successful tools is the OMI tool. I use this whenever I’m approached about a solution that has a specific framework, guideline or methodology. O or overlapping is the default. Why? Because if I can overlay that means not much will change when I present the infocsec-side to the business. They will quickly comprehend intentions. If I cannot overlay, then a mapping occurs where infosec business planning or activities are used as a map to support the solution needs. Finally there is the integration layer where infosec practices are translated to activities that will occur within and parallel to the project.
In looking at various definitions of the word enterprise, lets agree that enterprise at its most basic, is the amalgamation of many concepts, disciplines, solutions etc. of a discipline. As relationship building relies upon the ability to quickly convey information in a manner that can be understand by neophytes, an iterative process can be applied through the duration of each engagement. This theorem supports the communication layer in a very simple manner.
Let’s put what we’ve discussed so far to the test.
This a logical drawing of Security in a 10 phase SDLC. Can you match the philophies we’ve discussed to the outcomes seen in this drawing Which elements of the drawing are information security centric? (only two of them, the security testing and overall phases of the Infosec activities) Which theorems are at use here? (OMI and Enterprise Thinking) Which mappings did I use (both O and M. M first to align infosec activities to the partner model, then O to communicate support of ITIL) Which elements are pulled from a policy methodology? (ITIL process level is used) How was diversification applied? (used ITIL as a driver to show the outcome while mapping to security activities) What non-infosec disciplines were used to develop this drawing (BPM, Information Design and Enterprise Architecture) Why is input driven from the SDLC rather than Infosec? (Its the business who sets direction, not infosec, its an intergrator and solution provider) Bonus Question: What middleware was used here (the ITIL process level framework)
Why do we need a toolkit? Well as we’ve discussed, strategy is a journey, not a destination. As such, we must have a way of getting there in an incremental fashion. That really is what the toolkit is about. It’s a process methodology for approaching strategic planning in a systemic, cyclical and phased manner.
This is the first layer of your strategy journey. Adjust the questions to fit your culture, organizational goals, and program maturity. This is the business model canvas adapted to fit an information security centric model. Its basically a prototyping tool that can be used to build relationships with your partners but also build a business plan that will integrate and align with the business. I used the Overlay and a bit of mapping from OMI to build in the logic.
This can be the 2 nd layer of your strategy journey. Its more a sanity check for yourself and a checkpoint for others who might want to know where you are headed. This is an example of how I used the OMI principle. To develop my security model, I performed an overlay with integration. As a point of diversification, notice the use of the spiral methodology as inspiration to this logic model as well.
As a designer of a security program and or architect, a logic model is a visual tool to present and share your understanding of the relationships among the resources you have to operate your program, the activities you plan, and the changes or results you hope to achieve in a systemic manner. Most of all it can verify and validate that your program is aligned to the business. You want your program to be systemic as it will have greater influence and extensibility which will result in sustainability.
This is the third leg in your strategy journey. This is the basis of building a more detail strategy artifact. This is a point of validation with your partners and some high-level stakeholders. This is fairly static strategy. It should not change unless there is significant evolution of mission and values associated with your role/team.
This is the 4 th leg of your strategy journey. This is where the rubber hits the road. In order to complete the Result Chain logic model, you’ll have engaged primary stakeholders, vendors and likely your project managers. It is all about capacity, ability to execute and deliver. This is the pie in the sky. This strategic plan is dynamic as you can expect it to evolve over time given priorities and change of direction from the organization.
As I mentioned at the outset, while we in practice are information security professionals, in philosophy, we are designers. As such we must build a tool set that will compliment our toolkit. Take the time to develop and share your taxonomy. Use a Raci/Rasci model to map resources to activities. These are both tools that are being used by non-infosec professionals and many of the influential technology consulting firms. Information design is probably one of the most important middlewares you can become proficient at. Why? You know the old saying…”A picture is worth a thousand words.” That is true. If you can present strategy using graphics as the backdrop, you’ll find your information more consumable.
This is the information security juggernauts toolkit. I’ve told you what middleware I used to make it functional. Use all or part, its your choice. I’d like to see you come up with your own. It’s a great way to communicate our concerns without loosing the audience. I built the toolkit using the concepts associated with building a logic model which is closely associated to business process modeling. You’ll notice as well that I’ve aligned to ITIL. This communicates to the business the effort is aligned to industry standards and practice. Using information design techniques, the toolkit flow is represented without becoming overly busy. I could have added more arrows, however through inference of shape flow and shape type I’ve captured a top-down feeling. I mentioned the need to answer the question posed by the business as to ‘What is Information Security?’ This is the answer in a nutshell from a graphical point-of-view. Its many elements with multiple strategies and diversification.
At the end the of the day, you are already an expert with information security. Now its time to expand your horizons and add capabilities that will communicate simply what your mission, goals and activities are to non-information security professionals. Diversify your skill set to accomplish more.
Consider investing in innovation cards from Xplane. Its also a great way to give yourself a sanity check if you are a team of one. You use the cards in third person against the first draft of your business model canvas. Remember, we don’t want to be myopic, we want to be adaptable and evolutionary. If your organization’s culture permits, attempt use to facilitate developing your business model with your business partners. It is a non-threatening method of illicit the feelings of others about subjects which can sometimes lead to heated debates and a simply translator to establish common ground and language with non-infosec professionals. Can be used for self, 1:1 or in a small group you will (1) Review the situation cards and action cards as they relate to the draft business model canvas, (2) Use the wild cards to address situations and actions not presented in the cards as they relate to the draft business model canvas , (3) Identify the Hits and Misses which to us means the Alignment and Gaps, (4) Identify what actions you need to take as they relate to your business model canvas draft and update. End result is developing a game plan that aligns with everyone’s thinking.
If you’d like to diversify your skill and mind set consider reading the books above. As we are information security practioners, start with The New School of Information Security. This will get you thinking in the right direction from an infosec perspective. Then read the rest. I hope this changes the way you present information security and brings you success.
Something I’d like to encourage all of you do to…when presenting in the future, list not only your online and book references, but also your people credits. We all meet people who are pivotal in growing or knowledge or professionalism. Don’t forget to mention them.
Information Security Juggernaut Toolkit for Security in the Enterprise By Ravila Helen White, CISSP, CISM, CISA, GCIH ij Making it better without making it complex
Strategic plans are not easily consumable, scalable or sustainable
Answers the questions without appropriate stakeholder buy-in
Doesn’t provide upfront negotiation of priorities
Does not answer “What is Information Security?”
Strategic Planning Models Followed by organizations that are extremely small, busy, and have not done much strategic planning before. This model requires continual reference to common values, discussing these values, and shared reflection of the process. Used to ensure that what the organization does is aligned with its mission statement. It is useful in fine-tuning strategies or exploring why strategies are not working. This model is a combination of the Basic model and more comprehensive planning such as setting a budget or executing a SWOT assessment. Used to identify different future organizational scenarios (including best case, worst case, and reasonable case) which might arise. Used to evoke strategic thinking Basic Issue Alignment Self Organizing Scenario