James Beeson, SOURCE Boston 2011: Presentation Transcript
BRIDGING THE GAPS AND PREPARING FOR THE FUTURE!
James Beeson, Chief Information Security Officer
April 20, 2011
We Are Fighting The Same Battle!
Same Risks
• Business Disruption
• Unauthorized Access
• Data Leakage/Loss
• Data Integrity Issues
• Regulatory Non-Compliance
Similar Threats
• Mistakes/Accidents
• Organized Crime (APT)
• Vulnerabilities (SW/HW/NW)
• Unauthorized Software
• Social Engineering (Phishing)
Don't Reinvent the Wheel
• Collaborate
• Use Existing Frameworks: ISO 27001, COBIT, NIST Standards
CIO & CISO Roles Similar
• Need to understand what the business does
• How technology enables the business processes
• Branding and marketing for the cause
• Evangelist for the profession and its importance
• Salesperson to get things accomplished
• Leader to motivate people to do the right thing
Aren't We All Just Used Car Salespeople?
Mix of Technical Expertise and Leadership
Information Security Technical Expertise
• CISSP (Certified Information Systems Security Professional)
• CISA (Certified Information Systems Auditor)
• CRISC (Certified in Risk and Information Systems Control)
• CISM (Certified Information Security Manager)
Leadership
• Team Building and Motivation
• Effective Speaking and Presentation Skills
• Hiring and Management Skills
• Style Flex: Understanding Motivation
• CAP (Change Acceleration Process) Training
• ITIL (Information Technology Infrastructure Library) Skills
• Six Sigma or similar Quality Training
Just Say "Yes" Approach
• Works Better than Chicken Little or FUD
• Shifts the Ownership/Burden of Risk
• As They Say, "It's All In The Spin"
• Push for Data-Driven Decisions
IT and the CISO DO NOT Own the Risk!
KNOW THE 2 MINUTE ELEVATOR SPEECH
Key Operating Elements
• Information Security Risk Management
• Identity Management (Access Control)
• Monitoring & Incident Response
Strategic Approach
• Strong, Simple, Risk-Based Policies
• Layered, Measurable Approach
• Ongoing Risk Assessment & Quick IR
• Continuous Education and Awareness
Top Risks
• Data Leakage/Loss
• Unauthorized Access
• Business Disruption
• Data Integrity Issues
• Regulatory Non-Compliance
Top Threats
• Phishing (Social Engineering)
• Unauthorized Software
• Organized Crime (APT)
• SW/HW/NW Vulnerabilities
• Mistakes/Accidents
Tarnished Brand Name DRIVES Revenue Loss and Added Costs (regulatory fines)
Security is an Enabler to Compliance and Reducing Risk
• Leverage Compliance and Legal
• Take Advantage of Operational and Business Risk Knowledge
• Mix Training, Education, and Communications
• Embed Security in Technology and Business Processes
• Shift from Slowing Down to Enabling
Measurement Drives Behavior
As Lord Kelvin once said, "If You Can't Measure It, You Can't Improve It"
Typically Improvement is Measured by:
• Reduced Cycle-Time
• Reduced Cost
• Reduced Defects
Key Takeaways
• Schedule Recurring Reviews
• Know Your Audience
• Tie Improvement Metrics to Performance
• Don't Reinvent the Wheel
• Automate and Define Clear Ownership
Threat x Opportunity = Risk
Trends
• I Don't Buy Your Shoes, Why Would I Buy Your PC
• Cloud is the Preferred Way to Manage Data
• Conundrum: Digital Natives vs Baby Boomers
• Power Portability/Mobility with No Perimeter
• Organized Crime (APT) is "Big Business"
• Focus on Compliance, Not Security Posture
• Social Engineering Rules: An Education Issue
Things That Make You Go Hmm
• 2 Billion People Internet Connected
• YouTube >2B Views/Day
• Over 22 Billion Tweets in 2010
• Facebook: World's 3rd Largest Country
• Over 100 Million Users on LinkedIn
• Internet Background Check Common
• Texting & Apps Overtake Voice
• PC/Laptop Sales Dropping
• 1/5 Marriages from Internet Dating
Summary
• Fighting the Same Battle: Leverage Everyone!
  – Risks are basically the same
• Know Your Business: Become an Enabler
  – Reduces the "Hindrance" factor
• CIO and CISO Roles are Similar
  – Aren't we all just Salespeople?
• Measurement Drives Behavior
  – "If you can't measure it, you can't improve it"
• Digital Natives versus Digital Immigrants
  – Helping to "Bridge The Gap"