BRIDGING THE GAPS AND PREPARING FOR THE FUTURE!
James Beeson, Chief Information Security Officer
April 20, 2011
We Are Fighting The Same Battle!

Same Risks
• Business Disruption
• Unauthorized Access
• Data Leakage/Loss
• Data Integrity Issues
• Regulatory Non-Compliance

Similar Threats
• Mistakes/Accidents
• Organized Crime (APT)
• Vulnerabilities (SW/HW/NW)
• Unauthorized Software
• Social Engineering (Phishing)

Don't Reinvent the Wheel
• Collaborate
• Use Existing Frameworks: ISO 27001, COBIT, NIST Standards
CIO & CISO Roles Similar
• Need to understand what the business does
• How does technology enable the business processes
• Branding and marketing for the cause
• Evangelist for the profession and importance
• Salesperson to get things accomplished
• Leader to motivate people to do the right thing

Aren't We All Just Used Car Salespeople?
Mix of Technical Expertise and Leadership

Information Security Technical Expertise
• CISSP (Certified Information Systems Security Professional)
• CISA (Certified Information Systems Auditor)
• CRISC (Certified in Risk and Information Systems Control)
• CISM (Certified Information Security Manager)

Leadership
• Team Building and Motivation
• Effective Speaking and Presentation Skills
• Hiring and Management Skills
• Style Flex – Understanding Motivation
• CAP (Change Acceleration Process Training)
• ITIL (Information Technology Infrastructure Library) Skills
• Six Sigma or similar Quality Training
Just Say "Yes" Approach
• Works Better than Chicken Little or FUD
• Shifts the Ownership/Burden of Risk
• As They Say, "It's All In The Spin"
• Push for Data Driven Decisions

IT and CISO DO NOT Own the Risk!
KNOW THE 2 MINUTE ELEVATOR SPEECH

Key Operating Elements
• Information Security Risk Management
• Identity Management (Access Control)
• Monitoring & Incident Response

Strategic Approach
• Strong, Simple, Risk Based Policies
• Layered, Measurable Approach
• Ongoing Risk Assessment & Quick IR
• Continuous Education and Awareness

Top Risks
• Data Leakage/Loss
• Unauthorized Access
• Business Disruption
• Data Integrity Issues
• Regulatory Non-Compliance

Top Threats
• Phishing (Social Engineering)
• Unauthorized Software
• Organized Crime (APT)
• SW/HW/NW Vulnerabilities
• Mistakes/Accidents

Tarnished Brand Name DRIVES:
• Revenue Loss
• Added Costs (regulatory fines)
Security is an Enabler to Compliance and Reducing Risk
• Leverage Compliance and Legal
• Take Advantage of Operational and Business Risk Knowledge
• Mix Training, Education, and Communications
• Embed Security in Technology and Business Processes
• Shift from Slowing-Down to Enabling
Measurement Drives Behavior

As Lord Kelvin once said, "If You Can't Measure It, You Can't Improve It"

Typically Improvement is Measured by:
• Reduced Cycle-Time
• Reduced Cost
• Reduced Defects

Key Takeaways
• Schedule Recurring Reviews
• Know Your Audience
• Tie Improvement Metrics to Performance
• Don't Reinvent the Wheel
• Automate and Define Clear Ownership

Threat x Opportunity = Risk
Trends
• I Don't Buy Your Shoes, Why Would I Buy Your PC
• Cloud is the Preferred Way to Manage Data
• Conundrum – Digital Natives vs Baby Boomers
• Power Portability/Mobility with No Perimeter
• Organized Crime (APT) is "Big Business"
• Focus on Compliance Not Security Posture
• Social Engineering Rules – An Education Issue
Things That Make You Go Hmm
• 2 Billion People Internet Connected
• YouTube >2B Views/Day
• Over 22 Billion Tweets in 2010
• Facebook – World's 3rd Largest Country
• Over 100 Million Users on LinkedIn
• Internet Background Check Common
• Texting & Apps Overtake Voice
• PCs/Laptops Dropping in Sales
• 1/5 Marriages from Internet Dating
Summary
• Fighting the Same Battle
  – Leverage Everyone!
  – Risks are basically the same
• Know Your Business
  – Become an Enabler
  – Reduces the "Hindrance" factor
• CIO and CISO Roles are Similar
  – Aren't we all just Salespeople
• Measurement Drives Behavior
  – "If you can't measure it, you can't improve it"
• Digital Natives versus Digital Immigrants
  – Helping to "Bridge The Gap"