Bt 2012 Source Seattle
  • Security Maturity Continuum (SMC) The Evolution of Information Security in Large Organizations The evolution of Information Security within large organizations has followed a linear and predictable path. Organizations with prescriptive control requirements, rigid policies and arduous risk management practices were perfect candidates for “Outsourcing & Transformation” with little change in organizational governance or culture required. The next stage requires embracing standard service offerings (non-bespoke), innovation, compensating controls and the development of a trust management regime.
  • Organization: Disparate business units & splintered cultures Technology: Dedicated business unit owned assets, business unit specific systems/apps, multiple vendors within technology categories, decentralized access, compute & storage. Operations: Multiple groups with dedicated business unit management resources Governance: Business unit specific process, policy, finance and audit
  • Organization: Disparate business units > Internal customers & unified culture Technology: Dedicated enterprise assets, centrally owned assets, legacy & shared systems, vendors rationalization & standardization, centralized access, compute & storage. Operations: Centrally managed resources Governance: Dedicated process, policy, finance and audit teams
  • Organization: Defines & aligns business requirements Technology: Dedicated enterprise assets, centrally owned assets*, legacy & shared systems, vendor agnostic*, centralized access, compute & storage. Operations: Centrally managed oversight Governance: Dedicated process, policy, finance and audit teams
  • Organization: Defines & aligns business requirements Technology: Shared tenant environments, consumption based usage, instant provisioning, legacy system rationalization, vendor diversity, vendor agnostic, service focused, de-centralized access, compute & storage. Operations: Dashboards, SLAs & escalation Governance: Mature, holistic, risk/reward aware & agile
  • How do you make the transition? Organization: Determine your organization’s appetite/tolerance for risk, promote a cultural move from a “Zero Risk/Zero Breach” mentality to a “Predict & Prevent” and “Risk Resilient” mentality. Technology: Transition from infrastructure focus to application & service focus aligned with business functionality. Adopt architectural principles that assume an expanding perimeter. Operations: Adopt relevant & actionable Key Performance Indicators and understand the escalation path. Governance: Align with business objectives, develop effective forums, drive measured policy change and consider ITIL practices.

Presentation Transcript

  • Journey to the Clouds: Maturity, Agility, Risk and Trust. Bryan K. Fite, US&C Portfolio Manager. SOURCE Seattle, September 13, 2012
  • My Journey
    • Hacker/Researcher > Consultant > Policy Scribe > Architect > Risk Manager > Trusted Advisor, or: from the guy that said no to the guy that facilitates yes
    • 3 1/2 years as Security & Compliance Director for a Fortune 50 company
    • Currently US&C Security & Mobility Portfolio Manager
    © British Telecommunications plc
  • Security Maturity Continuum: Evolution > Outsourcing, Partnering and Transformation > Next Stage (slides 4 to 7 build up the following table one column at a time)
    Internally Managed Estates
    • Organization: Disparate; splintered cultures
    • Technology: Dedicated & owned; multiple vendors; decentralized
    • Operations: Multiple groups; dedicated resources
    • Governance: Business specific
    Cost Center Managed Estate
    • Organization: Internal customers; unified culture
    • Technology: Dedicated & owned; rationalized vendors; centralized
    • Operations: Centrally managed resources
    • Governance: Consolidated process, policy, finance and audit teams
    Externally Managed Services and Applications
    • Organization: Defines & aligns business requirements
    • Technology: Dedicated & owned; legacy & shared; vendor agnostic; centralized
    • Operations: Centrally managed oversight
    • Governance: Dedicated process, policy, finance and audit teams
    Cloud Based
    • Organization: Defines & aligns business requirements
    • Technology: Shared; diverse; agnostic; de-centralized
    • Operations: Dashboards; SLAs; escalation
    • Governance: Mature & holistic; risk/reward aware; agile
  • Exploiting Opportunities: How do you make the transition?
    • Organization: Risk Tolerance; Maturity Level; Culture Change; Roles & Responsibilities
    • Operations: Key Performance Indicators; Escalation Paths
    • Technology: Architecture; User Experience; Application & Service
    • Governance: Business Objectives; Effective Forums; Policy Change; ITIL Practices
  • The Governance, Risk & Compliance Challenge
    Adapt to evolving security threats (Ops)
    • Network boundaries are less defined as access adapts to meet changing business needs
    • External attacks continue to become more sophisticated and change faster
    • External attacks are targeted and financially motivated
    • Threats from inside the organization are growing
    Control or reduce their costs (Business)
    • Increasing scarcity and growing cost of retaining IT security talent
    • Security budgets are now subject to the same rigour as other IT spend
    • Solutions need to be flexible to adapt to changing threats without needing to be replaced
    • Rationalize solutions and suppliers to reduce costs
    • Integrate security management across the company to reduce costs and get the most out of what they’ve got
    Comply with growing regulation (Audit)
    • Volatile cost of compliance (TCO)
    • Continued market vertical regulations such as Basel II, SOX, HIPAA, SEC, PCI DSS
    • Increased growth and evolution of regulation
    • Local data protection laws place a greater focus on data security
  • Governance, Risk & Compliance Benefits
    • Facilitates: Agile and effective governance
    • Drives: Holistic risk management
    • Creates: Audit-ready enterprises
    • Identifies: Redundant cost elements
    • Supports: Rapid deployment regardless of maturity level
    • Fosters: A cost-effective and business-reasonable approach
    • Provides: Measurable business value
    Exploiting GRC Opportunities: Alignment; Effective Forums; Measured Policy Change; Consider ITIL
  • Tools of The Trade: Compensating Controls
    • Confidence = Control + Trust
    • Contractual Language
    • Service Credits
    • Risk Reward Parity
    Agile & Effective Governance
    • Business Objectives
    • Develop Effective Forums
    • Drive Measured Policy Change
    • Adopt ITIL Practices
    • Discipline & Consistency
  • Tools of The Trade: Rapid Risk Assessment
    • Rapid, Relevant & Repeatable
    • Answers a specific question
    Trust Management Metrics
    • Confidence = Control + Trust
      – Transparency
      – Previous experience
      – Mutually assured destruction/success
    “You have to trust someone!” Bruce Schneier
  • Trust Definition: RFC 2828
    • “Trust [...] Information system usage: The extent to which someone who relies on a system can have confidence that the system meets its specifications, i.e., that the system does what it claims to do and does not perform unwanted functions.”
    • http://www.ietf.org/rfc/rfc2828.txt
    • trust = system[s] perform[s] as expected
  • Trust Definition: “Trust (or, symmetrically, distrust) is a particular level of the subjective probability with which an agent assesses that another agent or group of agents will perform a particular action, both before he can monitor such action (or independently of his capacity ever to be able to monitor it) and in a context in which it affects his own action.” Diego Gambetta, “Can we trust trust?”, 1988
  • Trust Management Methodology: ISECOM - http://www.isecom.org/ (Disclaimer: I just became a CTA)
    What is Trust Analysis?
    • The use of logic and reason to make a trust decision
    • It is a new practice originally developed to explore operational trust
    • Identifies 10 trust properties
  • ISECOM Trust Properties
    • Size: “How many trust subjects are there?”
    • Symmetry: “What are the vectors of the trust?”
    • Transparency: “How much do we know about them?”
    • Consistency: “What happened in the past?”
    • Integrity: “How is change communicated?”
    • Value of Reward: “What do we gain?”
    • Components: “What are your resource dependencies?”
    • Porosity: “How much separation between the subject and environment exists?”
    • Control* and Offsets*
  • Dr. Piotr Cofta: Trust Governance & TERM
    • Literally wrote the book(s) on Trust
    • Recently launched http://trust-governance.com/
    • Collaborating on the development of Trust Enhanced Risk Management (TERM)
    • TERM can be introduced gradually, as it is backward-compatible with existing risk management methodologies
    “With trust, companies can enjoy 10% increase in profit margin or 40% cost savings… …Without trust, technology has no business value.” Dr. Piotr Cofta
  • Trusted Business Partner Designation (work in progress)
    • Trust is considered a good thing because it reduces the cost to maintain security and controls
    • How can TERM help us?
      – Create a relative Trust Score to answer a specific business question and rank entities accordingly
      – Define Trust Score thresholds for certain operational functions
      – Seek compensating controls to treat specific risk where trust does not exist
      – Examples: MPLS & RSA Seed Escrow
    “Security exists to facilitate trust. Trust is the goal, and security is how we enable it.” Bruce Schneier
  • Take Aways: The “Clouds” are gathering and security professionals are uniquely positioned to facilitate the future. “Carpe diem”
    • Know where you are on the maturity continuum
    • Speak the language business understands
    • Communicate risk & reward in effective forums
    • Treat risk creatively and understand how, why and who you trust
  • http://day-con.org October 12th & 13th, 2012, Dayton, Ohio
  • Thank you. Bryan K. Fite, Bryan.Fite@BT.com