From The Pillory To The Joneses Using Peer Pressure To Improve Your Security KPIs :: Metricon 6.5


There is a natural human desire to both not be punished as well as to covet that which thy neighbor has (hence the existence of the well known "thou shalt not…" Commandment). Humans also strongly desire to be rewarded for the accomplishments they make but at the same time would like to be as anonymous as possible. With such diverse characteristics, how could one possibly use something like security metrics to change/channel the right behaviours?

Since the most effective metrics programs have a measurable, reportable resulting action component, the way in which this is carried out must be designed in up-front. Given the limited resources in business units and IT areas, this design should focus on the most critical areas first and shift focus as progress is made in individual KPIs.

To that end, we present an approach that has an element of the medieval gallows (i.e. shame) as well as an element of "keeping up with the Joneses" (i.e. competition) to improve the effectiveness of concrete risk, security & compliance program goals/controls. We will demonstrate real-world improvements made in the area of policy/standard exceptions as well as anti-virus infections and propose other concrete areas organizations of all sizes can work on in 2012 & beyond to drive critical improvements in their programs.


Transcript

  • 1. From The Pillory To The Joneses: Using Peer Pressure To Improve Your Security KPIs. Bob Rudis & Albert Yin, Mini-Metricon 6.5, February 27, 2012 (slide export dated Thursday, January 24, 13)
  • 2-3. [Image: people locked in a pillory while awaiting witch trials] http://www.historicalstockphotos.com/images/xsmall/1971_people_locked_in_a_pillory_while_awaiting_witch_trials.jpg (used with permission)
  • 4-5. [Image: keeping up with the Joneses] http://gentlemanredux.com/blog/2011/11/24/keeping-up-with-the-joneses/ (used with permission)
  • 6-7. I know you all know this…
  • 8-9. But, it’s worth repeating…
  • 10-11. Metrics are supposed to be…
  • 12-13. [Image] Getty Images :: “Comping” & Preview Use License
  • 14-15. [Image] NBC News Footage :: Fair Use
  • 16-21. How To Pick An Area Of Focus
    - Do you even have data for it?
    - Is that data easy to get on a regular basis?
    - Can you trust the data?
    - Is it an area you can measure consistently over time?
    - Is it actually going to help reduce risk in your environment?
  • 22-24. Candidate #1: Policy Exceptions
    - We (Enterprise Security) controlled the process & data
    - Policy exceptions inherently introduce risk into the environment, hence a great target to focus on
  • 25-26. Original: (Mostly) WORTHLESS [chart slide; the label is set vertically on the slide]
  • 27-28. “So what?”
  • 29-30. No consequences…
  • 31-32. [Image slides]
  • 33-36. New & Improved
    - Comparison Over Time
    - Aligned To Risk
  • 37-42. New & Improved
    - Show The Trend!
    - Focus On Risk!
  • 43. [Image slide]
  • 44-45. [Image] http://www.geograph.org.uk/photo/630105 (Attribution-NonCommercial-ShareAlike 2.0 Generic, CC BY-NC-SA 2.0)
  • 46-47. [Image] http://hyperboleandahalf.blogspot.com/ (Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License)
  • 48-52. What Did It Take?
    - ~6 months
    - Constant contact with SBUs
    - Tons of documentation
    - Senior management visibility & support
  • 53-55. What are next candidates? Repeat virus offenders per SBU, per month. “So what?” => What are these folks doing to keep getting infected? Do the infected users handle/have access to sensitive data? (Loss of Integrity/Confidentiality)
  • 56-58. What are next candidates? # Windows 7 systems deployed & % with encryption enabled (per SBU). “So what?” => Primary concern of Corporate Legal & OCC (safe harbor loss); doing a migration to Win 7 and off of competing technology at the same time
  • 59-61. What are next candidates? Internet-facing vulnerability/pen-test metrics (per SBU). “So what?” => For us, a Board-level initiative. Ref: CIS Security Metrics – Quick Start Guide: https://benchmarks.cisecurity.org/en-us/?route=downloads.form.metrics_guide.100
  • 62. Bob Rudis (bob@rud.is, @hrbrmstr); Albert Yin (albert.yin@libertymutual.com, @maximumyin)
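An added example, not from the talk, of computing the first "next candidate" KPI above (repeat virus offenders per SBU, per month) together with the month-over-month trend and a worst-first per-SBU ranking, which is the comparison-over-time and peer-pressure view the "New & Improved" slides call for. The SBU names, user IDs and infection events are constructed; the repeat threshold of two infections in a month is an assumption.

```python
"""Repeat-virus-offender KPI per SBU per month, with trend and ranking.
Example code written for this page, not the presenters' own tooling."""
from collections import defaultdict

# Constructed sample AV infection events: (month, SBU, user id).
# A user is a "repeat offender" for a month when infected >= THRESHOLD times.
EVENTS = [
    ("2012-01", "Retail", "u1"), ("2012-01", "Retail", "u1"),
    ("2012-01", "Retail", "u2"), ("2012-01", "Claims", "u7"),
    ("2012-02", "Retail", "u1"), ("2012-02", "Retail", "u1"),
    ("2012-02", "Claims", "u7"), ("2012-02", "Claims", "u7"),
    ("2012-02", "Claims", "u8"), ("2012-02", "Claims", "u8"),
    ("2012-02", "Claims", "u9"),
]
THRESHOLD = 2  # assumed definition of "repeat"


def repeat_offenders(events, threshold=THRESHOLD):
    """Return {month: {sbu: number of users infected >= threshold times}}.
    Every SBU with any event in a month gets an entry, so zeros are visible."""
    per_user = defaultdict(int)
    for month, sbu, user in events:
        per_user[(month, sbu, user)] += 1
    kpi = defaultdict(lambda: defaultdict(int))
    for month, sbu, _ in events:
        kpi[month].setdefault(sbu, 0)
    for (month, sbu, _), n in per_user.items():
        if n >= threshold:
            kpi[month][sbu] += 1
    return {m: dict(v) for m, v in kpi.items()}


def trend(kpi, prev_month, cur_month):
    """Month-over-month change per SBU; positive means getting worse."""
    prev, cur = kpi.get(prev_month, {}), kpi.get(cur_month, {})
    return {s: cur.get(s, 0) - prev.get(s, 0) for s in sorted(set(prev) | set(cur))}


def league_table(kpi, month):
    """Rank SBUs worst-first for a month: the 'keeping up with the Joneses' view."""
    return sorted(kpi.get(month, {}).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    k = repeat_offenders(EVENTS)
    for month in sorted(k):
        print(month, league_table(k, month))
    print("trend", trend(k, "2012-01", "2012-02"))
```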