Protecting the Information Infrastructure


Remember not so long ago when breaches created shocking headlines? Today, they’re so frequent that we’re becoming de-sensitized when we hear that household-name companies are robbed of customer data. While the news feels less shocking, the problem is actually getting worse. The bad guys are not only getting more sophisticated, they’re becoming better financed — so protecting corporate data has never been more crucial. In this session, hear how companies must improve how their data moves in an information-centric security environment, and how it’s no longer about the CIO aligning business and technology, but aligning business, technology and security.

Published in: Technology, Economy & Finance

Transcript of "Protecting the Information Infrastructure"

  1. 1. Wednesday, October 12, 11
  2. Protecting the Information Infrastructure: Why CIOs and CSOs are Becoming Mission-Critical Business Partners. SNW Fall 2011. Jay McLaughlin, CISSP, Chief Security Officer, Q2ebanking
  3. DISCLAIMER The materials, thoughts, comments, ideas and opinions expressed throughout this presentation are entirely my own and do not necessarily represent the thoughts or opinions of my employer (past or present).
  4. AGENDA • Information...the lifeblood of an organization • Events involving loss of data are rising - who is to blame? • Mitigating our vulnerabilities • A shift to Information-Centric Security • Developing critical partnerships across the organization
  5. Information is the lifeblood of organizations, and considered a critical factor in a company’s effective pursuit of its business goals and success.
  6. Information is not only valuable to an organization…but also to...
  7. WHAT ARE WE TRYING TO PROTECT? Regulated information is the type of data most often thought of when the subject of information protection is raised. • Includes personally identifiable information (PII) of individuals, such as social security numbers, bank and credit card numbers and medical records. A great deal of public outrage, lawsuits, fines and loss of brand trust can accompany the compromise of this information. Confidential information may involve marketing plans, financial projections, sales reports and M&A discussions. • Breaches of this information can range from public embarrassment to catastrophe. Intellectual property (IP) is arguably the most critical type of information. • According to the FBI, $600 billion worth of intellectual property is stolen every year in the U.S. • Companies tend to focus on regulated data while doing comparatively little to secure the IP that is critical to their business.
  8. Setting the Stage - Recent Attacks – Defense Contractors » Lockheed Martin » Northrop Grumman » L-3 – Commercial Organizations » SONY » GOOGLE – Security Firms » RSA » Barracuda Networks » HB Gary Federal » Comodo / DigiNotar – Government » United States DoD » Texas Comptroller’s Office
  9. It gets worse... Source: Scientific American, “Data Theft: Hackers Attack”, Oct 2011
  10. Change in Tactics • Highlighted that in 2010 the largest number of data breach incidents occurred, yet the volume of records dropped significantly • Criminals are engaging in small, opportunistic attacks rather than large-scale, difficult attacks, using relatively low-sophistication attacks to penetrate organizations.
  11. Will your organization be on this list? • University of Texas: 688 students’ and prospective students’ personal information accessed by employees after a configuration error made data available on the intranet • Blackpool Coastal Housing: 80 tenants’ names, addresses, national insurance numbers, telephone numbers and confidential care plans transferred to an employee’s home computer where they were accessible to others • Guilford County Tax Dept: 1,000 taxpayers’ SSNs, names and addresses, and images of checks paid were accessible on the internet • Bright House Networks: Customer names, addresses, phone numbers and account numbers exposed in unauthorized access • California State Assembly: 50 employees’ personal information may have been acquired by a hacker • Montgomery County Dept of Job and Family Svcs: Names and Social Security numbers of 1,200 individuals seeking agency assistance were on a lost thumb drive
  12. Organizations are sloppy
  13. Overly Confident? Ninth Annual Global Information Security Survey: of 9,600-plus business and technology execs surveyed, 43 percent identify themselves as security frontrunners and believe they have a sound security strategy and are executing it effectively. http://www.pwc.com/gx/en/information-security-survey/giss.jhtmx
  14. Source: Information Security Magazine, October 2010
  15. CIOs: Call to Action • Delivery of effective technology solutions to external customers and internal constituents • Reducing related operational costs across business units • Maximizing the value of technology investments to improve business performance • Increasing agility of the organization, enabling it to adapt to changing needs
  16. Roles of the CSO • ENABLE • AUDIT • ENFORCE • EDUCATE
  17. Influencing Behavior • Education is critical • Security awareness is a start...but not good enough • “Behavioral change” is required
  18. (no text on slide)
  19. Overly Confident? To a fault... • “...we haven’t been attacked before” • “...why would someone target our company?” • “...we undergo routine internal/external audits” Why are we remiss about security? • CIOs and C-level executives often don’t hear about security until an incident occurs • CIOs are value-focused managers • Is security NOT viewed AS value-adding?
  20. Source: Scientific American, “Data Theft: Hackers Attack”, Oct 2011
  21. ...in fact, we are spending more on security solutions to protect our information systems
  22. ...but we’re not making investments in our processes: Management, Security, Physical, Operational
  23. COMPLIANCE
  24. Compliance vs. Security • This isn’t about checking the box • Compliance defined: conformity in fulfilling official requirements. It is the standard that is the problem, not the compliance with the standard.
  25. CSOs tend to fixate on building an “EXCELLENT” information security program
  26. Where does the CSO fit in?
  27. The Business Problem Topology • Security is new to the executive table • Security discussions in today’s enterprise tend to be focused on the qualitative aspects instead of the quantitative • CSOs speak a language that is NOT understood by other executives • CSOs struggle with creating awareness and changing behaviors
  28. But, Security is often viewed as a BOTTLENECK
  29. The “R” Word • Developing those critical RELATIONSHIPS within the organization • WALK A MILE • Breaking down the walls...we’re all fighting the same battle
  30. (no text on slide)
  31. Current Environment • Regulations and compliance requirements are demanding more time and attention • Regulators and auditors, including PCI-DSS, GLBA, SOX/404, HIPAA, etc., are demanding more executive time and attention • Greater interest from CIOs and other business stakeholders regarding information security • Routine communication around information security, compliance, investment and risk is critical...but challenging.
  32. Management Differences: CIO = value-focused managers; CSO = risk-focused managers. LEADERSHIP PHILOSOPHIES: RISK MITIGATION translates to VALUE
  33. Effective Risk Managers? • Generally, human beings struggle at managing risk • We often overestimate risks that are highly visible or catastrophic and underestimate the risks that are slower to develop or not easily seen • CIOs tend to overestimate risks that they have less control over, and underestimate the risks that they have more control over (e.g. flying an airplane vs. driving a car)
  34. Assessing Risk • Engagement of business • Top-down approach, ranking information assets • Business Impact Analysis • Quantitative vs. Qualitative
  35. Understanding Risk Risk management involves identifying threats and applying mitigating controls to effectively reduce the risk of those threats: • RISK = (THREAT x VULNERABILITY) / COUNTERMEASURES • Multiply by VALUE for quantitative • Controls can mitigate risk… ...but can rarely fully eliminate risk
  36. Calculating Loss Expectancy • The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE). Mathematically expressed: ALE = ARO * SLE; calculating SLE: SLE = AV * EF • Suppose that an asset is valued at $100,000, and the exposure factor (EF) for this asset is 25%. The SLE, then, is (25% * $100,000), or $25,000. • For an annual rate of occurrence of 1, the annualized loss expectancy is (1 * $25,000), or $25,000.
  37. Applying Countermeasures Our approach is CRITICAL (diagram: COUNTERMEASURES aimed at the WRONG THREATS) • Focus efforts on mitigating the ACTUAL vulnerabilities that are specific to the organization • Avoid industry marketing FUD
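Added example, not part of the slides: the SLE and ALE formulas from slide 36 in code, carried one step further to the cost/benefit test that slide 37's "focus on the ACTUAL vulnerabilities" argument implies. The net-value rule (ALE before minus ALE after minus the control's annual cost), the asset and the two controls are assumptions for illustration, not figures from the presentation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: float      # AV: dollar value of the asset
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected incidents per year

@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float               # yearly cost of running the control
    new_ef: Optional[float] = None   # EF once the control is in place, if it changes
    new_aro: Optional[float] = None  # ARO once the control is in place, if it changes

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF (slide 36)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor

def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO * SLE (slide 36)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return aro * sle

def countermeasure_value(asset: Asset, control: Countermeasure) -> float:
    """Assumed rule: net annual value = ALE before - ALE after - annual cost."""
    ale_before = annualized_loss_expectancy(
        asset.aro, single_loss_expectancy(asset.asset_value, asset.exposure_factor))
    ef = control.new_ef if control.new_ef is not None else asset.exposure_factor
    aro = control.new_aro if control.new_aro is not None else asset.aro
    ale_after = annualized_loss_expectancy(aro, single_loss_expectancy(asset.asset_value, ef))
    return ale_before - ale_after - control.annual_cost

def rank_countermeasures(asset: Asset, controls: List[Countermeasure]) -> List[Tuple[str, float]]:
    """Controls ordered by net annual value, best first; a negative value is not worth buying."""
    scored = [(c.name, countermeasure_value(asset, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample: the slide's figures (AV $100,000, EF 25%, ARO 1) and two
# hypothetical controls, one cutting the real exposure, one priced on marketing FUD.
CUSTOMER_DB = Asset("hosted customer data", 100_000.0, 0.25, 1.0)
CONTROLS = [
    Countermeasure("database column encryption", annual_cost=8_000.0, new_ef=0.05),
    Countermeasure("vendor appliance", annual_cost=30_000.0, new_aro=0.5),
]

if __name__ == "__main__":
    for name, value in rank_countermeasures(CUSTOMER_DB, CONTROLS):
        print(f"{name}: net annual value ${value:,.0f}")
```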
  38. Defense By Layer • Acknowledges that reliance on any single control or mitigating factor is not sufficient • This approach is commonly recommended. Scenario: Protecting hosted customer data from an external attacker • Database tables are encrypted • Role-based access levels are applied • Data storage encryption
  39. Paradigm Shift: Information-Centric Security • Emphasizes security of the INFORMATION itself...rather than the security of networks, systems, and applications. • 4 Principles: 1. Information (data) must be self-describing and defending. 2. Policies and controls must account for business context. 3. Information must be protected as it moves from structured to unstructured, in and out of applications, and through changing business context. 4. Policies must work consistently through the different defensive layers and technologies we implement. Source: Rich Mogull, CEO/Principal Analyst, Securosis
  40. Developing A Strategy • Creating an information protection strategy – understanding the business and its specific needs for information protection. – defining a set of objectives to deliver quick wins and address long-term goals. • Locating and classifying the information that means the most – An impact analysis should be performed to identify the information with the greatest impact on strategic, tactical and operational objectives. • Weaving information protection into the fabric of the organization • Developing the necessary capabilities to protect their information assets – Organizations need to determine the technologies and processes that best support their information protection objectives. Source: Dr. Alastair MacWillson, Security Week, Aug 2011
  41. Summary • Educate by establishing a foundation for communication (e.g. metrics, scorecards) • Embrace an information-centric approach • Play offense (ACT vs. REACT) • Leverage leading-edge technology that enables agility within the organization • Security is NOT perfect, and it requires ACCOUNTABILITY • START with the BASICS
  42. Be Prepared “The future ain’t what it used to be.” - Yogi Berra, New York Yankees
  43. QUESTIONS?
  44. THANK YOU linkedin.com/in/mclaughlinjay @jaymclaughlin