Building an effective Information Security Roadmap

6,908 views
6,776 views

Published on

As company information security functions continue to grow each year with increasing attacks and regulations, how are you handling the
pressure? Are you constantly battling to run the business projects and reacting to customer requests? Have you blocked off a few hours each week
on your calendar to close your email, turn off your phone and try to build, assess and maintain an effective vision for your security team? This
presentation will discuss a cascading approach to creating such a roadmap that is easily understood by executives and has helped gain quick buy
in for multiple enterprise wide security projects.

Published in: Technology

Building an effective Information Security Roadmap

  1. 1. Creating an Effective Security Roadmap Elliott Franklin, CISSP, CISM
  2. 2. Who Am I? •  15 Yrs in IT •  9 Yrs in Info Sec •  7 Yrs in Mgmt •  Alamo ISSA •  San Antonio Security Leaders Forum •  Texas CISO Council •  @elliottfranklin
  3. 3. Standard Disclaimer These are my own thoughts
  4. 4. Mission Impossible •  Info Sec roles continue to expand •  The CISO faces a new test of leadership –  Planning and Communication are essential •  Manage the crucial links between –  information security –  operational performance –  brand protection –  shareholder value
  5. 5. What is Changing? •  53% of CISOs now report to C-level execs •  74% of CISOs struggled to balance strategy and operations in 2012 –  “If I need to do strategic planning, I need to come in during the weekends because ops takes 100% of my time”
  6. 6.   To  be  an  informa,on  security  leader,   companies  need: 1.  An  informa,on  security  strategy   2.  A  chief  security  officer  who  reports  directly  to   organiza,onal  leadership   3.  An  annual  measurement  and  review  process   4.  An  understanding  of  past  security  events  
  7. 7. Types of Security Organizations •  Operations-focused •  Governance, Risk and Strategy-focused
  8. 8. Ops Focused •  Limited business interaction •  Deploying, managing and monitoring security tools •  Vulnerability and Threat Management •  Anti-malware •  Encryption •  Firewalls •  Blocking and tackling
  9. 9. Risk, Governance and Strategy •  Supports business objectives •  Relationship management •  Manages security priorities •  Forward looking •  Anticipates threats and business needs
  10. 10. What Works? •  A Flexible Organization with a Centralized Core –  Security Oversight –  Information Risk –  Security Architecture and Engineering –  Security Operations
  11. 11. Corporate Culture •  What do your executives expect from security? •  If not strategy, then focus on operations •  Build trust and demonstrate value •  Reporting Inside or Outside IT? •  Centralized or Decentralized?
  12. 12. Mind Shift
  13. 13. Start with the ABC’s •  Assess your assets, risks, resources •  Build your policy •  Choose your controls •  Deploy the controls •  Educate employees, execs, vendors •  Further assess, audit, test *From welivesecurity.com
  14. 14. Assess, Risks and Resources •  What are you protecting? –  What is important to the business? •  What are the main threats to these systems/data? •  Who can help you? –  Never enough resources –  Leverage Others
  15. 15. Assess, Risks and Resources •  Fraud –  How could business processes, manual or automated be exploited? •  Physical Security –  32% of CISOs cover both •  Now is the time to pick a framework –  One that covers all regulations
  16. 16. Build your Policy •  Policies –  AUP –  BYOD –  Passwords –  Vendors/Cloud Providers •  Procedures –  Patching –  Anti-Virus –  Group Policies •  Screensaver Timeout
  17. 17. Controls to enforce policies •  “Log all access to data by unique identifier” –  Requires log management or SIEM •  “Limit access to specific data to specific individuals” –  Require unique system username and password •  “Sensitive data shall not be emailed outside the organization” –  DLP or email encryption system
  18. 18. Deploy and test controls •  A phased approach –  DLP –  Email Encryption •  Test not only if the solution works technically but also that it does not impose too great a burden on employees or processes
  19. 19. Educate employees, vendors, etc •  What are our policies? •  How to comply? •  Consequences of failure to comply
  20. 20. Further assess, audit, test… •  Once policies, controls and education are under way, it’s time to re-assess •  Audit •  Monitor change control •  New vendor relationships •  Marketing initiatives •  Employee terminations
  21. 21. Common Approach •  A top 10 list based on Gartner and Trustwave •  Death by PowerPoint, Of course •  One per slide •  No business input •  Present to executive leadership multiple times –  Review and revise quarterly
  22. 22. Strategic Planning •  Determine the direction of the business •  Understand security's current position –  What do we do? –  For whom do we do it? –  How do we excel?
  23. 23. Definitions •  Vision –  A descriptive picture of a desired future state –  “Where do we want to be?” •  Objectives –  High-level achievement •  “Improve customer loyalty” •  “Grow market share” •  Goals –  Anything that is measured to help fulfill an objective
  24. 24. Definitions •  Strategies –  Those actions we implement on a day-to-day basis to achieve our objectives •  Projects –  The concrete actions a business takes to execute its strategic plan •  Capabilities –  An organization’s ability, by virtue of its IT assets, to create business value
  25. 25. Start with Vision To provide advanced information security services and expert security guidance to all members of the Harvard community and to ensure confidentiality, integrity, and availability of the information assets and resources according to University Enterprise Security Policy, State and Federal laws.
  26. 26. Build Top-Down
  27. 27. Objectives •  Maintain Information Security Policy •  Build and Maintain a Secure Network •  Protect Customer and Corporate Data •  Implement Strong Access Control Measures
  28. 28. Goals •  Reduced time to investigate security incidents •  Maintain 90% compliance for all systems •  Audit 25% of information security policies •  Reduce number of security incidents caused by employees •  Reduce time required to create new user accounts •  Maintain 80% coverage of critical security patch installation within 30 days of release
  29. 29. Strategy •  Multiple projects can point to a single strategy –  Actively monitor and audit logs, threats and incidents –  Make security easy to use and understand –  Implement strong identity and access management –  Create a layered security architecture
  30. 30. Projects •  SIEM •  Vulnerability & Threat Mgmt •  Policy & Procedures Review •  Security Awareness •  Identity & Access Mgmt •  Incident Management
  31. 31. Capabilities •  Log Monitoring •  Intrusion Detection •  Access Management •  Identity Management •  Remote Access •  Architecture Review •  Data Loss Prevention
  32. 32. Next Steps…
  33. 33. Meaningful Metrics •  Security metrics need to demonstrate business alignment •  Are we more secure today than yesterday? –  Number of machines reimaged –  Number of phishing attempts blocked •  How do we compare to our peers? •  Not limited to what your tools provide •  Ask the business
  34. 34. Effective Metrics •  Consistently measured –  Benchmarks and opportunities for continuous improvement •  Cheap to gather –  If metrics are expensive to gather, they will not be gathered •  Use numbers that show relationships –  Are these numbers relevant to decision makers? •  Show trends •  Pretty graphs!
  35. 35. Any Good News? •  80% of attacks rely on exploits that we can readily defend against –  Focus on security awareness –  Properly maintained IT Infrastructure –  Effective monitoring •  15% of the attacks can be mitigated with a solid security strategy •  5% are Sophisticated/Nation State * Key Findings from the 2013 US State of Cybercrime Survey - PWC
  36. 36. Critical for a Competitive Posture •  Information security now plays a critical role in enabling the exchange of sensitive information •  What are your competitors doing in this space? •  “If you can’t talk ROI, the boardroom isn’t listening” •  Transforming from asset guardian to strategic business enabler
  37. 37. Call to Action Stay Flexible Assess Risk Begin with the business’s plan
  38. 38. Resources •  Forrester –  Building A Strategic Security Program And Organization – April 2013 –  Information Security Metrics – Present Information that Matters to the Business – July 2011 •  PWC –  Key findings from the 2013 US State of Cybercrime Survey – June 2013 –  How to align security with your strategic business objectives •  ESET –  Cyber security road map for businesses – May 2013
  39. 39. Elliott Franklin, CISSP,CISM elliott@elliottfranklin.com @elliottfranklin http://www.linkedin.com/in/elliottfranklin/

×