Presentation by CSO Brian Foster to audience from Hewlett Packard - Gold Coast Australia, November 17 2016

1. Brian Foster
Chief Security Officer – CSO as a Service
There is no bigger law firm in Australia
than (Herbert Smith) Freehills and
between 1996 and April 2016 Brian was
responsible for the IT Security strategy
and requirements of the firm.
ISO27001 is becoming the de-facto
standard required for any large law firm
– Brian led the HSF team to certification
Targa Tasmania 2016 – 2nd in Early Modern Category
The theme of this presentation is FOCUS. A Security Manager can spend
hundreds of thousands of dollars on the best security devices money can buy –
but if he has focussed on the wrong thing/wrong direction, then the expenditure
can be effectively wasted. FOCUS on what it is you are setting out to protect
Brian knows all about FOCUS – that’s him in the Co-Drivers seat in this rally car in
which he competes. If Brian loses Focus then the result can be catastrophic….
www.csoaas.com.au

2. CSO - THE ROLE AND RESPONSIBILITIES
• CSO – Chief Security Officer
The CSO is a senior level executive who deals with aligning areas such as security and business objectives and ensuring
that there is proper protection in place for information assets and technology.
Regulatory compliance, data privacy, implementing security strategy and designing security architecture, as well as
handling data privacy and working with others in the organisation to focus on business continuity are all key elements of
the role.
But most important of all, Security policies, standards and procedures (“PSPs”) form the backbone of any Information
Security Management System (ISMS). Although these PSPs are the most basic elements of an ISMS, they are also one of
the most challenging for many organisations to implement effectively. It is important that there is a structured approach
taken to the development, implementation and governance of a framework to ensure that it is effective
For growing enterprises, the need to keep costs to a minimum is understandable and many assume that their small size
means that they are likely under the radar for any passing cyber criminals looking to profit from a hack and they don’t
yet have anything much to protect. However, the reality is that every business has data from the minute it starts up and it
is the responsibility of the CSO to ensure that this message is not only relayed to the Board of Directors but that they
fully understand the implications to the business.

3. CSO - THE CHALLENGES
• Six Phases of Resilience
The convergence of people, business and things creates digital forces that is transforming business models. With much IT
activity now happening outside the IT department, organizations face critical issues regarding privacy, security, safety,
and risk.
The digital crime rate continues to climb as the bad guys innovate quickly and siphon massive amounts of private
information out of enterprises via their infrastructure. Traditional defenses such as antivirus and network firewalls have
failed to stop the continuous stream of breaches. Furthermore, regulatory and compliance standards are reactive and
too prescriptive...
It is the CSO’s role to lead the business in facing up to the challenge – and to do this, the CSO must adapt to a different
way of thinking

4. CSO - THE CHALLENGES
• Six Phases of Resilience
1. Move from Check-Box compliance to Risk-based thinking
Following a regulation, or a framework, or just doing what your auditors tell you to do, has never resulted in
appropriate or sufficient protection for an organization. “Risk-based thinking” is about understanding the major
risks the business is facing and prioritising controls and investments in security to achieve business outcomes. It
should be remembered (and understood) that being Compliant does not mean the business is Secure
2. Move from protecting the infrastructure to supporting organisational outcomes
It is still necessary to protect the infrastructure but the CSO also has to elevate the security strategy to protect the
things the business actually cares about.
3. Move from being the defender of the organisation to be the facilitator
The CSO must resist the temptation to tell the business what to do and decide how much risk is good for the
organisation. Instead of pushing back on business requests to move workloads to the cloud, for example, work
effectively with your business counterparts to negotiate appropriate levels of security

5. CSO - THE CHALLENGES
4. Move from controlling the flow of information to understanding how information flows
Digital business has introduced massive new volumes and types of information that must be understood and
appropriately protected. You cannot apply appropriate controls to protect information when you don’t know
where it is
5. Move from a technology focus to a people focus
Security technology has its limits and, therefore, it’s necessary to shape behaviour and motivate people to do the
right thing, not just try to force people to do what we want. A strategic approach to information security called,
“People-centric security,” emphasises individual accountability and trust, and de-emphasises restrictive,
preventative security controls.
For example, phishing is the initial infection vector of 80% of breaches. However, there are no totally effective
technical controls to this problem. When employees are motivated and understand the limitations of trust, the click
through rate on phishing emails dramatically drops.
6. Move from protection only to detect and respond
The disparity between the speed of compromise and the speed of detection is one of the starkest failures
discovered in breach investigations. In the digital world the pace of change is too fast to anticipate and defend
against every type of attack. Security professionals should acknowledge that compromise is inevitable.
It’s time to invest in technical, procedural and human capabilities to detect when a compromise occurs.

6. SECURITY BUDGETS – BANG FOR YOUR BUCK
What’s Important – What are you trying to protect…
Security budgets, just like any other budget, are under pressure. Given the present cyber security climate it is probably
easier than ever to convince a Board of Directors that there needs to be increased spending on cyber security but the
problem then is what to spend the $$s on.
To SIEM or not to SIEM, that is the question
Cyber Security is a 24x7x365 problem. Just about every organisation needs some form of cooperation to be effective
in this field. Don’t try and do it all yourself or you will most probably fail…
A Monitoring regime which cast a wide net, allied to a well trained response plan/team is the
most bang for your buck in 2016
Hewlett Packard’s Arcsight was the SIEM of choice of my Monitoring service but it is the task of a specialist to configure
the tool and the environment. Even as a fully experienced security professional, I do not consider myself sufficiently
skilled to be the sole authority on what Arcsight should be looking at in my environment.
Network devices generate H-U-G-E amounts of data, the majority of which is false positive. It is essential to
tune-out the noise or you will be paying too much (Events per Second is the usual licence model)

7. SECURITY BUDGETS – BANG FOR YOUR BUCK
IDS/IPS
So we just bought the latest and greatest IDS/IPS devices – phew. The initial configuration and tune is critical to the
success of IDS.
IDS/IPS is not a “Set and Forget” technology and these devices need two things to provide an effective layer of
security. The devices must be tuned to the network they monitor and tuned-in to the latest threats. It is a specialised field
which a good Managed Security Provider will include. IDS should be tuned at least once per month…
Remediation Plan
No matter how much an organisation spends on security technology and tools the adversaries lined up will almost
certainly find a way through and penetrate the network – if they have not already done so. Most organisations will
have a fully documented DRP (Disaster Recovery Plan) and or BCP (Business Continuity Plan) but how effective will the
plans be in a crisis. Part of the Security Budget should included the testing of the plans – you don’t want to discover a
deficiency in the plan when it is most needed

8. SECURITY BUDGETS – BANG FOR YOUR BUCK
Awareness Training
Cyber attackers have shifted their focus away from targeting computers and now they target PEOPLE.
Much has been written about “The Human Firewall” – I have written a whole series of blogs on my own web site
highlighting that people are the easiest of targets for an adversary (http://www.csoaas.com.au/blog/16-the-human-
firewall-the-human-o-s) and it is money well spent to promote Security Awareness Training in any organisation. But it
can’t be the old method of talking to the staff – telling them what they can’t do. The training has to be informative and
interactive because it is the Behaviour of the Staff that needs to be changed and you don’t get that result by following
yesterday’s doctrine.

9. THE INTERNET OF THINGS
The Internet of Things (IoT)
In an industry renowned for its “Buzz Phrases” and acronyms – here is another, The Internet of Things. I included my
Managed Print Solution when I think of an Internet of Things.
An MFP has an Operating System (now nearly always Windows based), huge computing power, huge storage, huge
memory. It’s always on, usually operates with a range of Administrator credentials, is LDAP aware and connects to
multiple VLANs at any one time. It has an email address and connects to the internet and very few people will give it a
second glance (unless it fails to print).
Well after all it is “Just a Printer”.
Nothing could be further from the truth. Because of its capabilities and because of how most people view them, an MFP
is one of the most potentially dangerous pieces of equipment on any network. They are seldom patched, have minimal
configuration applied to them and almost “Access all Areas”… It is not specifically the data on an MFP that may be
targeted, it is an entry point to the wider network
Fortunately there is a solution…