Information Security
Science
Toolkit for Security in the Enterprise
Ravila White | CISSP, CISM, CISA, GCIH
Making it better without making it complex
Disclaimer
This presentation and the concepts herein are my
opinions through private research, practice and
chatting with other professionals.
It is not the opinion of past, present or future
employers.
Now let's have fun…
Agenda
 Overview – The current state of affairs…
 Psychology – The mindset for getting it
done right…
 Diversification – It really does take a
village…
 Theorems – Thought middleware for
getting it done…
 Toolkit – How to harness security in the
enterprise…
Overview
The current state of affairs…
How Did We Get Here?
 When in Rome…treating Information
Security as a ‘specialty’ rather than a
business investment
 Cart before the horse syndrome…ROI for
antivirus, firewalls and other technologies is
proactive rather than reactive
 Introducing Chicken Little…too much FUD
vs. not enough tangible business data
 Forgetting the K.I.S.S. principle…lack of
judicious countermeasures and controls
has created complexity
Tactical Overdose
 Information Security has relied on a more
tactical approach to gain traction
 The tactical side of Information Security is
fairly mature due to the reactive nature of
dealing with intruders and malware
 Information Security is no longer a ‘siloed’
part of the business and requires alignment
to organizational objectives
Mistakes We’ve Made
 Forgetting support of dynamic
environments.
 Applying linear thinking to largely
associative practices.
 Becoming myopic and forgetting business
drives strategy.
 Not evolving with the business.
The Flaw in Strategic Plans
 Strategic plans are not easily consumable,
scalable or sustainable
 They answer the questions without appropriate
stakeholder buy-in
 They don’t provide upfront negotiation of
priorities
 They do not answer “What is Information
Security?”
Strategic Planning Models
 Basic – Followed by companies who are extremely small, busy, and have not done much strategic planning before.
 Issue – This model is a combination of the Basic model and more comprehensive planning such as setting a budget or executing a SWOT assessment.
 Alignment – Used to ensure that what the organization does is aligned with its mission statement. It is useful in fine-tuning strategies or exploring why strategies are not working.
 Self Organizing – This model requires continual reference to common values, discussing these values, and shared reflection of the process.
 Scenario – Used to identify different future organizational scenarios (including best case, worst case, and reasonable case) which might arise. Used to evoke strategic thinking.
Multidimensional Challenges
(Diagram: three axes, Width, Depth and Length, spanning the layers Programs/Activities; Vision - Mission - Values; and Objective - Strategies/Targets - Goals)
 Compliance issues
 Human issues
 Technology issues
 Cross department business integration
Lack of Authoritative Artifacts
 Documentation which…
◦ sets the direction
◦ the business validates its decisions
◦ the business executes against
◦ the business captures resource
requirements
◦ the business verifies the activities
necessary to support a solution
Tortuous Taxonomy
 Not setting the floor around business
definitions.
 Setting the ceiling around business
definitions.
DIVERSIFICATION
It really does take a village…
Which has more value?
*-centric diversification
 With the sense of ‘having a (specified) center’
 Spread (investment) over several enterprises or products, especially to reduce the risk of loss
Security is a practice within the business, not the business
Information Security Portfolio
 IAPP
 ISACA
 ISC2
 ISF
 ISO
 NIST
 OWASP
 SANS
Enterprise Portfolio
 Business Process Modeling
 Economics
 Enterprise Architecture
 Information Design
 Investing
How to apply as middleware
 Business Process Modeling – it translates
what you have to offer in terms and
techniques used by the business.
 Economics – translates the production,
distribution, and consumption of goods and
services you offer.
 Enterprise Architecture – aligns IT initiatives
to business needs.
 Information Design – a communication tool
that takes the complex and makes it
consumable.
 Investing – ties solutions to value
Challenge
Are you an associative thinker or a
didactic thinker?
Research both terms to understand how
you process information. It will help you
understand how to diversify your
knowledge base
Psychology
The mindset for getting it done right…
Observations
 It’s as much how you think, how you
interpret the information and how it’s used.
 Individualistic derivations of information do
not complement enterprise environments.
 Aggregate derivations result in ‘real’ multi-
data sets with a 360 degree rendering of an
organization.
Aggregation of Thought
Scientific Focus
 Theory
 Philosophy
 Practice
Design Focus
 Associative
 Linear (Didactic)
 Cyclical (Iterative)
Teaser
Which term is better suited to denote
repetitious patterns in information
security and why?
Cyclical or Iterative
THEOREMS
Thought middleware for getting it done
Enterprise Thinking Solution
a² + l² + c = t(e)
 a² = associative and adaptable
 l² = logical and linear
 c = cyclical
 t(e) = thinking enterprise
Engagement (OMI) Solution
O or M, then I
 O = Overlay
 M = Map
 I = Integrate
Relationship Building
Solution
v² + c + u = r
 v² = verify and validate
 c = communicate
 u = update
 r = relationship building
PRACTICUM
Where the rubber meets the road…
Analyze This
Toolkit
How to harness security in the enterprise…
K.I.S.S.
 Adopt traditional business methods
◦ Business modeling vs. information warfare
 Start with basic planning
◦ Business logic modeling
 Identify and involve major
stakeholders at the beginning
 Find your logic model
◦ Logic models make your strategy easy to
consume and present.
Designing a Business Model
(example)
By Alex Osterwalder
Business Modeling w/Innovation
Adapted from Alex Osterwalder’s Business Model Canvas
Additional Elements for Modeling
 Review strategic models
◦ At least three of the five models are used
 Logic models
◦ Theory of Change – used to set strategic
direction over a long period of time and identify
issues
◦ Result Chain – provide a mid-level roadmap of
intentions, activities, and end state results
 Software Development Methods
◦ Spiral
◦ Agile
◦ Waterfall
Designing an Information Security
Business Model
(example)
Logic Model Overview
 Outlines how a program is supposed to work
to achieve intended changes and outcomes
 A simple method for engaging stakeholders
 Facilitates thinking, planning,
communication and shared understanding
about targets and intended outcomes
Your Blueprint
Your Framework
Your Strategy and Roadmap
 Using the taxonomy the organization has
developed, write a strategic narrative based
on the results chain.
 Using a RACI/RASCI model, map resources,
activities, responsibilities etc.
 Using information design, develop a
strategic roadmap which shows each
infosec project using the business projects
as a backdrop facilitated via OMI.
 Your strategy and roadmap are artifacts; use
your authoritative documentation taxonomy
to select the most informative elements.
The Information Security Science Toolkit
Tips to Success
 Set the floor of communication by
establishing a common taxonomy.
 Set the floor for artifacts by establishing
authoritative documentation.
 Set the floor for planning by establishing
Business Process Modeling as the
framework for driving strategy.
 Set the floor for innovation by encouraging
and supporting diversification of knowledge
for yourself and your staff.
 Aggregation not individualism is key to
enterprise sustainability.
Stimulating Innovation
 What – using discovery to identify
strengths, opportunities, customers,
partners
 When – During business process modeling
and strategy development.
 How – XPLANE discovery cards
Xplane Discovery Cards
 Can be used for self, 1:1 or in a small group
 Review the situation cards and action cards
 Identify the Hits and Misses
 Identify what actions you need to take
 End result is developing a game plan that
aligns with everyone’s thinking
Recommended Reading
 The New School of Information Security
 Business Model Generation
 The Information Design Handbook
 Enterprise Security Architecture
 Logic Model Development Guide
◦ http://www.wkkf.org/Pubs/Tools/Evaluation/Pub3669.pdf
 Enterprise Architecture
◦ http://www.opengroup.org/togaf/
Credits & References
General Personal Influencers
 Business Model Design:
http://business-model-design.blogspot.com/
 Business Model Generation
 www.dictionary.com
 Information Security: A Strategic
Approach
 ISACA: www.isaca.org
 Logic Model Development Guide:
http://www.wkkf.org/Pubs/Tools/Evaluation/Pub3669.pdf
 Oxford Dictionary
 Wikipedia: www.wikipedia.com
 Xplane: www.xplane.com
 Alex Osterwalder
 Carolyn Trapp
 Deanna Locke
 Ernie Hayden
 John Clouse
 Kirk Bailey
 Myles Conley
 Mom & Family
 Stewart Stremel
Copyright Information
Some works in this presentation have been
licensed under the Creative Commons
license (CC). Please respect the license
when using the concepts or adapting them.
For more information please go here:
 www.creativecommons.org
Thank you…
Questions and Comments
Contact me on LinkedIn

More Related Content

What's hot

Think better using “Descriptive-Prescriptive” Approach
Think better using “Descriptive-Prescriptive” ApproachThink better using “Descriptive-Prescriptive” Approach
Think better using “Descriptive-Prescriptive” ApproachSTAG Software Private Limited
 
Culmsee Cio 248 How To Roi
Culmsee Cio 248 How To RoiCulmsee Cio 248 How To Roi
Culmsee Cio 248 How To RoiPaul Culmsee
 
Hr analytics whywhathow
Hr analytics whywhathowHr analytics whywhathow
Hr analytics whywhathowvikrant dayala
 
Business Analytics to solve your Business Problems
Business Analytics to solve your Business ProblemsBusiness Analytics to solve your Business Problems
Business Analytics to solve your Business ProblemsVishal Pawar
 
Strategies to Enhance Brain Health - - A Pearson Partners HR Roundtable Pres...
Strategies to Enhance Brain Health -  - A Pearson Partners HR Roundtable Pres...Strategies to Enhance Brain Health -  - A Pearson Partners HR Roundtable Pres...
Strategies to Enhance Brain Health - - A Pearson Partners HR Roundtable Pres...Pearson Partners International
 
What to consider when preparing the business case for HR Analytics?
What to consider when preparing the business case for HR Analytics?What to consider when preparing the business case for HR Analytics?
What to consider when preparing the business case for HR Analytics?Hendrik Feddersen
 
The Softer Skills that analysts need (beyond Data Visualisation)
The Softer Skills that analysts need (beyond Data Visualisation)The Softer Skills that analysts need (beyond Data Visualisation)
The Softer Skills that analysts need (beyond Data Visualisation)Paul Laughlin
 
Identifying And Prototyping Data Science Use Cases
Identifying And Prototyping Data Science Use CasesIdentifying And Prototyping Data Science Use Cases
Identifying And Prototyping Data Science Use CasesAmbrus Vancso
 
Today and how to succeed tomorrow
 - HR Analytics
Today and how to succeed tomorrow
 - HR AnalyticsToday and how to succeed tomorrow
 - HR Analytics
Today and how to succeed tomorrow
 - HR AnalyticsHendrik Feddersen
 
Wicked Problems and SharePoint - Rethinking the Approach
Wicked Problems and SharePoint - Rethinking the ApproachWicked Problems and SharePoint - Rethinking the Approach
Wicked Problems and SharePoint - Rethinking the ApproachPaul Culmsee
 
DATA ANALYTICS FOR SOLVING BUSINESS PROBLEMS
DATA ANALYTICS FOR SOLVING BUSINESS PROBLEMSDATA ANALYTICS FOR SOLVING BUSINESS PROBLEMS
DATA ANALYTICS FOR SOLVING BUSINESS PROBLEMSAlexander Kolker
 
Introduction to Business Analytics Part 1
Introduction to Business Analytics Part 1Introduction to Business Analytics Part 1
Introduction to Business Analytics Part 1Beamsync
 
Building Stronger HR Partnerships Through Talent Analytics
Building Stronger HR Partnerships Through Talent AnalyticsBuilding Stronger HR Partnerships Through Talent Analytics
Building Stronger HR Partnerships Through Talent AnalyticsHuman Capital Media
 
Predictive project analytics: Will your project be successful?
Predictive project analytics: Will your project be successful?Predictive project analytics: Will your project be successful?
Predictive project analytics: Will your project be successful?Deloitte Canada
 

What's hot (19)

Sas business analytics
Sas   business analyticsSas   business analytics
Sas business analytics
 
Agile budget v1.01
Agile budget v1.01Agile budget v1.01
Agile budget v1.01
 
Service zen1
Service zen1Service zen1
Service zen1
 
Think better using “Descriptive-Prescriptive” Approach
Think better using “Descriptive-Prescriptive” ApproachThink better using “Descriptive-Prescriptive” Approach
Think better using “Descriptive-Prescriptive” Approach
 
Culmsee Cio 248 How To Roi
Culmsee Cio 248 How To RoiCulmsee Cio 248 How To Roi
Culmsee Cio 248 How To Roi
 
Hr analytics whywhathow
Hr analytics whywhathowHr analytics whywhathow
Hr analytics whywhathow
 
Business Analytics to solve your Business Problems
Business Analytics to solve your Business ProblemsBusiness Analytics to solve your Business Problems
Business Analytics to solve your Business Problems
 
Strategies to Enhance Brain Health - - A Pearson Partners HR Roundtable Pres...
Strategies to Enhance Brain Health -  - A Pearson Partners HR Roundtable Pres...Strategies to Enhance Brain Health -  - A Pearson Partners HR Roundtable Pres...
Strategies to Enhance Brain Health - - A Pearson Partners HR Roundtable Pres...
 
What to consider when preparing the business case for HR Analytics?
What to consider when preparing the business case for HR Analytics?What to consider when preparing the business case for HR Analytics?
What to consider when preparing the business case for HR Analytics?
 
HR Analytics
HR AnalyticsHR Analytics
HR Analytics
 
Hr analytics overview
Hr analytics overviewHr analytics overview
Hr analytics overview
 
The Softer Skills that analysts need (beyond Data Visualisation)
The Softer Skills that analysts need (beyond Data Visualisation)The Softer Skills that analysts need (beyond Data Visualisation)
The Softer Skills that analysts need (beyond Data Visualisation)
 
Identifying And Prototyping Data Science Use Cases
Identifying And Prototyping Data Science Use CasesIdentifying And Prototyping Data Science Use Cases
Identifying And Prototyping Data Science Use Cases
 
Today and how to succeed tomorrow
 - HR Analytics
Today and how to succeed tomorrow
 - HR AnalyticsToday and how to succeed tomorrow
 - HR Analytics
Today and how to succeed tomorrow
 - HR Analytics
 
Wicked Problems and SharePoint - Rethinking the Approach
Wicked Problems and SharePoint - Rethinking the ApproachWicked Problems and SharePoint - Rethinking the Approach
Wicked Problems and SharePoint - Rethinking the Approach
 
DATA ANALYTICS FOR SOLVING BUSINESS PROBLEMS
DATA ANALYTICS FOR SOLVING BUSINESS PROBLEMSDATA ANALYTICS FOR SOLVING BUSINESS PROBLEMS
DATA ANALYTICS FOR SOLVING BUSINESS PROBLEMS
 
Introduction to Business Analytics Part 1
Introduction to Business Analytics Part 1Introduction to Business Analytics Part 1
Introduction to Business Analytics Part 1
 
Building Stronger HR Partnerships Through Talent Analytics
Building Stronger HR Partnerships Through Talent AnalyticsBuilding Stronger HR Partnerships Through Talent Analytics
Building Stronger HR Partnerships Through Talent Analytics
 
Predictive project analytics: Will your project be successful?
Predictive project analytics: Will your project be successful?Predictive project analytics: Will your project be successful?
Predictive project analytics: Will your project be successful?
 

Similar to Toolkit For Security in the Enterprise

Putting the Business in Enterprise Information Security Architecture
Putting the Business in Enterprise Information Security ArchitecturePutting the Business in Enterprise Information Security Architecture
Putting the Business in Enterprise Information Security ArchitectureRavila White
 
The Softer Skills Analysts need to make an impact
The Softer Skills Analysts need to make an impactThe Softer Skills Analysts need to make an impact
The Softer Skills Analysts need to make an impactPaul Laughlin
 
Scientific Evolution LLS Services Catalog v5.0 (2020)
Scientific Evolution LLS Services Catalog v5.0 (2020)Scientific Evolution LLS Services Catalog v5.0 (2020)
Scientific Evolution LLS Services Catalog v5.0 (2020)📡 Vincent Isoz
 
How to sustain analytics capabilities in an organization
How to sustain analytics capabilities in an organizationHow to sustain analytics capabilities in an organization
How to sustain analytics capabilities in an organizationSAS Canada
 
BEST Practices - Testing & Optimization | Bredan Rendan
BEST Practices - Testing & Optimization | Bredan RendanBEST Practices - Testing & Optimization | Bredan Rendan
BEST Practices - Testing & Optimization | Bredan RendanCaleb Whitmore
 
Business analytics workshop presentation final
Business analytics workshop presentation   finalBusiness analytics workshop presentation   final
Business analytics workshop presentation finalBrian Beveridge
 
Digital Innovation Management
Digital Innovation ManagementDigital Innovation Management
Digital Innovation ManagementGeorge Fankhauser
 
BA Overview.pptx
BA Overview.pptxBA Overview.pptx
BA Overview.pptxSuKuTurangi
 
Success Through an Actionable Data Science Stack
Success Through an Actionable Data Science StackSuccess Through an Actionable Data Science Stack
Success Through an Actionable Data Science StackDomino Data Lab
 
Big Data LA 2016: Backstage to a Data Driven Culture
Big Data LA 2016: Backstage to a Data Driven CultureBig Data LA 2016: Backstage to a Data Driven Culture
Big Data LA 2016: Backstage to a Data Driven CulturePauline Chow
 
Optimization Group What We Do
Optimization Group What We DoOptimization Group What We Do
Optimization Group What We Dorcameron55
 
Technology Consulting by Prasanna
Technology Consulting by PrasannaTechnology Consulting by Prasanna
Technology Consulting by PrasannaSupportGCI
 
Business & consulting toolkits free sample in powerpoint
Business & consulting toolkits   free sample in powerpointBusiness & consulting toolkits   free sample in powerpoint
Business & consulting toolkits free sample in powerpointDonald Gest
 
Planning your analytics journey - webinar slides
Planning your analytics journey  - webinar slidesPlanning your analytics journey  - webinar slides
Planning your analytics journey - webinar slidesSprout Labs
 
Build your business analyst career the smarter way
Build your business analyst career the smarter wayBuild your business analyst career the smarter way
Build your business analyst career the smarter wayBusiness Change Academy
 
Career Conversation Technology Consulting
Career Conversation Technology ConsultingCareer Conversation Technology Consulting
Career Conversation Technology ConsultingSupportGCI
 

Similar to Toolkit For Security in the Enterprise (20)

Putting the Business in Enterprise Information Security Architecture
Putting the Business in Enterprise Information Security ArchitecturePutting the Business in Enterprise Information Security Architecture
Putting the Business in Enterprise Information Security Architecture
 
Knowledge Management for 2018
Knowledge Management for 2018Knowledge Management for 2018
Knowledge Management for 2018
 
The Softer Skills Analysts need to make an impact
The Softer Skills Analysts need to make an impactThe Softer Skills Analysts need to make an impact
The Softer Skills Analysts need to make an impact
 
Scientific Evolution LLS Services Catalog v5.0 (2020)
Scientific Evolution LLS Services Catalog v5.0 (2020)Scientific Evolution LLS Services Catalog v5.0 (2020)
Scientific Evolution LLS Services Catalog v5.0 (2020)
 
Predictive Model
Predictive ModelPredictive Model
Predictive Model
 
How to sustain analytics capabilities in an organization
How to sustain analytics capabilities in an organizationHow to sustain analytics capabilities in an organization
How to sustain analytics capabilities in an organization
 
BEST Practices - Testing & Optimization | Bredan Rendan
BEST Practices - Testing & Optimization | Bredan RendanBEST Practices - Testing & Optimization | Bredan Rendan
BEST Practices - Testing & Optimization | Bredan Rendan
 
Case Study Method
Case Study MethodCase Study Method
Case Study Method
 
Business analytics workshop presentation final
Business analytics workshop presentation   finalBusiness analytics workshop presentation   final
Business analytics workshop presentation final
 
Digital Innovation Management
Digital Innovation ManagementDigital Innovation Management
Digital Innovation Management
 
BA Overview.pptx
BA Overview.pptxBA Overview.pptx
BA Overview.pptx
 
Success Through an Actionable Data Science Stack
Success Through an Actionable Data Science StackSuccess Through an Actionable Data Science Stack
Success Through an Actionable Data Science Stack
 
Big Data LA 2016: Backstage to a Data Driven Culture
Big Data LA 2016: Backstage to a Data Driven CultureBig Data LA 2016: Backstage to a Data Driven Culture
Big Data LA 2016: Backstage to a Data Driven Culture
 
Optimization Group What We Do
Optimization Group What We DoOptimization Group What We Do
Optimization Group What We Do
 
Technology Consulting by Prasanna
Technology Consulting by PrasannaTechnology Consulting by Prasanna
Technology Consulting by Prasanna
 
Business & consulting toolkits free sample in powerpoint
Business & consulting toolkits   free sample in powerpointBusiness & consulting toolkits   free sample in powerpoint
Business & consulting toolkits free sample in powerpoint
 
Planning your analytics journey - webinar slides
Planning your analytics journey  - webinar slidesPlanning your analytics journey  - webinar slides
Planning your analytics journey - webinar slides
 
1-210217184339.pptx
1-210217184339.pptx1-210217184339.pptx
1-210217184339.pptx
 
Build your business analyst career the smarter way
Build your business analyst career the smarter wayBuild your business analyst career the smarter way
Build your business analyst career the smarter way
 
Career Conversation Technology Consulting
Career Conversation Technology ConsultingCareer Conversation Technology Consulting
Career Conversation Technology Consulting
 

Recently uploaded

Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service DewasVip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewasmakika9823
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppelCorporation
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfpollardmorgan
 
Banana Powder Manufacturing Plant Project Report 2024 Edition.pptx
Banana Powder Manufacturing Plant Project Report 2024 Edition.pptxBanana Powder Manufacturing Plant Project Report 2024 Edition.pptx
Banana Powder Manufacturing Plant Project Report 2024 Edition.pptxgeorgebrinton95
 
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,noida100girls
 
Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in IslamabadIslamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in IslamabadAyesha Khan
 
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdfCatalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdfOrient Homes
 
NewBase 22 April 2024 Energy News issue - 1718 by Khaled Al Awadi (AutoRe...
NewBase  22 April  2024  Energy News issue - 1718 by Khaled Al Awadi  (AutoRe...NewBase  22 April  2024  Energy News issue - 1718 by Khaled Al Awadi  (AutoRe...
NewBase 22 April 2024 Energy News issue - 1718 by Khaled Al Awadi (AutoRe...Khaled Al Awadi
 
Investment analysis and portfolio management
Investment analysis and portfolio managementInvestment analysis and portfolio management
Investment analysis and portfolio managementJunaidKhan750825
 
Marketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet CreationsMarketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet Creationsnakalysalcedo61
 
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCRsoniya singh
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...lizamodels9
 
Pitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deckPitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deckHajeJanKamps
 
BEST Call Girls In BELLMONT HOTEL ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In BELLMONT HOTEL ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In BELLMONT HOTEL ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In BELLMONT HOTEL ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,noida100girls
 
A.I. Bot Summit 3 Opening Keynote - Perry Belcher
A.I. Bot Summit 3 Opening Keynote - Perry BelcherA.I. Bot Summit 3 Opening Keynote - Perry Belcher
A.I. Bot Summit 3 Opening Keynote - Perry BelcherPerry Belcher
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsApsara Of India
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessAggregage
 
Call Girls In ⇛⇛Chhatarpur⇚⇚. Brings Offer Delhi Contact Us 8377877756
Call Girls In ⇛⇛Chhatarpur⇚⇚. Brings Offer Delhi Contact Us 8377877756Call Girls In ⇛⇛Chhatarpur⇚⇚. Brings Offer Delhi Contact Us 8377877756
Call Girls In ⇛⇛Chhatarpur⇚⇚. Brings Offer Delhi Contact Us 8377877756dollysharma2066
 

Recently uploaded (20)

Best Practices for Implementing an External Recruiting Partnership
Best Practices for Implementing an External Recruiting PartnershipBest Practices for Implementing an External Recruiting Partnership
Best Practices for Implementing an External Recruiting Partnership
 
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service DewasVip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
 
Banana Powder Manufacturing Plant Project Report 2024 Edition.pptx
Banana Powder Manufacturing Plant Project Report 2024 Edition.pptxBanana Powder Manufacturing Plant Project Report 2024 Edition.pptx
Banana Powder Manufacturing Plant Project Report 2024 Edition.pptx
 
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
 
Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in IslamabadIslamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
 
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdfCatalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
Catalogue ONG NƯỚC uPVC - HDPE DE NHAT.pdf
 
NewBase 22 April 2024 Energy News issue - 1718 by Khaled Al Awadi (AutoRe...
NewBase  22 April  2024  Energy News issue - 1718 by Khaled Al Awadi  (AutoRe...NewBase  22 April  2024  Energy News issue - 1718 by Khaled Al Awadi  (AutoRe...
NewBase 22 April 2024 Energy News issue - 1718 by Khaled Al Awadi (AutoRe...
 
KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)
 
Investment analysis and portfolio management
Investment analysis and portfolio managementInvestment analysis and portfolio management
Investment analysis and portfolio management
 

Toolkit For Security in the Enterprise

  • 1. Information Security Science Toolkit for Security in the Enterprise Ravila White | CISSP, CISM, CISA, GCIH Making it better without making it complex
  • 2. Disclaimer This presentation and the concepts herein are my opinions through private research, practice and chatting with other professionals. It is not the opinion of past, present or future employers. Now let's have fun…
  • 3. Agenda
      • Overview – The current state of affairs…
      • Psychology – The mindset for getting it done right…
      • Diversification – It really does take a village…
      • Theorems – Thought middleware for getting it done…
      • Toolkit – How to harness security in the enterprise…
  • 4. Overview The current state of affairs….
  • 5. How Did We Get Here?
      • When in Rome…Treating Information Security as a ‘specialty’ rather than a business investment
      • Cart before the horse syndrome…ROI for antivirus, firewalls and other technologies is proactive rather than reactive
      • Introducing Chicken Little….too much FUD vs. not enough tangible business data
      • Forgetting the K.I.S.S principle….lack of judicious countermeasures and controls has created complexity
  • 6. Tactical Overdose
      • Information Security has relied on a more tactical approach to gain traction
      • The tactical side of Information Security is fairly mature due to the reactive nature of dealing with intruders and malware
      • Information Security is no longer a ‘siloed’ part of the business and requires alignment to organizational objectives
  • 7. Mistakes We’ve Made
      • Forgetting support of dynamic environments.
      • Applying linear thinking to largely associative practices.
      • Becoming myopic and forgetting business drives strategy.
      • Not evolving with the business.
  • 8. The Flaw in Strategic Plans
      • Strategic plans are not easily consumable, scalable or sustainable
      • Answers the questions without appropriate stakeholder buy-in
      • Doesn’t provide upfront negotiation of priorities
      • Does not answer “What is Information Security?”
  • 9. Strategic Planning Models
      • Basic – Followed by companies who are extremely small, busy, and have not done much strategic planning before.
      • Issue – This model is a combination of the Basic model and more comprehensive planning such as setting a budget or executing a SWOT assessment.
      • Alignment – Used to ensure that what the organization does is aligned with its mission statement. It is useful in fine-tuning strategies or exploring why strategies are not working.
      • Self Organizing – This model requires continual reference to common values, discussing these values, and shared reflection of the process.
      • Scenario – Used to identify different future organizational scenarios (including best case, worst case, and reasonable case) which might arise. Used to evoke strategic thinking.
  • 10. Multidimensional Challenges (diagram: Width, Depth and Length axes across Vision - Mission - Values; Objective - Strategies/Targets - Goals; Programs/Activities)
      • Compliance issues
      • Human issues
      • Technology issues
      • Cross department business integration
  • 11. Lack of Authoritative Artifacts
      • Documentation which…
          ◦ sets the direction
          ◦ the business validates its decisions
          ◦ the business executes against
          ◦ the business captures resource requirements
          ◦ the business verifies the activities necessary to support a solution
  • 12. Tortuous Taxonomy
      • Not setting the floor around business definitions.
      • Setting the ceiling around business definitions.
  • 13. DIVERSIFICATION It really does take a village…
  • 14. Which has more value?
      • *-centric – With the sense of ‘having a (specified) center’
      • diversification – Spread (investment) over several enterprises or products, especially to reduce the risk of loss
  • 15. Security is a practice within the business / not the business
      • Information Security Portfolio: IAPP, ISACA, ISC2, ISF, ISO, NIST, OWASP, SANS
      • Enterprise Portfolio: Business Process Modeling, Economics, Enterprise Architecture, Information Design, Investing
  • 16. How to apply as middleware
      • Business Process Modeling – it translates what you have to offer in terms and techniques used by the business.
      • Economics – translates the production, distribution, and consumption of goods and services you offer.
      • Enterprise Architecture – aligns IT initiatives to business needs.
      • Information Design – a communication tool that takes the complex and makes it consumable.
      • Investing – ties solutions to value
  • 17. Challenge Are you an associative thinker or a didactic thinker? Research both terms to understand how you process information. It will help you understand how to diversify your knowledge base
  • 18. Psychology The mindset for getting it done right…
  • 19. Observations
      • It’s as much how you think, how you interpret the information and how it’s used.
      • Individualistic derivations of information do not complement enterprise environments.
      • Aggregate derivations result in ‘real’ multi-data sets with a 360 degree rendering of an organization.
  • 20. Aggregation of Thought
      • Scientific Focus: Theory, Philosophy, Practice
      • Design Focus: Associative, Linear (Didactic), Cyclical (Iterative)
  • 21. Teaser Which term is better suited to denote repetitious patterns in information security and why? Cyclical or Iterative
  • 23. Enterprise Thinking Solution: a² + l² + c = t(e)
      • a² = associative and adaptable
      • l² = logical and linear
      • c = cyclical
      • t(e) = thinking enterprise
  • 24. Engagement (OMI) Solution: O or M, then I
      • O = Overlay
      • M = Map
      • I = Integrate
  • 25. Relationship Building Solution: v² + c + u = r
      • v² = verify and validate
      • c = communicate
      • u = update
      • r = relationship building
  • 26. PRACTICUM Where the rubber meets the road….
  • 28. Toolkit How to harness security in the enterprise…
  • 29. K.I.S.S.
      • Adopt traditional business methods
          ◦ Business modeling vs. information warfare
      • Start with basic planning
          ◦ Business logic modeling
      • Identify and involve major stakeholders at the beginning
      • Find your logic model
          ◦ Logic models make your strategy easy to consume and present.
  • 30. Designing a Business Model (example) By Alex Osterwalder
  • 31. Business Modeling w/Innovation Adapted from Alex Osterwalder’s Business Model Canvas
  • 32. Additional Elements for Modeling
      • Review strategic models
          ◦ At least three of the five models are used
      • Logic models
          ◦ Theory of Change – used to set strategic direction over a long period of time and identify issues
          ◦ Result Chain – provide a mid-level roadmap of intentions, activities, and end state results
      • Software Development Methods
          ◦ Spiral
          ◦ Agile
          ◦ Waterfall
  • 33. Designing an Information Security Business Model (example)
  • 34. Logic Model Overview
      • Outlines how a program is supposed to work to achieve intended changes and outcomes
      • A simple method for engaging stakeholders
      • Facilitates thinking, planning, communication and shared understanding about targets and intended outcomes
  • 37. Your Strategy and Roadmap
      • Using the taxonomy the organization has developed, write a strategic narrative based on the results chain.
      • Using a RACI/RASCI model, map resources, activities, responsibilities etc.
      • Using information design, develop a strategic roadmap which shows each infosec project using the business projects as a backdrop, facilitated via OMI.
      • Your strategy and roadmap are artifacts; use your authoritative documentation taxonomy to select the most informational elements.
  • 38. The Information Security Science Toolkit
  • 39. Tips to Success
      • Set the floor of communication by establishing a common taxonomy.
      • Set the floor for artifacts by establishing authoritative documentation.
      • Set the floor for planning by establishing Business Process Modeling as the framework for driving strategy.
      • Set the floor for innovation by encouraging and supporting diversification of knowledge for yourself and your staff.
      • Aggregation, not individualism, is key to enterprise sustainability.
  • 40. Stimulating Innovation
      • What – using discovery to identify strengths, opportunities, customers, partners
      • When – During business process modeling and strategy development.
      • How – XPLANE discovery cards
  • 41. Xplane Discovery Cards
      • Can be used for self, 1:1 or in a small group
      • Review the situation cards and action cards
      • Identify the Hits and Misses
      • Identify what actions you need to take
      • End result is developing a game plan that aligns with everyone’s thinking
  • 42. Recommended Reading
      • The New School of Information Security
      • Business Model Generation
      • The Information Design Handbook
      • Enterprise Security Architecture
      • Logic Model Development Guide
          ◦ http://www.wkkf.org/Pubs/Tools/Evaluation/Pub3669.pdf
      • Enterprise Architecture
          ◦ http://www.opengroup.org/togaf/
  • 43. Credits & References
      • General
          ◦ Business Model Design: http://business-model-design.blogspot.com/
          ◦ Business Model Generation
          ◦ www.dictionary.com
          ◦ Information Security: A Strategic Approach
          ◦ ISACA: www.isaca.org
          ◦ Logic Model Development Guide: http://www.wkkf.org/Pubs/Tools/Evaluation/Pub3669.pdf
          ◦ Oxford Dictionary
          ◦ Wikipedia: www.wikipedia.com
          ◦ Xplane: www.xplane.com
      • Personal Influencers
          ◦ Alex Osterwalder
          ◦ Carolyn Trapp
          ◦ Deanna Locke
          ◦ Ernie Hayden
          ◦ John Clouse
          ◦ Kirk Bailey
          ◦ Myles Conley
          ◦ Mom & Family
          ◦ Stewart Stremel
  • 44. Copyright Information Some works in this presentation have been licensed under the Creative Commons license (CC). Please respect the license when using the concepts or adapting them. For more information please go here: www.creativecommons.org
  • 45. Thank you… Questions and Comments Contact me on LinkedIn

Editor's Notes

  1. Presented at Secureworld Expo Seattle
  2. This is what we are covering today. I would like this to be as interactive as possible. If you have a question, please feel free to ask. If you have your own ideas, please share as this is a learning opportunity for everyone in the room.
  3. Why is information security hard to sell to the business? There are many reasons; however, in talking with my peers and non-information security professionals, they seem to agree on these.
  4. Many information security professionals continue to rely on a tactical approach to selling information security. When we are not beating management over the head with the latest malware outbreak, then we are pushing compliance. Management is interested in what information security can do for the business.
  5. Here are some of the mistakes we’ve made. Would anyone care to share the mistakes they’ve made in building programs? What is associative thinking? The mental process of making associations between a given subject and all pertinent present factors without drawing on past experience. Free association. Associative thinking enables you to see possibilities where some may think there aren’t any. Linear thinking, the step-by-step gets you there but should not lead. Businesses are dynamic. When they change, we need to change. Holding on to long forgotten ideals will not help your organization.
  6. In the past 4-5 years strategic planning has become all the rage. Ask someone for their strategic plan and get a nice long narrative with maybe a couple of charts associated with cost. Once someone maybe reads it, is it ever referenced again? Is the best method of driving strategy compiling all strategy in one document? Is strategic planning a destination or a journey?
  7. There are five types of strategic plans. Which one would you choose to use for your organization? Typically you’ll need to use at least 2 of the 5. More than likely you’ll need to blend all of them to develop a well-crafted strategy. How can you do so without overloading your audience? In the previous slide, I asked if strategic planning is a destination or a journey…when applied in the manner illustrated it’s a destination, which might be ok. However, for an enterprise mindset, we need to make strategic planning a journey.
  8. Then there is information security. It’s a broad discipline which requires support from non-infosec professionals in order to succeed.
  9. How many people have what is considered authoritative documentation in their organization? Authoritative documentation can support audits, business continuity, disaster recovery etc. It’s the policies, procedures, standards, business plans of your organization. We make them artifacts because it implies historical reference. We expect ourselves and the business to go back to these documents as a point of reference in understanding decisions and direction.
  10. As an exercise, ask people in your organization what a procedure is. Then ask them what a policy is. If you cannot agree on terminology, don’t expect to agree on what it’ll take to make an enterprise strategic plan. Developing a simple taxonomy as part of your business plan (which in itself is a strategy) can facilitate communication when plans are discussed and developed. Setting the floor is to establish your baseline. It means you are working from an expected point. Setting the ceiling is establishing a baseline that provides no room for inference, adaptability and/or extensibility. To set the floor of your taxonomy, use terms that are industry standard and can be built upon. This becomes especially important if your organization is global or international.
  11. One method of addressing the challenges of information security is through diversification. Let’s look at terminology to support our discussion.
  12. Look at both definitions. Which has more value for an information security professional who has a job function with a strategic focus, and why? Discuss it with the person next to you. If you are an information security professional who is in a matrix position then diversification is of more value to you. You must understand how your colleagues think and work to interact with them in a healthy way that promotes the organization’s mission.
  13. Prior to analyzing which term would add the most value, how many of you have run programs that look like the left side of the slide? How many of you here have integrated any of the disciplines and/or practices in your portfolio? Let’s talk about why we should not just be aware of these disciplines but understand how integration can bring more value to our programs.
  14. In software development, middleware is used to support interoperability between disparate systems. For information security innovation, non-infosec disciplines and practice can serve as the middleware to achieving success by supporting the business in a manner that is accepted. By learning at least two non-infosec practices in your organization, you can develop informational artifacts that are easily consumed and sustainable.
  15. Now that we know what we can add to infosec we need to understand how to apply diversification.
  16. We’ve got NIST, SANS CSI, ISACA, ISC2…with all the input we’ve been provided to shape our practice, why are we having such a hard time selling security to the business? Individualistic rating systems and frameworks make it all about me, not we. When we talk about the enterprise it’s about we. To make it about we, aggregating information as a point of reference will yield more accurate results than an individualistic point of view.
  17. Theory is the start of creating a certain train of thought. Once solidified, philosophy can be used to prove or disprove the body of information derived from theory. Finally, practice is the application of proven theory. It’s an aggregation of thoughts (input) that end in a result (output). Design-focused thinking offers a similar path. Associative thinking provides the vehicle for possibilities of a given solution. Linear thinking is applied to the associative to make it logical and the complement of established principles. Cyclical thinking is applied to each solution to determine if a process or practice should occur at regular intervals.
  18. If infosec is to operate as part of the business then repetitious patterns should be looked at from a value perspective. In investing, cyclical denotes a business or stock whose income, value, or earnings fluctuate widely according to variations in the economy or the cycle of the seasons. To stay afloat as a business proposition, infosec must constantly be aware of and communicating its value.
  19. In the last ten years I’ve been asked by many how I’m able to handle large-scale initiatives with few resources. Other than the obvious of having great mentors and influencers, I have my own secret sauce in the form of theorems. They are essentially the middleware solution to handle capacity challenges.
  20. This goes back to what we discussed during the review of diversification. By diversifying thought you can understand the enterprise and deliver solutions that fit.
  21. One of my most successful tools is the OMI tool. I use this whenever I’m approached about a solution that has a specific framework, guideline or methodology. O, or overlay, is the default. Why? Because if I can overlay, that means not much will change when I present the infosec side to the business. They will quickly comprehend intentions. If I cannot overlay, then a mapping occurs where infosec business planning or activities are used as a map to support the solution needs. Finally there is the integration layer where infosec practices are translated to activities that will occur within and parallel to the project.
  22. In looking at various definitions of the word enterprise, let’s agree that enterprise, at its most basic, is the amalgamation of many concepts, disciplines, solutions etc. of a discipline. As relationship building relies upon the ability to quickly convey information in a manner that can be understood by neophytes, an iterative process can be applied through the duration of each engagement. This theorem supports the communication layer in a very simple manner.
  23. Let’s put what we’ve discussed so far to the test.
  24. This is a logical drawing of Security in a 10-phase SDLC. Can you match the philosophies we’ve discussed to the outcomes seen in this drawing?
      • Which elements of the drawing are information security centric? (only two of them, the security testing and overall phases of the Infosec activities)
      • Which theorems are at use here? (OMI and Enterprise Thinking)
      • Which mappings did I use? (both O and M. M first to align infosec activities to the partner model, then O to communicate support of ITIL)
      • Which elements are pulled from a policy methodology? (ITIL process level is used)
      • How was diversification applied? (used ITIL as a driver to show the outcome while mapping to security activities)
      • What non-infosec disciplines were used to develop this drawing? (BPM, Information Design and Enterprise Architecture)
      • Why is input driven from the SDLC rather than Infosec? (It’s the business who sets direction, not infosec; it’s an integrator and solution provider)
      • Bonus Question: What middleware was used here? (the ITIL process level framework)
  25. Why do we need a toolkit? Well as we’ve discussed, strategy is a journey, not a destination. As such, we must have a way of getting there in an incremental fashion. That really is what the toolkit is about. It’s a process methodology for approaching strategic planning in a systemic, cyclical and phased manner.
  26. This is the first layer of your strategy journey. Adjust the questions to fit your culture, organizational goals, and program maturity. This is the business model canvas adapted to fit an information security centric model. It’s basically a prototyping tool that can be used to build relationships with your partners but also build a business plan that will integrate and align with the business. I used the Overlay and a bit of mapping from OMI to build in the logic.
  27. This can be the 2nd layer of your strategy journey. It’s more a sanity check for yourself and a checkpoint for others who might want to know where you are headed. This is an example of how I used the OMI principle. To develop my security model, I performed an overlay with integration. As a point of diversification, notice the use of the spiral methodology as inspiration for this logic model as well.
  28. As a designer of a security program and/or architect, a logic model is a visual tool to present and share your understanding of the relationships among the resources you have to operate your program, the activities you plan, and the changes or results you hope to achieve in a systemic manner. Most of all, it can verify and validate that your program is aligned to the business. You want your program to be systemic as it will have greater influence and extensibility, which will result in sustainability.
  29. This is the third leg in your strategy journey. This is the basis of building a more detailed strategy artifact. This is a point of validation with your partners and some high-level stakeholders. This is a fairly static strategy. It should not change unless there is significant evolution of the mission and values associated with your role/team.
  30. This is the 4th leg of your strategy journey. This is where the rubber hits the road. In order to complete the Result Chain logic model, you’ll have engaged primary stakeholders, vendors and likely your project managers. It is all about capacity, ability to execute and deliver. This is the pie in the sky. This strategic plan is dynamic as you can expect it to evolve over time given priorities and change of direction from the organization.
  31. As I mentioned at the outset, while we in practice are information security professionals, in philosophy we are designers. As such we must build a tool set that will complement our toolkit. Take the time to develop and share your taxonomy. Use a RACI/RASCI model to map resources to activities. These are both tools that are being used by non-infosec professionals and many of the influential technology consulting firms. Information design is probably one of the most important middlewares you can become proficient at. Why? You know the old saying…”A picture is worth a thousand words.” That is true. If you can present strategy using graphics as the backdrop, you’ll find your information more consumable.
  32. This is the information security juggernaut’s toolkit. I’ve told you what middleware I used to make it functional. Use all or part, it’s your choice. I’d like to see you come up with your own. It’s a great way to communicate our concerns without losing the audience. I built the toolkit using the concepts associated with building a logic model, which is closely associated to business process modeling. You’ll notice as well that I’ve aligned to ITIL. This communicates to the business that the effort is aligned to industry standards and practice. Using information design techniques, the toolkit flow is represented without becoming overly busy. I could have added more arrows; however, through inference of shape flow and shape type I’ve captured a top-down feeling. I mentioned the need to answer the question posed by the business as to ‘What is Information Security?’ This is the answer in a nutshell from a graphical point of view. It’s many elements with multiple strategies and diversification.
  33. At the end of the day, you are already an expert in information security. Now it’s time to expand your horizons and add capabilities that will communicate simply what your mission, goals and activities are to non-information security professionals. Diversify your skill set to accomplish more.
  34. Consider investing in innovation cards from Xplane. It’s also a great way to give yourself a sanity check if you are a team of one. You use the cards in third person against the first draft of your business model canvas. Remember, we don’t want to be myopic, we want to be adaptable and evolutionary. If your organization’s culture permits, attempt to use them to facilitate developing your business model with your business partners. It is a non-threatening method of eliciting the feelings of others about subjects which can sometimes lead to heated debates, and a simple translator to establish common ground and language with non-infosec professionals. The cards can be used for yourself, 1:1 or in a small group; you will (1) review the situation cards and action cards as they relate to the draft business model canvas, (2) use the wild cards to address situations and actions not presented in the cards as they relate to the draft business model canvas, (3) identify the Hits and Misses, which to us means the Alignment and Gaps, (4) identify what actions you need to take as they relate to your business model canvas draft, and update. The end result is developing a game plan that aligns with everyone’s thinking.
  35. If you’d like to diversify your skill and mind set, consider reading the books above. As we are information security practitioners, start with The New School of Information Security. This will get you thinking in the right direction from an infosec perspective. Then read the rest. I hope this changes the way you present information security and brings you success.
  36. Something I’d like to encourage all of you to do…when presenting in the future, list not only your online and book references, but also your people credits. We all meet people who are pivotal in growing our knowledge or professionalism. Don’t forget to mention them.