2. Disclaimer
This presentation and the concepts herein are my opinions through private research, practice and chatting with other professionals.
It is not the opinion of past, present or future employers.
Now let’s have fun…
3. Agenda
Overview – The current state of affairs…
Psychology – The mindset for getting it done right…
Diversification – It really does take a village…
Theorems – Thought middleware for getting it done…
Toolkit – How to harness security in the enterprise…
5. How Did We Get Here?
When in Rome…treating Information Security as a ‘specialty’ rather than a business investment
Cart before the horse syndrome…ROI for antivirus, firewalls and other technologies is proactive rather than reactive
Introducing Chicken Little…too much FUD vs. not enough tangible business data
Forgetting the K.I.S.S. principle…lack of judicious countermeasures and controls has created complexity
6. Tactical Overdose
Information Security has relied on a more tactical approach to gain traction
The tactical side of Information Security is fairly mature due to the reactive nature of dealing with intruders and malware
Information Security is no longer a ‘siloed’ part of the business and requires alignment to organizational objectives
7. Mistakes We’ve Made
Forgetting support of dynamic environments.
Applying linear thinking to largely associative practices.
Becoming myopic and forgetting business drives strategy.
Not evolving with the business.
8. The Flaw in Strategic Plans
Strategic plans are not easily consumable, scalable or sustainable
Answer the questions without appropriate stakeholder buy-in
Don’t provide upfront negotiation of priorities
Do not answer “What is Information Security?”
9. Strategic Planning Models
Basic – Followed by companies who are extremely small, busy, and have not done much strategic planning before.
Issue – This model is a combination of the Basic model and more comprehensive planning such as setting a budget or executing a SWOT assessment.
Alignment – Used to ensure that what the organization does is aligned with its mission statement. It is useful in fine-tuning strategies or exploring why strategies are not working.
Self Organizing – This model requires continual reference to common values, discussing these values, and shared reflection of the process.
Scenario – Used to identify different future organizational scenarios (including best case, worst case, and reasonable case) which might arise. Used to evoke strategic thinking.
10. Multidimensional Challenges
Programs/Activities
Vision – Mission – Values
Objective – Strategies/Targets – Goals
Width
Depth
Length
Compliance issues
Human issues
Technology issues
Cross department business integration
11. Lack of Authoritative Artifacts
Documentation which…
◦ sets the direction
◦ the business validates its decisions
◦ the business executes against
◦ the business captures resource requirements
◦ the business verifies the activities necessary to support a solution
12. Tortuous Taxonomy
Not setting the floor around business definitions.
Setting the ceiling around business definitions.
14. Which has more value?
*-centric – with the sense of ‘having a (specified) center’
Diversification – spread (investment) over several enterprises or products, especially to reduce the risk of loss
15. Security is a practice within the business/not the business
Information Security Portfolio: IAPP, ISACA, ISC2, ISF, ISO, NIST, OWASP, SANS
Enterprise Portfolio: Business Process Modeling, Economics, Enterprise Architecture, Information Design, Investing
16. How to apply as middleware
Business Process Modeling – it translates what you have to offer in terms and techniques used by the business.
Economics – translates the production, distribution, and consumption of goods and services you offer.
Enterprise Architecture – aligns IT initiatives to business needs.
Information Design – a communication tool that takes the complex and makes it consumable.
Investing – ties solutions to value
17. Challenge
Are you an associative thinker or a didactic thinker?
Research both terms to understand how you process information. It will help you understand how to diversify your knowledge base.
19. Observations
It’s as much how you think, how you interpret the information and how it’s used.
Individualistic derivations of information do not complement enterprise environments.
Aggregate derivations result in ‘real’ multi-data sets with a 360 degree rendering of an organization.
20. Aggregation of Thought
Scientific Focus: Theory, Philosophy, Practice
Design Focus: Associative, Linear (Didactic), Cyclical (Iterative)
21. Teaser
Which term is better suited to denote repetitious patterns in information security and why?
Cyclical or Iterative
29. K.I.S.S.
Adopt traditional business methods
◦ Business modeling vs. information warfare
Start with basic planning
◦ Business logic modeling
Identify and involve major stakeholders at the beginning
Find your logic model
◦ Logic models make your strategy easy to consume and present.
32. Additional Elements for Modeling
Review strategic models
◦ At least three of the five models are used
Logic models
◦ Theory of Change – used to set strategic direction over a long period of time and identify issues
◦ Result Chain – provides a mid-level roadmap of intentions, activities, and end state results
Software Development Methods
◦ Spiral
◦ Agile
◦ Waterfall
34. Logic Model Overview
Outlines how a program is supposed to work to achieve intended changes and outcomes
A simple method for engaging stakeholders
Facilitates thinking, planning, communication and shared understanding about targets and intended outcomes
37. Your Strategy and Roadmap
Using the taxonomy the organization has developed, write a strategic narrative based on the results chain.
Using a RACI/RASCI model, map resources, activities, responsibilities etc.
Using information design, develop a strategic roadmap which shows each infosec project using the business projects as a backdrop, facilitated via OMI.
Your strategy and roadmap are artifacts; use your authoritative documentation taxonomy to select the most informational elements.
39. Tips to Success
Set the floor of communication by establishing a common taxonomy.
Set the floor for artifacts by establishing authoritative documentation.
Set the floor for planning by establishing Business Process Modeling as the framework for driving strategy.
Set the floor for innovation by encouraging and supporting diversification of knowledge for yourself and your staff.
Aggregation, not individualism, is key to enterprise sustainability.
40. Stimulating Innovation
What – using discovery to identify strengths, opportunities, customers, partners
When – during business process modeling and strategy development.
How – XPLANE discovery cards
41. Xplane Discovery Cards
Can be used for self, 1:1 or in a small group
Review the situation cards and action cards
Identify the Hits and Misses
Identify what actions you need to take
End result is developing a game plan that aligns with everyone’s thinking
42. Recommended Reading
The New School of Information Security
Business Model Generation
The Information Design Handbook
Enterprise Security Architecture
Logic Model Development Guide
◦ http://www.wkkf.org/Pubs/Tools/Evaluation/Pub3669.pdf
Enterprise Architecture
◦ http://www.opengroup.org/togaf/
43. Credits & References
General
Business Model Design: http://business-model-design.blogspot.com/
Business Model Generation
www.dictionary.com
Information Security: A Strategic Approach
ISACA: www.isaca.org
Logic Model Development Guide: http://www.wkkf.org/Pubs/Tools/Evaluation/Pub3669.pdf
Oxford Dictionary
Wikipedia: www.wikipedia.com
Xplane: www.xplane.com
Personal Influencers
Alex Osterwalder
Carolyn Trapp
Deanna Locke
Ernie Hayden
John Clouse
Kirk Bailey
Myles Conley
Mom & Family
Stewart Stremel
44. Copyright Information
Some works in this presentation have been licensed under the Creative Commons license (CC). Please respect the license when using the concepts or adapting them.
For more information please go here: www.creativecommons.org
This is what we are covering today. I would like this to be as interactive as possible. If you have a question, please feel free to ask. If you have your own ideas, please share as this is a learning opportunity for everyone in the room.
Why is information security hard to sell to the business? There are many reasons; however, in talking with my peers and non-information security professionals, they seem to agree on these.
Many information security professionals continue to rely on a tactical approach to selling information security. When we are not beating management over the head with the latest malware outbreak, we are pushing compliance.
Management is interested in what information security can do for the business.
Here are some of the mistakes we’ve made. Would anyone care to share the mistakes they’ve made in building programs?
What is associative thinking? The mental process of making associations between a given subject and all pertinent present factors without drawing on past experience. Free association. Associative thinking enables you to see possibilities where some may think there aren’t any. Linear thinking, the step-by-step approach, gets you there but should not lead.
Businesses are dynamic. When they change, we need to change. Holding on to long forgotten ideals will not help your organization.
In the past 4-5 years strategic planning has become all the rage. Ask someone for their strategic plan and you get a nice long narrative with maybe a couple of charts associated with cost. Once someone maybe reads it, is it ever referenced again? Is the best method of driving strategy compiling all strategy in one document? Is strategic planning a destination or a journey?
There are five types of strategic plans. Which one would you choose to use for your organization? Typically you’ll need to use at least 2 of the 5. More than likely you’ll need to blend all of them to develop a well-crafted strategy. How can you do so without overloading your audience?
In the previous slide, I asked if strategic planning is a destination or a journey…when applied in the manner illustrated it’s a destination, which might be OK. However, for an enterprise mindset, we need to make strategic planning a journey.
Then there is information security. It’s a broad discipline which requires support from non-infosec professionals in order to succeed.
How many people have what is considered authoritative documentation in their organization? Authoritative documentation can support audits, business continuity, disaster recovery etc. It’s the policies, procedures, standards and business plans of your organization. We make them artifacts because it infers historical reference. We expect ourselves and the business to go back to these documents as a point of reference in understanding decisions and direction.
As an exercise, ask people in your organization what a procedure is. Then ask them what a policy is. If you cannot agree on terminology, don’t expect to agree on what it’ll take to make an enterprise strategic plan. Developing a simple taxonomy as part of your business plan (which in itself is a strategy) can facilitate communication when plans are discussed and developed.
Setting the floor is to establish your baseline. It means you are working from an expected point. Setting the ceiling is establishing a baseline that provides no room for inference, adaptability and/or extensibility.
To set the floor of your taxonomy, use terms that are industry standard and can be built upon. This becomes especially important if your organization is global or international.
One method of addressing the challenges of information security is through diversification. Let’s look at terminology to support our discussion.
Look at both definitions. Which has more value for an information security professional who has a job function with a strategic focus, and why?
Discuss it with the person next to you. If you are an information security professional who is in a matrix position, then diversification is of more value to you. You must understand how your colleagues think and work to interact with them in a healthy way that promotes the organization’s mission.
Prior to analyzing which term would add the most value, how many of you have run programs that look like the left side of the slide? How many of you here have integrated any of the disciplines and/or practices in your portfolio? Let’s talk about why we should not just be aware of these disciplines but understand how integration can bring more value to our programs.
In software development, middleware is used to support interoperability between disparate systems. For information security innovation, non-infosec disciplines and practice can serve as the middleware to achieving success by supporting the business in a manner that is accepted. By learning at least two non-infosec practices in your organization, you can develop informational artifacts that are easily consumed and sustainable.
Now that we know what we can add to infosec we need to understand how to apply diversification.
We’ve got NIST, SANS CSI, ISACA, ISC2…with all the input we’ve been provided to shape our practice, why are we having such a hard time selling security to the business?
Individualistic rating systems and frameworks make it all about me, not we. When we talk about the enterprise it’s about we.
To make it about we, aggregating information as a point of reference will yield more accurate results than an individualistic point of view.
Theory is the start of creating a certain train of thought. Once solidified, philosophy can be used to prove or disprove the body of information derived from theory. Finally, practice is the application of proven theory. It’s an aggregation of thoughts (input) that end in a result (output). Design-focused thinking offers a similar path. Associative thinking provides the vehicle for possibilities of a given solution. Linear thinking is applied to the associative to make it logical and the complement of established principles. Cyclical thinking is applied to each solution to determine if a process or practice should occur at regular intervals.
If infosec is to operate as part of the business, then repetitious patterns should be looked at from a value perspective. In investing, cyclical denotes a business or stock whose income, value, or earnings fluctuate widely according to variations in the economy or the cycle of the seasons. To stay afloat as a business proposition, infosec must constantly be aware of and communicate its value.
In the last ten years I’ve been asked by many how I’m able to handle large scale initiatives with little resources. Other than the obvious of having great mentors and influencers, I have my own secret sauce in the forms of theorems. They are essentially the middleware solution to handle capacity challenges.
This goes back to what we discussed during the review of diversification. By diversifying thought you can understand the enterprise and deliver solutions that fit.
One of my most successful tools is the OMI tool. I use this whenever I’m approached about a solution that has a specific framework, guideline or methodology. O, or overlaying, is the default. Why? Because if I can overlay, that means not much will change when I present the infosec side to the business. They will quickly comprehend intentions. If I cannot overlay, then a mapping occurs where infosec business planning or activities are used as a map to support the solution needs. Finally, there is the integration layer where infosec practices are translated to activities that will occur within and parallel to the project.
In looking at various definitions of the word enterprise, let’s agree that enterprise, at its most basic, is the amalgamation of many concepts, disciplines, solutions etc. of a discipline. As relationship building relies upon the ability to quickly convey information in a manner that can be understood by neophytes, an iterative process can be applied through the duration of each engagement.
This theorem supports the communication layer in a very simple manner.
Let’s put what we’ve discussed so far to the test.
This is a logical drawing of Security in a 10 phase SDLC. Can you match the philosophies we’ve discussed to the outcomes seen in this drawing?
Which elements of the drawing are information security centric? (Only two of them: the security testing and the overall phases of the Infosec activities)
Which theorems are at use here? (OMI and Enterprise Thinking)
Which mappings did I use? (Both O and M: M first to align infosec activities to the partner model, then O to communicate support of ITIL)
Which elements are pulled from a policy methodology? (The ITIL process level is used)
How was diversification applied? (Used ITIL as a driver to show the outcome while mapping to security activities)
What non-infosec disciplines were used to develop this drawing? (BPM, Information Design and Enterprise Architecture)
Why is input driven from the SDLC rather than Infosec? (It’s the business who sets direction, not infosec; infosec is an integrator and solution provider)
Bonus Question: What middleware was used here? (The ITIL process level framework)
Why do we need a toolkit? Well as we’ve discussed, strategy is a journey, not a destination. As such, we must have a way of getting there in an incremental fashion. That really is what the toolkit is about. It’s a process methodology for approaching strategic planning in a systemic, cyclical and phased manner.
This is the first layer of your strategy journey. Adjust the questions to fit your culture, organizational goals, and program maturity.
This is the business model canvas adapted to fit an information security centric model. It’s basically a prototyping tool that can be used to build relationships with your partners but also to build a business plan that will integrate and align with the business. I used the Overlay and a bit of mapping from OMI to build in the logic.
This can be the 2nd layer of your strategy journey. It’s more a sanity check for yourself and a checkpoint for others who might want to know where you are headed.
This is an example of how I used the OMI principle. To develop my security model, I performed an overlay with integration. As a point of diversification, notice the use of the spiral methodology as inspiration to this logic model as well.
As a designer of a security program and or architect, a logic model is a visual tool to present and share your understanding of the relationships among the resources you have to operate your program, the activities you plan, and the changes or results you hope to achieve in a systemic manner. Most of all it can verify and validate that your program is aligned to the business.
You want your program to be systemic as it will have greater influence and extensibility which will result in sustainability.
This is the third leg in your strategy journey. This is the basis of building a more detailed strategy artifact. This is a point of validation with your partners and some high-level stakeholders.
This is a fairly static strategy. It should not change unless there is significant evolution of the mission and values associated with your role/team.
This is the 4th leg of your strategy journey. This is where the rubber hits the road. In order to complete the Result Chain logic model, you’ll have engaged primary stakeholders, vendors and likely your project managers. It is all about capacity, ability to execute and deliver. This is the pie in the sky.
This strategic plan is dynamic as you can expect it to evolve over time given priorities and change of direction from the organization.
As I mentioned at the outset, while we in practice are information security professionals, in philosophy we are designers. As such we must build a tool set that will complement our toolkit.
Take the time to develop and share your taxonomy. Use a RACI/RASCI model to map resources to activities. These are both tools that are being used by non-infosec professionals and many of the influential technology consulting firms.
Information design is probably one of the most important middlewares you can become proficient at. Why? You know the old saying…”A picture is worth a thousand words.” That is true. If you can present strategy using graphics as the backdrop, you’ll find your information more consumable.
This is the information security juggernaut’s toolkit. I’ve told you what middleware I used to make it functional. Use all or part, it’s your choice. I’d like to see you come up with your own. It’s a great way to communicate our concerns without losing the audience. I built the toolkit using the concepts associated with building a logic model, which is closely associated to business process modeling. You’ll notice as well that I’ve aligned to ITIL. This communicates to the business that the effort is aligned to industry standards and practice. Using information design techniques, the toolkit flow is represented without becoming overly busy. I could have added more arrows; however, through inference of shape flow and shape type I’ve captured a top-down feeling.
I mentioned the need to answer the question posed by the business as to ‘What is Information Security?’ This is the answer in a nutshell from a graphical point of view. It’s many elements with multiple strategies and diversification.
At the end of the day, you are already an expert in information security. Now it’s time to expand your horizons and add capabilities that will communicate simply what your mission, goals and activities are to non-information security professionals. Diversify your skill set to accomplish more.
Consider investing in innovation cards from Xplane. It’s also a great way to give yourself a sanity check if you are a team of one. You use the cards in third person against the first draft of your business model canvas. Remember, we don’t want to be myopic; we want to be adaptable and evolutionary. If your organization’s culture permits, attempt to use them to facilitate developing your business model with your business partners. It is a non-threatening method of eliciting the feelings of others about subjects which can sometimes lead to heated debates, and a simple translator to establish common ground and language with non-infosec professionals.
The cards can be used for self, 1:1 or in a small group. You will (1) review the situation cards and action cards as they relate to the draft business model canvas, (2) use the wild cards to address situations and actions not presented in the cards as they relate to the draft business model canvas, (3) identify the Hits and Misses, which to us means the Alignment and Gaps, and (4) identify what actions you need to take as they relate to your business model canvas draft and update it.
The end result is developing a game plan that aligns with everyone’s thinking.
If you’d like to diversify your skill and mind set, consider reading the books above. As we are information security practitioners, start with The New School of Information Security. This will get you thinking in the right direction from an infosec perspective. Then read the rest. I hope this changes the way you present information security and brings you success.
Something I’d like to encourage all of you to do…when presenting in the future, list not only your online and book references, but also your people credits. We all meet people who are pivotal in growing our knowledge or professionalism. Don’t forget to mention them.