3 Executive Strategies to Reduce Your IT Risk


Do you want to know how ‘best-of-breed’ enterprises prioritize their IT risk? Join Richard Mason, Vice President & Chief Security Officer at Honeywell, whose team is responsible for global security, during a roundtable discussion with Pat Clawson, Chairman & CEO of Lumension and Roger Grimes, Security Columnist & Author. Uncover strategies beyond traditional antivirus signatures and learn a more holistic approach to effective risk management. Find out ‘how’ and ‘why’ you can make security a prioritized function within your organization.

Join this expert panel webcast to learn how to:
1) Understand your business audiences and evaluate their risk tolerance
2) Leverage reputation management services that are appropriate for your organization
3) Utilize realistic change management to secure prioritized data depositories

Published in: Technology, Business

3 Executive Strategies to Reduce Your IT Risk

  1. 3 Executive Strategies to Prioritize Your IT Risk
     • Roger A. Grimes
     • Rich Mason
     • Pat Clawson
     PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  2. Today’s Agenda
     » How to Evaluate Risk Tolerance
     » Leveraging Reputation Management Services
     » How to Secure Prioritized Data Depositories
     » Recommendations
  3. Today’s Panelists
     » Rich Mason, VP & Chief Security Officer, Honeywell
     » Pat Clawson, Chairman & CEO, Lumension
     » Roger A. Grimes, Security Consultant, Author and Columnist
  4. How to Evaluate Risk Tolerance
  5. How to Evaluate Risk Tolerance: False understanding of risk tolerance
     » IT and management accepts little to no risk, or
     » Only accepts risks that do not lead to compromise of critical assets
  6. How to Evaluate Risk Tolerance: The Truth
     » Every company accepts some level of risk
     » Too expensive to eliminate all risks
     » Acceptable risk is not even across all asset classes
     » Security is not just a technology problem
     » What is the acceptable risk tolerance?
  7. How to Evaluate Risk Tolerance: “It’s a boardroom issue”
     » Let senior management be the risk deciders
     » IT should supply the facts so senior management can make the best decisions
     » Real life: Picking battles vs. productivity, prioritizing, making choices, and then following through
  8. How to Evaluate Risk Tolerance
     » Compliance does not always equal security
     » Checklist security doesn’t always equal security
     » All security solutions will have weaknesses
  9. How to Evaluate Risk Tolerance
     » Must know your threats and risks
     » Job #1 is Inventory: What assets are you protecting
       • Not as easy as it first appears
     » Who is attacking you and why?
     » Malware, APT, DDoS, Financial gain, etc.
       • History is a great indicator of future attacks
     » Attacker personas
  10. How to Evaluate Risk Tolerance
     » Not all assets and data should be protected equally
     » What are your “golden egg” assets?
     » Often defined by physical assets
     » Better to define by application, service, and database
     » Must consider all the supporting infrastructure
       • Often contains your most valuable data
  11. Leveraging Reputation Management Services
  12. Leveraging Reputational Mgmt. Services
     » In the real world, we often rely upon a person or company’s reputation before we interact with them
     » Same concept is becoming more true in the digital world
     » Another way to say it is “trust” or assurance
  13. Leveraging Reputational Mgmt. Services
     » We should allow greater access and have less investigative controls on processes and users we trust more
  14. Leveraging Reputational Mgmt. Services: Examples
     » Content Filtering Inspection
     » PKI and Digital Certificates
     » Trusted Publishers/Application Trust vs. Reputation
  15. How to Secure Prioritized Data Depositories
  16. How to Secure Prioritized Data Depositories
     » You can’t secure everything equally, so better protect your most valuable assets
     » Inventory
     » Identify owners
     » Identify related infrastructure
     » Identify threats and risks to all involved assets
     » Build strong controls for these assets
  17. How to Secure Prioritized Data Depositories
     » Two-factor authentication
     » Separate networks
     » Separate forests/domains
     » Computer hardening
     » Computer and port isolation
     » Faster patching
     » Less access to the Internet and other systems
     » Strong auditing and alerting
  18. Recommendations
  19. Recommendations
     » Clearly define your critical infrastructure
     » Work with end users and with senior management to set risk tolerances
     » Communicate the possible threats
     » Focus on Attack Vectors, Not Malware Family Names
     » Don’t try to protect everything equally
     » Plan for security control failure
     » Plan for unequal application of controls and gaps
  20. Recommendations
     » Measure and Improve Consistency
     » Create Reports With Actionable Metrics
  21. Questions?