Developing excellence in information security from corporate enterprise to homeland security
1. From Corporate Enterprise To Homeland Security
Ahmed M. Al Enizy
IT Security Manager
International Systems Engineering
2. Understanding The Problem
Defining “Information Security Excellence”
Key Attribute To Achieving Superiority In
Information Security
2 12/26/2012
4. Why did big companies with huge resources get hacked?
◦ 96% of the attacks were not highly difficult
◦ 97% of breaches were avoidable through simple or intermediate controls
Why did CISOs with big guns fail to prevent the hack?
Why are hackers always able to hit their targets?
Why are hackers always one step ahead?
5. Excellence
◦ A talent or quality which is unusually good and so
surpasses ordinary standards.
◦ Aristotle once said, "We are what we repeatedly do . . . excellence, then, is not an act, but a habit."
◦ The equivalent concept in Muslim philosophy is
Ihsan
6. [Diagram: two sides compared with "≠". Both sides list Knowledge, Time, Tools, Money and Opportunity. One side additionally lists Motivation, Cause, Passion, Habit, Pride and Freedom; the other side shows "?" in their place.]
7. Excellence covers the next mile that is giving hackers the tactical advantage.
◦ There is “something” that ignites hackers' minds, makes them reach new levels of creativity, and drives them to dig deeper and deeper to find or create this tactical advantage, which in the end translates into the means to hit their targets without any resistance.
◦ Does your security capability have this?
8. Excellence
Quality
With Standards and Frameworks
Without Standards and Frameworks
9. Acquiring and maintaining talented
employees
◦ Security talents
Habit
Research
Curiosity
Discipline
◦ Finding and acquiring (Interview and recruitment)
◦ Challenging
◦ Maintaining
10. Center of excellence
◦ Refers to a team, a shared facility or an entity that
provides leadership, evangelization, best practices,
research, support and/or training for a focus area.
(Wikipedia)
Responsibilities
◦ Support
◦ Guidance
◦ Shared Learning
◦ Measurements
◦ Governance
(Jon Strickler, agileelements.wordpress.com)
11. Excellence in one field depends on excellence
in other fields
◦ Quality
◦ Process
◦ Project Management
◦ Service
◦ Assurance
◦ Business Analysis
◦ Risk and Compliance
◦ Human Resources
12. Excellence needs a lighthouse to guide it.
The key element of excellence is the right people in the right place.
Patch the gap between the business motivation for security (which is reducing money loss) and the motivations that ignite security specialists to match hackers.