Information Security: Organizing and Managing for Success
By Aurobindo Sundaram
THE ISSA JOURNAL ◆ June 2006
©2006 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.

Introduction

The Information Security industry has suffered historically from four different mindsets of executives:

1. Security is firewalls—the techie model
2. Security is a destination—the project model
3. Security must be perfect—the purist model
4. Security is an engagement—the consultant model

In this article, we discuss the challenges facing our industry and the CISO role, and discuss how an aspiring security professional can achieve success in these scenarios by focusing her efforts on:

▼ Corporate governance, including reporting relationships and clear delineation of roles and responsibilities (and, most important, accountability)
▼ Recognizing that a coherent, execution-based strategy is critical to success
▼ Setting staffing levels and expectations with peers and business owners
▼ Evolving an information security program incrementally, over a period of a few years, from immature (few policies, no business support, little security infrastructure—we call this Evolution v1.0) to the Risk Management Approach (substantial management support, mature policies, robust network security infrastructure—we call this Evolution 3.0)
In sum, we guide the new information security manager into making the right strategic decisions to create a successful program, and point her towards robust but incremental execution as the tool to enable this success.

Figure 1: The Wrong and Right Ways to Implement a Version 2.0 Initiative

The Wrong Way
▼ Initiate a vulnerability management program
▼ Create an SLA of level 4 and 5 issues to be fixed in a week
▼ Perform first scan, find 74 level 5, 223 level 4
▼ Open tickets for operations

The Right Way
▼ Initiate a vulnerability management program
▼ Create a desired SLA of level 4 and 5 issues to be fixed in 1 month/1 week
▼ Perform first scan, find 74 level 5, 223 level 4
▼ Open the top 20 level 5 tickets every week after consulting with operations
▼ Progress to level 4 when level 5 tickets are at a manageable level

Figure 2: Sample Governance Matrix. Columns: Privacy Office, Information Security, Legal Counsel, Human Resources, Operations, Business Unit. Each focus area lists the functions assigned, from left to right across the departments; a department with no function for a focus area has no entry.
▼ Security: Policy/Assess; Approve; Approve; Execute; Execute
▼ Fraud/incident response/law enforcement: Execute; Policy/Co-ordinate; Initiate
▼ DR/BCP: Consult; Policy; Consult; Execute
▼ Regulatory compliance: Policy/Assess; Execute; Consult; Execute
▼ Customer audits: Execute; Execute; Execute; Execute
▼ Physical security: Policy/Execute
This is by no means supposed to be a real-world matrix, because the reader will notice that there are several rows (focus areas) without any column (accountable department) having the "Execute" function. The CISO should ensure that Policy, Execute, and Assess are owned by at least one department for every focus area.

Historical Problems with Information Security

Some of the historical problems with Information Security revolve around how CISOs have positioned the department. The four most common (and generally wrong) paradigms have been:

1. Security is firewalls–the techie model: This has generally been perpetuated by IT system and network administrators who have been promoted into the CISO role. Although the technical side of security is well handled under this model, the major issue with it is that business management does not understand that information security is more than just firewalls and technical controls. The mapping between technology and risk is unclear to them. To them, security is implemented by preventing hackers from accessing websites. The CISO is ineffective at communicating risk. Eventually, Security is sidelined, made to report to the CTO, Operations, or Internal Audit, and effectively made irrelevant.

2. Security is a destination–the project model: CISOs who have moved up through Internal Audit and Project Management can sometimes propagate this model, in which it is believed that if a set of projects is completed, Security is achieved. Unfortunately, this is not true of Security, as the threat landscape is continuously evolving. Because of the promises made to business management, the department goes through a boom-to-bust cycle: boom when project funding is requested and received, and bust when projects are completed. Security is not cyclical; effective programs depend on staff continuity and a stable environment. When these are not present, a security culture is hard to implement.

3. Security must be perfect–the purist model: In this model, the CISO believes that a situation is either secure or insecure, and that to make an insecure situation secure, a certain set of steps must be followed with no deviation of any sort. This model is inflexible because it does not account for risk mitigation and compensating controls. Security is either black or white, and there is no scope for compromise. This model results in business management overriding Information Security in most cases, and the entire department getting a reputation for being hard to work with. Recovering from this model can take years because of the tarnished reputation that must be overcome.

4. Security is an engagement–the consultant model: In this unfortunate model, the new CISO brings in a consultant to perform a risk assessment that makes the department look as inept as possible, so that she can gain headcount. What generally happens is that the consultant produces a comprehensive strategic plan involving large, service-intensive projects. The CISO is rebuffed by her superiors on her additional resource requests and implements only a portion of the projects, without studying their inter-relations. This in fact makes the situation worse rather than better. A well-managed consultant can actually provide value by documenting operational gaps and prioritizing goals. All too often, this does not happen.

Challenges Facing the CISO Role

Quite separate from the mistakes CISOs make, there are also inherent challenges in the role itself. Over the last several years, the role of the CISO has become short and rocky, with higher risk and lower reward. Consider the following:

1. The average CISO tenure is shorter than ever and is often considered a transition role. An average CISO serves 2-3 years in her job [1] before moving on. At this rate, the CISO is always thinking in short-term mode, trying to make sure she pads her resume as much as possible. This is the worst strategy for the organization, but it does make the CISO look good to create and execute several new programs in the first 2-3 years and not have to stay around to complete the job.
2. The position involves greater risk than in the past (California's SB1386 has been especially responsible for amplifying this risk). However, the rewards have not kept pace with the elevated risk. This could be another reason for the quicker turnover among CISOs.

3. The CISO is continuously pulled between contradictory objectives. Budgets are low, security products are expensive, integration is difficult, and business managers want time to market to be short, which means security is often asked to rubber-stamp a decision that has already been made.

4. Regulations such as SOX, customer compliance requirements, and ever-expanding federal and state regulations keep the CISO constantly modifying her game plan and having to do much more work with the same resources. This can quickly lead to burnout at both the staff and executive levels.

5. It is difficult for the CISO to create a corporate security governance matrix and execute on it successfully within 2-3 years. It takes time to learn the corporate culture, build a security culture, and build the relationships required for successfully implementing a culture of accountability within the entire organization.

Strategy, Staffing and Program Organization and Support [2]

There are many thoughts on how security should report into management. While there is no sure way to gain the support of your management, here is one common myth.

Myth: Security must report to Business Management to be effective.
Corollary: Security is best served by reporting to Information Technology.

These are both somewhat inaccurate. While it is certainly advantageous to report to business management, without business management support this reporting is not useful.

Truth: Reporting is not as important as support and high-level commitment.

I have been at different organizations where support has been demonstrated in different ways. At a large oilfield services firm that I worked at (in IT, no less!), commitment was shown by setting information security objectives from the CEO down (accounting for 20% of their annual bonus). This executive support allowed for the successful implementation of mandatory security awareness testing for 75,000 users, vulnerability remediation for over 2,500 systems, placement and training of 400 security coordinators internationally, and updated anti-virus software for 75,000 desktops.

Sometimes, support is shown by the reporting structure and the power given to the CISO. This can involve reporting up to business operations, so that the traditional problem of CISOs (the security department being stigmatized as a "technology cost center") is somewhat mitigated.

There is a lot of buzz around the topic of "convergence", where a CISO manages both physical and logical security. The CISO should be careful about being drawn into thinking convergence makes sense without a very careful analysis of the corporation. It is much more important that roles and responsibilities be clearly documented.

It is wiser for the CISO to work with business management, Legal Counsel, HR, Operations, and other departments to create a governance matrix for the organization. A sample matrix is shown in Figure 2. By working with these different stakeholders, a clear sense of accountability is created, and if that involves convergence, so be it.

Positioning

The CISO should decide on a portfolio of services she will provide to the enterprise. Care should be taken not to tread into operations, since that would violate the separation of duties doctrine: the function that sets policy and assesses controls should not also be the one operating them. The portfolio should be risk based and address defense in depth. A portfolio would include services in the following areas:

▼ Network and System Security
▼ Data and Application Security
▼ Identity and Access Management
▼ Business Support Services
▼ Policy and Compliance

It is important to position these initiatives as scalable, repeatable services. The CISO should emphasize their longevity and demonstrate and quantitatively prove their value.

The CISO should realize that her team will make or break her career. It is critical to hire the right people into a high-performing team. While education and certifications are important, it is even more important that team members be able to communicate with business management in terms that it can understand. Therefore, it is more important to hire team members with good project management and communication skills than those with merely superb technical skills. It is also important to associate headcount with services, and incrementally build the case for headcount.

Along with the governance matrix, the CISO should try to create SLAs with business units and operations. These should be gradually phased in (the following sections discuss this) rather than pushed through all at once.

The CISO should also realize that there are three areas of concentration—People, Process, and Technology—that can be used to secure a computing system. Depending on the culture of the company, the budget available to her, and the maturity of the security program, the CISO should focus on one area. For instance, in an immature organization where building a security awareness culture will be a challenge, the CISO should initially concentrate on using automation (i.e., technology) to protect users from viruses and other threats. As another example, in a mature organization where budget is hard to find, the CISO should use the security culture to help protect against threats (e.g., social engineering, phishing, viruses, etc.).

Information Security Version 1.0 … and Beyond

In my experience, there are three distinct levels of Information Security Program maturity. There are different challenges at each level, and the aspiring CISO would do well to quickly identify which level she is in and make the appropriate managerial adjustments to succeed at that level.

Evolution Version 1.0

This is the profile of an extremely immature organization with respect to Information Security. Small startups, and even some larger companies that have had bad experiences with one of the defective models above, can often be at this level. Some of the characteristics of this version are:

▼ Few documented policies or procedures
▼ Security is an afterthought
▼ No business support for security
▼ Little or no existing security infrastructure

While the new CISO may be tempted to create a strategic plan to address the deficiencies, this is often not the appropriate thing to do. The enterprise is at too great a risk, and immediate action is required. The CISO should create and
immediately execute on a very tactical, network security-centric plan. The elements of such a plan should include:

▼ Robust perimeter protection using firewalls and intrusion detection systems: There are thousands of targeted and random (script-kiddie based) attacks propagated across the Internet every day. It is critical that the enterprise protect against these by using access controls and detection mechanisms.
▼ An anti-virus implementation: Viruses and worms are the single largest source of damage for enterprises. Implementing up-to-date virus protection on all systems is critical to ensuring business continuity.
▼ A patch management implementation: New vulnerabilities are released every week, sometimes by the day. An enterprise that does not manage these patches, even manually, will be compromised at some point.

The sharp reader will notice that there is nothing mentioned about user awareness or security policy. This is precisely because at such an early stage of the evolution, policies do not appreciably reduce risk. In addition, there is no business support for security and thus no driver to build security awareness and culture.

The emphasis for the CISO should be on ensuring some quick "wins", building credibility and support within the organization while quickly reducing major risk issues to a more manageable level. To this end, the CISO may want to outsource some of the tasks at this level; managed security services can be a cost-effective way to do this when headcount is at a premium.

Evolution Version 2.0

Assuming our intrepid CISO makes it through Version 1.0, she will land in the challenging Version 2.0 of an Information Security Program's evolution. Most organizations are at this level of maturity. Some characteristics of this version are:

▼ There is headcount available with the proper justification
▼ There is some (but limited) management support
▼ Policies and procedures exist but are immature and not always complete

The great danger at this phase is that the CISO tries to do too much. On exit from level 1, the CISO has many choices, both tactical and strategic. Her success in Version 1.0 may embolden her to attempt sweeping new initiatives. Caution is recommended; the support systems for a robust security program are not yet completely developed. We suggest that the CISO perform the following strategic tasks:

1. Start building a comprehensive policy umbrella and related compliance programs.
2. Build Network and System Security programs, such as vulnerability management. This is the next stage in the evolution of the program, and is important because script kiddies and malicious insiders often target vulnerable systems.
3. Build Identity and Access Management programs, such as user provisioning, access controls, and security awareness. These are the building blocks for ensuring the correct controls around access to data and systems, and for ensuring that a security culture is established.
4. Build Business Support Services, such as enabling the business to create revenue (RFP responses, customer audits, etc.). This is important because creating business value is crucial for future management support for the security program.
5. Ignore Data and Application Security. This may seem surprising, but, again, the security program, while well developed, is not yet at the level of maturity that can support application security scans, secure coding, and data encryption (except in special cases).

The CISO should pursue a methodical, reasonable approach to embedding security into the operations mindset, keeping in mind that operations is generally lightly staffed and heavily loaded to start with. While putting her foot down on critical risks, the CISO should provide a level of flexibility to win over the hearts and minds of the different operations groups. In the long run, operating as partners leads to far more effective security programs.

Figure 1 demonstrates the dangers of trying to do too much too soon. In "The Wrong Way," a CISO sets unreasonable expectations (every level 4 and level 5 finding fixed within a week, with all 297 tickets from the first scan opened on operations at once), and can move the program backwards by losing credibility with her peers. In "The Right Way," she sets reasonable expectations, focuses on risk-based remediation (the top 20 level 5 findings each week, agreed with operations, before moving on to level 4), and manages the program as a partnership.

Evolution Version 3.0

Few organizations reach the plateau of Version 3.0. This is because successfully executing through Version 2.0 takes a few years, and the discontinuity between successive CISOs generally leads to a one-step-forward, one-step-back scenario for the program. Some characteristics of this level, however, are:

▼ There is substantial management awareness of, appreciation of, and support for the Information Security Program
▼ There is adequate staff to handle current needs
▼ Policies are mature and well maintained, and control items are implemented and assessed for most policy items
▼ The network security infrastructure is very robust and completely fleshed out in implementation

Successful CISOs at this level generally should do the following:

▼ Flesh out their enterprise encryption strategy and execute on it
▼ Build Application and Data Protection programs, including classification, web application scanning, secure coding standards, etc.
▼ Start measuring and enforcing compliance standards and SLAs
▼ Start reporting risk metrics to business units
▼ Drive accountability for mitigating risks through business management

Conclusion

The CISO has a thankless and difficult job. Depending on the state of the organization, there are various pitfalls she can encounter; I hope this article gave the reader some essential things to do (and NOT to do) depending on the maturity of the security program. The CISO should:

▼ Build the governance model for execution early on
▼ Implement a service/program-based approach
▼ Staff up with the best resources possible
▼ Set reasonable expectations with business management and operations, and achieve them
▼ Evolve the program incrementally, eventually integrating risk management and accountability

The thoughtful, execution-focused CISO who incrementally implements change is far more likely to be successful than the flashy, buzzword-compliant CISO who tries to bring in an entirely new system.
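The phased remediation that Figure 1 contrasts ("The Wrong Way" versus "The Right Way"), as an added worked example in Python; this is not code from the article or its author. It simulates both policies week by week against a fixed operations capacity and counts SLA breaches. The scan counts (74 level 5, 223 level 4) and the "top 20 level 5 per week" batch are Figure 1's; the weekly capacity of 20 closures, the internet-facing attribute used to rank findings, the 4-week month for the level-4 SLA, and the threshold of 10 open level-5 tickets as "manageable" are assumptions made for the example.

```python
"""Simulate Figure 1's two vulnerability-remediation policies week by week.

Added example, not code from the article. The scan counts (74 level 5,
223 level 4) are Figure 1's; everything marked "assumed" below is not.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

CAPACITY_PER_WEEK = 20   # assumed: tickets operations can close in a week
BATCH_SIZE = 20          # Figure 1: "top 20 level 5 tickets every week"
WEEKS_PER_MONTH = 4      # assumed: the level-4 "1 month" SLA, in weeks
MANAGEABLE_L5 = 10       # assumed: open level-5 count at which level-4 work starts


@dataclass(frozen=True)
class Finding:
    host: str
    level: int             # scanner severity; 5 is the most severe
    internet_facing: bool  # assumed attribute, used to rank the "top" findings


@dataclass
class Ticket:
    finding: Finding
    opened_week: int
    due_week: int
    closed_week: Optional[int] = None

    def breached(self, now: int) -> bool:
        """SLA breached if closed late, or still open past the due week."""
        end = self.closed_week if self.closed_week is not None else now
        return end > self.due_week


def make_findings(n_level5: int = 74, n_level4: int = 223) -> list[Finding]:
    """Constructed sample matching Figure 1's first-scan counts."""
    fs = [Finding(f"srv{i:03d}", 5, i % 3 == 0) for i in range(n_level5)]
    fs += [Finding(f"srv{100 + i:03d}", 4, i % 5 == 0) for i in range(n_level4)]
    return fs


def risk_rank(f: Finding) -> tuple:
    """Sort key: highest severity first, internet-facing first within a level."""
    return (-f.level, not f.internet_facing, f.host)


Policy = Callable[[int, list[Finding], list[Ticket]], list[Finding]]


def wrong_way(week: int, backlog: list[Finding], open_tickets: list[Ticket]) -> list[Finding]:
    """Open a ticket for every finding as soon as the scan is done."""
    return list(backlog)


def right_way(week: int, backlog: list[Finding], open_tickets: list[Ticket]) -> list[Finding]:
    """Top 20 level 5 per week; start on level 4 once open level 5 is manageable."""
    level5 = [f for f in backlog if f.level == 5]
    if level5:
        return sorted(level5, key=risk_rank)[:BATCH_SIZE]
    open_level5 = sum(1 for t in open_tickets if t.finding.level == 5)
    if open_level5 <= MANAGEABLE_L5:
        return sorted((f for f in backlog if f.level == 4), key=risk_rank)[:BATCH_SIZE]
    return []  # still too many level 5 open: hold the level-4 work back


def simulate(policy: Policy, sla_weeks: dict[int, int],
             findings: list[Finding], max_weeks: int = 104) -> dict:
    """Run the policy against a fixed operations capacity; report SLA outcomes."""
    backlog = sorted(findings, key=risk_rank)   # findings not yet ticketed
    tickets: list[Ticket] = []
    week = 0
    while week < max_weeks and (backlog or any(t.closed_week is None for t in tickets)):
        open_tickets = [t for t in tickets if t.closed_week is None]
        for f in policy(week, backlog, open_tickets):
            backlog.remove(f)
            tickets.append(Ticket(f, week, week + sla_weeks[f.level]))
        # Operations works the queue: nearest due date first, then risk.
        queue = sorted((t for t in tickets if t.closed_week is None),
                       key=lambda t: (t.due_week, risk_rank(t.finding)))
        for t in queue[:CAPACITY_PER_WEEK]:
            t.closed_week = week
        week += 1
    closed = [t.closed_week for t in tickets if t.closed_week is not None]
    return {
        "tickets": len(tickets),
        "breached": sum(1 for t in tickets if t.breached(week)),
        "last_close_week": max(closed) if closed else None,
    }


def compare(findings: Optional[list[Finding]] = None) -> dict[str, dict]:
    """Both policies over the same findings: same throughput, different promises."""
    findings = findings if findings is not None else make_findings()
    return {
        "wrong_way": simulate(wrong_way, {5: 1, 4: 1}, findings),
        "right_way": simulate(right_way, {5: 1, 4: WEEKS_PER_MONTH}, findings),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

Under these assumptions both policies clear the same 297 findings in about the same number of weeks, because operations' capacity is the real constraint either way. The difference is the promise: the one-week SLA on everything breaks on 257 tickets in the first weeks, while the negotiated 20-per-week batch breaks none, which is the credibility point the article makes. The threshold and capacity constants are the knobs a CISO would actually agree with operations before publishing an SLA.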
Aurobindo Sundaram, CISSP, CISM, has worked in the Information Security industry for over 10 years.

[1] From:
[2] This section is largely excerpted from a previous article, "Risk Management Returns Results", in The ISSA Journal's July 2005 issue by the author and a colleague.