This document presents Manning InfoSec's strategy and its key considerations. It opens with an agenda covering an open discussion of drivers, challenges and issues, the evolving infosec role, recognition and responsibilities, strategy and maturity gauging, and closes with a bigger-picture view. Key points include adopting a risk-based approach, treating infosec as a board responsibility, recognising responsibilities such as protecting information assets, and a map of the global cybersecurity landscape. The document advocates a security strategy that keeps things simple, is endorsed by management, and takes a proactive, risk-based approach to infosec efforts.
2. Agenda
Intro: Open discussion: drivers, challenges, issues
Infosec Role Evolution – where do we sit?
Recognition and responsibilities
Strategy - Bringing it together
Gauging – Making sense of it all
Conclusion: The bigger Picture!
4. Where do we start?
DRIVERS / CHALLENGES (slide word cloud): Compliance; Legal & Regulatory; Brand reputation; Hacks/blackmail; Cloud computing; Quantum computing; Disruptive Tech; Complacency; Resistance to change / mindsets; Governance (or lack of); Volume of information; Ethics; Negligence; Autonomy; Misuse/abuse of information; Trust; Commitment; Rapid growth; Privacy; Identity Management; Threat Intelligence; DevOps
5. DevSecOps
Greater value delivered to the business through quicker deployments of secure software.
DevOps / SecOps / DevSecOps
Security gets baked into the SDLC, i.e. into the whole software development lifecycle rather than bolted on at the end.
https://www.owasp.org/index.php/OWASP_DevSecOps_Studio_Project
TRANSFORMATIVE SHIFT
6. DevSecOps – OWASP Highlights
Source: https://stackify.com/devsecops-automate-security-testing/
• Easy implementation
• Security as code
• Compliance as code (Inspec)
• Infrastructure as code
• OS hardening (Ansible)
• QA Security (ZAP)
• Static Tools (Bandit)
• Security Monitoring
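To make "Static Tools (Bandit)" and "security as code" concrete, here is an added example that is not Bandit, OWASP or Stackify code: a small AST-based checker in the spirit of Bandit that a CI job could run on every commit and use to fail the build. The rule IDs SEC001 to SEC004, the severities, the gate threshold and the sample source are all constructed for this illustration and cover only a handful of the patterns a real tool checks.

```python
"""Bandit-style static security check as a CI gate (added example, not Bandit)."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # hypothetical rule id, not a Bandit id
    severity: str   # LOW / MEDIUM / HIGH
    line: int
    message: str


SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")


class SecurityVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    @staticmethod
    def _call_name(node):
        # Resolve eval(...), os.system(...), subprocess.run(...) to a dotted name
        func, parts = node.func, []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if isinstance(func, ast.Name):
            parts.append(func.id)
        return ".".join(reversed(parts))

    def visit_Call(self, node):
        name = self._call_name(node)
        if name in ("eval", "exec"):
            self.findings.append(Finding("SEC001", "HIGH", node.lineno,
                                         f"use of {name}() on possibly untrusted input"))
        if name == "os.system":
            self.findings.append(Finding("SEC002", "HIGH", node.lineno,
                                         "os.system() passes its argument through the shell"))
        if name.startswith("subprocess."):
            # Only shell=True is flagged; an argv list is the safe form
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding("SEC002", "HIGH", node.lineno,
                                                 f"{name} called with shell=True"))
        if name == "yaml.load" and not any(kw.arg == "Loader" for kw in node.keywords):
            self.findings.append(Finding("SEC003", "MEDIUM", node.lineno,
                                         "yaml.load without an explicit Loader"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # Hardcoded secret: a name containing password/secret/... bound to a string literal
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(s in target.id.lower() for s in SECRET_NAMES):
                    self.findings.append(Finding("SEC004", "LOW", node.lineno,
                                                 f"hardcoded secret in '{target.id}'"))
        self.generic_visit(node)


def scan_source(source: str):
    """Parse Python source and return findings ordered by line number."""
    visitor = SecurityVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


def gate(findings, fail_on="HIGH"):
    """True if the build may proceed: no finding at or above the fail_on severity."""
    return not any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_on] for f in findings)


# Constructed sample module containing several deliberate weaknesses
SAMPLE = '''import os, subprocess, yaml
DB_PASSWORD = "hunter2"
def run(user_input):
    os.system("ls " + user_input)
    subprocess.run("grep " + user_input, shell=True)
    subprocess.run(["grep", user_input])
    return eval(user_input)
cfg = yaml.load(open("c.yml"))
'''

if __name__ == "__main__":
    found = scan_source(SAMPLE)
    for f in found:
        print(f"{f.severity:6} {f.rule} line {f.line}: {f.message}")
    print("build allowed:", gate(found))
```

Run as a pipeline step, a non-zero exit when gate() is False is what turns the list into a gate; the LOW hardcoded-secret finding is reported but does not block, which mirrors the risk-based prioritisation the deck argues for.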
7. Recognising Responsibilities
Protecting information – a board responsibility?
A risk-based approach has strategic, financial and operational benefits.
High-level critical objectives:
• Protection of key information assets
• Discovering who might compromise our information & why
• Pro-active management of (cyber) risk
Source: https://www.ncsc.gov.uk/guidance/10-steps-board-level-responsibility
Truth is – Security is everyone’s responsibility
9. At a glance
Source: https://www.ncsc.gov.uk/guidance/10-steps-executive-summary
The ten steps (NCSC):
• Risk management regime
• Secure configurations
• Network security
• User privilege management
• User education & awareness
• Incident management
• Malware prevention controls
• Monitoring
• Removable media
• Mobile teleworking
10. What’s my preferred approach
Building blocks: Policies; Awareness; Technical Controls; Risk Assessments; Information Security Requirements; Management Commitment; Periodic Reviews
Implementing an information security strategy
Develop skill propensities within a team
12. Mapping it out
Each of the ten steps mapped to policies, awareness and technical controls:
1. Risk Management Regime: supported by management; risk methodology for a risk-based approach
2. Secure Configuration: secure by default; system hardening, vulnerability assessments, patch management
3. Network Security: concentrate on where data is stored and processed; develop technical responses
4. Managing user privileges: adopt the concept of least privilege; Identity & Access Management, regular user access reviews
5. User education and awareness: user education and awareness programmes – develop a security-conscious culture
6. Incident Management: how to report and log incidents
7. Malware prevention: defence-in-depth approach; AV, endpoint security
8. Monitoring: Acceptable Use Policy (AUP); the ability to detect abnormalities / attacks on systems
9. Removable media controls: Acceptable Use Policy (AUP); endpoint DLP protection
10. Home and mobile working: secure teleworking capabilities; verify endpoints and trusted access points
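The "Compliance as code (Inspec)" item on slide 6 and the secure-by-default / system-hardening row above share one idea: the hardening baseline is written as code and evaluated automatically, so a drift from the baseline is a failed check rather than an audit finding months later. As an added example that is not InSpec, Ansible or NCSC material, the Python below evaluates a constructed sshd_config against a small constructed baseline. It resolves two things hand-written greps usually get wrong: OpenSSH takes the first value it sees for a keyword, not the last, and a keyword that is absent takes the server default, which can itself violate the baseline.

```python
"""Compliance-as-code check of an sshd_config hardening baseline (added example)."""
import re

# OpenSSH server defaults that apply when a keyword is absent from the file
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# Constructed baseline for this example: keyword -> predicate on the effective value
BASELINE = {
    "permitrootlogin": lambda v: v == "no",
    "passwordauthentication": lambda v: v == "no",
    "permitemptypasswords": lambda v: v == "no",
    "x11forwarding": lambda v: v == "no",
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 4,
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive
_LINE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> dict:
    """Return the effective global value of each keyword.

    sshd uses the FIRST obtained value for a keyword, so later duplicates are
    ignored; everything after a Match line applies only conditionally and is
    not part of the global configuration, so it is skipped here.
    """
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        value = m.group(2).strip().strip('"').lower()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(key, value)   # first value wins
    return effective


def check(text: str):
    """Evaluate the baseline; returns (passed, list of failure messages)."""
    conf = parse_sshd_config(text)
    failures = []
    for key, ok in BASELINE.items():
        if key in conf:
            value, origin = conf[key], "set"
        else:
            value, origin = DEFAULTS[key], "default"
        if not ok(value):
            failures.append(f"{key}: {value!r} ({origin}) violates baseline")
    return not failures, failures


# Constructed sample: the second PermitRootLogin line is ignored by sshd,
# and the Match block does not change the global PasswordAuthentication.
SAMPLE_CONFIG = """\
# constructed sample sshd_config for this example
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    passed, failures = check(SAMPLE_CONFIG)
    print("PASS" if passed else "FAIL")
    for msg in failures:
        print(" -", msg)
```

An empty file fails three controls purely on defaults, which is the case a naive "grep for PermitRootLogin no" check reports as compliant; wiring check() into a pipeline or a configuration-management run gives the "secure by default" row a measurable, repeatable test.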
13. A model to gauge infosec maturity
Lv1
• Unorganised, unstructured processes
• Dependence on individuals
• Processes are not repeatable or scalable
• Process documentation lacking
Lv2
• IS efforts are repeatable
• Basic PM techniques defined
• Repeatable successes
• Processes established, defined and documented
Lv3
• IS efforts have greater attention to documentation
• Standardisation
• Maintenance support
Lv4
• Monitoring and control of IS processes through data collection and analysis
Lv5
• Optimised level: processes constantly being improved through monitoring feedback
Axis: REACTIVE to PROACTIVE (Blocking & tackling, Compliance driven, Risk based approach)
16. Cyber Security World Map
Source: Henry Jiang, https://www.linkedin.com/pulse/map-cybersecurity-domains-version-20-henry-jiang-ciso-cissp/
17. In conclusion
A changing landscape triggers a change in mindset
Infosec efforts are only as good as the management endorsement behind them
The keep-it-simple rule of strategy still applies
Risk-based approaches work!
Gauging security maturity is not difficult
Tech Legal Compliance
In fact, there is an ongoing debate over the actual definition of what constitutes DevOps.
Is it a movement, a philosophy, a framework, or synonymous with continuous delivery?
Is it more about culture or more about tools?
Is it better than Agile for software development or ITIL for managing changes, incidents, problems, and requests?
Is it more efficient than Lean?
Lack of executive support
Underfunded
Understaffed
Lack of metrics for reporting
Set up for failure
Control-based security approach
Alignment to mandatory regulations – EU/PII/GDPR/ISO2700x/PCI
Multi-layered security and risk based approach
Using behaviour analytics and evaluating new technologies frequently
Linking events across multiple disciplines