Information Security: Organizing and Managing for Success
By Aurobindo Sundaram

©2006 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.    THE ISSA JOURNAL ◆ June 2006

Introduction

The Information Security industry has suffered historically from four different mindsets of executives:

  1. Security is firewalls—the techie model
  2. Security is a destination—the project model
  3. Security must be perfect—the purist model
  4. Security is an engagement—the consultant model

In this article, we discuss the challenges facing our industry and the CISO role, and discuss how an aspiring security professional can achieve success in these scenarios by focusing her efforts on:

  ▼ Corporate governance, including reporting relationships and a clear delineation of roles and responsibilities (and, most important, accountability)
  ▼ Recognizing that a coherent, execution-based strategy is critical to success
  ▼ Setting staffing levels and expectations with peers and business owners
  ▼ Evolving an information security program from immature (few policies, no business support, little security infrastructure—we call this Evolution Version 1.0) to the Risk Management Approach (substantial management support, mature policies, robust network security infrastructure—we call this Evolution Version 3.0) incrementally, over a period of a few years

In sum, we guide the new information security manager into making the right strategic decisions to create a successful program, and point her towards robust but incremental execution as the tool that enables this success.

Historical Problems with Information Security

Some of the historical problems with Information Security revolve around how CISOs have positioned the department. The four most common (and generally wrong) paradigms have been:

  1. Security is firewalls—the techie model: This has generally been perpetuated by system and network administrators who have been promoted into the CISO role. Although the technical side of security is well handled under this model, its major issue is that business management does not understand that information security is more than just firewalls and technical controls. The mapping between technology and risk is unclear to them. To them, security is implemented by preventing hackers from accessing websites. The CISO is ineffective at communicating risk. Eventually, Security is sidelined, made to report to the CTO, Operations, or Internal Audit, and effectively made irrelevant.

  2. Security is a destination—the project model: CISOs who have moved up through Internal Audit and Project Management can sometimes propagate this model, where it is believed that if a set of projects is completed, Security is achieved. Unfortunately, this is not true of Security, as the threat landscape is continuously evolving. Worse, because of the promises made to business management, the department goes through a boom-to-bust cycle: boom when project funding is requested and received, and bust when projects are completed. Security is not cyclical; effective programs depend on staff continuity and a stable environment. When these are not present, a security culture is hard to build.

  3. Security must be perfect—the purist model: In this model, the CISO believes that a situation is either secure or insecure, and that to make an insecure situation secure, a fixed set of steps must be followed with no deviation of any sort. This model is inflexible because it does not account for risk mitigation and compensating controls. Security is either black or white, and there is no scope for compromise. This model results in business management overriding Information Security in most cases, and the entire department getting a reputation for being hard to work with. Recovering from this model can take years because of the tarnished reputation that must be overcome.

  4. Security is an engagement—the consultant model: In this unfortunate model, the new CISO brings in a consultant to perform a risk assessment that makes the department look as inept as possible, so that she can gain headcount. What generally happens is that the consultant produces a comprehensive strategic plan involving large, service-intensive projects. The CISO is rebuffed by her superiors on her additional resource requests and implements only a portion of the projects, without studying their inter-relations. This in fact makes the situation worse rather than better. A well-managed consultant can actually provide value by documenting operational gaps and prioritizing goals. All too often, this does not happen.

Challenges Facing the CISO Role

Quite separate from the mistakes CISOs make, there are also inherent challenges in the role itself. Over the last several years, the tenure of the CISO has become short and rocky, with higher risk and lower reward. Consider the following:

  1. The average CISO tenure is shorter than ever and the job is often considered a transition role. An average CISO serves 2-3 years in her job[1] before moving on. At this rate, the CISO is always thinking in short-term mode, trying to make sure she pads her resume as much as possible. This is the worst strategy for the organization, but it does make the CISO look good to create and execute several new programs in the first 2-3 years and not have to stay around to complete the job.

  2. The position involves greater risk than in the past (California's SB1386 has been especially responsible for amplifying this risk). However, the rewards have not kept pace with the elevated risk. This could be another reason for the quicker turnover among CISOs.

  3. The CISO is continuously pulled between contradictory objectives. Budgets are low, security products are expensive, integration is difficult, and business managers want time to market to be short, which means security is often asked to rubber-stamp a decision that has already been made.

  4. Regulations such as SOX, customer compliance requirements, and ever-expanding federal and state regulations keep the CISO constantly modifying her game plan and having to do much more work with the same resources. This can quickly lead to burnout at both the staff and executive levels.

  5. It is difficult for the CISO to create a corporate security governance matrix and execute on it successfully within 2-3 years. It takes time to learn the corporate culture, build a security culture, and build the relationships required for successfully implementing a culture of accountability within the entire organization.

Organization and Support[2]

There are many thoughts on how security should report into management. While there is no sure way to gain the support of your management, here is one common myth.

Myth: Security must report to Business Management to be effective.
Corollary: Security is best served by reporting to Information Technology.

These are both somewhat inaccurate. While it is certainly advantageous to report to business management, without business management support this reporting is not useful.

Truth: Reporting is not as important as support and high-level commitment.

I have been at different organizations where support has been demonstrated in different ways. At a large oilfield services firm that I worked at (in IT, no less!), commitment was shown by setting information security objectives from the CEO down (accounting for 20% of their annual bonus). This executive support allowed for the successful implementation of mandatory security awareness testing for 75,000 users, vulnerability remediation for over 2,500 systems, placement and training of 400 security coordinators internationally, and updated anti-virus software for 75,000 desktops.

Sometimes, support is shown by the reporting structure and the power given to the CISO. This can involve reporting up to business operations so that the traditional problem of CISOs (the security department being stigmatized as a "technology cost center") is somewhat mitigated.

There is a lot of buzz around the topic of "convergence"—where a CISO manages both physical and logical security. The CISO should be careful about being sucked into thinking convergence makes sense without a very careful analysis of the corporation. It is much more important that roles and responsibilities be clearly documented.

It is wiser for the CISO to work with business management, Legal Counsel, HR, Operations, and other departments to create a governance matrix for the organization. A sample matrix is shown in Figure 2. By working with these different stakeholders, a clear sense of accountability is created, and if that involves convergence, so be it.

Figure 2: Sample Governance Matrix

  Focus area                | Privacy Office | Information Security | Legal Counsel      | Human Resources | Operations | Business unit
  --------------------------+----------------+----------------------+--------------------+-----------------+------------+--------------
  IT Security               |                | Policy/Assess        | Approve            | Approve         | Execute    | Execute
  Fraud/incident response/  |                | Execute              | Policy/Co-ordinate | Initiate        |            |
    law enforcement         |                |                      |                    |                 |            |
  DR/BCP                    | Consult        | Policy               | Consult            |                 | Execute    |
  Regulatory compliance     | Policy/Assess  | Execute              | Consult            |                 | Execute    |
  Customer audits           | Execute        | Execute              |                    |                 | Execute    | Execute
  Physical security         |                |                      |                    | Policy/Execute  |            |

  This is by no means supposed to be a real-world matrix: the reader will notice that there are several rows (focus areas) for which not all of the Policy, Execute, and Assess functions are owned by some column (accountable department). The CISO should ensure that Policy, Execute, and Assess are each owned by at least one department for every focus area.

Strategy, Staffing and Program Positioning

The CISO should decide on a portfolio of services she will provide to the enterprise. Care should be taken not to tread into operations, since that violates separation of duties (security sets policy and assesses; operations executes). The portfolio should be risk-based and address defense in depth. A portfolio would include services in the following areas:

  ▼ Network and System Security
  ▼ Data and Application Security
  ▼ Identity and Access Management
  ▼ Business Support Services
  ▼ Policy and Compliance

It is important to position these initiatives as scalable, repeatable services. The CISO should emphasize their longevity and demonstrate and quantitatively prove their value.

The CISO should realize that her team will make or break her career. It is critical to hire the right people into the high-performing team. While education and certifications are important, it is even more important that team members be able to communicate with business management in terms that they can understand. Therefore, it is more important to hire team members with good project management and communication skills than those with only superb technical skills. It is also important to associate headcount with services, and to incrementally build the case for headcount.

Along with the governance matrix, the CISO should try to create SLAs with business units and operations. These should be gradually phased in (the following sections discuss this) rather than pushed through all at once.

The CISO should also realize that there are three areas of concentration—People, Process, and Technology—that can be used to secure a computing system. Depending on the culture of the company, the budget available to her, and the maturity of the security program, the CISO should focus on one area. For instance, in an immature organization where building a security awareness culture will be a challenge, the CISO should initially concentrate on using automation (i.e., technology) to protect users from viruses and other threats. As another example, in a mature organization where budget is hard to find, the CISO should use the security culture to help protect against threats (e.g., social engineering, phishing, viruses, etc.).

Information Security Version 1.0 … and Beyond

In my experience, there are three distinct levels of Information Security Program maturity. There are different challenges in each level, and the aspiring CISO would do well to quickly identify which level she is in and make the appropriate managerial adjustments to succeed at that level.

Evolution Version 1.0

This is the profile of an extremely immature organization with respect to Information Security. Small startups, and even some larger companies that have had bad experiences with one of the defective models above, can often be at this level. Some of the characteristics of this version are:

  ▼ Few documented policies or procedures
  ▼ Security is an afterthought
  ▼ No business support for security
  ▼ Little or no existing security infrastructure

While the new CISO may be tempted to create a strategic plan to address the deficiencies, this is often not the appropriate thing to do. The enterprise is at too great a risk, and immediate action is required. The CISO should create and immediately execute on a very tactical, network security-centric plan. The elements of such a plan should include:

  ▼ Robust perimeter protection using firewalls and intrusion detection systems: There are thousands of targeted and random (script kiddie based) attacks propagated across the Internet every day. It is critical that the enterprise protect against these by using access controls and detection mechanisms.
  ▼ An anti-virus implementation: Viruses and worms are the single largest source of damage for enterprises. Implementing up-to-date virus protection on all systems is critical to ensuring business continuity.
  ▼ A patch management implementation: New vulnerabilities are released every week, sometimes by the day. An enterprise that does not manage these patches, even manually, will be compromised at some point.

The sharp reader will notice that nothing is said about user awareness or security policy. This is precisely because at such an early stage of the evolution, policies do not appreciably reduce risk. In addition, there is no business support for security and thus no driver to build security awareness and culture.

The emphasis for the CISO should be on ensuring some quick "wins"—building credibility and support within the organization, while quickly reducing major risk issues to a more manageable level. To this end, the CISO may want to outsource some of the tasks at this level; managed security services can be a cost-effective way to do this when headcount is at a premium.

Evolution Version 2.0

Assuming our intrepid CISO makes it through Version 1.0, she will land in the challenging Version 2.0 of an Information Security Program's evolution. Most organizations are at this level of maturity. Some characteristics of this version are:

  ▼ There is headcount available with the proper justification
  ▼ There is adequate staff to handle current needs
  ▼ There is some (but limited) management support
  ▼ Policies and procedures exist but are immature and not always complete

The great danger at this phase is that the CISO tries to do too much. On exiting level 1, the CISO has many choices, both tactical and strategic. Her success in Version 1.0 may embolden her to attempt sweeping new initiatives. Caution is recommended; the support systems for a robust security program are not yet completely developed. We suggest that the CISO perform the following strategic tasks:

  1. Start building a comprehensive policy umbrella and related compliance programs.
  2. Build Network and System Security programs, such as vulnerability management. This is the next stage in the evolution of the program, and is important because script kiddies and malicious insiders often target vulnerable systems.
  3. Build Identity and Access Management programs, such as user provisioning, access controls, and security awareness. These are the building blocks for ensuring the correct controls around access to data and systems, and for ensuring that a security culture is established.
  4. Build Business Support Services, such as enabling the business to create revenue (RFP responses, customer audits, etc.). This is important because creating business value is crucial for future management support for the security program.
  5. Ignore Data and Application Security for now. This may seem surprising, but, again, the security program, while well developed, is not yet at the level of maturity that can support application security scans, secure coding, and data encryption (except in special cases).

The CISO should pursue a methodical, reasonable approach to embedding security into the operations mindset, keeping in mind that operations is generally lightly staffed and heavily loaded to start with. While putting her foot down on critical risks, the CISO should provide a level of flexibility to win over the hearts and minds of the different operations groups. In the long run, operating as partners leads to far more effective security programs.

Figure 1: The Wrong and Right Ways to Implement a Version 2.0 Initiative

  The Wrong Way
  ▼ Initiate a vulnerability management program
  ▼ Create an SLA requiring level 4 and level 5 issues to be fixed within a week
  ▼ Perform the first scan; find 74 level 5 and 223 level 4 issues
  ▼ Open tickets with operations for all of them at once

  The Right Way
  ▼ Initiate a vulnerability management program
  ▼ Create a desired SLA: level 4 issues fixed within one month, level 5 issues within one week
  ▼ Perform the first scan; find 74 level 5 and 223 level 4 issues
  ▼ Open the top 20 level 5 tickets every week, after consulting with operations
  ▼ Progress to level 4 when the level 5 tickets are at a manageable level

Figure 1 demonstrates the dangers of trying to do too much too soon. In "The Wrong Way," a CISO sets unreasonable expectations, and can move the program backwards by losing credibility with her peers. In "The Right Way," however, she sets reasonable expectations, focuses on risk-based remediation, and manages the program as a partnership.

Evolution Version 3.0

Few organizations reach the plateau of Version 3.0. This is because successfully executing through Version 2.0 takes a few years, and the discontinuity between successive CISOs generally leads to a one-step-forward, one-step-back scenario for the program. Some characteristics of this level, however, are:

  ▼ There is substantial management awareness of, appreciation of, and support for the Information Security Program.
  ▼ Policies are mature and well maintained, and controls are implemented and assessed for most policy items.
  ▼ The network security infrastructure is very robust and completely fleshed out in implementation.

Successful CISOs at this level generally should do the following:

  ▼ Flesh out their enterprise encryption strategy and execute on it.
  ▼ Build Application and Data Protection programs including classification, web application scanning, secure coding standards, etc.
  ▼ Start measuring and enforcing compliance standards and SLAs.
  ▼ Start reporting risk metrics to business units.
  ▼ Drive accountability for mitigating risks through business management.

Conclusion

The CISO has a thankless and difficult job. Depending on the state of the organization, there are various pitfalls she can encounter; I hope this article gave the reader some essential things to do (and NOT to do) depending on the maturity of the security program. The CISO should:

  ▼ Build the governance model for execution early on
  ▼ Implement a service/program-based approach
  ▼ Staff up with the best resources possible
  ▼ Set reasonable expectations with business management and operations, and achieve them
  ▼ Evolve the program incrementally, eventually integrating risk management and accountability

The thoughtful, execution-focused CISO who incrementally implements change is far more likely to be successful than the flashy, buzzword-compliant CISO who tries to bring in an entirely new system.
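The phased, risk-based ticketing of Figure 1 can be stated precisely enough to run. The following Python is an added example, not code from the article or its author: it sequences a scan's findings into weekly ticket batches (level 5 first, level 4 only once the untouched level-5 backlog is "manageable"), attaches the Right Way's desired SLAs, and then contrasts that plan with the Wrong Way (everything ticketed on day one, all due in a week) under a constructed operations throughput. The scan counts (74 level 5, 223 level 4) come from Figure 1; the weekly cap of 20 follows the figure; the "manageable" threshold of 10 unticketed level-5 findings, the 20 closures per week that operations can absorb, the extra level-2 findings, the host and check names, and the start date are all assumptions made for the example.

```python
"""Phased, risk-based vulnerability remediation (Figure 1's "Right Way")
versus opening every ticket at once (the "Wrong Way").
Added example: scan counts follow the article; everything else is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Desired SLAs from the "Right Way" column: level 5 fixed in one week,
# level 4 in one month. Lower levels are not ticketed in this phase.
SLA_DAYS: Dict[int, int] = {5: 7, 4: 30}
START = date(2006, 6, 5)   # constructed: the Monday the program begins


@dataclass(frozen=True)
class Finding:
    host: str
    check: str   # scanner check name (constructed, not a real plugin ID)
    level: int   # scanner severity 1..5


@dataclass
class Ticket:
    finding: Finding
    opened: date
    due: date
    closed: Optional[date] = None

    def breached(self, today: date) -> bool:
        """Overdue if closed after the due date, or still open past it."""
        return (self.closed or today) > self.due


def sample_scan(level5: int = 74, level4: int = 223) -> List[Finding]:
    """Constructed first-scan result matching the counts in Figure 1,
    plus some level-2 noise that the plan deliberately leaves alone."""
    out = [Finding(f"srv{i:03d}", "unpatched-service", 5) for i in range(level5)]
    out += [Finding(f"ws{i:03d}", "weak-config", 4) for i in range(level4)]
    out += [Finding(f"ws{i:03d}", "banner-disclosure", 2) for i in range(50)]
    return out


def weekly_batches(findings: List[Finding], weekly_cap: int = 20,
                   manageable_level5: int = 10) -> List[List[Finding]]:
    """Sequence findings into weekly ticket batches, level 5 first.

    Level-4 work starts only once the level-5 findings not yet ticketed
    have dropped to `manageable_level5` or fewer (assumed threshold); spare
    capacity in that and later weeks goes to level 4. Levels below 4 wait.
    """
    level5 = [f for f in findings if f.level == 5]
    level4 = [f for f in findings if f.level == 4]
    batches: List[List[Finding]] = []
    while level5 or level4:
        batch: List[Finding] = []
        while level5 and len(batch) < weekly_cap:
            batch.append(level5.pop(0))
        if len(level5) <= manageable_level5:
            while level4 and len(batch) < weekly_cap:
                batch.append(level4.pop(0))
        batches.append(batch)
    return batches


def right_way(findings: List[Finding], start: date = START) -> List[Ticket]:
    """One batch per week, each ticket due per its level's desired SLA."""
    tickets: List[Ticket] = []
    for week, batch in enumerate(weekly_batches(findings)):
        opened = start + timedelta(weeks=week)
        for f in batch:
            tickets.append(Ticket(f, opened, opened + timedelta(days=SLA_DAYS[f.level])))
    return tickets


def wrong_way(findings: List[Finding], start: date = START) -> List[Ticket]:
    """Every level-4 and level-5 finding ticketed on day one, all due in a week."""
    due = start + timedelta(days=7)
    return [Ticket(f, start, due) for f in findings if f.level >= 4]


def simulate(tickets: List[Ticket], weeks: int, start: date = START,
             closes_per_week: int = 20) -> Tuple[int, int]:
    """Operations closes at most `closes_per_week` open tickets each week
    (assumed throughput), earliest due date first, by the end of that week.
    Returns (SLA breaches, tickets still open) after `weeks` weeks."""
    for week in range(weeks):
        monday = start + timedelta(weeks=week)
        open_now = [t for t in tickets if t.closed is None and t.opened <= monday]
        open_now.sort(key=lambda t: (t.due, -t.finding.level))
        for t in open_now[:closes_per_week]:
            t.closed = monday + timedelta(days=6)
    end = start + timedelta(weeks=weeks)
    return (sum(t.breached(end) for t in tickets),
            sum(t.closed is None for t in tickets))


if __name__ == "__main__":
    scan = sample_scan()
    weeks = len(weekly_batches(scan))
    print(f"{weeks} weekly batches")
    print("right way (breaches, still open):", simulate(right_way(scan), weeks))
    print("wrong way (breaches, still open):", simulate(wrong_way(scan), weeks))
```

With the same operations throughput, the Right Way clears the backlog in 15 weekly batches with no SLA breach, while the Wrong Way opens 297 tickets on day one and breaches the one-week SLA on every ticket beyond the first twenty, which is the credibility loss the figure warns about. Tune `weekly_cap` and `closes_per_week` to what operations actually agrees to, not to what the scanner reports.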
Aurobindo Sundaram, CISSP, CISM, has worked in the Information Security industry for over 10 years.

[1] From: http://infosecuritymag.techtarget.com/articles/december01/columns_logoff.shtml
[2] This section is largely excerpted from a previous article, "Risk Management Returns Results," in The ISSA Journal's July 2005 issue by the author and a colleague.


2005 issa journal-simsevaluation
2005 issa journal-simsevaluation2005 issa journal-simsevaluation
2005 issa journal-simsevaluationasundaram1
 
Raleigh issa chapter april meeting - managing a security & privacy governan...
Raleigh issa chapter   april meeting - managing a security & privacy governan...Raleigh issa chapter   april meeting - managing a security & privacy governan...
Raleigh issa chapter april meeting - managing a security & privacy governan...
Raleigh ISSA
 
2008 Issa Journal Security Metrics Hype Reality And Value Demonstration
2008 Issa Journal Security Metrics Hype Reality And Value Demonstration2008 Issa Journal Security Metrics Hype Reality And Value Demonstration
2008 Issa Journal Security Metrics Hype Reality And Value Demonstrationasundaram1
 
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-20092009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009
asundaram1
 
2005 issa journal-risk-management
2005 issa journal-risk-management2005 issa journal-risk-management
2005 issa journal-risk-managementasundaram1
 
Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012   Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
eldercomlaw
 

Viewers also liked (6)

2005 issa journal-simsevaluation
2005 issa journal-simsevaluation2005 issa journal-simsevaluation
2005 issa journal-simsevaluation
 
Raleigh issa chapter april meeting - managing a security & privacy governan...
Raleigh issa chapter   april meeting - managing a security & privacy governan...Raleigh issa chapter   april meeting - managing a security & privacy governan...
Raleigh issa chapter april meeting - managing a security & privacy governan...
 
2008 Issa Journal Security Metrics Hype Reality And Value Demonstration
2008 Issa Journal Security Metrics Hype Reality And Value Demonstration2008 Issa Journal Security Metrics Hype Reality And Value Demonstration
2008 Issa Journal Security Metrics Hype Reality And Value Demonstration
 
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-20092009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009
 
2005 issa journal-risk-management
2005 issa journal-risk-management2005 issa journal-risk-management
2005 issa journal-risk-management
 
Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012   Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
 

Similar to 2006 issa journal-organizingand-managingforsuccess

Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
UBM_Design_Central
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
UBM_Design_Central
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptx
jjvdneut
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptx
jjvdneut
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
Priyanka Aash
 
111.pptx
111.pptx111.pptx
111.pptx
JESUNPK
 
Cybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsCybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of Directors
Paul Feldman
 
4-lessons-of-security-leaders-for-2022.pdf
4-lessons-of-security-leaders-for-2022.pdf4-lessons-of-security-leaders-for-2022.pdf
4-lessons-of-security-leaders-for-2022.pdf
Jose R
 
Information Security
Information SecurityInformation Security
Security-Invest Where it Matters Most
Security-Invest Where it Matters MostSecurity-Invest Where it Matters Most
Security-Invest Where it Matters Most
InnoTech
 
E5 rothke - deployment strategies for effective encryption
E5   rothke - deployment strategies for effective encryptionE5   rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryption
Ben Rothke
 
Risk monitoring and response
Risk monitoring and responseRisk monitoring and response
Risk monitoring and response
ZyrellLalaguna
 
Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...
Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...
Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...
Livingstone Advisory
 
Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...
Livingstone Advisory
 
Credit Union Cyber Security
Credit Union Cyber SecurityCredit Union Cyber Security
Credit Union Cyber Security
Stacy Willis
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
Priyanka Aash
 
Information Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelInformation Security Governance at Board and Executive Level
Information Security Governance at Board and Executive Level
Koen Maris
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guideSergey Erohin
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guideSergey Erohin
 

Similar to 2006 issa journal-organizingand-managingforsuccess (20)

Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptx
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptx
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
 
111.pptx
111.pptx111.pptx
111.pptx
 
Wisegate_GeekSpeak_LG
Wisegate_GeekSpeak_LGWisegate_GeekSpeak_LG
Wisegate_GeekSpeak_LG
 
Cybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsCybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of Directors
 
4-lessons-of-security-leaders-for-2022.pdf
4-lessons-of-security-leaders-for-2022.pdf4-lessons-of-security-leaders-for-2022.pdf
4-lessons-of-security-leaders-for-2022.pdf
 
Information Security
Information SecurityInformation Security
Information Security
 
Security-Invest Where it Matters Most
Security-Invest Where it Matters MostSecurity-Invest Where it Matters Most
Security-Invest Where it Matters Most
 
E5 rothke - deployment strategies for effective encryption
E5   rothke - deployment strategies for effective encryptionE5   rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryption
 
Risk monitoring and response
Risk monitoring and responseRisk monitoring and response
Risk monitoring and response
 
Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...
Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...
Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...
 
Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...
 
Credit Union Cyber Security
Credit Union Cyber SecurityCredit Union Cyber Security
Credit Union Cyber Security
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Information Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelInformation Security Governance at Board and Executive Level
Information Security Governance at Board and Executive Level
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guide
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guide
 

Recently uploaded

Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 

Recently uploaded (20)

Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 

2006 issa journal-organizingand-managingforsuccess

©2006 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited. THE ISSA JOURNAL ◆ June 2006
In sum, we guide the new information security manager into making the right strategic decisions to create a successful program, and point her towards robust, but incremental execution as a tool to enable this success.

Figure 1: The Wrong and Right Ways to Implement a Version 2.0 Initiative

The Wrong Way
▼ Initiate a vulnerability management program
▼ Create SLA of level 4 and 5 issues to be fixed in a week
▼ Perform first scan, find 74 level 5, 223 level 4
▼ Open tickets for operations

The Right Way
▼ Initiate a vulnerability management program
▼ Create desired SLA of level 4 and 5 issues to be fixed in 1 month/1 week
▼ Perform first scan, find 74 level 5, 223 level 4
▼ Open the top 20 level 5 tickets every week after consulting with operations
▼ Progress to level 4 when level 5 tickets are at manageable level

Figure 2: Sample Governance Matrix

Columns (accountable departments): Privacy Office | Information security | Legal Counsel | Human Resources | Operations | Business unit

Rows (focus areas), with the entries each row carries in left-to-right order (empty cells were lost in extraction, so the exact column of an entry is not recoverable for rows with fewer than six entries):
Security: Policy/Assess | Approve | Approve | Execute | Execute
Fraud/incident response/law enforcement: Execute | Policy/Co-ordinate | Initiate
DR/BCP: Consult | Policy | Consult | Execute
Regulatory compliance: Policy/Assess | Execute | Consult | Execute
Customer audits: Execute | Execute | Execute | Execute
Physical security: Policy/Execute

This is by no means supposed to be a real-world matrix, because the reader will notice that there are several rows (focus areas) without any columns (accountable departments) having the “Execute” function. The CISO should ensure that Policy, Execute, and Assess are owned by at least one department for every focus area.

Historical Problems with Information Security

Some of the historical problems with Information Security revolve around how CISOs have positioned the department. The three most common (and generally wrong) paradigms have been:

1. Security is firewalls–the techie model: This has generally been perpetrated by IT system and network administrators who have been promoted into the CISO role. Although the technical side of security is well handled under this model, the major issues with it are that business management does not understand that information security is more than just firewalls and technical controls. The mapping between technology and risk is unclear to them. To them, security is implemented by preventing hackers from accessing websites. The CISO is ineffective at communicating risk. Eventually, Security is sidelined, made to report to the CTO, Operations, or Internal Audit and effectively made irrelevant.

2. Security is a destination–the project model: CISOs who have moved up through Internal Audit and Project Management can sometimes propagate this model, where it is believed that if a set of projects is completed, Security is achieved. Unfortunately, this is not true of Security, as the threat landscape is continuously evolving. Unfortunately, because of the promises made to business management, the department goes through a boom to bust cycle; boom when project funding is requested and received, and bust when projects are completed. Security is not cyclical – effective programs depend on staff continuity and a stable environment. When these are not present, the security culture is hard to implement.

3. Security must be perfect–the purist model: In this model, the CISO believes that a situation is either secure or insecure, and to make an insecure situation secure, there must be a certain set of steps followed, with no deviation of any sort. This model is inflexible because it does not account for risk mitigation and compensating controls. Security is either black or white, and there is no scope for compromise. This model results in business management overriding Information Security in most cases, and the entire department getting a reputation for being hard to work with. Recovering from this model can take years because of the tarnished reputation to overcome.

4. Security is an engagement–the consultant model: In this unfortunate model, the new CISO brings in a consultant to perform a risk assessment to make the department look as inept as possible, so that she can gain headcount. What generally happens is that the consultant spits out a comprehensive strategic plan involving large service-intensive projects. The CISO is rebuffed by his superiors on his additional resource requests and only implements a portion of the projects without studying their inter-relations. This, in fact, makes the situation worse, rather than better. A well managed consultant can actually provide value by documenting operational gaps and prioritizing goals. All too often, this does not happen.

Challenges Facing the CISO Role

Quite separate from the mistakes CISOs make, there are also inherent challenges in the role itself. Over the last several years, the role of the CISO has become short and rocky, with higher risk and lower reward. Consider the following:

1. The average CISO tenure is shorter than ever and often considered a transition role. An average CISO serves 2-3 years in her job[1] before moving on. At this rate, the CISO is always thinking in short-term mode, trying to make sure she pads her resume as much as possible. This is the worst strategy for the organization, but it does make the CISO look good to create and execute several new programs in the first 2-3 years and not have to stay around to complete the job.
2. The position involves greater risk than in the past (California’s SB1386 has been especially responsible for amplifying this risk). However, the rewards have not kept pace with the elevated risk. This could be another reason for the quicker turnover among CISOs.

3. The CISO is continuously pulled between contradictory objectives. Budgets are low, security products are expensive, integration is difficult, and business managers want time to market to be small, which means security is often asked to rubberstamp a decision that has already been made.

4. Regulations such as SOX, customer compliance requirements, and ever-expanding federal and state regulations keep the CISO constantly modifying her game plan and having to do much more work with the same resources. This can quickly lead to burnout both at the staff and executive levels.

5. It is difficult for the CISO to create a corporate security governance matrix and execute on it successfully within 2-3 years. It takes time to learn the corporate culture, build a security culture, and build the relationships required for successfully implementing a culture of accountability within the entire organization.

Organization and Support[2]

There are many thoughts on how security should report into management. While there is no sure way to gain the support of your management, here is one common myth.

Myth: Security must report to Business Management to be effective.
Corollary: Security is best served by reporting to Information Technology.

These are both somewhat inaccurate. While it is certainly advantageous to report to business management, without business management support, this reporting is not useful.

Truth: Reporting is not as important as support and high-level commitment.

I have been at different organizations where support has been demonstrated in different ways. At a large oilfield services firm that I worked at (in IT, no less!), commitment was shown by setting information security objectives from the CEO down (accounting for 20% of their annual bonus). This executive support allowed for the successful implementation of mandatory security awareness testing for 75,000 users, vulnerability remediation for over 2,500 systems, placement and training for 400 security coordinators internationally, and updated anti-virus software for 75,000 desktops.

Sometimes, support is shown by the reporting structure and the power given to the CISO. This can involve reporting up to business operations so that the traditional problem of CISOs (security department is stigmatized as a “technology cost center”) is somewhat mitigated.

There is a lot of buzz around the topic of “convergence”—where a CISO manages both physical and logical security. The CISO should be careful about being sucked into thinking convergence makes sense, without a very careful analysis of the corporation. It is much more important that a clear documentation of roles and responsibilities is performed.

It is wiser for the CISO to work with business management, Legal Counsel, HR, Operations, and other departments to create a governance matrix for the organization. A sample matrix is shown in Figure 2. By working with these different stakeholders, a clear sense of accountability is created, and if that involves convergence, so be it.

Strategy, Staffing and Program Positioning

The CISO should decide on a portfolio of services she will provide to the enterprise. Care should be taken to not tread into operations, since that will violate the separation of privileges doctrine. The portfolio should be risk based and address defenses in depth. A portfolio would include services in the following areas:

▼ Network and System Security
▼ Data and Application Security
▼ Identity and Access Management
▼ Business Support Services
▼ Policy and Compliance

It is important to position these initiatives as scalable, repeatable services. The CISO should emphasize their longevity and demonstrate and quantitatively prove their value.

The CISO should realize that her team will make or break her career. It is critical to hire the right people into the high-performing team. While education and certifications are important, it is even more important that team members be able to communicate to business management in terms that they can understand. Therefore, it is more important to hire team members with good project management and communication skills rather than just superb technical skills. It is also important to associate headcount with services, and incrementally build the case for headcount.

Along with the governance matrix, the CISO should try to create SLAs with business units and operations. These should be gradually phased in (the following sections discuss this) rather than pushed through all at once.

The CISO should also realize that there are three areas of concentration—People, Process, and Technology – that can be used to secure a computing system. Depending on the culture of the company, the budget available to her, and the maturity of the security program, the CISO should focus on one area. For instance, in an immature organization where building a security awareness culture will be a challenge, the CISO should initially concentrate on using automation (i.e. technology) to protect users from viruses and other threats. As another example, in a mature organization where a budget is hard to find, the CISO should use the security culture to help protect against threats (e.g. social engineering, phishing, viruses, etc.).

Information Security Version 1.0 … and Beyond

In my experience, there are three distinct levels of Information Security Program maturity. There are different challenges in each level, and the aspiring CISO would do well to quickly identify which level she is in, and make the appropriate managerial adjustments to succeed at that level.

Evolution Version 1.0

This is the profile of an extremely immature organization with respect to Information Security. Small startups and even some larger companies that have had bad experiences with one of the defective models above can often be in this level. Some of the characteristics of this version are:

▼ Few documented policies or procedures
▼ Security is an afterthought
▼ No business support for security
▼ Little or no existing security infrastructure

While the new CISO may be tempted to create a strategic plan to address the deficiencies, this is often not the appropriate thing to do. The enterprise is at too great a risk, and immediate action is required. The CISO should create and
immediately execute on a very tactical, network security-centric plan. The elements of such a plan should include:

▼ Robust perimeter protection using firewalls and intrusion detection systems: There are thousands of targeted and random (script kiddie based) attacks propagated across the Internet every day. It is critical that the enterprise protect against this by using access controls and detection mechanisms.
▼ An anti-virus implementation: Viruses and worms are the single largest source of damage for enterprises. Implementing up-to-date virus protections on all systems is critical to ensuring business continuity.
▼ A patch management implementation: New vulnerabilities are released every week, sometimes by the day. An enterprise that does not manage these patches, even manually, will be compromised at some point.

The sharp reader will notice that there is nothing mentioned about user awareness or security policy. This is precisely because in such an early stage of the evolution, policies do not appreciably reduce risk. In addition, there is no business support for security and thus no driver to build security awareness and culture.

The emphasis for the CISO should be on ensuring some quick “wins”—building credibility and support within the organization, while quickly reducing major risk issues to a more manageable level. To this end, the CISO may want to outsource some of the tasks at this level – managed security services can be a cost-effective way to do this when headcount is at a premium.

Evolution Version 2.0

Assuming our intrepid CISO makes it through Version 1.0, she will land into the challenging Version 2.0 of an Information Security Program’s evolution. Most organizations are at this level of maturity. Some characteristics of this version are:

▼ There is headcount available with the proper justification
▼ There is adequate staff to handle current needs
▼ There is some (but limited) management support
▼ Policies and procedures exist but are immature and not always complete

The great danger at this phase is that the CISO tries to do too much. From the exit of level 1, the CISO has many choices, both tactical and strategic. Her success in version 1 may embolden her to attempt sweeping new initiatives. Caution is recommended – the support systems for a robust security program are not yet completely developed. We suggest that the CISO perform the following strategic tasks:

1. Start building a comprehensive policy umbrella and related compliance programs.
2. Build Network and System Security programs, such as vulnerability management. This is the next stage in the evolution of the program, and is important because script kiddies and malicious insiders often target vulnerable systems.
3. Build Identity and Access Management programs, such as for user provisioning, access controls, and security awareness. These are the building blocks for ensuring the correct controls around access to data/systems, and ensuring that a security culture is established.
4. Build Business Support Services, such as enabling the business to create revenue (RFP responses, customer audits, etc.). This is important because creating business value is crucial for future management support for the security program.
5. Ignore Data and Application Security. This may seem surprising, but, again, the security program, while well developed, is not yet at the level of maturity that can support application security scans, secure coding, and data encryption (except in special cases).

The CISO should pursue a methodical, reasonable approach to embedding security into the operations mindset, keeping in mind that operations is generally lightly staffed and heavily loaded to start with. While putting her foot down on critical risks, the CISO should provide a level of flexibility to win over the hearts and minds of the different operations groups. In the long run, operating as partners leads to far more effective security programs.

Figure 1 demonstrates the dangers of trying to do too much too soon. In “The Wrong Way,” a CISO sets unreasonable expectations, and can move the program backwards by losing credibility with her peers. In “The Right Way,” however, she sets reasonable expectations, focuses on risk-based remediation, and manages the program as a partnership.

Evolution Version 3.0

Few organizations reach the plateau of Version 3.0. This is because successfully executing through Version 2.0 takes a few years; the discontinuity between successive CISOs generally leads to a one-step-forward, one-step-back scenario for the program. Some characteristics of this level, however, are:

▼ There is substantial management awareness of, appreciation of, and support for the Information Security Program.
▼ Policies are mature, well maintained, and control items implemented and assessed for most policy items.
▼ The network security infrastructure is very robust and completely fleshed out in implementation.

Successful CISOs at this level generally should do the following:

▼ Flesh out their enterprise encryption strategy and execute on it.
▼ Build Application and Data Protection programs including classification, web application scanning, secure coding standards, etc.
▼ Start measuring and enforcing compliance standards and SLAs.
▼ Start reporting risk metrics to business units.
▼ Drive accountability for mitigating risks through business management.

Conclusion

The CISO has a thankless and difficult job. Depending on the state of the organization, there are various pitfalls she can encounter; I hope this article gave the reader some essential things to do (and NOT to do) depending on the maturity of the security program. The CISO should:

▼ Build the governance model for execution early on
▼ Implement a service/program-based approach
▼ Staff up with the best resources possible
▼ Set reasonable expectations with business management and operations and achieve them
▼ Evolve the program incrementally, eventually integrating risk management and accountability

The thoughtful, execution-focused CISO who incrementally implements change is far more likely to be successful than the flashy, buzzword-compliant CISO who tries to bring in an entirely new system.
Aurobindo Sundaram, CISSP, CISM, has worked in the Information Security industry for over 10 years.

[1] From: http://infosecuritymag.techtarget.com/articles/december01/columns_logoff.shtml
[2] This section is largely excerpted from a previous article “Risk Management Returns Results” in The ISSA Journal’s July 2005 issue by the author and a colleague.