Convergence – Innovative Integration of Security
Dave Tyson, CISO, Pacific Gas & Electric
Imagine!
Technology Trends
- Cloud computing
- Virtualization
- Social media
- IT transformation
- Device ubiquity
- Industry specific: medical devices on the network, Smart Grid, nanotechnology
Security Trends
- Organized crime
- Advanced persistent threats
- Zero-day attacks
- Cyber extortion
- Internal threats are back on the rise
- Security staff scarcity and competition
Why are security trends important? Because one person's reactive event is another person's proactive indicator.
Enterprise Security Risk Management Options
- Security investment analysis
- Utilize a security management framework
- Have a clear security strategy
- Level your risk structure
- Evaluate all security resources at your disposal for the best mitigation path
Understand your security investment
- Are we spending our resources against the most important business challenges?
- Do we map investment to general, sector, and targeted threats appropriately?
- Do we understand the best strategy to resource against a threat portfolio in a manner that generates the highest ROI?
- Do we manage risks by relevant business unit (BU)?
Utilize a Strategic Management Framework
Inputs to the framework:
- Vision and principles
- Security operations
- Organization & governance
- Change management and BU integration
- Business case (i.e., investments and ROI)
- Linkages to partners & suppliers
- Linkages to other enterprise risk frameworks and processes
- Business environment (i.e., commercial and regulatory)
- Corporate and BU strategies
- Geopolitical trends and forces
Countermeasure portfolio cycle: Design; Evaluate the risk versus investment trade-off; Implement; Compliance, metrics and reporting.
Also feeding the framework: Risk exposure and prioritization; Standards, legislation and regulation; Security practices and technologies.
Have a clear security strategy: three security layers
- Security Foundation
- Preventive Security
- Secure Innovation
(Resource split shown on the slide: 65%, 10%, 25%)
Program components: Policies & Standards; Awareness & Training; Laptop Encryption; Secure Desktops; Compliance; Investigations; Incident Response; Security Monitoring; Vendor Security; Mobile Device Security; Security Tools Management; Security Testing & Monitoring Program; Security Architecture; Security Metrics; Security Risk Management; Business Continuity Planning; Crisis Management; Disaster Recovery Planning; Establish Security Technology Layer; Custom Security Solutions; Security Seeds (Partnerships); Cloud Computing; SOA Security Architecture; Fraud Algorithms; Secure Coding.
Risk Leveling Matrix
Rows: Impact level description (the level of effect on the organization); Immediate qualifying factors (occurrences that would immediately qualify for this level); Likelihood (probability that a given event will occur) with qualifiers / examples (events that would equate to this risk rating).

Severity Level 3
- Impact: May result in the costly loss of tangible assets or resources. May violate, harm, or impede an organization's mission, reputation, or interest. Resulting or may result in human injury.
- Immediate qualifying factors: Information resources may only be mildly affected. Non-critical information is vulnerable to an exploit that is relatively easy to execute, and there are no controls or only weak controls currently in place to prevent or detect such an attack. An important system has no disaster recovery environment, or its capacity does not meet operational requirements.
- Likelihood and examples: May be or is happening now; medium probability that a particular event will happen. An information resource has a vulnerability, however no publicly known exploit exists, and our environment may be mildly affected.

Severity Level 4
- Impact: May result in the highly costly loss of major tangible assets or resources. May significantly violate, harm, or impede an organization's mission, reputation, or interest. Resulting or may result in human injury or death. Resulting or may result in major legal actions.
- Immediate qualifying factors: Information resources are vulnerable to an exploit that is relatively easy to execute, and there are no controls currently in place to prevent or detect such an attack. A systemic weakness that applies to the enterprise and may put a majority of information resources at risk. Some PII is exposed. A critical system's disaster recovery plan is not documented and/or exercised.
- Likelihood and examples: May be or is happening now; high probability that a particular event will happen. An information resource has a vulnerability and a publicly known exploit exists. The company is non-compliant with regulatory or policy requirements and subject to fines or penalties.

Severity Level 5
- Impact: Almost certain to result in the highly costly loss of major tangible assets or resources. Almost certain to significantly violate, harm, or impede an organization's mission, reputation, or interest.
- Immediate qualifying factors: Active network attack. Compromised system. Breach of Personally Identifiable Information (PII) such as sensitive customer data or employee data. Other regulatory violations (e.g., environmental, FCC, etc.) as determined by an authoritative group.
- Likelihood and examples: Is happening now or an incident has occurred; very high probability that a particular event will happen soon. Exploitable attack in the wild. Evidence that a breach has occurred. The company is non-compliant with regulation.
Drivers for change in security convergence
- Rapid expansion of the enterprise ecosystem
- Value migration from physical to information-based and intangible assets
- New protective technologies blurring functional boundaries
- New compliance and regulatory regimes
- Continuing pressure to reduce cost
Convergence defined: the integration, in a formal, collaborative and strategic manner, of the cumulative security resources of an organization in order to deliver enterprise-wide benefits through enhanced risk mitigation, increased operational effectiveness and efficiency, and cost savings.
Security Intelligence: "Enterprise security intelligence is emerging as a comprehensive, holistic alternative to traditional disjointed security approaches." – Gartner, 2010
Thoughts
- If you're going into the cloud, be sure you have a clear security plan to manage the security issues.
- Ensure your security spend is mitigating your most important risks.
- Retain your best security talent.
Associations
- ASIS International: www.asisonline.org
- Information Systems Audit & Control Association (ISACA): http://www.isaca.org/
- Alliance for Enterprise Security Risk Management (AESRM): www.aesrm.org
- Cloud Security Alliance: www.cloudsecurityalliance.org
Dave Tyson, CISO, PG&E, 415 973-5455, [email_address]

Editor's Notes

  • #3: Eastern Europe discussion on organized crime (OC) business