1. David A. Cass, CISO Cloud and SaaS Operations
October 5, 2015
Information Security and the
Innovator’s Dilemma

2. A notable quote
“Strategy without tactics is the slowest route to
victory.
Tactics without Strategy is the noise before defeat.”
- Sun Tzu

3. Agenda
3
We will review the external, internal factors, and
the threat landscape that is driving change.
We will discuss failure modes and how to
overcome them, and look at innovation drivers.
A framework for innovation
How to execute on an innovation strategy
What’s Changed?
Why CISO’s fail?
Enabling Innovation
Execution
Wrap Up

4. What’s changed – In the news
! 2015 as the year of escalating breaches
– Retail breaches
! 40 to 60 + million card holders impacted
! Cost of breaches estimated in the Billions of dollars
– Medical records
! 80 million social security numbers exposed
! the cost per record breached for healthcare
organizations is $363*
– Entertainment Industry
! Corporate network taken over
! Exfiltration of movies
! Loss of corp. emails, PII, and more..
– Government
! personnel data of 4.2 million current and former Federal government
employees had been stolen.
! background investigation records of current, former, and prospective
Federal employees and contractors.
! More than 21 million SSNs and 5.6 million finger print records

5. ! External Factors
– Emerging Markets
– Outsourcing
What’s Changed?

6. ! External Factors
– Privacy
! > 80 Countries
with Privacy Laws
! US vs. EU vs.
APAC definitions
! Opt in vs. Opt out
What’s Changed?

7. ! External Factors
– Law & Cyber
! HIPAA, GLBA, MA, CA…
– Cloud
! Fundamental change to the
way people work
– Mobile Apps
– BYOD
– Social
– Big Data
– IOT
What’s Changed?

8. ! Internal Factors
– Expectations of
workforce
– Insider threat
– Changes in IT staff
core competencies
– Increased focus on
Risk Management
What’s Changed?

9. Threat Landscape - Then
• Captive Workforce
• Desktops & Laptops
• Corporate Network with VPN for remote workers
• Corporate Owned Devices
Enterprises
• Rouge Individuals
• Motivated by the challenge
• Little or no financial gain
Attackers
• Noisy
• Server side/infrastructure vulnerabilities
• Noticeable
• Damaging & Costly but not complicated to remediate
Attacks

10. Threat Landscape - Now
• Highly Mobile Workforce
• Smartphones & Tablets
• Use of home Wi-Fi, free Wi-Fi, cellular
connections
• Corporate Owned Devices
Enterprises
• Organized
• Well funded
• Highly skilled
• Organized Crime
• Financial/Political gain
Attackers
• Stealthy
• Applications, Databases, and Social Engineering
• Hard to detect
• Goal is data exfiltration
Attacks

11. Why CISO’s fail?
Used to be:
Failure to help the business
with:

12. Innovation Drivers
! Companies are very vulnerable to disruption!
! Low barrier to entry
! Disruption defined:
– The same value delivered in different ways
! Time to market is critical
! Innovation allows companies to pivot

13. Guidelines / Framework for Innovation
1. Research first
2. Innovate process at small scales
– Improves ability to deliver
– Allow everyone to innovate
3. Share as much as you can
– Break down silos
– Transparency = Speed

14. Guidelines / Framework for Innovation
4. Sell it before you make it
– See what works
– Get traction
– Don’t build solutions in search of problems
5. Act Responsibly
– Reputation
– Say what you do and do what you say!
– Aspirational vs. attainable

15. How can Security Innovate?
! Understand what is the Critical Business Knowledge
! Business Transformation
! Policies, Standards, Training & Awareness
! Communications at the Board and Exec Level
! Privacy and Security by Design

16. Innovation
! Critical Business Knowledge
– Define it
! Is it a source of competitive advantage
! Is there a regulatory requirement
– Define a goal

17. Innovation
! Business Transformation
– What is the experience we want?
– How do we deliver what they want?
– Transparency

18. Innovation
! Policies & Standards
– Right size them
– 1 page with bullet points
! Training & Awareness
– Deliver the message in the way people consume
info today

19. Innovation
! Communications at the Board and Exec Level
– Become a better story teller
– Frame the conversation using FORR
! Financial
! Operational
! Reputational
! Regulatory

20. ! Practice Privacy by
Design
– Proactive not Reactive
– Privacy as the Default
Setting
– Privacy Embedded into
Design
Innovation

21. Innovation
! Practice Privacy by Design
– Full Functionality
– End-to-End Security – Full Life Cycle Protection
– Visibility and Transparency
– Respect for User Privacy

22. Innovation
! Security by Design
– Protect the data and application
– Security Awareness Training
– Partner with the business
! M&A process
! Cloud

23. Innovation
! Security by Design
– Risk & Assurance
– Application Security COE
– Security Architecture
– Incident Response

24. Execution - Focus on Four Principles
! Familiar
! Simple
! Impactful
! Measured

25. Execution - Putting Innovation to work
! Strategy is the starting point of execution
– Clear and relatively simple
– You need to know what really matters
! To execute you need:
– Alignment
– Agility
– Coordination

26. Executing Strategy
! Is low price a strategy?
! Strategy is not:
– A string of buzzwords
– Not a vision statement
– Not a financial projection

27. Executing Strategy
Alignment
AgilityCoordination

28. Wrap up
! Innovation requires you understand the way the
business works
! Apply the principles for innovation
! Use the strategy execution triad
! We win by accomplishing business goals

29. Questions?
David Cass
CISO, IBM Cloud & SaaS Operations
E-mail: dcass@us.ibm.com
Twitter: @dcass001
Linkedin: www.linkedin.com/in/dcass001/