Information security: importance of having defined policy & process
1. Information Security and the Innovator’s Dilemma
David A. Cass, CISO Cloud and SaaS Operations
October 5, 2015
2. A notable quote
“Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.”
- Sun Tzu
3. Agenda
• What’s Changed? – We will review the external and internal factors, and the threat landscape, that are driving change.
• Why CISOs fail? – We will discuss failure modes and how to overcome them, and look at innovation drivers.
• Enabling Innovation – A framework for innovation.
• Execution – How to execute on an innovation strategy.
• Wrap Up
4. What’s changed – In the news
• 2015 as the year of escalating breaches
  – Retail breaches
    • 40 to 60+ million card holders impacted
    • Cost of breaches estimated in the billions of dollars
  – Medical records
    • 80 million social security numbers exposed
    • The cost per record breached for healthcare organizations is $363*
  – Entertainment industry
    • Corporate network taken over
    • Exfiltration of movies
    • Loss of corporate emails, PII, and more
  – Government
    • Personnel data of 4.2 million current and former Federal government employees had been stolen
    • Background investigation records of current, former, and prospective Federal employees and contractors
    • More than 21 million SSNs and 5.6 million fingerprint records
7. What’s Changed? – External Factors
• Law & Cyber
  – HIPAA, GLBA, MA, CA…
• Cloud
  – Fundamental change to the way people work
• Mobile Apps
• BYOD
• Social
• Big Data
• IoT
8. What’s Changed? – Internal Factors
• Expectations of workforce
• Insider threat
• Changes in IT staff core competencies
• Increased focus on Risk Management
9. Threat Landscape - Then
Enterprises
• Captive workforce
• Desktops & laptops
• Corporate network with VPN for remote workers
• Corporate-owned devices
Attackers
• Rogue individuals
• Motivated by the challenge
• Little or no financial gain
Attacks
• Noisy
• Server-side/infrastructure vulnerabilities
• Noticeable
• Damaging & costly, but not complicated to remediate
10. Threat Landscape - Now
Enterprises
• Highly mobile workforce
• Smartphones & tablets
• Use of home Wi-Fi, free Wi-Fi, cellular connections
• Corporate-owned devices
Attackers
• Organized
• Well funded
• Highly skilled
• Organized crime
• Financial/political gain
Attacks
• Stealthy
• Applications, databases, and social engineering
• Hard to detect
• Goal is data exfiltration
12. Innovation Drivers
• Companies are very vulnerable to disruption!
• Low barrier to entry
• Disruption defined:
  – The same value delivered in different ways
• Time to market is critical
• Innovation allows companies to pivot
13. Guidelines / Framework for Innovation
1. Research first
2. Innovate process at small scales
  – Improves ability to deliver
  – Allow everyone to innovate
3. Share as much as you can
  – Break down silos
  – Transparency = Speed
14. Guidelines / Framework for Innovation (continued)
4. Sell it before you make it
  – See what works
  – Get traction
  – Don’t build solutions in search of problems
5. Act responsibly
  – Reputation
  – Say what you do and do what you say!
  – Aspirational vs. attainable
15. How can Security Innovate?
• Understand what the Critical Business Knowledge is
• Business Transformation
• Policies, Standards, Training & Awareness
• Communications at the Board and Exec Level
• Privacy and Security by Design
19. Innovation
• Communications at the Board and Exec Level
  – Become a better storyteller
  – Frame the conversation using FORR:
    • Financial
    • Operational
    • Reputational
    • Regulatory
21. Innovation
• Practice Privacy by Design
  – Full functionality
  – End-to-end security – full life cycle protection
  – Visibility and transparency
  – Respect for user privacy
24. Execution - Focus on Four Principles
• Familiar
• Simple
• Impactful
• Measured
25. Execution - Putting Innovation to work
• Strategy is the starting point of execution
  – Clear and relatively simple
  – You need to know what really matters
• To execute you need:
  – Alignment
  – Agility
  – Coordination
26. Executing Strategy
• Is low price a strategy?
• Strategy is not:
  – A string of buzzwords
  – A vision statement
  – A financial projection
28. Wrap up
• Innovation requires that you understand the way the business works
• Apply the principles for innovation
• Use the strategy execution triad (alignment, agility, coordination)
• We win by accomplishing business goals
29. Questions?
David Cass
CISO, IBM Cloud & SaaS Operations
E-mail: dcass@us.ibm.com
Twitter: @dcass001
LinkedIn: www.linkedin.com/in/dcass001/