BRIDGING THE GAPS AND PREPARING FOR THE FUTURE!

James Beeson
Chief Information Security Officer
April 20, 2011


We Are Fighting The Same Battle!

Same Risks
  • Business Disruption
  • Unauthorized Access
  • Data Leakage/Loss
  • Data Integrity Issues
  • Regulatory Non-Compliance

Don't Reinvent the Wheel
  • Collaborate
  • Use Existing Frameworks: ISO 27001, COBIT, NIST Standards

Similar Threats
  • Mistakes/Accidents
  • Organized Crime (APT)
  • Vulnerabilities (SW/HW/NW)
  • Unauthorized Software
  • Social Engineering (Phishing)


CIO & CISO Roles Similar

  • Need to understand what the business does
  • How does technology enable the business processes
  • Branding and marketing for the cause
  • Evangelist for the profession and its importance
  • Salesperson to get things accomplished
  • Leader to motivate people to do the right thing

Aren't We All Just Used Car Salespeople?


Mix of Technical Expertise and Leadership

Information Security Technical Expertise
  • CISSP (Certified Information Systems Security Professional)
  • CISA (Certified Information Systems Auditor)
  • CRISC (Certified in Risk and Information Systems Control)
  • CISM (Certified Information Security Manager)

Leadership
  • Team Building and Motivation
  • Effective Speaking and Presentation Skills
  • Hiring and Management Skills
  • Style Flex – Understanding Motivation
  • CAP (Change Acceleration Process Training)
  • ITIL (Information Technology Infrastructure Library) Skills
  • Six Sigma or similar Quality Training


Just Say "Yes" Approach

  • Works Better than Chicken Little or FUD
  • Shifts the Ownership/Burden of Risk
  • As They Say, "It's All In The Spin"
  • Push for Data Driven Decisions

IT and CISO DO NOT Own the Risk!


KNOW THE 2 MINUTE ELEVATOR SPEECH

Top Risks
  • Data Leakage/Loss
  • Unauthorized Access
  • Business Disruption
  • Data Integrity Issues
  • Regulatory Non-Compliance

Top Threats
  • Phishing (Social Engineering)
  • Unauthorized Software
  • Organized Crime (APT)
  • SW/HW/NW Vulnerabilities
  • Mistakes/Accidents

Key Operating Elements
  • Information Security Risk Management
  • Identity Management (Access Control)
  • Monitoring & Incident Response

Strategic Approach
  • Strong, Simple, Risk Based Policies
  • Layered, Measurable Approach
  • Ongoing Risk Assessment & Quick IR
  • Continuous Education and Awareness

DRIVES
  • Tarnished Brand Name
  • Revenue Loss
  • Added Costs (regulatory fines)


Security is an Enabler to Compliance and Reducing Risk

  • Leverage Compliance and Legal
  • Take Advantage of Operational and Business Risk Knowledge
  • Mix Training, Education, and Communications
  • Embed Security in Technology and Business Processes
  • Shift from Slowing-Down to Enabling


Measurement Drives Behavior

As Lord Kelvin once said: "If You Can't Measure It, You Can't Improve It"

Typically Improvement is Measured by:
  • Reduced Cycle-Time
  • Reduced Cost
  • Reduced Defects

Key Takeaways
  • Schedule Recurring Reviews
  • Know Your Audience
  • Tie Improvement Metrics to Performance
  • Don't Reinvent the Wheel
  • Automate and Define Clear Ownership

Threat x Opportunity = Risk


Trends

  • I Don't Buy Your Shoes, Why Would I Buy Your PC
  • Cloud is the Preferred Way to Manage Data
  • Conundrum – Digital Natives vs Baby Boomers
  • Power Portability/Mobility with No Perimeter
  • Organized Crime (APT) is "Big Business"
  • Focus on Compliance, Not Security Posture
  • Social Engineering Rules – An Education Issue


Things That Make You Go Hmm

  • 2 Billion People Internet Connected
  • YouTube >2B Views/Day
  • Over 22 Billion Tweets in 2010
  • Facebook – World's 3rd Largest Country
  • Over 100 Million Users on LinkedIn
  • Internet Background Check Common
  • Texting & Apps Overtake Voice
  • PCs/Laptops Dropping in Sales
  • 1/5 Marriages from Internet Dating


Summary

  • Fighting the Same Battle – Leverage Everyone!
      – Risks are basically the same
  • Know Your Business – Become an Enabler
      – Reduces the "Hindrance" factor
  • CIO and CISO Roles are Similar
      – Aren't we all just Salespeople
  • Measurement Drives Behavior
      – "If you can't measure it, you can't improve it"
  • Digital Natives versus Digital Immigrants
      – Helping to "Bridge The Gap"


QUESTIONS?

Contact Information:
Email: James.Beeson@GE.com
Telephone: 01 203 205 5450


James Beeson SOURCE Boston 2011