This is a follow-on from my 2008 article in the July Issue of Information Security Magazine discussing the concepts of Macro-Information Security and Micro-Information Security.
Information Security Architecture: Building Security Into Your Organization (Seccuris Inc.)
Controls and solutions can mitigate risk, but can also deeply undermine business productivity and the benefits that new technologies may bring. Harnessing the SABSA Information Security framework will allow your organization to build robust enterprise security architecture, directly supporting and enabling your organization's core objectives.
This presentation will highlight the key concerns you should be aware of within your organization and current security program, as well as provide specific recommendations to successfully move your security and compliance goals ahead. Learn more about the techniques and tools readily available in the industry and how you can use these tools to create immediate wins and security improvements in your organization.
This presentation will explore suggestions for ways Security people in Central Ohio can and do collaborate to improve Security practices within and external to organizations. This will explore ISACs, ISAOs, partnerships such as the Collaboratory, Internships, ISSA, etc.
Dwight Koop's Chicago ECTF talk "The Chicago School of Cybersecurity Thinking..." (Cohesive Networks)
Slides from Cohesive Networks' COO Dwight Koop at the April 2015 meeting of the Chicago Electronic Crimes Task Force, sponsored by Cohesive Networks and the United States Secret Service.
On April 30, 2015 Dwight Koop presented “The Chicago School of Cybersecurity Thinking: A Pragmatic Mid-Western Look at Cybersecurity Risk and Regulation”
About the ECTF:
CECTF represents a diverse membership of over 600 public and private security professionals, academia representatives and law enforcement officials throughout Illinois, Wisconsin, and Northern Indiana. The United States Secret Service contributes to the CECTF by bringing together experts in an interactive environment. These professionals bring experience, knowledge, and resources to support electronic and financial crimes investigations, computer forensic examinations, and judicial testimony. Many members are investigators trained as responders to IT-related incidents, including network intrusion. The CECTF is dedicated to sharing knowledge of cutting-edge technologies, identifying cyber-based vulnerabilities, developing strategies to combat cyber and financial crimes, and the protection of our nation's critical financial infrastructure.
This Slideshare presentation is a partial preview of the full business document. To view and download the full document, please go here:
http://flevy.com/browse/business-document/it-security-and-governance-template-312
This Word document provides a template for an IT Security & Governance Policy and is easily customisable. Areas covered are: Security, Data Back-Up, Virus Protection, Internet & Email usage, Remote & 3rd Party Network Access, User-Account Management, Procurement, Asset Management and IS Service Continuity Planning.
Presented by Dr Sam De Silva, partner at Nabarro to over 100 CEOs and Executives in London.
Explains what leaders should do immediately after becoming aware of a cyber attack, from a legal perspective.
CEOs leading Recovery from Cyber Attack (Kevin Duffey)
This presentation was given to senior representatives from the Cabinet Office (UK Government), Capita, E.ON, Institute of Directors, Microsoft, Saga plc, Zurich Insurance, etc, at an event organised by Cyber Rescue on 29th June 2016.
Here's a look at what we discuss at an IANS Connector Event. We bring together a diverse group of high-level information security professionals for collective discussion and problem-solving. Participants will take away actionable insights which will allow them to become more effective leaders.
Strategies for cyber resilience - Everyone has a Role (Kevin Duffey)
Building on the observation that the significant majority of cyber-attacks succeed because of human error, this presentation explains how organisations can build, embed & sustain the resilient behaviours required across the whole workforce, regardless of their role or responsibility, to better protect their most valuable & commercially sensitive information.
Vulnerability management is one of the most important, yet most difficult and ‘boring’ information security processes I know. As it includes stakeholders from various business functions it requires delicate design and execution. I see VM as a big data and stakeholder management challenge.
Cyber Security Organizational Operating Model and Governance (Srinidhi Aithal)
Overview and recommendations on operating models to mitigate risk factors in the governance model followed by organisations. Presented as part of the Deloitte challenge.
Here's a look at what we discuss at an IANS Connector Event. We bring together a diverse group of high-level information security professionals for collective discussion and problem-solving. Participants will take away actionable insights that will help them become more effective leaders.
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ... (Dragos, Inc.)
Key Considerations for Executives from Dragos Executive Year In Review on Industrial Cybersecurity Strategy by Robert M Lee
Addresses questions of:
- How do we know if we’re underspending or overspending on ICS/industrial cybersecurity?
- What is the best thing we can do to get started that will help move us forward in OT security?
- If a major attack happens, what is the role of the government?
More Info here:
https://dragos.com/resource/insights-to-build-an-effective-industrial-cybersecurity-strategy-for-your-organization/
https://www.linkedin.com/company/dragos-inc./
Twitter: https://twitter.com/dragosinc
Cybersecurity Governance for Boards of Directors (Paul Feldman)
This paper discusses the emerging issue of Board of Directors governance and cybersecurity. Originally presented to the Boards of Directors of the IRC http://www.isorto.org/Pages/Home in May 2014. The paper is in a continuous improvement mode, with the ultimate aim of being a resource for Boards of Directors in the energy (electricity and natural gas) industry. Suggested updates and improvements are welcome at PaulFeldman@Gmail.com. The current copy is always at http://www.EnergyCollection.us/456.pdf
This presentation is aimed at a technical security audience seeking to advance into a security leadership role. In this interactive presentation, attendees will learn how they need to apply their technical skills in a CISO or security director role. In addition, they will learn the fundamentals of leading people, managing budgets and projects, presenting to an executive audience, and dealing with other challenging issues security leaders face.
This case study shows how our solutions improved accountability for data protection and visibility into timelines and implementation costs for a US energy enterprise.
When it comes to cyber security it is no longer enough to adhere to regulations; to ensure protection against cyber intrusion we must constantly implement best practices.
The Perspective of Today's Information Security Leader (Ravila White)
Overview: Security leaders today have become the psychologists of the business. Part scientist, scholar, practitioner and professional, they must possess a multi-dimensional perspective to meet competing business requirements. The Sacred Tao of information security is passé.
This presentation will provide you with the top four skills the business requires of security leaders. We will discuss:
- How the landscape has shifted
- How the aggregation of information is the key to success
- What the C-level wants
- How to become a Knowledge Worker
This presentation is for anyone who wants to exit the world of rote knowledge and enter the universe of critical thinking.
IT Risk Management & Leadership, 23 - 26 June 2013, Dubai (360 BSI)
WHY IS THIS IT RISK ASSESSMENT WORKSHOP IMPORTANT?
Are you effectively securing your organization’s IT systems that store, process, or transmit organizational information?
Is your IT risk management plan tailored to the specific risk profile of your business and being coordinated across all functional and business units?
With the release of IT Governance frameworks, requirements for risk management and new international standards entering the market, the pressure is mounting to ensure that all your IT risks are identified and the necessary action is taken – be this to mitigate them, accept or ignore them. So, how safe is your IT system? What are the risks that your organization is being exposed to?
The solution to this challenge is to establish an effective risk management process that protects the organization, not just its IT assets, and provides it with the ability to perform its mission.
Risk management is the process of identifying and assessing risk and taking preventive measures to reduce it to an acceptable level. It is critical that you develop an effective risk management program that assesses and mitigates risks within your IT systems and better manages these IT-related mission risks.
BENEFITS OF ATTENDING THIS WORKSHOP
Identify common IT project risks
Learn how to assess threats and vulnerabilities to create a risk response strategy
Understand what qualifies as risk with IT projects
Understand the most common IT risk sources
Qualify and quantify IT risks
Learn the difference between negative and positive IT risks
Develop an IT risk management plan
Plan risk response methods for IT risks
Create risk mitigation and contingency plans
Monitor and control project risks
Overcome resistance from stakeholders and team members
WHO SHOULD ATTEND THIS WORKSHOP
IT risk managers
IT security managers
Compliance officers
Program and project managers
IT project managers
IT operations managers
Contact Kris at kris@360bsi.com to register.
The presentation I use to introduce the post-grad module on information security and governance I teach at Edinburgh Napier University. If you want to find out more, google for 'INF11109' on the napier.ac.uk site.
Dealing with Information Security, Risk Management & Cyber Resilience (Donald Tabone)
Information Security
1. Why the need to think about it?
2. What exactly are we talking about?
3. How do we go about doing something about it?
4. Is there a one-size-fits-all framework?
Cyber security practices involve preventing malicious attacks on computers, servers, mobile devices, electronic systems, networks, and data. It is also called information technology security or electronic information security.
https://www.infosectrain.com/courses/ceh-v11-certification-training/
Learn the five steps all businesses must follow to protect themselves from costly data breaches. This will be the first of a monthly series of educational webinars for small business leaders. Knowing is the first step in protecting your business.
IT Risk Management & Leadership, 30 March - 02 April 2014, Dubai, UAE (360 BSI)
For every organization, effective cybersecurity is reliant on a careful deployment of technology, processes and people. The Global Knowledge cybersecurity perspective features a three-tiered organizational matrix, ranging from foundational to expert skills, coupled with eight functional specializations that encompass the features of a successful cybersecurity organization.
Cybersecurity isn’t a one-person job—it’s dependent on several different factors within an organization. This webinar will show you how to build a strong cyber defense by focusing on:
• The characteristics of winning cybersecurity teams
• The Crown – Organizational map and career progression
• The Castle – The eight functional specializations
• Architecture and data policy
• Data loss prevention
• Governance, risk and compliance
• Identity and access management
• Incident response and forensic analysis
• Penetration testing
• Secure DevOps
• Secure software development
• Building a winning cybersecurity organization
This presentation was delivered to Minnesota manufacturing CEOs who attended the April 2019 Enterprise Minnesota event. Manufacturing companies face real information security threats that they need to prepare for.
Join us on our upcoming BYOP (Bring Your Own Pizza) "Application Security Meetup" to hear about the latest cyber security breaches, trends and technologies in modern application development.
Agenda:
17:00 - 17:10 - Opening words - by Lior Mazor (Organizer)
17:10 - 17:35 - 'Recent cyber security attacks in Israel' - by Lior Mazor (Organizer)
17:35 - 18:00 - ‘How to deliver a secure product’ - by Michael Furman (Tufin)
18:00 - 18:30 - 'Hacking serverless - Introduction to Serverless Application Security' - by Yossi Shenhav (Komodo)
18:30 - 19:00 - ‘Post Apocalypse: Exploiting web messaging implementations’ - by Chen Gour-Arie (enso security)
1. Information Security
Science
The Art & Science of Simple Security
By Ravila White | CISSP, CISM, CISA, CIPP, GCIH
Making it better without making it complex
2. Disclaimer
This presentation and the concepts herein are my opinions through private research, practice and chatting with other professionals. It is not the opinion of past, present or future employers.
3. Overview
Information Security is a broad, deep and complex discipline. The success of information security requires succinct artful presentation and agile scientific execution.
This discussion will focus on the aspects of Macro and Micro Information Security: what it is, why you need it, and how to use it.
4. Information Security is…
“Knowing computer security and compliancy is like knowing the law, everyone has their own opinion and each judge interprets it differently.” [Bruce Lobree]
5. How do you get hurt skiing?
“Information Security and IT are a lot like skiing. You only get hurt when you ski beyond your abilities, out of control or out of bounds.” [Ravila H. White]
6. Learning from economists
“We can make information security more consumable by taking a page from economics history and making it divisible. Divide information security in the same manner as economics.” [Ravila H. White]
Macro-Information Security (the business process and resulting artifacts designed to influence business choices, protect the business, drive technology selection)
Micro-Information Security (the technology, controls, countermeasures and tactical solutions that protect information assets)
Simple Security (information security driven by and from the business)
Art (Emotional Right)
Science (Logical Left)
7. The ART of Macro-Information Security
Art is the process or product of deliberately arranging elements in a way to affect the senses or emotions.
8. What are the elements?
Dollars
Compounding Investments
Business Value & Concerns
Efficiency Gains
Asset Protection
Visualization
“Executives are strategists who should not focus on the minutiae of operations, but rather look outward at the competitive landscape.” [Baldwin & Curley]
9. How we arrange the elements
Business model analysis and mapping
Organizational dashboards
Authoritative Artifacts
Meaningful Visualizations
“Copy-Exactly accelerates the diffusion process and, at the same time, it simplifies system maintenance and user training.” [Baldwin & Curley]
12. The SCIENCE of Micro-Information Security
Knowledge of a system or knowledge covering general truths or the operation of general laws, especially as obtained and tested through the scientific method.
14. How do we protect simply?
Our primary protection is…
If the primary fails then…
Our secondary protection is…
If the secondary fails then…
Tertiary protection contains…
“Three Rules of Work: Out of clutter find simplicity; From discord find harmony; In the middle of difficulty lies opportunity.” [Einstein]
17. Protection is simple
In Scope
Asset core
Enterprise, point or hybrid
Primary, secondary and tertiary
18. Credits & References
General Professional Influencers
Business Model Generation
www.dictionary.com
Google: www.Google.com
Oxford Dictionary
Wikipedia: www.wikipedia.com
Managing IT Innovation for Business Value
Nick Malick
19. Copyright Information
Some works in this presentation have been licensed under the Creative Commons license (CC). Please respect the license when using the concepts or adapting them.
For more information please go here: www.creativecommons.org
Why has information security become so complex? In part the complexity has arisen from its beginnings in the military. You cannot protect a nation or lives without the best security.
The dotcom boom made information and data readily accessible. The value of information and data created a new type of asset: intellectual property and information assets.
Traditional companies realize an internet presence is essential to their continued growth. Criminals of any echelon realize they can tap the internet commodities with anonymity to reap financial rewards.
The government begins providing some regulation around the protection of data through laws like COPA, HIPAA, PCI etc. The outcome is organizations respond using old school information security tactics.
Now we are faced with the quandary of what to protect, how much protection is necessary, and how to make it mesh with the business.
When I learned to ski, my instructor told us how to avoid getting hurt. I took that to heart because shortly thereafter, my friends who were already great skiers tricked me into taking a black diamond run. I didn’t ski the run as skillfully as they did, but I stuck to the basics that I’d learned. Another factor was my physical condition. I had been strength training for an entire year prior to this so my legs didn’t tire out. The result was I survived a complex run and made it down the mountain safely.
This served as a very good learning lesson for me. (1) Our abilities will usually be tested in situations where you have little choice; however, by sticking to the basics you can navigate safely and successfully. (2) When confronted with complexity, fall back on simple techniques. (3) You can manage the unexpected if you have conditioned yourself in a manner that will complement the arenas you enter.
We are better information security professionals when we first understand the boundaries. Boundaries are set by regulators and the business.
We provide value when we understand how, when and where to apply security to the business. This reduces information security white noise.
Information security white noise is the next big ‘thing’ (e.g. threat or technology) that is on the horizon. Cloud computing has caused quite a stir. However, honestly, do we have to secure the cloud any differently than an on-site data center? It is secured using the same techniques and technology. The linchpin of cloud security lies with legal. Protection of assets entrusted to cloud vendors is managed through the contractual obligations your legal department agrees to. Another example is the push by some vendors to sell technology that is supposed to protect Unified Communications (UC) technology. Do we really need ‘special’ technology to protect UC?
Buying into information security white noise results in technology and technique complexity. It will force you and the organization you work for to work beyond the organization’s abilities.
Condition yourself by reading non-information security material. It will help you bridge the gap between you and the business, and it will be a long run.
Economics is the social science that studies the production, distribution, and consumption of goods and services. Sounds simple, but once you delve beneath the surface you realize why economics is a science. Look around the room we are sitting in and catalog the various goods you see: chairs, tables, windows, clothes, shoes, laptops, pens, Ethernet cables etc. Now think about who, when and how each is consumed or used. Next think about how it was distributed so that it could be consumed, and finally how it was produced. There is much to be considered. If you were to mind map just what you observed in this room, or even around your home, the end result would be a fairly tortuous diagram. Consideration is simplified through macro/micro economics.
Information security is complex. We know that. We must possess business acumen, law enforcement understanding, legal awareness, technology savvy and the human connection. We can make it easy for the business if we simplify.
Macro-Information Security is the big picture and how we communicate to management using the terms of the business. Macro-information security also extends externally to the organization to support partners and customers, as well as to ensure regulatory compliance. Internal extension includes support of convergence programs and alignment to business goals and objectives.
Micro-Information Security is the nuts and bolts, the details that support an organization’s information security practice. It’s the technology, controls, countermeasures and tactical solutions that are employed on a day-to-day basis. Most important is how you implement micro-information security. A scientific approach provides greater success as techniques used to reduce the threat of computer crime are based on known observations, experimentation, testing of hypotheses and measurable evidence.
When presenting information security to the business, should it be presented as art or science? You have to present both eventually. However presenting what has meaning to the business will prove most effective.
Information security practitioners cannot afford to offer knee-jerk solutions to the business. Nor can they continue to apply militaristic styles, which result in corporate revolt. Pandering to the latest threat, be it social media such as Facebook, is not advised either.
Talking to the business on its terms is what will gain you a seat at the table and support for current and future initiatives. That is how you appeal to the emotional right which takes artifice.
The Sagrada Familia is one of the best metaphors I can use to introduce the art of macro-information security. For anyone who has visited Barcelona and viewed it, it is unforgettable. I use it here as it truly does represent the definition of art. The deliberate nature by which Gaudi approached its design definitely affects one's senses. So deliberate was his approach that work has continued using the techniques he developed.
In the spirit of keeping security simple, let's apply the rule of 7±2, or no more than 10. This speaks to the number of individual elements or points that the human mind can easily retain.
Recently I discussed with fellow professionals how to present the security portfolio to the business. The first recommendation was a framework comprising the cross-cutting concerns of: (1) Identity & Access Mgmt and Provisioning, (2) Baseline Security & Configuration Mgmt, (3) Logging, Monitoring and Incident Response, (4) Business Continuity & DR, (5) Network Infrastructure & Zoning.
By the end of the discussion it was agreed that the cross-cutting concerns were Business Concerns, Efficiency Gains and Asset Protection. The list above consists of solutions and minutiae. It does not tell the business how it will continue to advance and survive in today's competitive marketplace.
The other problem with the initial elements is that they are solutions, not interests. You want to present interests to the business first. This will show you are aligned to the business. You can discuss solutions once you’ve validated business alignment.
The list we have here demonstrates the choice of effective elements/interests to present to business.
Copy-exactly is a method employed to avoid tinkering. Tinkering results in systemic inefficiencies to the business and in reactive solutions that do not reduce risk to the business. Additionally, tinkering produces unexpected results for the enterprise.
Copy-exactly applied to information security in the business means the use of the same or similar tools that the business uses to communicate, not information security centric tools. The result is the business understands how information security is supporting the business and how it is integrated within the business.
Copy-exactly supports the metaphor used at the beginning of this section. Had Gaudi not used a clear methodology for the Sagrada Familia, his successors could not continue and ultimately finish the project he began.
Copy-exactly when you present business concepts to the business. Need a dashboard? Then use the same dashboard as the CIO. Is there an ask around risk? Why not start with a SWOT analysis before diving into an infosec centric risk assessment.
Avoid abuse of copy-exactly by understanding why the model in use was chosen. Otherwise, when changes are made to the model, you may be left behind.
These are the major contributors and considerations for Macro-Information Security in the business.
Each vector interacts with the other vectors at any given time. Also, depending on where the business is, vectors may align or change position based on business priority.
The Regulator vector is on top because it is considered autonomous, as its behavior cannot be changed by any of the other vectors. It will likely drive the other vectors at some point.
The Internal Partner vector anchors Macro-Information Security as it ensures internal convergence is addressed and customer concerns are vetted.
The content vectors of The Business and External Partners drive the business and support the business with guidance from the governance vectors of Regulators and Internal Partners.
The simple visualization of a one dimensional image enables the consumer easy processing and the opportunity to arrange the image visuals as they would like.
This triad is a simple yet effective visual for presenting the concepts of Simple Information Security, Macro-Information Security and Micro-Information Security without overloading the consumer.
Each component of this triad can stand alone as a unit, pair or a whole and still bring value to the business.
If science is about testing general truths to find new truths, what is the opposite of science?
What do we know about systems? We know that they can be vulnerable to attack.
How are they vulnerable to attack? Through the human error of insecure coding or configuration.
What happens if we don’t secure our systems? The system will be attacked and data exposed.
What happens when we secure our systems? Risk to the business is reduced; dollars can be spent growing the business, IT staff can spend time on innovation rather than band-aids and fire fighting.
Can most of the basic security software today protect emerging technologies? More than likely. We know how to protect ports, we know how software is developed and we know someone is going to develop malware to take advantage of unprotected ports and software.
We protect the business assets
We protect the business against itself
We protect the business against competitors
We protect the business against what they are not aware of (e.g. hackers)
We protect the asset core, peripheral services and the infrastructure.
There is much debate around where information security should reside in the business. Lately the suggestion has been that it sits as a vertical alongside other vertically-oriented domain architectures, and also horizontally, with infusion points into those domain architectures.
Describing security as horizontal or vertical does not represent its true intent. The intent of security is to protect the interests of the business.
In a nutshell, security is a wrapper or insulator that is driven by the enterprise to protect the interests of the enterprise. This drawing illustrates how EA drives architecture with security as a wrapper. Business architecture is a backplane to the domain architectures of data, information systems and technical.
We make better choices for protection when we think of them as compounding investments. That is an asset that can be reapplied to protect future business investments.
At its most basic, we protect by investing in (1) identities, (2) preventative technologies and (3) encryption. By referencing our solutions in this manner, non-information security professionals can easily identify where dollars will be spent and calculate recurring costs.
Of the solutions mentioned, security testing, code review and threat modeling are not included. Why? Because these are one-time investments that can only be applied to one project at any one time. An example is the deployment of a web-based application that is internet facing. A full-featured security test will ensure the application is deployed without vulnerabilities. However, we know that a full-featured security test can cost more than $250K. To lower the cost of ownership, investing in an application firewall will ensure the application remains safe when incremental features are added. Additionally, risk to other applications is reduced by placing them behind the application firewall. When that zero-day hits, your application will remain protected.
The Chateau de Chenonceau is a castle located in the Loire Valley of France. It is a fitting metaphor to end our discussion. This ancient castle has survived over the years because each owner reflected on its strengths and weaknesses. It has survived through principles of reapplication, copy-exactly, and understanding which portions of the rebuild were in scope or which changes were necessary throughout the structure. The main castle is protected by a moat and guard house.
Before you begin your next information security project, remember to first reflect on what is present, then keep it simple by applying the art and science of simple security. The result is lasting value to the business.
Something I’d like to encourage all of you to do… when presenting in the future, list not only your online and book references, but also your people credits. We all meet people who are pivotal in growing our knowledge or professionalism. Don’t forget to mention them.