Defending the Digital Frontier

Upload: elsie

Post on 09-Feb-2016


DESCRIPTION

Defending the Digital Frontier. Rudy Giuliani’s Call to Action. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Defending the Digital Frontier

Defending the Digital Frontier

Page 2: Defending the Digital Frontier

Rudy Giuliani’s Call to Action

“The time has come for senior executives of U.S. corporations to follow the President's lead and make security a mainstream business critical, board-level issue…the time when security-related decisions could be left to persons at a mid-manager level or decided solely upon budgetary considerations has passed. Senior executives must now take the steps to plan, prepare and practice to address their organizational security threats and challenges.”

Page 3: Defending the Digital Frontier

Digital Security Breach: The True Cost

Cost: $15 to $20 million, or 1% to 1.5% of sales per incident

Tangible losses:
• Lost productivity
• IT support costs
• IT systems/software

Intangible losses:
• Damage to brand
• Third-party liability
• Loss of customer/supplier confidence

The greatest loss as a result of an IT security breach is the intangible impact.

Page 4: Defending the Digital Frontier

Security Drivers in Today’s Complex Environment

• Regulation: HIPAA, GLB, Sarbanes-Oxley, Patriot Act, Homeland Security Act
• Economic drivers: ROI, risk, profits; homeland security, shareholder value, productivity
• Industry/regulatory groups: BAI, DOC, DOT, FDIC, Federal Reserve, FEI, FFIEC, FS-ISAC, InfraGard, ISACA, ISF, ISSA, NCUA, NIST
• Standards and certifications: BS 7799, CBCP, CISSP, ISO 17799, ITIL, SANS/GIAC
• Complex technologies: security management, network management, operational integrity, managed security services; authentication, authorization, administration, encryption, firewall/VPN

Page 5: Defending the Digital Frontier

Multiple Drivers Are Bringing Digital Security to the Boardroom

• Privacy/Fraud (CA 1386, GLB, HIPAA)
• Sarbanes-Oxley
• Homeland Defense (Homeland Security Act, USA Patriot Act)

Digital security sits where all three meet: the “triple witching” event.

Page 6: Defending the Digital Frontier

Technical Advances & Increasing Regulation

IT executives are increasingly focused on controls (HIPAA, Sarbanes-Oxley, Homeland Security).

• Improving function: feature, productivity, reliability
• Improving control: security, predictability, stability

Page 7: Defending the Digital Frontier

What is the Digital Frontier?

The digital frontier is the forward edge of technological impact with respect to organizations’ usage of technology and their reliance upon it for productivity improvements.

[Chart: IT usage (low to high) against reliance on IT (low to high). Productivity improvement rises along the diagonal from mainframe (MF) in the 1970s, through client/server in the 1980s and the Internet in the 1990s, to mobile in the 2000s.]

Page 8: Defending the Digital Frontier

Increased Security Risks

As organizations invest for productivity improvement out to the edge of the digital frontier, they also encounter increased security risk, through both a greater impact and a greater probability of technology failure.

[Chart: probability of failure (low to high) against impact of failure (low to high). Increased risk rises along the diagonal from mainframe (MF) in the 1970s, through client/server in the 1980s and the Internet in the 1990s, to mobile in the 2000s.]

Page 9: Defending the Digital Frontier

The Security Frontier

[Chart: the two previous diagonals overlaid. IT usage and reliance on IT (productivity improvement) and probability and impact of failure (increased risk) both rise from the 1970s to the 2000s.]

The digital frontier and the corresponding security risk combine to create a new frontier. We call this the security frontier.

Page 10: Defending the Digital Frontier

The Digital Security Gap

Caught up in the pursuit of productivity improvements, management apparently overlooked security.

[Chart: total spending (low to high) over time, 1990s to 2000s. Total IT spending has risen much faster than total security spending; the widening difference is the digital security gap.]

Page 11: Defending the Digital Frontier

6 Key Security Characteristics

Page 12: Defending the Digital Frontier

1) Aligned

[Diagram: digital security aligned with business objectives, digital assets and the IT organization.]

The attainment and maintenance of appropriate alignment between digital security, the IT organization, digital assets and business objectives.

The distance between the top levels of management and the security team is known as the Security Management Gap.

79% of respondents in the 2002 Ernst & Young Digital Security Overview survey indicated that the documentation, implementation, and follow-through cycle for their information security policies was not being carried out completely.

Page 13: Defending the Digital Frontier

2) Enterprise-Wide

[Diagram: corporate security extended across the whole enterprise.]

A holistic view of the security needs for the entire organization, as well as its extended enterprise, to ensure consistent, efficient deployment. Critical authority is given to a centralized body to ensure consistently highly effective security throughout the organization.

86% of companies surveyed have intrusion detection systems in place. However, of those companies, only 35% actively monitor 95% to 100% of their critical servers for intrusions.

Page 14: Defending the Digital Frontier

3) Continuous

Real-time monitoring and updating of all security policies, procedures, and processes to ensure a timely response to issues and opportunities.

46% of respondents indicated that they use manual or partially automated methods of tracking physical assets as opposed to fully automated methods.

Not occasionally. Not periodically. Continuously.

Page 15: Defending the Digital Frontier

4) Proactive

[Chart: risk intelligence (low to high) over time. The traditional approach consists of an initial assessment followed by periodic assessments, with risk intelligence decaying in between; the proactive approach adds ongoing monitoring, keeping risk intelligence high.]

The ability of a security program to effectively anticipate potential threats and vulnerabilities and to maintain the confidentiality, integrity, and availability of the organization’s digital assets.

Only 16% of respondents have a wide-scale deployment of a vulnerability tracking mechanism and knowledge of all critical information vulnerabilities.

Page 16: Defending the Digital Frontier

5) Validated

[Chart: rigor of validation increases along three dimensions: who validates (self, peer, 3rd party), what is validated against (a unit, a business objective, a standard), and the state reached (deployed, tested, validated).]

Achieving highly effective digital security requires third-party validation of critical security components and business objectives.

66% of respondents indicated that their information security policies are not in complete compliance with the domains defined by ISO 17799, CISSP, Common Criteria, or other recognized models.

Page 17: Defending the Digital Frontier

6) Formal

[Chart: policies placed by how well they are documented (minimally to highly) and how well they are confirmed (minimally to highly): situational, experience-based, documented, and, when both highly documented and highly confirmed, formal.]

Policies, standards, and guidelines, which provide fundamental direction on digital security issues and are endorsed by senior staff. To be formal, they must be documented and tested, then communicated to every member of the organization.

13% of respondents have integrated business continuity and disaster recovery plans that address recovering the entire enterprise. 7% indicated they have no documented plans in place.

Page 18: Defending the Digital Frontier

Technology and Business Objectives Drive Requirements

[Chart: probability of failure (low to high) against impact (low to high), divided into three security requirements zones: Minimum Standards Zone, Managed Risk Zone and Trusted System Zone. Example systems plotted on the chart: Information Kiosk, Public Web Server, Email Server, eCommerce System, Bank ATM, Health Care System, Financial System, Electrical Power.]

Page 19: Defending the Digital Frontier

The Security Agenda

Page 20: Defending the Digital Frontier

9 Strategic Areas of “The Security Agenda”

Centered on Security Strategy:
• Policies, Standards, & Guidelines
• Intrusion & Virus Detection
• Incident Response
• Physical Security
• Privacy
• Asset & Service Management
• Vulnerability Management
• Entitlement Management
• Business Continuity

Page 21: Defending the Digital Frontier

Complex Organizational Transformation

Technology, Process, People: all 3 components needed.

Page 22: Defending the Digital Frontier

Intrusion and Virus Detection

[Diagram: detection coverage across the layers of the environment: router, firewall, web server, application, operating system, database, SNMP, biometrics.]

Page 23: Defending the Digital Frontier

Incident Response

[Diagram: the incident response program consists of an event lifecycle and a program lifecycle, with the labels Mobilize and Administer.]

Page 24: Defending the Digital Frontier

Privacy

Lifecycle: Baseline, Diagnose, Improve, Maintain, Verify

• Baseline: stakeholder expectations, legislation, organization
• Diagnose: benchmarking/roadmaps; people, policies, operations, technology
• Improve: remediation plans, training
• Maintain: ongoing monitoring, re-certification
• Verify: independent verification, service provider compliance, data registration

Page 25: Defending the Digital Frontier

Policies, Standards, and Guidelines

Page 26: Defending the Digital Frontier

Physical Security

[Diagram: physical security spanning three dimensions: structural, procedural and digital. Elements shown: fences, walls, gates, guards, cameras; biometrics, infrared, authentication, surveillance.]

Page 27: Defending the Digital Frontier

Asset & Service Management

[Diagram: asset management spanning technology, process and people, across cable and circuit, portfolio, financial, procurement and contracts.]

• Manage and track assets
• Automate processes
• Manage asset financial information
• Budget analysis
• Manage connectivity and cable plant
• Aid decision-making
• Streamline processes
• Manage and track contracts

Page 28: Defending the Digital Frontier

Vulnerability Management

[Diagram: maturity of vulnerability management plotted as expanding control (IT process, accountability) against expanding scope over critical infrastructure (technology and people), progressing through knowledge, deployment and accountability.]

• Just protect systems: Security Systems Team; configurations, policies, alerts
• Serve and protect systems: Security Team working with Key Assets Teams; know critical assets, feasible deployment, workflow/tracking
• Governance and accountability: CIO Team, IT Audit Team, CFO Team; compliance, audit ability, all critical infrastructure

Page 29: Defending the Digital Frontier

Entitlement Management

Components: identity management, access management, secure portals, data model, metadirectory, authentication management, single sign-on, access control, user management, policy management.

Page 30: Defending the Digital Frontier

Business Continuity

Phases: Define, Analyze, Design, Implement

• Business continuity roadmap
• Business impact assessment
• Threat and risk assessment
• Recovery strategies
• Business continuity plan
• Plan maintenance program

Page 31: Defending the Digital Frontier

A Scorecard for Evaluation & Action

[Matrix: the nine areas of the security agenda (rows) rated against the six key characteristics (columns), each cell scored High Risk, Medium Risk or Low Risk.]

Rows: Policies, Standards, & Guidelines; Intrusion & Virus Detection; Incident Response; Physical Security; Privacy; Asset & Service Management; Vulnerability Management; Entitlement Management; Business Continuity

Columns: Aligned; Enterprise-wide; Continuous; Proactive; Validated; Formal

Page 32: Defending the Digital Frontier

Security Organizational Framework

CEO
• Public, Media, Government Relations
• Security Committee

Security Officer (Asset Management, Physical Security, Continuity Planning, Service Management) and Privacy Officer

• Planning: business requirements, education, formal communications, governance, policies, project management, risk assessment, requests for proposals (RFP), standards & guidelines
• Architecture: technical requirements/design, technical security architecture, technology solutions
• Operations: incident response, access control/account management, investigations, standards/solutions deployment, training & awareness, vulnerability management
• Monitoring: auditing, reporting, systems monitoring, security testing

Page 33: Defending the Digital Frontier

The Roadmap for Success

Page 34: Defending the Digital Frontier

Executive management must understand

Scenario-based simulations (table-top exercises):
• The organization’s response
• Critical roles and responsibilities
• Action plans to minimize the effect of an incident
• Monitor and test responses

Page 35: Defending the Digital Frontier

Model and Define Risk

Establish consistent threat categories.

Digital impact/risk categories: Tactical Inefficiencies; Chronic or Series of Inefficiencies; Core Process or System Shutdown; Risk to Multiple Customers; Risk to Customer Segment.

Each category is mapped to a level on the Department of Homeland Security risk scale:

Level 1: Low (Green)
Level 2: Guarded (Blue)
Level 3: Elevated (Yellow)
Level 4: High (Orange)
Level 5: Severe (Red)

Page 36: Defending the Digital Frontier

Understand Risk Posture Curve

[Chart: frequency of occurrence (low to high) against impact of occurrence (low to high), with impact levels Low (1), Guarded (2), Elevated (3), High (4) and Severe (5) along the curve.]

Each of the 9 areas of the security agenda determines your risk posture, or how events will affect your organization.

Your risk posture changes as the environment and technology change.

Page 37: Defending the Digital Frontier

The Fulcrum of Control

[Chart: the risk posture curve (impact of occurrence against frequency of occurrence, levels 1 to 5). A fulcrum on the curve separates the high-impact end (levels 5 and 4), which calls for immediate action, from the high-frequency, low-impact end (levels 2 and 1), which is an ROI decision.]

The ability to control and contain digital security incidents is the key to success.

Management must determine this tipping point, or fulcrum, and use it to drive their focus.

Page 38: Defending the Digital Frontier

Forces Affecting Risk

Every time technology is changed or deployed, the risk posture curve moves.

Management must recognize this and deploy security resources accordingly.

[Chart: the risk posture curve (impact of occurrence against frequency of occurrence, levels 1 to 5). New or changed technology pushes the curve outward; risk management pulls it back.]

Page 39: Defending the Digital Frontier

Manage Risk for a Competitive Advantage

[Chart: the risk posture curve (impact of occurrence against frequency of occurrence, levels 1 to 5) for Company A compared with the industry curve.]

Maintaining digital availability when your competitors in your industry fail is critical to most companies’ long-term success.

Page 40: Defending the Digital Frontier

6 Characteristics by Industry

[Bar chart: average score for each of the six characteristics, by industry (Auto/Man, Energy, Financial Services, Life Sciences, Tech/Media, Telecom), on a scale from 2.55 to 4.15. Scores shown on the chart: Formal 3.48, 4.09, 3.25, 3.60, 3.64, 3.88; Validated 3.82, 3.48, 3.29, 3.84; Proactive 2.91, 2.88, 3.40, 3.03, 3.00, 3.16; Continuous 4.05, 3.41, 3.52, 3.31, 4.13; Enterprise-wide 2.77, 3.00, 3.18, 3.35, 3.52, 3.94; Aligned 2.77, 2.95, 3.41, 3.59, 3.72, 4.15. The order of the scores within each characteristic could not be matched to the industries.]

Page 41: Defending the Digital Frontier

Security “Orbit of Regard”

[Diagram: the CEO at the center, orbited by products/services, market share, customer service and growth. Digital security has moved from a distant orbit in the 1980s, closer in the 1990s, to a top executive issue in the 2000s.]

Security is a top executive issue.

Today, companies will compete on being able to respond to a digital threat.

Top executives must close the digital security gap.

Page 42: Defending the Digital Frontier

Highly Effective Security Cultures:

• are chief executive-driven
• maintain a heightened sense of awareness
• utilize a digital security guidance council
• establish timetables for success and monitor progress
• drive an enterprise-wide approach

The level of commitment of an organization’s personnel to the principles of security will determine the success or failure of the digital security program.

Page 43: Defending the Digital Frontier

For More Information…

Sajay Rai, CEO and Managing Partner, Securely Yours
[email protected]