Pamela Fusco, CISSP, CISM, CPP
Executive Vice President, Security Strategy & Solutions
Influencing the Future of Security in Your Organization
Identify and validate the existing security program in support of building an enterprise-wide Security & Risk Management Program
Interview stakeholders and business leaders
Review previous assessments, reports, and current and planned IS architectures and initiatives
Enlist a phased approach
Define tactical and strategic objectives
BORING!!
State The Obvious And Back It Up With Reality
Unknowingly accepting risk levels far beyond the organization’s risk tolerance
Gaps in InfoSec capabilities have clear business impact
Underinvestment results in unacceptable risk tolerance
Security must become an enabler for business strategies: Current! Strategy! Innovation! Have fun!
Launch a comprehensive InfoSec program that meets the needs of today but looks to meet the future
Business and IS leaders must own taking security to the next level
Program components (each assessed against the maturity scale below):
Security Program Compliance and Reporting
Governance, Policies and Standards
Asset Profile
Technology Specifications
People & Organizational Management
Technical Security Architecture & Strategy
Processes and Operational Practices
Business Drivers

Maturity scale, lowest to highest:
Ad-hoc processes, performed inconsistently, minimal controls
Documented processes, generally performed consistently, evolving controls
Documented, consistent enterprise-wide controls, strong controls
Informal security governance
Inconsistent Security Posture throughout the Enterprise
Ineffective vulnerability / patch management
Lack of Security Influence for SDLC
Accepted security risk inconsistent with risk culture
No accountability; Limited business awareness of Information Security
Lack of comprehensive asset inventory & classification/management
Lack of consistent, repeatable practices and security controls
Infrastructure security configuration standards are at times undefined and do not support the enterprise
Information security significantly understaffed. Lack of security culture & governance model
Lack of metrics and reporting, unable to show progress.
No consequences for noncompliance
Security program does not adequately support business strategies
Unknowingly Accepting Risk
Gaps In Infosec Capabilities Have A Clear Impact: Meet The Needs Of Today But Seek To Meet The Future
Understanding compliance requirements
Meet with stakeholders: listen to their requests
Know your audience (terminology); speak at their level
Knowledge vs. understanding
Delete vs. Deleted
Stacks and racks full of laptops, desktops and servers
Ask for volunteers; organize a sampling of users for a pilot group (POC). This fosters a sense of participation and encourages acceptance
Internal users
External users
How many of you know someone who knows someone who knows how to write c@de?
Test, evaluate and validate
Document the experience
An InfoSec Program That Meets The Needs Of Today But Strives To Meet The Future
InfoWorld (Symantec): 93% of bots and "issues" are unknowingly generated via consumers (i.e. home users)
As more consumer communications and devices enter the corporate enterprise, security professionals need to consider the risks: IM, Gmail, iPhones, etc.
Working from home, often using home networks that have been configured by home users
Employees are consumers and as such use the technologies in the office (approved or not)
Simultaneously, employers adopt consumer products to be used for business (USBs, smartphones, etc.)
Prohibiting or blocking consumer activities is not a long-term viable solution (i.e. cell phones with cameras, etc.)
Mobile devices bypass traditional vectors
No! No Way! Not Happening! Not the answer to gaining support
Implementing low-cost technology controls and practices will enable people, process and technology to function, reduce the risk of data loss and increase interoperability
Deploy an AUP & content monitoring, SSL VPNs
Disable port tunneling from unmanaged systems
Restrict download volumes or attachments
Robust and early-adopter solutions: NAC, DRM or VMs (laptops)
Who Is Making $ And Who Is Losing $: Cybercrime Is A Billion $ Business
Bot-herders, fraudsters and exploit writers are all making lots of money
"Super Trojan" selling on the net: $600
E-mail address lists and log-in details for sites (volume discounts): 1-10 accounts $5 per account; 10-50 accounts $4.50 each; 50+ accounts $3.50 each
Hacked root server: $100 to $150
Hosting services for a financial scam: $20 per day, or $80 per week
15,000 e-mail addresses, all verified as genuine: on sale for $1,500
Underinvestment Results In Unacceptable Risk Tolerance
[Chart: security spending as a percentage of IT budget (estimates, 0% to 25%) plotted against risk tolerance (low to high, scale 1 to 10)]
Low risk tolerance: 12% to 18% of IT budget
Medium risk tolerance: 6% to 12% of IT budget
High risk tolerance: 1% to 6% of IT budget
Example organizations plotted, from low to high risk tolerance: global bank, stock exchange, regional telco, brake-liner manufacturer
"Our Co." marks where your own organization sits on the chart
Source: The Gartner Group
Take 1 Down And Pass It Around Approach
• Need metrics and reporting
• "Hard numbers" supporting the business
• Benchmarking: compare to peers and competitors
• Transactions have been growing at X rate over X time
• Monitoring & managing the InfoSec program
• Compliance & oversight
• Too many projects, too much data
• Standards & common builds
• Making your own pizza can be more expensive than calling for a delivery
Introducing Security Changes: Change Brings More Change
Set the expectations
Don't drink from the fire hose
Value propositions
There are risks, known and unknown
Try not to overshoot or over-commit
Admit shortcomings
Change brings errors and mistakes
Change brings frustration, stress and finger pointing
Change is usually viewed as negative before, during and after, due to fear of the unknown
Explain why, and define the expected end state and outcomes
Be positive
Involve & collaborate
Participate or accept the end result
Celebrate successes and failures; communicate milestones
Keeping Current
Look forward: reminders from our recent past and imminent future, their impact and possible implications:
Digital music => Copyright => Music industry sales?
Telecommunications => Offshore outsourcing => Local white-collar work?
Voice over IP => Personal communications => Phone companies?
RFID => Inventory costs => Privacy & security?
Flat-screen TVs => Redesign of living space => Furniture sales?
Where Do You Want Your Organization To Be In 5 Yrs
Security Principles
Security is a business issue: protect the company and enable the business strategies
Access is based on need: the right people have the right access to the right information at the right time
Mitigation cost aligned with risk
A layered approach is required for protection
Consequences for non-compliance
Vision: Strategic Planning Enables
Information access and business integration
Risk reduction
Regulatory compliance
Innovation
Migration from reactive to proactive to predictive
Security is people, process, technology
Target state for each program component:
Security Program Compliance and Reporting: the compliance program reports on conformance to security standards, monitors metrics and key performance indicators, and reports on the value and effectiveness of the security program
Governance, Policies and Standards: executive management provides direction; stakeholders co-develop and share accountability for policies and standards
Asset Profile (technology, physical, information): assets and information are inventoried and classified
Technology Specifications: standards maintained with evolving technology and risks; systems configured according to developed standards
Business Drivers: security enables business integration, risk reduction and regulatory compliance
People & Organizational Management: the security organization has enterprise reach; roles and responsibilities for information security are clearly defined across the business and IS
Processes and Operational Practices: consistent security processes defined and managed enterprise-wide; results are measurable and predictable
Technical Security Architecture: consistent security architectures implemented for access models and layered defense-in-depth enable partner integration, application deployment, managed access, and incident prevention/containment
Launching a Comprehensive Information Security Program
Core Information Security Initiatives:
Organization and Communication
Governance and Policy
Incident Response & SOC
Threat and Vulnerability Management
Risk Mitigation
Information Security Integration
[Roadmap chart: the program components above (Security Program Compliance and Reporting; Governance, Policies and Standards; Asset Profile; Technology Specifications; People & Organizational Management; Technical Security Architecture; Processes and Operational Practices; Business Drivers) phased in across a timeline running April '07, Dec '07, Dec '08, Dec '09 and Dec '10]
My Profound Visual Experience
No reported incidents or disclosure: "How do you know?"
Patches for everything
Mountains of logs
Data/information owners ("Who are you?")
Key aspects of a holistic, sustainable, realistic and reliable compliance and security strategy:
P-I-T (point-in-time) assessments may provide a false sense of security
Measurable controls
M&A and R&D provide external partners with access to what they need without exposing to them assets that they should not access
Plug and play in conference rooms
Invest in innovation
Catching the baseball: you don't go to where it is now, but to where it will be when you finally get there
Where do you want your organization to be in X years? Where will the industry be in X years? I.e. testing and evaluation of biometrics
Partner with vendors; attend external events and participate in beta programs; knowledge transfer
Focusing on a single tool or methodology rarely exposes the big picture; implement solutions
Innovation relies on the "human element": understanding the culture
Early adopters vs. good followers
Custom vs. open source vs. vendors
Security Must Become An Enabler For Business Strategy And Innovation: Have Fun!
What Does The Future Hold
No by-way on the Internet highway without identification
RFID & lots of satellite and GPS
Legally binding digital signatures (bye-bye Mont Blanc)
IM conversations may seem as casual as phone conversations, but they must be treated as formal correspondence and, like e-mail, the communications must be captured and stored
Anything and everything considered to be a mobile computing information mechanism: vehicles, baby monitors, jewelry
Streamlined data architectures and storage systems with built-in intelligence to enforce policies and procedures & manage data
More regulation, legal actions
Less paperwork
In Summary
Starts at the top but must be adopted at all levels of the organization
Create a "culture of compliance and risk thought"
"People" and "behavior" are the key ingredients
"Process" promotes reliability and repeatability
Use facts and data to measure progress
Best results occur when it's part of annual performance and business objectives
Security professionals can leverage numerous consortiums for advice and guidance: ISSA, ISACA, CISSP, ASIS, CERT, CMU CyLab, vendors