PAMELA FUSCO CISSP, CISM, CPP Executive Vice President Security Strategy & Solutions Influencing the Future of Security in Your Organization


Page 1:

PAMELA FUSCO, CISSP, CISM, CPP

Executive Vice President, Security Strategy & Solutions

Influencing the Future of Security in Your Organization

Page 2:

Influencing the Future of Security in Your Organization

Identify and validate the existing security program in support of building an enterprise-wide Security & Risk Management Program

Interview stakeholders and business leaders

Review previous assessments, reports, and current and planned IS architectures and initiatives

Enlist a phased approach

Define tactical and strategic objectives

BORING!!

Page 3:

State The Obvious And Back It Up With Reality

Unknowingly accepting risk levels far beyond the organization’s risk tolerance

Gaps in InfoSec capabilities have clear business impact

Underinvestment results in unacceptable risk tolerance

Security must become an enabler for business strategy and innovation (current strategy, innovation, and have fun!)

Launch a comprehensive InfoSec program that meets the needs of today but looks to meet the future

Business and IS leaders must own taking security to the next level

Page 4:

[Diagram: security program framework with the components Security Program Compliance and Reporting; Governance, Policies and Standards; Asset Profile; Technology Specifications; People & Organizational Management; Technical Security Architecture & Strategy; Processes and Operational Practices; and Business Drivers]

Maturity scale used in the assessment:

Documented, consistent enterprise-wide controls, strong controls

Documented processes, generally performed consistently, evolving controls

Ad-hoc processes, performed inconsistently, minimal controls

Informal security governance

Inconsistent Security Posture throughout the Enterprise

Ineffective vulnerability / patch management

Lack of Security Influence for SDLC

Accepted security risk inconsistent with risk culture

No accountability; Limited business awareness of Information Security

Lack of comprehensive asset inventory & classification/management

Inconsistent repeatable practices or security controls

Infrastructure security configuration standards are at times undefined and do not support the enterprise

Information security significantly understaffed. Lack of security culture & governance model

Lack of metrics and reporting, unable to show progress.

No consequences for noncompliance

Security program does not adequately support business strategies

Unknowingly Accepting Risk

Page 5:

Gaps In Infosec Capabilities Have A Clear Impact: Meet The Needs Of Today But Seek To Meet The Future

Understanding compliance requirements

Meet with stakeholders: listen to their requests

Know your audience (terminology)

Speak at their level

Knowledge vs. understanding

Delete vs. Deleted

Stacks and racks full of laptops, desktops and servers

Ask for volunteers; organize a sampling of users for a pilot group (POC), which fosters a sense of participation and encourages acceptance

Internal users

External users

How many of you know someone who knows someone who knows how to write c@de?

Test, evaluate and validate

Document the experience

Page 6:

An Infosec Program That Meets The Needs Of Today But Strives To Meet The Future

InfoWorld (Symantec): 93% of bots and “issues” are unknowingly generated by consumers (i.e. home users)

As more consumer communications and devices enter corporate enterprises, security professionals need to consider the risks: IM, Gmail, iPhones, etc.

Working from home, often using home networks that have been configured by home users

Employees are consumers and as such use these technologies in the office (approved or not)

Simultaneously, employers adopt consumer products to be used for business (USB drives, smartphones, etc.)

Prohibiting or blocking consumer activities is not a long-term viable solution (e.g. cell phones with cameras, etc.)

Mobile devices bypass traditional vectors

Page 7:

No! No Way! Not Happening! This is not the answer to gaining support

Implementing low-cost technology controls and practices will enable people, process and technology to function, reduce the risk of data loss, and increase interoperability

Deploy an AUP & content monitoring, SSL VPNs

Disable port tunneling for unmanaged systems

Restrict download volumes or attachments

Robust and early-adopter solutions: NAC, DRM or VMs (laptops)

Page 8:

Who Is Making $ And Who Is Losing $: Cybercrime is a billion-dollar business

Bot-herders, fraudsters and exploit writers are all making lots of money

"Super Trojan" selling on the net for $600

E-mail address lists and log-in details for sites (volume discounts offered): 1-10 accounts at $5 per account; 10-50 accounts at $4.50 each; 50+ accounts at $3.50 each

Hacked root server: $100 to $150

Hosting services for a financial scam: $20 per day, or $80 per week

15,000 e-mail addresses, all verified as genuine, on sale for $1,500

Page 9:

Underinvestment Results In Unacceptable Risk Tolerance

Security Spending as a Percentage of IT Budget (Estimates)

[Chart: x-axis is risk tolerance from 1 (low) to 10 (high); y-axis is security spending from 0% to 25% of IT budget; labelled points are Global bank, Stock exchange, Regional Telco, Brake-liner manufacturer, and "Our Co."]

Low risk tolerance: 12% to 18% of IT budgets

Medium risk tolerance: 6% to 12% of IT budgets

High risk tolerance: 1% to 6% of IT budgets

Source: The Gartner Group

Page 10:

Take 1 Down And Pass It Around Approach

• Need metrics and reporting

• “Hard numbers” supporting the business

• Benchmarking, compare to peers and competitors

• Transactions have been growing at X rate over X time

• Monitoring & managing the InfoSec Program

• Compliance & Oversight

• Too many projects, too much data

• Standards & common builds

• Making your own pizza can be more expensive than calling for a delivery

Page 11:

Introducing Security Changes: Change brings more change

Set the expectations

Don’t drink from the fire hose

Value propositions

There are risks - known and unknown

Try not to overshoot or over-commit

Admit shortcomings

Change brings errors and mistakes

Change brings frustration, stress and finger pointing

Change is usually viewed as negative before, during and after, due to fear of the unknown

Explain why, and define the expected end state and outcomes

Be positive

Involve & collaborate

Participate or accept the end result

Celebrate successes and failures, communicate milestones

Page 12:

Keeping Current

Page 13:

Look Forward

Reminders from our recent past and imminent future, their impact and possible implications:

Digital Music => Copyright => Music Industry Sales?

Telecommunications => Offshore Outsourcing => Local White Collar Work?

Voice over IP => Personal Communications => Phone Companies?

RFID => Inventory Costs => Privacy & Security?

Flat Screen TVs => Redesign of living space => Furniture Sales?

Page 14:

Where Do You Want Your Organization To Be In 5 Yrs

Security Principles

Security is a business issue: protect the company and enable the business strategies

Access is based on need: the right people have the right access to the right information at the right time

Mitigation cost aligned with risk

A layered approach is required for protection

Consequences for non-compliance

Vision

Strategic planning enables: information access and business integration; risk reduction; regulatory compliance; innovation

Migration from reactive to proactive to predictive

Security is people, process, technology

[Diagram: the security program framework (Business Drivers; Governance, Policies and Standards; Asset Profile; Technology Specifications; People & Organizational Management; Technical Security Architecture; Processes and Operational Practices; Security Program Compliance and Reporting), each component annotated with its target state:]

Security Program Compliance and Reporting: the compliance program reports on conformance to security standards, monitors metrics and key performance indicators, and reports on the value and effectiveness of the security program

Governance, Policies and Standards: executive management provides direction; stakeholders co-develop and share accountability for policies and standards

Asset Profile (technology, physical, information): assets and information are inventoried and classified

Technology Specifications: standards are maintained as technology and risks evolve; systems are configured according to the developed standards

Business Drivers: security enables business integration, risk reduction and regulatory compliance

People & Organizational Management: the security organization has enterprise reach; roles and responsibilities for information security are clearly defined across the business and IS

Processes and Operational Practices: consistent security processes are defined and managed enterprise-wide; results are measurable and predictable

Technical Security Architecture: consistent security architectures implemented for access models and layered defense-in-depth enable partner integration, application deployment, managed access, and incident prevention/containment

Page 15:

Launching a Comprehensive Information Security Program

[Roadmap figure: the security program framework diagram (Security Program Compliance and Reporting; Governance, Policies and Standards; Asset Profile; Technology Specifications; People & Organizational Management; Technical Security Architecture; Processes and Operational Practices; Business Drivers) repeated along a timeline running from April ‘07 through Dec ‘07, Dec ‘08, Dec ‘09 and Dec ‘10]

Core Information Security Initiatives:

Organization and Communication

Governance and Policy

Incident Response & SOC

Threat and Vulnerability Management

Risk Mitigation

Information Security Integration

Page 16:

My Profound Visual Experience

No reported incidents or disclosure: “How do you know?”

Patches for everything

Mountains of logs

Data/Information Owners (“Who are you?”)

Key aspects of a holistic, sustainable, realistic and reliable compliance and security strategy:

P-I-T (point-in-time) assessments may provide a false sense of security

Measurable controls

Page 17:

M&A and R&D: provide external partners with access to what they need without exposing assets that they should not access

Plug and play in conference rooms

Invest in innovation

Catching the baseball: you don't go to where it is now, but to where it will be when you finally get there

Where do you want your organization to be in X years?

Where will the industry be in X years? E.g. testing and evaluation of biometrics

Partner with vendors

Attend external events and participate in beta programs

Knowledge transfer

Focusing on a single tool or methodology rarely exposes the big picture; implement solutions

Innovation relies on the "human element"

Understanding the culture

Early adopters vs. good followers

Custom vs. open source vs. vendors

Security Must Become An Enabler For Business Strategy and Innovation - have fun!

Page 18:

What Does The Future Hold

No by-way on the Internet Hi-Way without identification

RFID & lots of satellite and GPS

Legally binding digital signatures (bye-bye Mont Blanc)

IM conversations may seem as casual as phone conversations, but they must be treated as formal correspondence and, like e-mail, the communications must be captured and stored

Anything and everything considered to be a mobile computing information mechanism: vehicles, baby monitors, jewelry

Streamlined data architectures and storage systems with built-in intelligence to enforce the policies and procedures & manage data

More regulation, more legal actions

Less paperwork

Page 19:

In Summary

Starts at the top but must be adopted at all levels of the organization

Create a “culture of compliance and risk thought”

“People” and “behavior” are the key ingredients

“Process” promotes reliability and repeatability

Use facts and data to measure progress

Best results occur when it’s part of annual performance and business objectives

Security professionals can leverage numerous consortiums for advice and guidance: ISSA, ISACA, CISSP, ASIS, CERT, CMU CyLab, vendors