technology executives club roundtable sig - nov 6 session summary
Technology Executives Club Roundtable / SIG
Cyber Security & Risk Management
“How to Leverage Security Assessments to Identify & Control Risk”
Meeting Summary
November 6, 2015
W. Capra Consulting Group
Topic Overview
Leverage security assessments to identify and control risk; assessments can be used to:
- Increase organizational visibility of identified risks
- Define a baseline standard to measure organization readiness against established framework(s)
- Conduct assessments with the end in mind
- Provide a basis for a security roadmap and budget
- Leverage third parties to provide credibility to initiatives to business, senior management and boards
- Integrate into security/risk governance structure
Discussion Points (1)
What comes to mind when you hear the words “security assessment”? What does it mean to you?
Predominant View – Security assessments should focus on managing risk rather than checking the box. Emphasis should be placed on understanding risk associated with valuable data assets.
Leadership Feedback
1. Assessments can be different based on what you are trying to achieve
2. Understand the valuable data assets that need protecting before starting an assessment
3. Think about what you want to get out of the assessment
4. Security assessment should include vulnerability assessment, penetration testing, and compromise investigations
5. BIA (Business Impact Analysis) is needed to put findings in context
Discussion Points (2)
How do you use assessments in your organization? Prioritize gaps? Independent perspective on threats (current and future) and existing vulnerabilities? Input to security roadmap and budget?
Predominant View – Assessments are used to obtain an independent view of gaps and provide input to prioritized roadmap. The independent view helps to justify budget.
Leadership Feedback
1. All of the above apply to each organization
2. An independent party gives more validity to findings when meeting with stakeholders – that's what they are good at
3. Use assessment to slow the business down – third party risk assessment to manage shadow IT
4. Assessment findings help to justify innovative solutions and transformative initiatives (e.g., network re-architecture)
Discussion Points (3)
Do you leverage a security framework to guide security within your environment? ISO27k, SANS, NIST, etc.? Does the framework influence how you approach the security assessment?
Predominant View – Frameworks are helpful in security and serve as a good reference. Organizations must understand how to ask the right questions and verify existing controls match the responses.
Leadership Feedback
1. Each organization used/referenced a security framework to guide risk management
2. Frameworks are good, and you also need to ensure the right questions are asked
3. Assessments must verify responses – obtain evidence that controls are in place
4. Approach includes obtaining stakeholder sign-off on the findings and remediation plan
5. Assessments should be performed using tools to detect gaps and by conducting interviews with the right personnel
Discussion Points (4)
How far do you go to get a good perspective on your risks? Technology (app – storage), security controls, architecture review, processes (e.g., Service Desk) susceptible to social engineering attacks?
Predominant View – Assessments must extend beyond technology to be effective. Investigation of security awareness and physical security practices are critical. Threat modeling is important to understand what’s relevant.
Leadership Feedback
1. Focus on user/employee security awareness programs and education that helps them in their personal life (e.g., safe at home program)
2. Physical assessments are becoming more important
3. Push ownership of data to business stakeholders
4. Get past OWASP to using Red Teams and threat modeling
5. Follow up to measure social engineering risk (e.g., PhishMe)
6. Identify an approach to hold users accountable for poor decisions (e.g., tie to compensation)
Discussion Points (5)
What is the right interval to perform assessments? Annual? Semi-annual?
Predominant View – The consensus view is an annual assessment. Organizations should perform activities throughout the year to understand changes to risk profile.
Leadership Feedback
1. Interval is aligned with compliance requirements – annual assessment
2. Objective is to perform a formal assessment annually and maintain an updated view throughout the year
3. Annual assessment with monthly follow up and continual external scans
4. Assessment followed up with monthly CIO/CISO meeting to review progress
Discussion Points (6)
Do you include Cloud Service Providers (CSPs) in the scope of security assessments? Why or why not?
Predominant View – Assessing all partners is critical in today’s IT environment. IT must work with these partners to ensure they have the right controls in place – don’t accept generic responses.
Leadership Feedback
1. Question should include ALL providers and business partners
2. Big issue – assessment of partners is critical
3. Include all service providers as this is a potential high risk source
4. Don't accept partners' generic responses to assessment – hold them accountable to demonstrate effective security
5. Need to include important points that hold partners accountable in the contract
Discussion Points (7)
What are you not getting out of security assessments? What’s missing? How do you plug the gaps? Technologies? Processes?
Predominant View - Assessments must be more comprehensive and forward looking. Peer comparison would be helpful when communicating with business leadership.
Leadership Feedback
- Good perspective on how risk is evolving (e.g., emerging threats)
- Accurate view of risk in third party assessments
- A good perspective on class comparison – how do you compare with other organizations in your industry (e.g., gaps, level of risk)
Questions We Didn't Get To Ask…
1. How do you know the security assessment was effective? What gives you that comfort level? Is it possible to get that comfort level?
2. Do you use security assessments to manage/address business leadership/Board perceptions? For example, the Target breach raised Board interest in security.
3. In general, what's missing in security today? What should we pay more attention to?
W. Capra Consulting Group, 221 N. LaSalle, Suite 1325, Chicago, Illinois 60601
Security SIG Chairperson: Matt Beale, Associate Partner, W. Capra, [email protected], (312) 972-2433
Technology Executives Club reference: www.technologyexecutivesclub.com, www.technologyexecutivesclub.com/securitychicago