Technology Executives Club Roundtable SIG - Nov 6 Session Summary


Page 1: Technology Executives Club Roundtable SIG - Nov 6 Session Summary

Technology Executives Club Roundtable / SIG

Cyber Security & Risk Management

“How to Leverage Security Assessments to Identify & Control Risk”

Meeting Summary

November 6, 2015


W. Capra Consulting Group

Topic Overview


Leverage security assessments to identify and control risk; assessments can be used to:

- Increase organizational visibility of identified risks
- Define a baseline standard to measure organization readiness against established framework(s)
- Conduct assessments with the end in mind
- Provide a basis for a security roadmap and budget
- Leverage third parties to provide credibility to initiatives to business, senior management and boards
- Integrate into security/risk governance structure


Discussion Points (1)


What comes to mind when you hear the words “security assessment”? What does it mean to you?

Predominant View – Security assessments should focus on managing risk rather than checking the box. Emphasis should be placed on understanding risk associated with valuable data assets.

Leadership Feedback

1. Assessments can be different based on what you are trying to achieve
2. Understand the valuable data assets that need protecting before starting an assessment
3. Think about what you want to get out of the assessment
4. Security assessment should include vulnerability assessment, penetration testing, and compromise investigations
5. BIA (Business Impact Analysis) is needed to put findings in context


Discussion Points (2)


How do you use assessments in your organization? Prioritize gaps? Independent perspective on threats (current and future) and existing vulnerabilities? Input to security roadmap and budget?

Predominant View – Assessments are used to obtain an independent view of gaps and provide input to prioritized roadmap. The independent view helps to justify budget.

Leadership Feedback

1. All of the above apply to each organization
2. An independent view gives more validity to findings when meeting with stakeholders – that’s what they are good at
3. Use assessment to slow the business down – third party risk assessment to manage shadow IT
4. Assessment findings help to justify innovative solutions and transformative initiatives (e.g., network re-architecture)


Discussion Points (3)


Do you leverage a security framework to guide security within your environment? ISO27k, SANS, NIST, etc.? Does the framework influence how you approach the security assessment?

Predominant View – Frameworks are helpful in security and serve as a good reference. Organizations must understand how to ask the right questions and verify existing controls match the responses.

Leadership Feedback

1. Each organization used/referenced a security framework to guide risk management
2. Frameworks are good, and you also need to ensure the right questions are asked
3. Assessments must verify responses – obtain evidence that controls are in place
4. Approach includes obtaining stakeholder sign-off on the findings and remediation plan
5. Assessments should be performed using tools to detect gaps and by conducting interviews with the right personnel


Discussion Points (4)


How far do you go to get a good perspective on your risks? Technology (app – storage), security controls, architecture review, processes (e.g., Service Desk) susceptible to social engineering attacks?

Predominant View – Assessments must extend beyond technology to be effective. Investigation of security awareness and physical security practices is critical. Threat modeling is important to understand what’s relevant.

Leadership Feedback

1. Focus on user/employee security awareness programs and education that helps them in their personal life (e.g., safe at home program)
2. Physical assessments becoming more important
3. Push ownership of data to business stakeholders
4. Get past OWASP to using Red Teams and threat modeling
5. Follow up to measure social engineering risk (e.g., PhishMe)
6. Identify an approach to hold users accountable for poor decisions (e.g., tie to compensation)


Discussion Points (5)


What is the right interval to perform assessments? Annual? Semi-annual?

Predominant View – The consensus view is an annual assessment. Organizations should perform activities throughout the year to understand changes to risk profile.

Leadership Feedback

1. Interval is aligned with compliance requirements – annual assessment
2. Objective is to perform a formal assessment annually and maintain an updated view throughout the year
3. Annual assessment with monthly follow up and continual external scans
4. Assessment followed up with monthly CIO/CISO meeting to review progress


Discussion Points (6)


Do you include Cloud Service Providers (CSPs) in the scope of security assessments? Why or why not?

Predominant View – Assessing all partners is critical in today’s IT environment. IT must work with these partners to ensure they have the right controls in place – don’t accept generic responses.

Leadership Feedback

1. Question should include ALL providers and business partners
2. Big issue – assessment of partners is critical
3. Include all service providers as this is a potential high risk source
4. Don’t accept partner generic responses to assessment – hold them accountable to demonstrate effective security
5. Need to include important points that hold partners accountable in the contract


Discussion Points (7)

What are you not getting out of security assessments? What’s missing? How do you plug the gaps? Technologies? Processes?

Predominant View - Assessments must be more comprehensive and forward looking. Peer comparison would be helpful when communicating with business leadership.

Leadership Feedback

- Good perspective on how risk is evolving (e.g., emerging threats)
- Accurate view of risk in third party assessments
- A good perspective on class comparison – how do you compare with other organizations in your industry (e.g., gaps, level of risk)


Questions We Didn’t Get To

Ask…

1. How do you know the security assessment was effective? What gives you that comfort level? Is it possible to get that comfort level?

2. Do you use security assessments to manage/address business leadership/Board perceptions? For example, the Target breach raised Board interest in security.

3. In general, what’s missing in security today? What should we pay more attention to?


W. Capra Consulting Group
221 N. LaSalle, Suite 1325
Chicago, Illinois 60601

Security SIG Chairperson: Matt Beale, Associate Partner, W. Capra
[email protected]
(312) 972-2433

Technology Executives Club Reference:
www.technologyexecutivesclub.com
www.technologyexecutivesclub.com/securitychicago