
Adversaries to allies

Apr 14, 2017

Page 1: Adversaries to allies

Turning Adversaries to Allies

Page 2

Robert Keefer, CISSP, C|EH, Security+, MCSE
16+ years of experience in IT and InfoSec
Healthcare, Automotive, Manufacturing, Software Development, and other verticals

Page 3

Sound Familiar?
• You're told about a new project only as it's being put in place.
• Security assessments are recycled more often than read.
• Security initiatives go nowhere, or move slowly.
• Every issue you bring up becomes an argument.

Page 4

Scenario One: Higher Ed
• Each department ran its own IT and only vaguely reported to the CIO.
• "Shadow IT" was the norm.
• Buy-in was hard to get; directors didn't oversee IT well.
• Communication problems.
• Security awareness existed, but each group did its own thing.

Page 5

Scenario Two: Development house
• The ISO (information security officer) was in Detroit, but the development team was in Seattle.
• The remote West Coast location made communication difficult.
• Previous experience with InfoSec was poor, setting the team up for resistance.
• Need to develop quickly: Agile development.
• The customer was heavily invested in security.

Page 6

Scenario Three: Healthcare
• Highly changeable environment.
• IT very resistant due to a bad prior experience.
• The network team had taken over much of InfoSec's duties.
• HIPAA was the sole guideline for InfoSec.
• Compliance-focused instead of security-focused.

Page 7

Common Issues
• Information Security is seen as additional cost or work.
• Previous bad experiences cause "bad blood."
• Resistance to adopting InfoSec requirements and initiatives.
• InfoSec is not always related well to business goals.
• Little buy-in or support from management.
• Compliance focus instead of, or given priority over, security focus.

Page 8

Scenario One: Approach
• Treat each department separately: what are their needs and fears?
• Keep programs small and flexible; customize as needed.
• Work with each team as the experts in their fields; do not dictate solutions.
• Management buy-in is hard to get, but it means greater ability to act.
• Create opportunities for collaboration.

Page 9

Scenario Two: Approach
• Leverage the customer's need for security.
• Work with the developers as experts; provide requirements and let them solve the problem.
• Hold many face-to-face meetings; don't be just a voice on the phone.
• Work towards a "yes" instead of from a "no."

Page 10

Scenario Three: Approach
• Be approachable.
• Keep communication lines open.
• Adjust technical content to the audience.
• Be transparent with methods as well as results.
• Prioritize on risk: it's a journey, not a destination.

Page 11

Common Solutions
• Clear requirements, goals, and reasons.
• Tie InfoSec requirements to business goals (Business Enabled Security).
• Stay reasonable; know when to say "yes."
• Focus on good risk management.
• Gratitude!

Page 12

Common Pitfalls: Watch Your Step

Page 13

Dictating Solutions
• Demanding specific solutions: "My way or the highway."
• Instead, supply requests and requirements.
• Ask for solutions and let the SMEs supply them.
• Multiple solutions exist for any problem.
• Be prepared to be flexible.

Page 14

The Bogeyman
• Hackers, HIPAA, government audits.
• Fear as a motivator.
• Government standards are seen as a ceiling instead of a floor.
• Remember that compliant != secure, but secure is usually compliant.
• Focus on business-enabled security, not fear-based security.

Page 15

Gatekeeping
• Similar to Dictating Solutions.
• Insisting that all risks must be resolved or the project will be blocked.
• Risk management is key.
• Some risks are mitigated; some are accepted.
• The business must keep doing business!

Page 16

Thank You!
• Questions?

Robert Keefer
[email protected]
@robbkeefer
http://www.businessenabledsecurity.com