Inclusion & Empowerment: How Participation and Awareness Influence Security
Daniel J Blander, CISM, CISSP
[ agenda ]
[ challenges ]
[ why ]
[ emerging strategies ]
[ challenges ]
Management buy-in
User Participation
[ challenges ]
How consistent is your security posture?
Is it integrated into your organization’s goals?
[ challenges ]
But I have tried!
[ why ]
Company & Stakeholder awareness of risk
• “It’s never happened to us before”
Stakeholder Focus: Profit, Cost, Opportunity
[ why ]
CIO = Chief IT Officer
Security is Only for Computers
[ why ]
Self-Inflicted Wounds
• Techno-babble
• Fear mongering – FUD & Hype
Security is a Cost Center
• Security does not generate revenue
• Security is restrictive
F.U.D.
[ change ]
Create a shared Governance Function
Security Steering Committee
• IT
• Finance
• HR
• Sales
• Legal
[ change ]
• Security is a process inside The Company
• People, Processes, Information
• Participate in the Business
Security as “Business Risk Management”
Chief Risk Officer
• Physical Security
• Legal
• Information & IT Security
[ change ]
Use security to enhance business
Give back to the business
Focus on:
• Efficiency & Effectiveness
• Availability
ITIL: Process Improvement, Predictability
[ change ]
Promote security as a cultural and behavioral change.
Focus on changing long-term patterns and attitudes about security.
Focus on security enabling people, not as restricting rules.
Make security something everyone can understand and act on.
Show how security applies to all parts of life, at work and home.
[ change ]
How do you lead to achieve this?
• Have a New Attitude
• NO FUD
• Put your business hat on!
• Think of good business practices that reflect security
• Think of business opportunities
• Be a Team Player - Include everyone on the team
[ change: sources ]