Information Security and the Innovator’s Dilemma
David A. Cass, CISO Cloud and SaaS Operations
October 5, 2015
A notable quote
“Strategy without tactics is the slowest route to victory.
Tactics without Strategy is the noise before defeat.”
- Sun Tzu
Agenda
We will review the external and internal factors and the threat landscape that are driving change, discuss failure modes and how to overcome them, look at innovation drivers and a framework for innovation, and cover how to execute on an innovation strategy.
• What’s Changed?
• Why CISOs Fail
• Enabling Innovation
• Execution
• Wrap Up
What’s Changed – In the News
• 2015 as the year of escalating breaches
  – Retail breaches
    • 40 to 60+ million card holders impacted
    • Cost of breaches estimated in the billions of dollars
  – Medical records
    • 80 million social security numbers exposed
    • The cost per record breached for healthcare organizations is $363*
  – Entertainment industry
    • Corporate network taken over
    • Exfiltration of movies
    • Loss of corporate emails, PII, and more
  – Government
    • Personnel data of 4.2 million current and former Federal government employees stolen
    • Background investigation records of current, former, and prospective Federal employees and contractors
    • More than 21 million SSNs and 5.6 million fingerprint records
What’s Changed?
• External Factors
  – Privacy
    • More than 80 countries with privacy laws
    • US vs. EU vs. APAC definitions
    • Opt in vs. opt out
  – Law & Cyber
    • HIPAA, GLBA, MA, CA…
  – Cloud
    • Fundamental change to the way people work
  – Mobile apps
  – BYOD
  – Social
  – Big data
  – IoT
• Internal Factors
  – Expectations of the workforce
  – Insider threat
  – Changes in IT staff core competencies
  – Increased focus on risk management
Threat Landscape - Then
Enterprises
• Captive workforce
• Desktops & laptops
• Corporate network with VPN for remote workers
• Corporate owned devices
Attackers
• Rogue individuals
• Motivated by the challenge
• Little or no financial gain
Attacks
• Noisy
• Server side / infrastructure vulnerabilities
• Noticeable
• Damaging & costly, but not complicated to remediate
Threat Landscape - Now
Enterprises
• Highly mobile workforce
• Smartphones & tablets
• Use of home Wi-Fi, free Wi-Fi, cellular connections
• Corporate owned devices
Attackers
• Organized
• Well funded
• Highly skilled
• Organized crime
• Financial / political gain
Attacks
• Stealthy
• Applications, databases, and social engineering
• Hard to detect
• Goal is data exfiltration
Innovation Drivers
• Companies are very vulnerable to disruption!
• Low barrier to entry
• Disruption defined: the same value delivered in different ways
• Time to market is critical
• Innovation allows companies to pivot
Guidelines / Framework for Innovation
1. Research first
2. Innovate process at small scales
   – Improves ability to deliver
   – Allow everyone to innovate
3. Share as much as you can
   – Break down silos
   – Transparency = speed
4. Sell it before you make it
   – See what works
   – Get traction
   – Don’t build solutions in search of problems
5. Act responsibly
   – Reputation
   – Say what you do and do what you say!
   – Aspirational vs. attainable
How Can Security Innovate?
• Understand what the Critical Business Knowledge is
• Business Transformation
• Policies, Standards, Training & Awareness
• Communications at the Board and Exec Level
• Privacy and Security by Design
Innovation
• Critical Business Knowledge
  – Define it
    • Is it a source of competitive advantage?
    • Is there a regulatory requirement?
  – Define a goal
• Business Transformation
  – What is the experience we want?
  – How do we deliver what they want?
  – Transparency
• Policies & Standards
  – Right size them
  – One page with bullet points
• Training & Awareness
  – Deliver the message in the way people consume information today
• Communications at the Board and Exec Level
  – Become a better storyteller
  – Frame the conversation using FORR: Financial, Operational, Reputational, Regulatory
• Practice Privacy by Design
  – Proactive, not reactive
  – Privacy as the default setting
  – Privacy embedded into design
  – Full functionality
  – End-to-end security: full life cycle protection
  – Visibility and transparency
  – Respect for user privacy
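As an added illustration that is not part of the original deck, the following Python sketch shows what three of the Privacy by Design principles above look like when they are built into a data model rather than written into a policy: privacy as the default setting (every optional use of data is opt-in and defaults to off), purpose-based data minimization (a consumer only receives the fields its purpose needs), and full life cycle protection (records expire per purpose). The record layout, the purpose-to-field map and the retention periods are assumptions chosen for the example.

```python
from dataclasses import dataclass, field, asdict
from datetime import date, timedelta
from typing import Optional

# Assumed consent model: every optional processing flag defaults to False,
# so the privacy-preserving state is what a user gets without doing anything
# (opt-in, not opt-out).
@dataclass
class ConsentSettings:
    marketing_email: bool = False
    analytics_sharing: bool = False
    third_party_sharing: bool = False


@dataclass
class UserRecord:
    user_id: str
    email: str
    full_name: str
    ssn: Optional[str]
    created: date
    consent: ConsentSettings = field(default_factory=ConsentSettings)


# Assumed mapping of processing purpose -> the only fields that purpose needs.
PURPOSE_FIELDS = {
    "login": {"user_id", "email"},
    "marketing": {"user_id", "email", "full_name"},
    "tax_reporting": {"user_id", "full_name", "ssn"},
}

# Assumed retention periods (days) per purpose; after this the data should be
# deleted rather than kept "just in case".
RETENTION_DAYS = {"login": 3650, "marketing": 365, "tax_reporting": 7 * 365}

# Purposes that require an explicit opt-in flag before any data is released.
OPT_IN_REQUIRED = {"marketing": "marketing_email"}


def minimize(record: UserRecord, purpose: str) -> dict:
    """Return only the fields the purpose needs; raise if consent is missing."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"unknown purpose: {purpose}")
    flag = OPT_IN_REQUIRED.get(purpose)
    if flag is not None and not getattr(record.consent, flag):
        raise PermissionError(f"{purpose} requires explicit opt-in ({flag})")
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in asdict(record).items() if k in allowed}


def is_expired(record: UserRecord, purpose: str, today_iso: str) -> bool:
    """True when the record has outlived the retention period for this purpose."""
    today = date.fromisoformat(today_iso)
    return today > record.created + timedelta(days=RETENTION_DAYS[purpose])


def sample_record() -> UserRecord:
    """Constructed sample user; all values are made up for the example."""
    return UserRecord(
        user_id="u-1001",
        email="ann.example@example.com",
        full_name="Ann Example",
        ssn="000-00-0000",
        created=date(2015, 1, 1),
    )


if __name__ == "__main__":
    rec = sample_record()
    print(minimize(rec, "login"))          # only user_id and email
    try:
        minimize(rec, "marketing")         # default consent is off
    except PermissionError as err:
        print("blocked:", err)
    rec.consent.marketing_email = True     # explicit opt-in
    print(minimize(rec, "marketing"))      # still no SSN
    print(is_expired(rec, "marketing", "2016-06-01"))
```

The point of the sketch is that the defaults and field sets live in one place that code must go through; a consumer that wants more data has to change the mapping and consent model visibly, rather than quietly reading an extra column.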
• Security by Design
  – Protect the data and the application
  – Security awareness training
  – Partner with the business
    • M&A process
    • Cloud
  – Risk & assurance
  – Application security COE
  – Security architecture
  – Incident response
Execution - Putting Innovation to Work
• Strategy is the starting point of execution
  – Clear and relatively simple
  – You need to know what really matters
• To execute you need:
  – Alignment
  – Agility
  – Coordination
Executing Strategy
• Is low price a strategy?
• Strategy is not:
  – A string of buzzwords
  – A vision statement
  – A financial projection
Wrap Up
• Innovation requires that you understand the way the business works
• Apply the principles for innovation
• Use the strategy execution triad
• We win by accomplishing business goals
Questions?
David Cass, CISO, IBM Cloud & SaaS Operations
E-mail: [email protected]
Twitter: @dcass001
LinkedIn: www.linkedin.com/in/dcass001/