Emerging Trends in Security Governance: Making Security a Business Success
Daniel J Blander, CISM, CISSP
Page 1: Security Governance - Trends and Ideas

Emerging Trends in Security Governance:

Making Security a Business Success

Daniel J Blander, CISM, CISSP

Page 2: Security Governance - Trends and Ideas

[ agenda ]

[ challenges ]

[ why ]

[ emerging changes ]

Presenter
Presentation Notes
This is going to be a little bit different than the other topics you’ll hear over these two days. This talk is about Security Governance – yes, that management stuff. It is about how we get our respective organizations, executives, and even the public to better understand security, and its big brother: Risk Management. Many of the things I will talk about apply across the board when you talk about Information Security and Risk Management. Some apply when trying to get people to understand the esoteric details of an attack, and others apply when justifying the validity of your group, your organization, and your work. I present this talk to this crowd for one purpose: To give you perspective on how to make your work and your efforts relevant and better understood by the world at large, and to show you ways to gain credibility, acceptance, and support when you work with the corporate world.
Page 3: Security Governance - Trends and Ideas

[ challenges ]

How many of you struggle to get management and users to take part in security?

Do they seek out your advice? Do they follow policy? Do you have their respect?

Presenter
Presentation Notes
Amusingly enough, a survey that I ran of security professionals found that only 35% of security organizations had participation from outside of security and IT groups, and 53% of security organizations felt that their security policies were not well accepted by their organization. If your executives frequently dismiss security initiatives, you probably do not have their support. If users groan when security becomes part of a project, or consistently resist security controls, you probably do not have their respect and support. The respect and support is important to the support of your program. If executives and users respect what you are trying to achieve, they are more likely to listen.
Page 4: Security Governance - Trends and Ideas

[ challenges ]

How consistent is your security posture?

• Policies
• Risk Management & Planning
• Security Organization
• User Awareness
• System Security
• Network Security
• Physical Asset Security
• Operational Security
• Monitoring
• User Access
• Legal Due-Diligence

Presenter
Presentation Notes
I have worked with several clients who tell me “just fix PCI” or “just fix this audit finding” with no real attention to what is at risk. Where is the understanding of risk in the organization? Is the organization made aware? How do you make sure management is aware of what the real risks are? Is the approach to security balanced? Does the approach weigh risks against all possible threat vectors and remediation tactics? Is it comprehensive? I cannot count the number of times I have met with security groups and found they are focused only on technology vulnerabilities, scanning, and DLP technology, but completely ignore basic concepts of user awareness, social engineering, physical security, and good, all-around risk management.
Page 5: Security Governance - Trends and Ideas

[ challenges ]

How good is your organization’s security awareness?

Presenter
Presentation Notes
How many people on this call can say that they have made their executives aware of risks, and listened to their needs? How many security professionals actually consider their user’s needs? How many of us think that awareness is a two-way street?
Page 6: Security Governance - Trends and Ideas

[ why ]

Security is driven by:

• Company & Stakeholder awareness of risk

• “It’s never happened to us before”

• Prevalent focus on: Profit, Cost, Opportunity

Presenter
Presentation Notes
What are the reasons security has these problems? One cause is the unwillingness of business owners/executives to look realistically at risk. We have a tendency to avoid the unknown when it is larger than our capacity to address it (or our perception that we have the capacity to address it). I love Bruce Schneier’s writings on the psychology of risk. But I would also argue it is just as much our own problem in Information Security. We often forget that a business is primarily about providing customer solutions, typically for a fee (or profit). You may say that is too obvious, but let me counter with examples where security and IT departments have conducted risk assessments and business impact assessments for business continuity – without ever talking to the business! This is just like when as teenagers we decided that 22” rims and a new stereo boom-box would go great with the family car, but never consulted mom and dad… We need to remember what the stakeholders care about and focus our efforts on alleviating their fears while making them aware of the real threats to their real business.
Page 7: Security Governance - Trends and Ideas

[ why ]

Security is Only for Computers

• Network Security Manager
• IT Security Manager
• IT Compliance
• CIO = Chief IT Officer

• 67% of Information Security is driven by IT
• 81% of Security Policies are written exclusively by IT

Presenter
Presentation Notes
I remember an article from 2003 where a CIO spoke of all information, and how it was handled, being his purview. How many of your CIOs think that way? How many of us talk about security outside the context of IT? What about the other elements of ISO 27002? What about Physical Security, or Human Resources practices, or those areas that include other parts of the business? Those are parts of the business that IT doesn’t control. And how often do we try to change them? If we do, we will usually be pushed back.
Page 8: Security Governance - Trends and Ideas

[ why ]

Security is a Cost Center

• Security does not generate revenue
• Security is restrictive
• Security stops us from doing things

The result:

• Security is marginalized
• Security is the first to be cut

Page 9: Security Governance - Trends and Ideas

[ why ]

How did we get here?

• Self Inflicted Wounds
  • Techno-babble
  • Fear mongering – FUD & Hype
  • Troublesome list of risks that never happen

• Unfulfilled Prophecies
  • Companies did not fail after a breach
  • TJX – stock up 50% one year later

Presenter
Presentation Notes
In a recent roundtable with major CIOs from First American, Wellpoint/Anthem, Credit Suisse, HealthNet, Experian, Broadcom… the question was raised why information security had dropped in the collective conscience of executive management. It became apparent that the wounds were self-inflicted. They included… (see slide). Bruce Schneier at RSA 2009 talked about the damage to security awareness that the hype around the Conficker worm caused. Over-hype by the media didn’t help us.
Page 10: Security Governance - Trends and Ideas

[ change ]

Create a shared Governance Function

• Involve business stakeholders
• Address all department’s needs for Confidentiality, Integrity, and Availability
• Discuss strategic issues
• Talk about opportunities and company future

Result:

• Unified awareness, vision and effort
• Awareness and consistency across the business

Presenter
Presentation Notes
This is the critical first step. I have watched many organizations operate without including the business owners. Security got nowhere. Once the business drivers were included in Security, things were accomplished. The Governance function – a Security Steering Committee – provides a forum for these discussions. The discussions should not be about IT issues, or technical attacks. They should be about risks in each business area, how Risk Management (and overall Security) can help or hinder the business. I compare it to an IT Steering Committee. The IT Steering Committee doesn’t care about the disk drives, or the data transfer rates. They only care about whether their business initiatives in IT are being delivered on, and if not, what should be the priorities and steps taken.
Page 11: Security Governance - Trends and Ideas

[ change ]

[Diagram: Security Steering Committee, with members from IT, Finance, HR, Sales, and Legal]

Page 12: Security Governance - Trends and Ideas

[ change ]

Coach the Team

Have clear goals

• Aligned with business goals
• Make the meeting meaningful with take-away info and tasks
• Make subject matter relevant.

Do not let one area grab all the focus

• Risk across all business areas
• Risk of all types

Presenter
Presentation Notes
There are some key points when you develop this committee… One piece of information from a not-so-scientific survey I did. When Security Policies were developed in a vacuum (in IT) the perceived success rate by the respondents was 36%. When the business was involved, that perceived success rate jumped to 75%. The statistical key: What groups were involved in the development.
Page 13: Security Governance - Trends and Ideas

[ change ]

• Information Protection

• Privacy

• Business Continuity

• Physical Security

• Loss Prevention

• Investigations

• Insurance

• Personnel Safety

• Counter Espionage

• Legal Counsel

Security as “Business Risk Management”

[Diagram: Chief Risk Officer, with Physical Security, Legal, and Information & IT Security reporting in]

Presenter
Presentation Notes
From this you may see some trends. Some of the concepts I have seen emerge: Make Security focus on Risk Management in general. Attempt to remove yourself from IT. A large organization I have met did exactly that. They created the position “Chief Risk Officer”. He managed all parts of the organization that were associated with Risk Management. This new structure reflected a view that risk is not just about IT. Information is not just for Computers anymore…
Page 14: Security Governance - Trends and Ideas

[ change ]

Think how security can enhance real business drivers…

• Consistent Process & Environments = Efficiency

• System Availability = More Time Working

• Security Systems = Consistent Environments + Availability

• Consistent Processes + Environments = Security

• ITIL
• Process Improvement
• Predictability

Presenter
Presentation Notes
We measure IT efficiency through techniques such as ITIL and process improvement. What we miss is that the same consistency also begets a level of security. Is it perfect security? No, but it creates a simple, basic framework to build on. We need to seize this opportunity. Show IT and the business that this consistency is a way to save money. Show that secure systems are not only safer from being broken into (and thereby made unavailable) but that the nature of a standard configuration leads to easier-to-support systems, consistent builds, and better efficiency and availability to support cost efficiency. Just reach into your ITIL toolkit and you should be able to find the arguments to win this case. I have shown at several companies that after we created standard configurations, and measured compliance to them, support cases dropped and availability went up. Another story is when a security need is better discussed as a business need. Discuss POS situation…
Page 15: Security Governance - Trends and Ideas

[ the future ]

Security = The Company

It is not security for IT, it is security for protecting the company.

• Company is made up of people and processes.

• Computers support the process.

Security is not the end, it is a process contained in larger processes.

• Security enables business – not through mitigating risk but promoting best practices (ITIL).

• Look to give back to the company whenever you can. Be a facilitator, and show that security can tag along for the ride, not be the kick in the teeth.

Presenter
Presentation Notes
Think of security as being for the company….not about IT, but about business risks. Reach out to the business, be part of the business.
Page 16: Security Governance - Trends and Ideas

[ change ]

Decentralize Enforcement

• savings + shared responsibility

Information Security Team
• Consult, Guide, Monitor, Assess

Network Administrator
• Network Firewalls, Routers

System Administrator
• Anti-Virus

Service Desk
• User Access Setup

[Diagram: Info Security at the center, linked to Network Admin, System Admin, Physical Security, and Service Desk]

Presenter
Presentation Notes
There are more – partnerships with Internal Audit on SOX audits – better IT testing, less frustration from IT teams due to dealing with people who understand IT a little better. InfoSec team can roll testing into standard, frequent evaluations.
Page 17: Security Governance - Trends and Ideas

[ change ]

How do you lead to achieve this?

• Have a New Attitude

• NO FUD

• Put your business hat on!

• Think of good business practices that reflect security

• Think of business opportunities

• Be a Team Player - Include everyone on the team

Presenter
Presentation Notes
NO WIELDING SECURITY LIKE A BATTLEAXE. SECURITY is not to beat people over the head with. Take a risk approach – a real risk approach. What happened to TJX one year after the break-in?
Page 18: Security Governance - Trends and Ideas

[ change: sources ]

Presenter
Presentation Notes
I also want to thank the over 100 people who answered my survey on LinkedIn, numerous security professionals around the world who I have talked to about this subject, and those few that beat me to the punch at invoking a Security Council - companies like InterMountain Healthcare, and AutoClub of Southern California who gave me permission to discuss their solutions in public.