1. BRIDGING THE GAPS AND PREPARING FOR THE FUTURE!
James Beeson, Chief Information Security Officer
April 20, 2011
2. We Are Fighting The Same Battle!
Same Risks
• Business Disruption
• Unauthorized Access
• Data Leakage/Loss
• Data Integrity Issues
• Regulatory Non-Compliance
Similar Threats
• Mistakes/Accidents
• Organized Crime (APT)
• Vulnerabilities (SW/HW/NW)
• Unauthorized Software
• Social Engineering (Phishing)
Don’t Reinvent the Wheel
• Collaborate
• Use Existing Frameworks
– ISO 27001
– COBIT
– NIST Standards
3. CIO & CISO Roles Similar
• Need to understand what the business does
• How does technology enable the business processes
• Branding and marketing for the cause
• Evangelist for the profession and importance
• Salesperson to get things accomplished
• Leader to motivate people to do the right thing
Aren’t We All Just Used Car Salespeople?
4. Mix of Technical Expertise and Leadership
Information Security Technical Expertise
• CISSP (Certified Information Systems Security Professional)
• CISA (Certified Information Systems Auditor)
• CRISC (Certified in Risk and Information Systems Control)
• CISM (Certified Information Security Manager)
Leadership
• Team Building and Motivation
• Effective Speaking and Presentation Skills
• Hiring and Management Skills
• Style Flex – Understanding Motivation
• CAP (Change Acceleration Process Training)
• ITIL (Information Technology Infrastructure Library) Skills
• Six Sigma or similar Quality Training
5. Just Say “Yes” Approach
• Works Better than Chicken Little or FUD
• Shifts the Ownership/Burden of Risk
• As They Say “It’s All In The Spin”
• Push for Data Driven Decisions
IT and CISO DO NOT Own the Risk!
6. KNOW THE 2 MINUTE ELEVATOR SPEECH
Key Operating Elements
• Information Security Risk Management
• Identity Management (Access Control)
• Monitoring & Incident Response
Strategic Approach
• Strong, Simple, Risk Based Policies
• Layered, Measurable Approach
• Ongoing Risk Assessment & Quick IR
• Continuous Education and Awareness
Top Risks
• Data Leakage/Loss
• Unauthorized Access
• Business Disruption
• Data Integrity Issues
• Regulatory Non-Compliance
Top Threats
• Phishing (Social Engineering)
• Unauthorized Software
• Organized Crime (APT)
• SW/HW/NW Vulnerabilities
• Mistakes/Accidents
Tarnished Brand Name DRIVES Revenue Loss, Added Costs (regulatory fines)
7. Security is an Enabler to Compliance and Reducing Risk
• Leverage Compliance and Legal
• Take Advantage of Operational and Business Risk Knowledge
• Mix Training, Education, and Communications
• Embed Security in Technology and Business Processes
• Shift from Slowing-Down to Enabling
8. Measurement Drives Behavior
As Lord Kelvin once said “If You Can’t Measure It, You Can’t Improve It”
Typically Improvement is Measured by:
• Reduced Cycle-Time
• Reduced Cost
• Reduced Defects
Key Takeaways
• Schedule Recurring Reviews
• Know Your Audience
• Tie Improvement Metrics to Performance
• Don’t Reinvent the Wheel
• Automate and Define Clear Ownership
Threat x Opportunity = Risk
9. Trends
• I Don’t Buy Your Shoes, Why Would I Buy Your PC
• Cloud is the Preferred Way to Manage Data
• Conundrum - Digital Natives vs Baby Boomers
• Power Portability/Mobility with No Perimeter
• Organized Crime (APT) is “Big Business”
• Focus on Compliance Not Security Posture
• Social Engineering Rules – An Education Issue
10. Things That Make You Go Hmm
• 2 Billion People Internet Connected
• YouTube >2B Views/Day
• Over 22 Billion Tweets in 2010
• Facebook – World’s 3rd Largest Country
• Over 100 Million Users on LinkedIn
• Internet Background Check Common
• Texting & Apps Overtake Voice
• PCs/Laptops Dropping in Sales
• 1/5 Marriages from Internet Dating
11. Summary
• Fighting the Same Battle – Leverage Everyone!
– Risks are basically the same
• Know Your Business – Become an Enabler
– Reduces the “Hindrance” factor
• CIO and CISO Roles are Similar
– Aren’t we all just Salespeople
• Measurement Drives Behavior
– “If you can’t measure it, you can’t improve it”
• Digital Natives versus Digital Immigrants – Helping to “Bridge The Gap”