3. [ challenges ]
How many of you struggle to get management and users to take part in security?
Do they seek out your advice?
Do they follow policy?
Do you have their respect?
4. [ challenges ]
How consistent is your security posture?
Policies
Risk Management & Planning
Security Organization
User Awareness
System Security
Network Security
Physical Asset Security
Operational Security
Monitoring
User Access
Legal Due-Diligence
6. [ why ]
Security is driven by:
• Company & Stakeholder awareness of risk
• “It's never happened to us before”
• Prevalent focus on: Profit, Cost, Opportunity
7. [ why ]
Security is Only for Computers
• Network Security Manager
• IT Security Manager
• IT Compliance
• CIO = Chief IT Officer
• 67% of Information Security is driven by IT
• 81% of Security Policies are written exclusively by IT
8. [ why ]
Security is a Cost Center
• Security does not generate revenue
• Security is restrictive
• Security stops us from doing things
The result:
• Security is marginalized
• Security is the first to be cut
9. [ why ]
How did we get here?
• Self Inflicted Wounds
• Techno-babble
• Fear mongering – FUD & Hype
• Troublesome list of risks that never happen
• Unfulfilled Prophecies
• Companies did not fail after a breach
• TJX – stock up 50% one year later
10. [ change ]
Create a shared Governance Function
• Involve business stakeholders
• Address all departments' needs for Confidentiality, Integrity, and Availability
• Discuss strategic issues
• Talk about opportunities and company future
Result:
• Unified awareness, vision and effort
• Awareness and consistency across the business
12. [ change ]
Coach the Team
Have clear goals
• Aligned with business goals
• Make the meeting meaningful, with take-away info and tasks
• Make subject matter relevant.
Do not let one area grab all the focus
• Risk across all business areas
• Risk of all types
13. [ change ]
Security as “Business Risk Management”
• Information Protection
• Privacy
• Business Continuity
• Physical Security
• Loss Prevention
• Investigations
• Insurance
• Personnel Safety
• Counter Espionage
• Legal Counsel
[ Org chart: Chief Risk Officer overseeing Physical Security, Information & IT Security, and Legal ]
14. [ change ]
Think how security can enhance real business drivers…
• Consistent Process & Environments = Efficiency
• System Availability = More Time Working
• Security Systems = Consistent Environments + Availability
• Consistent Processes + Environments = Security
• ITIL
• Process Improvement
• Predictability
15. [ the future ]
Security = The Company
It is not security for IT, it is security for protecting the company.
• Company is made up of people and processes.
• Computers support the process.
Security is not the end, it is a process contained in larger processes.
• Security enables business – not through mitigating risk but by promoting best practices (ITIL).
• Look to give back to the company whenever you can. Be a facilitator, and show that security can tag along for the ride, not be the kick in the teeth.
16. [ change ]
Decentralize Enforcement
• savings + shared responsibility
[ Diagram: enforcement shared across roles ]
Information Security Team
• Consult, Guide, Monitor, Assess
Network Administrator
• Network Firewalls, Routers
System Administrator
• Anti-Virus
Service Desk
• User Access Setup
Info Security Admin
Physical Security
17. [ change ]
How do you lead to achieve this?
• Have a New Attitude
• NO FUD
• Put your business hat on!
• Think of good business practices that reflect security
• Think of business opportunities
• Be a Team Player - Include everyone on the team