Doug Landoll, CEO, Lantego
Why Lead with Risk?
There are many approaches to establishing, maintaining and improving information security programs: technology-centric, policy-driven, framework-based, audit-driven, compliance-driven, or risk-based. Mr. Landoll will discuss each of these approaches and give concrete examples of why the only effective approach is to lead with risk. The presentation will also give pointers on conducting an effective security risk assessment and establishing a risk management process. Much of this material is drawn from Mr. Landoll's book, The Security Risk Assessment Handbook (2011).
NTXISSACSC2 - Why Lead with Risk? by Doug Landoll
1. @NTXISSA
Why Lead with Risk?
Doug Landoll
CEO
Lantego
April 25, 2015
www.lantego.com
(512) 633-8405
dlandoll@lantego.com
2. @NTXISSA
CISO Priorities
Q: How do security organizations lead?
Q: How do you measure and demonstrate success?
NTX ISSA Cyber Security Conference – April 24-25, 2015 2
4. @NTXISSA
Identifying Technology-led Strategies
• Technology-driven Strategies
• Symptoms
• No clear security strategy
• Vendors dictate security solution “map”
• Lack of integration with non-IT
• Minimal use of product functions
• Disorder
• Vendor-based spending (latest, greatest)
• Strategy defined without regard to mission
• Lack of leadership
• Technology heavy (picket fence)
5. @NTXISSA
Identifying Audit-led Strategies
• Audit-driven Strategies
• Symptoms
• No clear security strategy
• Auditors as justification for security controls
• Thrashing
• Disorder
• Audit-based spending (priorities, minimum)
• Consistent state of catch-up
• Lack of focus
• Ineffective
6. @NTXISSA
Identifying Hero-led Strategies
• Hero-based Strategies
• Symptoms
• Unclear roles and responsibilities
• No formal project plans
• Difficulty budgeting
• Move from fire to fire
• Disorder
• Initiatives = interests
• No repeatable processes
• Fail most non-technical areas of audits
• Extremely reliant on individuals
7. @NTXISSA
INFOSEC Purpose
Q: What is the primary function of the Chief Information Security Officer?
• Prevent loss, fraud, breaches
• Demonstrate compliance
• Manage policy
• Ensure continuity
• Plan response
• Prioritize initiatives
• Manage configurations
• Review logs
• Respond to incidents
8. @NTXISSA
INFOSEC Purpose
Q: What is the primary function of the Chief Information Security Officer?
Reduce Information Security Risk
9. @NTXISSA
That “DAM” Risk
If your primary function is to reduce information security risk, you must ensure that you:
1. Determine: accurately measure risk
2. Address: effectively manage risk
3. Monitor: diligently monitor risk
10. @NTXISSA
Determine: Measure Risk
• Importance of measuring accurately
• Data Quality
• Data Quality Cube / GIGO
• RIIOT
• Risk Equation
• Valid analysis
• When “risk” isn’t Risk
• Invalid equations
11. @NTXISSA
Determine: Importance of Accuracy
Risk is the basis of all security decisions, therefore it is important to determine it accurately.
(diagram: Risk method → Risk Assessment → Risk Monitoring → Security Decisions)
Common Risk Method Mistakes
1. Poor Data Quality?
2. Spreadsheets & Pen Tests?
3. Invalid Equations?
13. @NTXISSA
Determine: The RIIOT Approach
• Introduced in “Security Risk Assessment Handbook”
• Organizes the task of data gathering on all controls.
• Identifies the 5 methods to data gathering
• Review Documents
• Interview Key Staff
• Inspect Controls
• Observe Behavior
• Test Controls
14. @NTXISSA
Determine: Risk Equation
Risk = (Assets × Threats × Vulnerabilities) / Countermeasures (controls)
• Assets: Valuation / Business Impact
• Threats: Threat Classes / Capabilities
• Vulnerabilities: Likelihood of Existence / Ease of Exploitation
• Countermeasures: Remediation / Cost Benefit
Not Risk Assessments (each addresses only part of the equation):
• Vulnerability Scan
• Penetration Test
• Security Audit
• Compliance Audit
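The slide's equation is conceptual. The following is an added example, not code from the talk or from the handbook, that instantiates it with cardinal quantities in the annualized-loss form commonly used for quantitative assessment: asset valuation in dollars, threat frequency in events per year, vulnerability as the probability that an attempt succeeds, and a countermeasure as an annual cost plus a multiplicative effect on those terms. The scenarios, controls, and figures are constructed for illustration; the multiplicative control model is an assumption, not the book's method.

```python
"""Cardinal risk register with countermeasure cost/benefit.

Added example, not code from the talk or the handbook. It instantiates the
conceptual equation Risk = Assets * Threats * Vulnerabilities / Countermeasures
with cardinal quantities (dollars, events per year, probabilities). The
scenarios, controls and figures are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    asset_value: float      # Assets: business impact of a full loss, in dollars
    exposure: float         # fraction of asset_value lost per successful event
    events_per_year: float  # Threats: how often the threat acts, per year
    p_success: float        # Vulnerabilities: probability an attempt succeeds


def annual_loss(s: Scenario) -> float:
    """Annualized loss expectancy: value * exposure * successful events per year."""
    return s.asset_value * s.exposure * s.events_per_year * s.p_success


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Multiplicative effect on each term (1.0 = no effect). Assumed model:
    # e.g. offline backups shrink exposure, MFA shrinks p_success.
    exposure_factor: float = 1.0
    frequency_factor: float = 1.0
    p_success_factor: float = 1.0


def apply_control(s: Scenario, c: Control) -> Scenario:
    """The scenario as it would look with the countermeasure in place."""
    return replace(
        s,
        exposure=s.exposure * c.exposure_factor,
        events_per_year=s.events_per_year * c.frequency_factor,
        p_success=min(1.0, s.p_success * c.p_success_factor),
    )


def net_benefit(s: Scenario, c: Control) -> float:
    """Risk retired per year minus what the control costs per year.

    Negative means the control costs more than the risk it removes."""
    return annual_loss(s) - annual_loss(apply_control(s, c)) - c.annual_cost


def rank_by_risk(scenarios):
    """Highest annual loss first: the order in which to spend attention."""
    return sorted(scenarios, key=annual_loss, reverse=True)


# Constructed register (not real data).
SCENARIOS = [
    Scenario("customer database", "credential stuffing", 5_000_000, 0.4, 4, 0.05),
    Scenario("payroll server", "ransomware", 2_000_000, 0.5, 2, 0.15),
    Scenario("marketing site", "defacement", 50_000, 1.0, 6, 0.3),
]
MFA = Control("MFA on customer portal", 40_000, p_success_factor=0.1)
BACKUPS = Control("offline backups", 60_000, exposure_factor=0.2)
WAF = Control("WAF in front of marketing site", 100_000, p_success_factor=0.5)


def main():
    for s in rank_by_risk(SCENARIOS):
        print(f"{s.asset:18} {s.threat:20} ALE ${annual_loss(s):>10,.0f}")
    for s, c in [(SCENARIOS[0], MFA), (SCENARIOS[1], BACKUPS), (SCENARIOS[2], WAF)]:
        verdict = "worth it" if net_benefit(s, c) > 0 else "not worth it"
        print(f"{c.name:32} net ${net_benefit(s, c):>10,.0f}  {verdict}")


if __name__ == "__main__":
    main()
```

Every term is cardinal, so the multiplication and the subtraction in net_benefit are meaningful: the WAF in this register costs more per year than the defacement risk it halves, which is exactly the comparison an ordinal H/M/L score cannot support.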
16. @NTXISSA
Determine: Invalid Equations (2)
• Ordinal Numbers
• Order but not scale or quantity
• Ex: 1st place, 2nd place, H, M, L
• Conclusion: Mathematical operations are invalid
• Cardinal Numbers
• Order and Scale (size)
• Ex: $3M, 4 times/yr, 1200 employees, 25 breaches
• Mathematical operations are valid
17. @NTXISSA
Determine: Invalid Equations (3)
• Invalid Approaches
1) Mathematical operations with ordinal numbers
2) “Kitchen sink” approach
Example 1 (four ordinal factors, each rated 1-4, summed into a 4-16 score):
System exposure (1-4) + System content (1-4) + System criticality (1-4) + Compromise impact (1-4) = Combined risk score (4-16)
Example 2 (six ordinal factors, each rated 1-5, summed into a 6-30 score):
Design flaw (1-5) + Bad practice (1-5) + No mitigating controls (1-5) + Sensitive data (1-5) + Risk of accidental exploit (1-5) + Risk of intentional exploit (1-5) = Risk level (6-30)
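The two scoring tables above add ordinal ratings. The following is an added example, not code from the talk, that makes the slide's objection concrete. An ordinal scale promises order only, so any order-preserving numeric encoding of L < M < H is equally legitimate; a sound combination rule must rank findings the same way under every such encoding, and sums and products do not. The second part reproduces the first table's additive score on constructed systems to show that it cannot tell an exposed-but-worthless system from an unreachable one holding sensitive data. The findings, encodings, and scores are constructed for illustration.

```python
"""Why arithmetic on ordinal scores is invalid, and what the kitchen sink hides.

Added example, not from the talk. An ordinal scale (L < M < H) promises order
only, so any order-preserving numeric encoding is equally legitimate. A sound
method must give the same ranking whichever encoding you pick; sums and
products of ordinal scores do not. The items and scores are constructed.
"""
import math

# Three equally legitimate encodings of the same ordinal scale L < M < H.
ENCODINGS = {
    "linear":    {"L": 1, "M": 2, "H": 3},
    "stretched": {"L": 1, "M": 2, "H": 10},
    "squeezed":  {"L": 1, "M": 5, "H": 6},
}

# Constructed findings, each rated on three ordinal factors.
ITEMS = {
    "A: one severe factor":      ("H", "L", "L"),
    "B: three moderate factors": ("M", "M", "M"),
}


def product(values):
    """Multiply scores together, as the slide's Risk = A * T * V would."""
    return math.prod(values)


def ranking(items, encoding, combine):
    """Item names ordered by descending combined score under one encoding."""
    scored = {name: combine(encoding[x] for x in labels) for name, labels in items.items()}
    return sorted(scored, key=lambda n: scored[n], reverse=True)


def encoding_invariant(items, combine):
    """True only if the ranking is identical under every encoding."""
    rankings = [ranking(items, enc, combine) for enc in ENCODINGS.values()]
    return all(r == rankings[0] for r in rankings)


def kitchen_sink(exposure, content, criticality, impact):
    """The slide's first table: four 1-4 ordinal factors summed to a 4-16 score."""
    for v in (exposure, content, criticality, impact):
        if not 1 <= v <= 4:
            raise ValueError("each factor is rated 1-4")
    return exposure + content + criticality + impact


def main():
    # Product and sum flip the order of A and B depending on the encoding;
    # "worst factor wins" (max) only compares labels and so never flips.
    for name, combine in [("product", product), ("sum", sum), ("max", max)]:
        for enc_name, enc in ENCODINGS.items():
            print(f"{name:8} {enc_name:10} {ranking(ITEMS, enc, combine)}")
        print(f"{name:8} invariant across encodings: {encoding_invariant(ITEMS, combine)}")
    # A public brochure site (fully exposed, nothing on it) scores the same as
    # an unreachable system holding the crown jewels: addition hides it.
    print(kitchen_sink(4, 1, 1, 1), kitchen_sink(1, 4, 1, 1))


if __name__ == "__main__":
    main()
```

The check in encoding_invariant is the practical test to run on any spreadsheet scoring scheme: relabel H/M/L with a different monotone set of numbers and see whether the priority list changes. If it does, the arithmetic was never measuring anything.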
18. @NTXISSA
Address: Managing Risk Effectively
• Security is a business problem
• MBA not CISSP
• Risk Solutions
• Business drives
• Control interactions
• It's complicated
19. @NTXISSA
Address: The business of reducing risk
Managing Risk is a Business Problem, not a Security Problem
• Understanding of the business mission
• Business management experience
• Proper role in organization
Implementing controls
• Not a technology only approach
• Requires management
20. @NTXISSA
Address: Risk Solutions
Reaction is NOT a Strategy
– Plan based on business drivers, then select controls
  • Governance
  • Operations
  • Productivity
  • Security
  • Flexibility
Integration of Technology is a Project
– Not an IT task
– Not an appointment
Technology is no substitute for understanding your business
21. @NTXISSA
Address: Control Interaction
(diagram: a matrix of Administrative, Technical and Physical controls across Prevent, Detect and Correct, showing how the controls around a Data Center interact)
Controls shown: Access Controls, Access control log, Video Recording, Intrusion Detection System, Intrusion Prevention System, SoD (separation of duties), LP, Policy, Training, Log Review, Response Team, Incident Response Plan, BCP
Questions the interactions raise:
• Who has physical access?
• Who has logical access?
• Who oversees?
• What policy to enforce?
• What training is needed?
• How is it protected?
• How to spot an attack?
• Who will respond? What will respond? How will they respond?
22. @NTXISSA
Monitor: Diligently Monitor Risk
• Responsibility & Ownership
• Are these separate?
• Capital “C” CISOs
• Seat at the table?
• Lasting Changes:
• Process, not heroes
23. @NTXISSA
Monitor: Responsibility & Ownership
• Somebody “owns” Risk
• Not IT or Security Operations
• LoB owner, Product manager, CFO
• Somebody “owns” security risk management
• Security's role is to assist the risk owner
• Not IT or SecOps (part of security risk)
24. @NTXISSA
Monitor: “Senior-most Security Position”
• Real CISO
• Management: “C level” means fiduciary responsibility, P&L responsibility, business mindset.
• Test: To whom does the SSP report?
25. @NTXISSA
Monitor: Implementing Lasting Changes
Failed Approaches:
• Patch & Proceed / Test & Respond
1. Incomplete knowledge = incomplete implementation
2. Dynamic environments require process
• Hire & Forget
1. Improvement comes through process
2. Heroes don't work 24x7 and don't stay forever
26. @NTXISSA
Monitor: Lasting Changes
• Reward Improvements Not Saves
• Document process, train to process
• Implement Information Security
Management System (ISMS)
• Policy-defined
• Process-driven
• Independently verified
27. @NTXISSA
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you
Editor's Notes
ISC2 has made some major changes in the CISSP exam in the last few years. These changes include computer-based testing and “drag and drop” questions.
The quality of the risk conclusions is based a lot on the quality of the data going into the model. Each of these 3 axis represent an important quality aspect of data:
Independence of the assessors: We don’t want the architects and operators judging themselves on the quality of the operational security.
Experience of the assessors. Although risk assessment and analysis can be taught, it is the experience of the assessor that provides the quality of the observation and analysis
Multiple data points. This is the RIIOT discussion (best illustrated on the next slide)
This is a conceptual risk equation that shows the important elements of risk. Any risk assessment will address all of these elements. Conversely, any “risk assessment” that does not address these elements is not a risk assessment.
[Discuss how vulnerability scans, penetration tests, etc. are not risk assessments, but customers and consultants have been known to pass them off as such.]