21st Century Security: Convergence, Collaboration and Competition??


Page 1

21st Century Security: Convergence, Collaboration and Competition??

April 5, 2005

Bill.Boni @ Motorola.com

Vice President and Chief Information Security Officer

IT Governance Page 2

Agenda

• The “Warring Tribes” of Security
• Convergence
• Collaboration
• Competition
• Conclusions

IT Governance Page 3

Warring Tribes?

• Badges
• Bytes
• Beans

IT Governance Page 4

Badges – Corporate Security /Physical Security

• Typically drawn from law enforcement or military
• Reports to Administration, Facilities, Human Resources
• Frames the issue as protection of people, facilities, operations
• Values authority and command
• Contributes prevention skillsets

IT Governance Page 5

Bytes – IT or Information Security

• Typically drawn from technologist ranks
• Reports to CIO or IT Operations
• Frames the issue as availability, integrity, confidentiality of information and systems
• Values creativity and technology innovation
• Contribution is continuity and availability of IT capacity

IT Governance Page 6

Beans – The Financial Wizards

• Typically drawn from financial community
• Reports to Chief Financial Officer or
• Frames the issue as “Risk Management”
• Values financial efficiency and loss avoidance
• Contribution is quantitative rigor

IT Governance Page 7

Convergence?

• What challenges are generally the same?

1. Extended enterprise risks

2. Diverse operational risks

3. Increased legal and regulatory scrutiny

4. Complexity

5. Common approach

6. Common philosophy

7. Mobility and choices

IT Governance Page 8

1. Extended Enterprises: Dissolution of Perimeter Security

[Diagram: the “Organization (Risk) Community” reaches well beyond the enterprise itself to joint ventures, parts and services suppliers, contract manufacture, contract design, transportation, customers and un-trusted intranets.]

IT Governance Page 9

2. Diverse Operational Risks

[Diagram: a hostile Internet, an un-trusted intranet, individual systems and the data center. Every system must be secured; the inside is almost as risky as the outside.]

Foundational Issues

• Ubiquitous connectivity
• Microcomputers everywhere
• Mobile workforce
• Many assets not protected
• “Contingent workers” – contractors and consultants
• Links to partners / suppliers

IT Governance Page 10

3. Legal and Regulatory Issues

Pressure is mounting on organizations to prove compliance with an increasing array of laws and regulations. All elements of security become ever more challenging.

Laws/Regulations                       | Technologies   | Stakeholders
---------------------------------------|----------------|---------------------
Sarbanes-Oxley                         | Web / Internet | Customers
GLB/HIPAA/Patriot                      | Databases      | Competitors
EU Data Protection                     | Collaboration  | Governments
U.S. Info Security Responsibility Act  | Wireless       | Suppliers / Partners
                                       | Mobile Devices | Employees

IT Governance Page 11

4. Complexity of Protection Systems

• Many bits & pieces
• Too few qualified security personnel (~0.005% of employees)
• Lack of standards
• Integrated safeguards – smart cards, digital forensics

[Diagram: the sprawl of point products a protection system has to integrate, arranged by layer (network, host-based, application-based) and by function (authentication, cryptography, anti-virus, intrusion detection, auditing, security management). Individual boxes include: PKI manager, certificate authority interface, digital signature interface, token card manager, single sign-on tools, OS security management tools, centralized security policy manager and security policy distributor, other security entity manager, security event logging and security event report writer(s), security traffic event analyzer, application logging facility, cyberwall/firewall rule base, connection manager and logging, application proxy implementations, stateful / packet / frame / application inspection, real-time frame management, security filter engine, intrusion detection, intrusion prevention, intrusion logging, virus interception & correction, VPN (IPSec) session or tunnel manager and VPN connection manager, encryption facilities for network connections, network access control interception and enforcement facility, security integrity manager.]

IT Governance Page 12

5. A Common Approach to Strategy?

• PROTECT – Key assets and capabilities

• DETECT – Attacks and malicious actions

• RESPOND – Rapid notification and reaction

• RECOVER – Disaster / business continuity planning

IT Governance Page 13

6. Common Philosophy: Security Must Be Rational

[Chart: cost ($) plotted against security level from 0% to 100%. The cost of security countermeasures rises with the security level while the cost of security breaches falls; their sum, the total cost, has a minimum, and that minimum marks the optimal level of security at minimum cost.]
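The chart on this slide gives only the shape of the two curves. The following is an added worked example, not part of the original presentation, that puts constructed numbers behind them: an assumed convex countermeasure cost, an assumed residual annualised loss expectancy (ALE = SLE x ARO) that shrinks as the security level rises, a grid search for the level that minimises their sum, and a return-on-security-investment (ROSI) check for a single proposed control. All cost models, dollar figures and function names are assumptions chosen for illustration.

```python
"""Cost-curve model behind "security must be rational" (added illustration).

Assumed cost models (constructed for this example, not from the slide):
  * countermeasure cost grows without bound as the security level -> 100%
  * breach cost is an annualised loss expectancy (ALE = SLE x ARO) that
    shrinks quadratically as the security level rises
"""
from typing import Callable, Tuple

CostFn = Callable[[float], float]


def countermeasure_cost(level: float, base: float = 100_000.0) -> float:
    """Assumed convex model: base * level / (1 - level), for 0 <= level < 1.

    Cheap controls buy the first percentage points; the last ones cost a
    fortune, which is why the curve diverges as level approaches 100%.
    """
    if not 0.0 <= level < 1.0:
        raise ValueError("security level must be in [0, 1)")
    return base * level / (1.0 - level)


def breach_cost(level: float, sle: float = 400_000.0, aro: float = 2.0) -> float:
    """Assumed residual ALE model: SLE * ARO * (1 - level)^2.

    sle: single loss expectancy per incident (constructed figure)
    aro: annualised rate of occurrence at level 0 (constructed figure)
    """
    if not 0.0 <= level <= 1.0:
        raise ValueError("security level must be in [0, 1]")
    return sle * aro * (1.0 - level) ** 2


def total_cost(level: float, cm: CostFn = countermeasure_cost,
               br: CostFn = breach_cost) -> float:
    """Total cost curve from the slide: countermeasures plus breaches."""
    return cm(level) + br(level)


def optimal_security_level(cm: CostFn = countermeasure_cost,
                           br: CostFn = breach_cost,
                           steps: int = 100) -> Tuple[float, float]:
    """Grid-search the security level that minimises cm(level) + br(level).

    Scans level = 0, 1/steps, ..., (steps-1)/steps. 100% is excluded because
    the assumed countermeasure curve diverges there. Returns (level, total).
    """
    best_level, best_total = 0.0, float("inf")
    for i in range(steps):
        level = i / steps
        cost = cm(level) + br(level)
        if cost < best_total:
            best_level, best_total = level, cost
    return best_level, best_total


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment for one proposed control.

    ROSI = (ALE reduction - control cost) / control cost; negative means the
    control costs more than the loss it avoids.
    """
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - control_cost) / control_cost


if __name__ == "__main__":
    level, cost = optimal_security_level()
    print(f"optimum ~{level:.0%} security level, total annual cost ${cost:,.0f}")
    for probe in (0.0, 0.3, level, 0.9, 0.99):
        print(f"  level {probe:>4.0%}: controls ${countermeasure_cost(probe):>12,.0f}"
              f"  breaches ${breach_cost(probe):>12,.0f}"
              f"  total ${total_cost(probe):>12,.0f}")
    # Is stepping up from a 30% posture to the optimum worth the extra spend?
    extra = countermeasure_cost(level) - countermeasure_cost(0.3)
    print(f"ROSI of 30% -> {level:.0%}: "
          f"{rosi(breach_cost(0.3), breach_cost(level), extra):.2f}")
```

Under these assumed curves the minimum of the total cost sits at roughly a 60% security level, with both 0% (all breach cost) and 99% (almost all countermeasure cost) far more expensive; the practitioner's point is that the optimum is an interior point, not "as much security as possible". Swap in your own cost functions for the two defaults to reproduce the exercise with real figures.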

IT Governance Page 14

7a. IP Networking - Mobility

[Diagram: communication domains (home, enterprise, hot spot, automobiles, public safety) with nomadic terminals (InFiNet, IP phone, web phone) reaching broadband IP networks over wireless, cable and DSL access technologies. The core holds routers, a PSTN gateway, the Internet, an IP-based PBX, SoftSwitch, IMS, a PoC server, middleware, network management and the subscriber database, with content providers and application developers layered on top.]

IT Governance Page 15

7b. Securing Mobile Users

As the person responsible for the organization you only have “control” within this space, but mobile users move throughout the entire set of possibilities.

IT Governance Page 16

Competition

• Overall leadership
• Staffing
• Budget
• Access to leadership

IT Governance Page 17

State of the Security Profession?

• Corporate – Physical security – CSO
• IT – Information Security – CISO
• The Security Alliance Initiative
  – ASIS
  – ISSA
  – ISACA
• CRO
• ERM: Revenge of the “bean counters”?

IT Governance Page 18

Enterprise Risk Management

• Top down – comprehensive risk management
  – Insurance
  – Financial
  – Strategic
  – Operational
• Operational risks: security professionals
• Financial expertise benefits from metrics/data

IT Governance Page 19

Risk Management

The board should manage enterprise risk by:

• Ascertaining that there is transparency about the significant risks to the organization
• Being aware that the final responsibility for risk management rests with the board
• Considering that a proactive risk management approach creates competitive advantage
• Insisting that risk management is embedded in the operation of the enterprise
• Obtaining assurance that management has put processes and technology in place for (information) security

Source: IT Governance Institute

IT Governance Page 20

3 Generic Approaches to Organization Security

• Silos of independence – Little or no communication and coordination

• Councils of collaboration– Periodic, ad hoc, often incident focused

• Unified organization– Formal, structured, aligned

IT Governance Page 21

Protection Program Focus Areas

• Security Governance– Organization operations and partners

• Network Defense– Security strategy and architecture

• Protection Management– Projects and continuity program

IT Governance Page 22

Security Roles

Physical Security: Protect people, property and tangible assets from loss, destruction, theft, alteration, or unauthorized access

Information Protection: Secure digital assets

Financial: Enterprise risks

Activities shown across the three roles: inspection procedures; investigations; information security; disaster/business continuity; security technology; incident response; risk assessments; independent controls assessment; internal / external regulatory compliance; risk management

IT Governance Page 23

Changes Ahead for Security Professionals

• Cybercrime failures will result in major liability judgments

• Public / Private Sector formally share infrastructure protection roles

– Certification / licensing for (all?) security professionals

• CSOs assume responsibility for operational risks

• Security is subsumed into ERM and Finance/CROs predominate

IT Governance Page 24

A Security Professional for All Seasons….

• Grounded in multiple protection disciplines
• Capable project/program manager
• Life-long passion to learn
• Business acumen
• Diplomatic and adaptable
• Adept at framing issues as risk management
• Professional training / certifications

IT Governance Page 25

A Security Mantra

• Vision without Action is Imagination

• Action without Vision creates Chaos

Vision with Right Action is Transformation

See the Future and Plan Backwards
