9/6/18 CONFIDENTIAL 1

Building Resiliency into Your Security

Program

CharlotteISSASummitMay10,2018

9/6/18 CONFIDENTIAL 2

Introduction

Gary SheehanAsCSOofASMGi,Garyhasresponsibilityforallsecuritymattersoftheorganizationandisresponsibleformanagingthedesign,deliveryandimplementationofGRCcustomersolutions.

linkedin.com/in/garyjsheehan/

Abstract

Areyousatisfiedwithyoursecurityprogramanditseffectiveness,orisittimetotakeanewapproachtoprotectingyourorganizationandyourorganization’sassets?

9/6/18 CONFIDENTIAL 3

Agenda, Overview and Objectives}UnderstandingResiliency}UsingResiliencyConceptsforSecurityandSecurityConceptsforResiliency} People} Process} Technology

}WrapUp

9/6/18 CONFIDENTIAL 4

Governance,RiskandCompliancearecriticalcomponentstoEnterpriseResiliency.

Understanding Enterprise Resiliency

Enterprise ResiliencyResiliencyistheabilityofanorganizationtoanticipate,preparefor,andrespondandadapttoincrementalorchronicchangeandsuddendisruptions,aswellasminoreverydayeventsandacuteshocksinordertosurviveandprosper.

} Resiliencyisastrategicobjectiveintendedtohelpanorganizationtosurviveandprosper.

} Resiliencyisagoal,notafixedactivityorstate.} Resiliencyisarelative,dynamicconceptand,assuch,anorganizationcanonlybemoreorlessresilient.

} Resiliencyisnotjustdisasterrecoveryandbusinesscontingencyplanning.

9/6/18 CONFIDENTIAL 5

Understanding Enterprise Resiliency

Enterprise | Organization | Company | Business}Notnecessarilyinterchangeable,butareoftenusedtomeanthesamething.

}Canrepresentahierarchywithinacompany.}Beawareofthesubtledifferenceinmeaningsbetweenorganizations.

9/6/18 CONFIDENTIAL 6

Understanding Enterprise Resiliency

EnterpriseResiliencyistheabilityanorganizationhastoquicklyadapttodisruptionswhilemaintainingcontinuousbusinessoperationsandsafeguardingpeople,assetsandoverallbrandequity.

Governance,RiskandCompliancearecriticalcomponentstoEnterpriseResiliency.

9/6/18 CONFIDENTIAL 7

Understanding Enterprise Resiliency

Security Program ResiliencyYouknowyourSecurityProgramisresilientwhen:

} Itcananticipate,preparefor,andrespondandadapttoincrementalorchronicchangeandsuddendisruptionsintheorganization

} Itcananticipate,preparefor,andrespondandadapttoincrementalorchronicchangesinyourorganization’sbusiness,securityandcompliancerequirements.

} Itcananticipate,preparefor,andrespondandadapttoincrementalorchronicchangesinthethreats,threatagentsandthreattrendsthataffectyourorganization.

9/6/18 CONFIDENTIAL 8

Understanding Enterprise Resiliency

Benefits / Challenges

9/6/18 CONFIDENTIAL 9

Each organization comes to its own decisions on

these issues according to the amount and type of

risk it is willing to pursue or retain, and the amount

it is willing to invest in resilience.

Understanding Enterprise Resiliency

Benefits of Resiliency}Competitiveness: Thebehaviorsthatanorganizationdevelopsaspartofaresilientculturecanalsohelptobuildinnovationandcommonvaluesandvision,anddevelopanabilitytoanticipateandadapttochangeandevolvethebusinessmodel.

}Coherence: Resiliencebothrequiresandallowsorganizationalsilostobecomemoreintegratedandinteroperable.

}EfficiencyandEffectiveness:Workingwithinacoherentandintegratedframeworkhastime- andcost-savingimplications.

9/6/18 CONFIDENTIAL 10

Understanding Enterprise Resiliency

Benefits of Resiliency (continued)}Reputation: Thecoherentframeworkbuiltbyresiliencesupportstheorganizationinunderstandingandactingontheinterdependencyofbrand,trustandreputation,therebymanagingandenhancingitsreputation.

}Societal/communityResilience: Resiliencycanalsogiveassurancetootherinterestedparties,suchasregulators,thirdparties,government,customers,partnersandshareholders.

9/6/18 CONFIDENTIAL 11

Understanding Enterprise Resiliency

Challenges}Understandingwhentotakeaction.}Resolvingpotentialtensionsbetweencostandresilienceinbuildingjust-in-timeprocessesandjust-in-caseredundancy.

}Determininganappropriatetrade-offbetweencontrollingcostsandachievinggreaterresilience.

} Identifyingwhentoembracenewvaluesratherthanpersistingwithexistingbehaviors.

9/6/18 CONFIDENTIAL 12

Understanding Enterprise Resiliency

Challenges (continued)}Resolvingconflictsbetweentheneedtokeepinformationfromcompetitorsandtheneedtoshareinformationforresiliencewhencollaboratingwithothers.

} Identifyinglegalandregulatoryconstraints,aswellasvoluntarycodesadoptedbydifferentsectors,thatcanlimitdesirableresilienceactions.

9/6/18 CONFIDENTIAL 13

Each organization comes to its own decisions on these issues according to the amount and type of risk it is willing to pursue

or retain, and the amount it is willing to invest in resilience.

RESILIENCYThe New Model For Security

Resiliency – The New Model For Security

BASEDONFRAMEWORKSAframeworkisanextensiblestructurefordocumentingandimplementingasetofconcepts,processes,methods,technologies,proceduresandculturalchangesnecessaryforacompleteproduct.

Byaligningtheframeworkobjectivestoenterprisestrategies,theframeworkhelpstokeepthefocusonachievingthegoalsoftheenterprise.

9/6/18 CONFIDENTIAL 15

Provides:Consistency

StandardizationMeasurement

Efficiencies

Resiliency – The New Model For Security

9/6/18 CONFIDENTIAL 16

PROCESS FUNCTION/TECHNOLOGY

PEOPLE

Resiliency – The New Model For Security

9/6/18 CONFIDENTIAL 17

BS65000 ISONIST

Team/Leadership

PROCESS FUNCTION/TECHNOLOGY

PEOPLE

Resiliency – The New Model For Security

Thismodelwillprovide:}Clarity}Commitment}Alignment}Collaboration}Standardization}Measurement

9/6/18 CONFIDENTIAL 18

Thismodelrequires:}CulturalChange}Commitment}Accountability}Leadership}Participation}Support

9/6/18 CONFIDENTIAL 19

Resiliency – The New Model For Security

EnterpriseResiliency GRC

WORKFLOWS

9/6/18 CONFIDENTIAL 20

Understanding Enterprise Resiliency

EnterpriseStrategy

EnterpriseMissionandVision

BusinessGoalsandObjectives

BusinessToolsandCriticalProcesses

Department’sGoalsandObjectives

Department’sToolsandCriticalProcesses

YourToolsandCriticalAssets

You

Are You Informed,

Alignedand

Engaged?

Resiliency – The New Model For Security

9/6/18 CONFIDENTIAL 21

BS65000 ISONIST

Team/Leadership

PROCESS TECHNOLOGY

PEOPLE

BS 65000:2014

BS65000:2014givesguidanceonbuildingenterpriseresilienceby:

}Clarifyingthenatureandscope.} Identifyingtheprincipalcomponentsofresilience.

} Identifyingandrecommendinggoodpractice.

9/6/18 CONFIDENTIAL 22

9/6/18 CONFIDENTIAL 23

BS 65000:2014Resiliencerequirestheabilitytomakegooddecisionsinformedbyanunderstandingofwhattheorganizationstandsforandwhereitistryingtogo,theorganization’senvironment,whatmatterstotheorganizationandwhatresourcesithasatitsdisposal.TheBritishStandards

Institute- 2014

Actions necessary to make the

organization more resilient.

BS 65000:2014

Building a Foundation for ResiliencyThefundamentalattributesdefinetheattitudesthatshapedecisionsandactions,andultimatelyunderpinresiliencyare:

} GovernanceandAccountability} Thesystemsofrules,structuresandprocessesthatdrivecoherentdecisionmakingwithinacceptableparametersofcost,riskandspeedcontributetoresilience.

} LeadershipandCulture} Staffshouldbeappropriatelyempoweredbyacultureoftrust,opennessandinnovation.

} CommonVisionandPurpose} Shouldberecognizedandsharedthroughouttheorganization.

9/6/18 CONFIDENTIAL 24

BS 65000:2014

Building ResiliencyResiliencyrequirestheabilitytomakegooddecisionsinformedbyanunderstandingofwhattheenterprisestandsforandwhereitistryingtogo,thebusinessenvironment,whatmatterstotheenterpriseandwhatresourcesithasatitsdisposal.}Actionsinclude:

} Beinformed} Setdirection} Bringcoherence} Developadaptivecapacity} Strengthentheorganization} Validateandreview

9/6/18 CONFIDENTIAL 25

Resiliency – The New Model For Security

9/6/18 CONFIDENTIAL 26

BS65000 ISONIST

Team/Leadership

PROCESS TECHNOLOGY

PEOPLE

Security Frameworks - ISO 27x

}Thestandard"establishedguidelinesandgeneralprinciplesforinitiating,implementing,maintaining,andimprovinginformationsecuritymanagementwithinanorganization“.

}Theactualcontrolslistedinthestandardareintendedtoaddressthespecificrequirementsidentifiedviaaformalriskassessment.

}Thestandardisalsointendedtoprovideaguideforthedevelopmentoforganizationalsecuritystandardsandeffectivesecuritymanagementpracticesandtohelpbuildconfidenceininter-organizationalactivities.

9/6/18 CONFIDENTIAL 27

Security Frameworks - NIST

International Harmonization and Context}TheFramework,createdthroughcollaborationbetweenindustryandgovernment,consistsofstandards,guidelines,andpracticestopromotetheprotectionofcriticalinfrastructure.

}Theprioritized,flexible,repeatable,andcost-effectiveapproachoftheFrameworkhelpsownersandoperatorsofcriticalinfrastructuretomanagecybersecurity-relatedrisk.

9/6/18 CONFIDENTIAL 28

Security Frameworks- NIST

InFebruary2013,PresidentObamaissuedExecutiveOrder(EO)13636,ImprovingCriticalInfrastructureCybersecurity,inFebruary2013.ItdirectedNISTtoworkwithstakeholderstodevelopavoluntaryframework– basedonexistingstandards,guidelines,andpractices- forreducingcybersecurityrisks.

9/6/18 CONFIDENTIAL 29

“Thecyberthreattocriticalinfrastructurecontinuestogrowandrepresentsoneofthemostseriousnationalsecuritychallengeswemustconfront.ThenationalandeconomicsecurityoftheUnitedStatesdependsonthereliablefunctioningoftheNation'scriticalinfrastructureinthefaceofsuchthreats”~SectionIoftheExecutiveorder~

Resiliency – The New Model For Security

9/6/18 CONFIDENTIAL 30

BS65000 ISONIST

Team/Leadership

PROCESS TECHNOLOGY

PEOPLE

7.0 - Building a Team for Resiliency

7.0 - Building a Team for Resiliency

}ACHIEVINGTRUST

• Trustisknowingthatwhenateammemberdoespushyou,they’redoingitbecausetheycareabouttheteam

• Goodintentions- noreasontobeprotectiveorcarefularoundthegroup

• Takerisksinofferingfeedbackandassistance• Appreciateandtapintooneanother’sskillsandexperiences• Focustimeandenergyonimportantissues,notpolitics

7.0 - Building a Team for Resiliency

}MASTERINGCONFLICT

• Thedesiretopreserveartificialharmonystiflestheoccurrenceofproductiveideologicalconflict

• Greatteamsdonotholdbackwithoneanother.Theyareunafraidtoairtheirdirtylaundry.Theyadmittheirmistakes,theirweaknesses,andtheirconcernswithoutfearofreprisal

• Havelively,interestingmeetings• Extractandexploittheideasofallteammembers• Solverealproblemsquickly

7.0 - Building a Team for Resiliency

}ACHIEVINGCOMMITMENT

• Thelackofclarityorbuy-inpreventsteammembersfrommakingdecisionstheywillstickto

• Organizationsneedtrustandconflictsopeoplecanfullycommit• Mostreasonablepeoplejustneedtobeheardandtoknowthattheirinput

wasconsideredandrespondedto• Createsclarityarounddirectionandpriorities• Alignstheentireteamaroundcommonobjectives• Developsanabilitytolearnfrommistakes• Leadersmustcommunicatetheresultstotheirteams

7.0 - Building a Team for Resiliency

}ACCOUNTABILITY

• Everyteammemberisresponsibleforholdingtheteamaccountable• AppliestoALLLEVELSoftheorganization• AccountabilitytoTrust,ConflictandCommit• Helpspoorperformersimprove• Identifiespotentialproblemsquickly• Establishesrespectamongteammembers• Avoidsexcessivebureaucracy

7.0 - Building a Team for Resiliency

}RESULTS

• Thepursuitcollectivesuccessmustbe#1• Clarity- Makeresultssoclearthatnoonewouldevenconsiderdoingsomethingpurelytoenhancehisorherindividualstatusorego

• Retainsachievement-orientedemployees• Minimizesindividualisticbehavior• Enjoyssuccessandsuffersfailureasateam

Wrap Up

9/6/18 CONFIDENTIAL 38

Resiliency/Securitymustbeembeddedthroughouttheorganization,cuttingacrosssilos,organizationalstructuresandhierarchies,withoperationalactivitiesalignedtostrategicpriorities.

9/6/18 CONFIDENTIAL 39

Buildingaresilientworkgroup,department,businessunit,organization,companyororganizationishardwork- forEVERYONE.

Resilience/Securityisinherentlyrelative,andnoorganization,person,networkorsystemcanbeabsolutelyresilientorsecure,astheyexperienceconstantchangeandoperateundervaryingdegreesofuncertaintyandrisk.

9/6/18 CONFIDENTIAL 40

9/6/18 CONFIDENTIAL 41

}Everyoneinanorganizationplaysaroleinresiliency/security.

}Youmustunderstandyourbusinessandtheroleyouplayinhelpingyourorganizationachieveresiliency/security.

}Allemployeesmustbeactiveparticipantsintheresiliencyplan/securityplan.

}Don’tbethemissingpiece!

9/6/18 CONFIDENTIAL 42

Questions?GarySheehangsheehan@asmgi.com