SESSION 407, Thursday, November 3, 10:00 AM - 11:00 AM
Track: Security, Risk and Vulnerability
Cyber-InfoSec: Accelerating Next-Gen Threat Management
Gail Talbott, Sr. Cyber Security Director, Lockheed Martin, gail.m.talbott@lmco.com

Session Description
This session provides detailed threat management platform (TMP) transformation project activities to help cyber information security (CIS) organizations design and implement appropriate cyber capabilities. Learn about a tailored and proven industry best practice to help you move high-performance CIS management and teams from strategic innovation assessment through the design and implementation phase. You'll walk away with an approach that's successfully used with commercial cyber services and CIS organizations. (Experience Level: Advanced)

Speaker Background
Gail Talbott is a senior IT and Cyber/InfoSec expert with over 25 years' experience and recognition as a leader in organizational transformation and change with Lockheed Martin. Gail has exceptional SW engineering, technical and operations program management, and process assessment (ITSM and ISO 27001) skills, including organizational change management and strategic planning skills related to people, process and technology, and organizational development. Gail is a proficient strategic thinker able to lead functional and process integration for transformation, problem resolution and continuous improvement. In addition, Gail is a senior Lean Six Sigma Black Belt and is certified as an ITSM Expert and in ISO 27001 standards implementation.
Cyber Information Security: Accelerating Next Generation Threat Management Platform Transformation and Change
Gail M. Talbott

Agenda
• It's Scary Out There: Commercialization of Targeted Attacks
• Privacy and Trust Concerns are Affecting Business
• Who Needs Threat Management
• Information Security Management Ecosystem
• Transformation and Change Process
• Standard and Method Integration
• Summary and Take Away
• Questions
Gail M. Talbott, President and CEO, HumaNex Inc.
[Career timeline graphic: 38 years, with milestones at 1990, 2000, 2004, 2013 and 2016; Board of Directors; Orlando Regional Board of Directors]
Contact Information: Gail M. Talbott, President, Humanex@icloud.com, 321-799-8308
It's Scary Out There: Commercialization of Targeted Attacks
Privacy Concerns Affect Business

Rise in Information Security Breaches
According to the Cisco 2016 Annual Security Report, "the relentless rise in information security breaches underscores the deep need for enterprises to trust that their systems, data, business partners, customers and citizens are safe."

Trust but Verify
"In God we trust. All others we virus scan."
- Anonymous Corporate Information Security Officer (CISO)
[Collage of recent headlines]
• "Flaws in wireless keyboards let hackers snoop on everything you type" - Anna E. Kobylinska, August 3, 2016
• "Ransomware attacks strike hard: 54% of businesses in the UK hit" - Marika Samarati, 8th August 2016
• "Cici's Pizza suffers payment card data breach" - Lewis Morgan, July 25, 2016
• "15 million T-Mobile records hacked, says Experian" - Melanie Watson, October 2, 2015
• "Cybersecurity is the 'biggest risk' facing Wall Street, says SEC" - Melanie Watson, June 13, 2016
• "New infographic exposes top US privacy concerns" - Melanie Watson, August 10, 2016
• "NIST Seeks Industry, Govt Input on Cyber Trends, Challenges" - posted by Jane Edwards, August 11, 2016
• "US Wrestles With How to Fight Back Against Cyberattacks" - New York Times (Politics), by David E. Sanger, July 30, 2016
• "290,000 driver's license records stolen from US government computers" - Melanie Watson, June 10, 2016
• "Report: Yahoo confirms massive data breach - 500M" - Kim Hjelmgaard and Elizabeth Weise, USA TODAY, 9-22-16
Commercialized Cyber Crime: Go Phish
• Zero-day vulnerabilities open the door to more targeted attacks
• Spear-phishing targeted campaigns are increasing
• Ransomware victims have to pay for unlocks
• Consumer scams
• Professionalization of cyber crime
Source: Symantec Internet Security Threat Report (via BrightTALK), Kevin Haley, Director, Symantec Security Response, May 3, 2016
Top Three US Privacy Concerns Affect Virtual Business
1. 45% are more worried about their online privacy than one year ago
2. 92% of US Internet users worry about their privacy online
3. Health care providers are most trusted (74%) and advertisers are least trusted (25%)
• The trust factor is what is desired: people do not want their health care data compromised, hence they believe that health care providers are protecting their information
• 2016: 164 health care breaches compromised 46 million people (US Dept. of HHS)
• Mistrust in advertising affects willingness to shop online
Source: TRUSTe and National Cyber Security Alliance, Aug 10, 2016. Data from surveys conducted by Ipsos on behalf of TRUSTe/NCSA, December 17-22, 2015 (www.truste.com | www.staysafeonline.org).
Top US Privacy Concerns Result in Behavior Changes

Sensitive Data Compromises
• Anthem: 80 million patient and employee records were compromised
• JPMorgan: sensitive financial and personal information of 76 million households and 7 million small businesses
• Home Depot: 56 million credit card accounts and 53 million email addresses exposed online
• Target: 40 million credit and debit card accounts, as well as data on 70 million customers, stolen
• Ashley Madison: 33 million user accounts exposed
• Office of Personnel Management: 265 million records stolen
• Yahoo: 500 million user accounts compromised
Source: TRUSTe and National Cyber Security Alliance, Aug 10, 2016
Who Needs Threat Management? Organizations must have a sufficient cyber/information security foundation
[Industry icons: Utilities; Oil & Gas; Chemical; Pharmaceuticals/Med; Financial Services; Health Care; Telecom; Government Agencies; Aerospace and Defense]
All Industries and Government Agencies Must Manage the Threats

Cyber Criminals do not Discriminate: Any Business will do
• According to Symantec, attacks targeting businesses with fewer than 250 employees have increased over the last 5 years
• The number of spear-phishing campaigns targeting employees increased 55% in 2015
• If there is money to be made, size doesn't matter
Information Security Management Ecosystem Model: People, Capabilities, Processes, Platforms and Technology to Integrate Data for Transformation Planning and Execution

Customer Management System (Goal: Focus Customer Relationship Management/Trust)
• Customer Centric: security and data protection expectations
• End User CRM/Awareness
• InfoSec Performance Transparency/Visibility via Communications

InfoSec Service Excellence System (Goal: Deliver High Quality, Cost-Effective Cyber/InfoSec Services and Value through the Service Lifecycle)
• Continual Service Improvement (CSI)
• Information Security Service Operating Excellence
• Quality Control Method Integration
• Transformation and Change Management
• Risk/Opportunity Management Integration
• Performance Metrics Management: SLAs/OLAs

Corporate Information Security Organization (Goal: Provide InfoSec Fulfillment)
• Optimized/Right-sized Staffing Plan aligned with customer demand
• Repeatable
• Relevant Expertise, Knowledge and Skills
• Clearly Defined Roles/Responsibilities for all functional interface and process execution

Threat Management Model (Goal: Provide Proactive End-to-End Threat Management and Detection Capabilities)
• Intel Capabilities: Malware Analysis, Forensics, Incident Response, Hunting
• Intel Collaboration and Analytics Platforms
• Data Platform and flow

Commercial Service Management Systems (Goal: Integrate InfoSec Industry Best Practice with IT Service Best Practices to Provide Continuity of Service Delivery supporting Customer Needs)
• Project Management Best Practices
• NIST/ISO 27001 Industry Standards
• ITSM/ITIL Service Management Lifecycle
• Operational & Administrative Support
• Situational Awareness
• Service Asset Management
• Maturity Assessment

Workforce Management System (Goal: Ensure Seamless Service Delivery)
• Organizational Change Mgmt to achieve large-scale transition without disruption to cyber/InfoSec service delivery
• Sub-contractor performance: Underpinning Contracts
• Common Security Capabilities and Processes across Subcontracts
• Culture of Continuous Improvement
• Workforce Planning and Career Path Development

Strategic Direction and Vision (Goal: Know the Ecosystem Needs, Plan the Future)
• Strategic Assessment/SWOT
• Technology Trends
• Social, Attitudinal and Economic Trends
• Market Description & Competitive Analysis
• Business Relationship Management
• Maturity and Risk Level

[Organization chart: CISO; Dir; IR/Intel Mgr; Support]
Transformation Addresses the Entire InfoSec Management Ecosystem
[Figure: Threat Management Maturity Continuum. The Corporate InfoSec (CIS) environment matures from Chaotic and Siloed/Decentralized, through Incident Response and Threat Management, to Business Agility and Proactive Threat Management, with Threat Management Capabilities Aligned and Cyber Security Enabled at the top end. Improving Threat Management Maturity Enables Optimization and Business Value.]
Transformation activities shown on the chart:
• Senior Management Assessment and Desired Transformation
• Assess Current State Process, Data, Tools Integration (PIA)
• Develop Strategic Direction/Risk Level
• Develop Transformation and Change Management Plan
• Kick off Program Management Plan
• Realign Org Structure/Roles/Responsibilities
• Transformation Begins: Business Value-Driven
• Identify Gaps Related to Current State Assessment
• Execute Design to Excellence Events (DTE)
• Complete Initial Threat Management Model
• Begin Prioritized Transformation and Business Integration
• Continue Prioritized Transformation
• Establish Business/CIS/Infrastructure Fusion
• Enable Proactive to Predictive Optimization
Transformation and Change Process: Art and Science of Transformation
Foundational in Continuous Improvement (CI)

Transformation and Change Process
• The art and science of managing a large-scale transformation within any organization is daunting but not impossible
• A transformation and change leader is critical to ensuring that transformation and change are managed for success, with minimal defects and resistance
• Leaders must be willing to accept the sixteenth-century wisdom of Niccolò Machiavelli, who in his political treatise The Prince warned: "There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things."
The Art and Science of Transformation
[Table: the ART and the SCIENCE of transformation, grouped by dimension]
• Organizational Culture: Change Management; Innovation Approach; Risk Tolerance; Market Orientation; Management Role Models
• Strategy: Defined Strategic Direction; Value Generating Innovations; Innovation Goals and Incentives
• Collaboration: Network; Internal and External Stakeholders; Knowledge Sharing; Expertise Gaps; Open Collaboration
• Systems: Repeatable Processes; Infrastructure; Measurements and Monitoring; Industry Best Practices; Continuous Improvement
Source: Schroeder, H. (2013). Strategic Innovation for Business Performance: The Art and Science of Transformation. Technology Innovation Management Review, 3(9), 6-12. http://timreview.ca/article/722
Manage the Transformation - Change the Behavior
• The people doing the work play a critical role in any successful transformation
• Changing the way people think about their future and the part they play in designing it guarantees buy-in
"It is not the strongest of the species who survive, nor even the most intelligent, but the ones most responsive to change."
- Charles Darwin
Every InfoSec Transformational Engagement
• Provides the opportunity to work with high-performing cyber security and information technology professionals
• Ensures continuous refinement and testing of methodologies and the approach to transformation and change of information security processes
• Ensures organizational leaders listen to their people to optimize their skills, develop their functional alignment and organize their cross-functional work
• Develops and implements streamlined and integrated processes to support the needs of the enterprise
• Helps leaders recognize that organizational governance (policy and guidance) is critical for continuity and compliance
[Figure: Cycle of Change. Stages: Strategic Direction / Risk Level; Process Innovation Activity; Design to Excellence / Future State Model; Program-Project Management Plan; Execution of Prioritized Projects; Initial Operating Capability (IOC); Final Operating Capability (FOC); Get to Excellence / Continuous Improvement. Transformation and Change Management, with Communication at every stage, runs through the whole cycle.]
Senior Leader Engagement
Meet with senior leaders to:
• Generate the transformational vision that describes their next-generation information security organization, including desired performance, maturity and risk levels
• Discuss the use of their influence to support the transformation and change, and seek their willingness to be involved in the transformation
• Obtain authorization for the initial maturity assessment
• Authorize and identify resources to handle the workload and the proposed changes

Determine Transformation Scope and Boundaries
• Collaborate with information security and IT operations stakeholders to establish a holistic information security process view
• Determine the transformation scope boundaries
• Define a specific program and project management approach
• Identify core team members who are empowered to ask the "hard" questions

Manage the People to Manage the Change
• Simple, efficient and structured are the most important attributes of any methodology used to understand and develop the desired future state
• Builds from the organizational leader's transformational vision and engages the people who perform the work to execute prioritized Process Innovation Activities (PIAs)

PIAs are Structured Engagements
• Executed in two days to bring subject matter and process experts together to:
  • Define process and platform customers and their values
  • Understand the current state
  • Provide a collective view of the issues, challenges and risks
  • Recommend the desired future state by identifying critical attributes and functionality to mitigate current state issues
  • Present summary outbriefs to allow leaders to understand outcomes and then provide the authority to proceed with the next steps
Systematic Methods for Innovation and Change: Process Innovation Activity (PIA), Design to Excellence (DTE), Get to Excellence (GTE)
[Figure: PIA/DTE/GTE flow, first part, framed by a Team Charter]
• Customers / Customer Value: Who "buys" the services; What value does the Customer derive
• Current State Attributes: Interactions; Functions; Issues
• Current State Execution: Phases; Capabilities; Functions
[Figure: PIA/DTE/GTE flow, second part]
• Future State Attributes: Current State Issue Mitigation; Build-out Capabilities; Innovation Models
• Future State Gaps: People/Skills; Tools; Partnerships; Actions
• Implementation Activities Planning: Planning; Steps to Achieve; Cost; Resources; Approval
• Get to Excellence Monitoring: Manage Change; Status
Establish the Program Office and Manage the Projects
Program and Project Management
• Ensures techniques are employed to ensure minimal resistance and smooth execution to obtain the desired future state
• Requires standard templates for schedules, status and integration across the Program, from conception and initiation through planning, execution, performance and closure
• Integrates people, process, technology and governance actions
• Ensures accountability is known and dependencies are clear
Program and Project Management Ensures Dependencies are Known and Tasks are Integrated
Transformation Timeline (Notional)
[Figure: notional month-by-month Gantt chart in four phases. Phase 1, Innovation: Execute PIA; PIA Outbrief; ATP; Other PIAs. Phase 2, DTE Planning/Execution/Strategic Decisions: Strategy Session; a series of DTE events; Senior Leaders Key Decision. Phase 3, Planning: Project Planning; Project Implementation Planning/Execution; ATP Implementation Approach; Sr. Leaders ATP Project Presentation. Phase 4, Implementation: Project Execution; Metrics; Training; Senior Leaders Project Status.]
Transformation Excellence Trifecta

Program/Project Management
• Leaders own Strategy, Garner Support
• Sets Strategic Direction
• Establishes Goals and Objectives
• Defines Plan and Schedule
• Manages Collaboration
• Performs Conflict Resolution
• Provides People and Resources
• Defines Performance Metrics
• Establishes PMO/Project Team Structure
• Defines Transformational State
• Manages Issue Escalation
• Manages Risk and Opportunity
• Manages Business Rhythms

Operating Excellence
• Supports and Enables Strategic Direction
• Builds and integrates Operational process and systems design plan
• Integrates Industry Standards
• Design/Implement Integrated Operations Model
• Identifies Functional Integration Required
• Prioritizes functional operations
• Validates Process Ownership/Stakeholders
• Plans/Executes Innovation/Improvement/Design Activities
• Plans/Executes Get to Excellence
• Enables Operational Readiness
• Continuously improves processes for product and service delivery

Transformation Change Management
• Supports and Enables Strategic Direction
• Understands Organizational Culture
• Manages Behavior to Mitigate Resistance/Enable Buy-In
• Plans and Executes Communication
• Ensures Training is Considered and Executed

Together these three deliver Transformation Excellence.
Standards and Methods Integration: Industry Standards can be overwhelming; Smart application is Key
[Figure: Standards and Methods Integration model]
• INPUT, Compliance Standards: ISO 27001; ISO 27002; British Standard 7799 Part 3; COBIT; ISO/IEC 15408; ITIL (ISO/IEC 20000 series); National Institute of Standards and Technology (NIST); SANS Security Policy; Payment Card Industry Data Security
• INPUT, Business Needs / Security Environment: Technology Advancement; Government & Commercial Business Needs; Security Environment
• Operating Excellence, OUTPUT: Process Innovation Activities (PIA); Design to Excellence (DTE); Get to Excellence (GTE); Program/Project Management; System Architecture Design/Integration; Vendor Collaboration; Solution Management; Strategic Planning; Gap Analysis; Architecture Analysis & Definition; System Integration
• INTEGRATED SOLUTIONS, OUTPUT: Threat Management Evolution; Repeatable Processes (Process 1 through Process 9), each mapped to the standards that apply to it
Standard and Method Integration
[Figure: the repeatable processes (Process 1 through Process 9) mapped against the input standards: ISO 27001 (Compliance) and the non-prescriptive recommendations of ISO 27002, BS 7799, COBIT, ISO/IEC, ITIL, NIST, SANS and PCI]
Summary and Take-Aways
• Transformation and Change Management ensures integration of people, process, standards, technology and governance
• Methodology is applicable to any industry or function
• Maturity Assessments reveal depth of need
• Senior Leaders provide strategic clarity and must participate to show buy-in
• Involvement of the People who perform the work improves buy-in tenfold
• Process Innovation Activities (PIA) identify issues and recommend future state changes
• Future states are created using Design to Excellence Events (DTE)
• All activities are managed and integrated using structured program and project planning
• Communication is managed to mitigate resistance and improve transformation success
• Get to Excellence Plans (GTE) monitor projects from Initial Operating Capability (IOC) through Final Operating Capability (FOC)
• Performance metrics lead the way toward continual improvement

Thank you for attending this session. Please don't forget to complete an evaluation for this session. Evaluation forms can be completed electronically on the FUSION 16 Conference App.
Sources
1. Cisco 2016 Annual Security Report: Achieving Attack Resilience. http://www.cisco.com/c/m/en_us/offers/sc04/2016-annual-security-report/index.html
2. "Cici's Pizza suffers payment card data breach," Lewis Morgan, July 25, 2016, sourced from IT Governance Ltd. http://www.itgovernanceusa.com/blog/cicis-pizza-suffers-payment-card-data-breach
3. "15 million T-Mobile records hacked, says Experian," Melanie Watson, October 2, 2015, IT Governance Ltd. http://www.itgovernanceusa.com/blog/15-million-t-mobile-records-hacked-says-experian
4. "Flaws in wireless keyboards let hackers snoop on everything you type," Anna E. Kobylinska, via IT Governance Ltd. http://www.zdnet.com/article/millions-of-wireless-keyboards-at-risk-of-spying-by-hackers-in-new-attack
5. "US Wrestles With How to Fight Back Against Cyberattacks," by Alex Nguyen, CISSP, CISA. http://www.nytimes.com/2016/07/31/us/politics/us-wrestles-with-how-to-fight-back-against-cyberattacks.html
6. "New infographic exposes top US privacy concerns," Melanie Watson, August 10, 2016. http://www.itgovernanceusa.com/blog/new-infographic-exposes-top-us-privacy-concerns
7. "290,000 driver's license records stolen from US government computers," Melanie Watson, June 10, 2016. http://www.itgovernanceusa.com/blog/290000-drivers-license-records-stolen-from-us-government-computers
8. "Cybersecurity is the 'biggest risk' facing Wall Street, says SEC," Melanie Watson, June 13, 2016, source IT Governance Ltd. http://www.itgovernanceusa.com/blog/cybersecurity-is-the-biggest-risk-facing-wall-street-says-sec
9. "Ransomware attacks strike hard: 54% of businesses in the UK hit," Marika Samarati, 8th August 2016. http://www.itgovernance.co.uk/blog/ransomware-attacks-strike-hard-54-of-businesses-in-the-uk-hit
10. Symantec Internet Security Threat Report (via BrightTALK), Kevin Haley, Director, Symantec Security Response, May 3, 2016
11. Symantec, "Attackers Target both Large and Small Businesses." https://www.symantec.com/content/dam/symantec/docs/infographics/istr-attackers-strike-large-business-en.pdf
12. OPM Timeline (OPM breach timeline infographic). http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/the-opm-breach-timeline-of-a-hack
13. "Report: Yahoo confirms massive data breach - 500M," Kim Hjelmgaard and Elizabeth Weise, USA TODAY, 9-22-16
14. Schroeder, H. (2013). Strategic Innovation for Business Performance: The Art and Science of Transformation. Technology Innovation Management Review, 3(9), 6-12. http://timreview.ca/article/722
Cyber Information SecurityAccelerating Next Generation Threat Management Platform Transformation and Change
Gail M Talbott
Agenda
bull Itrsquos Scary Out Therebull Commercialization of Targeted Attacks
bull Privacy and Trust Concerns are Affecting Business
bull Who Needs Threat Management
bull Information Security Management Ecosystem
bull Transformation and Change Process
bull Standard and Method Integration
bull Summary and Take Away
bull Questions
Gail M Talbott President and CEO HumaNex Inc
Board of Directors
Orlando Regional Board of Directors
38 Years 2013 2016
2004
1990
2000
Contact InformationGail M Talbott PresidentHumanexicloudcom321-799-8308
Itrsquos Scary Out There Commercialization of Targeted Attacks
Privacy Concerns Affect Business
Rise in Information Security Breaches
According to the Cisco 2016 Annual Security Report
ldquothe relentless rise in information security breaches underscores the deep need for enterprises to trust that their systems data business partners customers and citizens are
saferdquo
Trust but Verify
ldquoIn God we trust All others we virus scanrdquo
-Anonymous Corporate Information Security Officer (CISO)
Flaws in wireless keyboards let hackers snoop on everything you typeBy Anna E Kobylinska August 3 2016
Ransomware attacks strike hard 54 of businesses in the UK hitMarika Samarati 8th August 2016
Cicirsquos Pizza suffers payment card data breachLewis Morgan July 25 2016
15 million T-Mobile records hacked says ExperianMelanie Watson October 2 2015
Cybersecurity is the lsquobiggest riskrsquo facing Wall Street says SECMelanie Watson June 13 2016
New infographic exposes top US privacy concerns Melanie Watson August 10 2016
NIST Seeks Industry Govt Input on Cyber Trends ChallengesPosted By Jane Edwards August 11 2016
Politics New York TimesUS Wrestles With How to Fight Back Against CyberattacksBy DAVID E SANGERJULY 30 2016
290000 driverrsquos license records stolen from US government computersMelanie Watson June 10 2016 Report Yahoo confirms massive data breach -500M
Kim Hjelmgaard Elizabeth Weise USATODAY 9-22-16
Commercialized Cyber Crime ndash Go Phish
bull Zero day vulnerabilities opens the door to more targeted attacks
bull Spear phishing targeted campaigns are increasing
bull Ransomware victims have to pay for unlocks
bull Consumer Scams
bull Professionalization of Cyber Crime
bull Source Symantec Internet Security Threat Report (via BrightTALK) Kevin Haley Director Symantec Security Response May 3 2016
Top Three US Privacy Concerns ndash Affect Virtual Business
1 45 are more worried about their online privacy than one year ago2 92 of US Internet users worry about their privacy online3 Health care providers are most trusted (74) and advertisers are least
trusted (25)
bull The trust factor is what is desired- people do not want their healthcare data compromised- hence they believe that the Health care providers are protecting their information
bull 2016- 164 health care breaches compromised 46 million people (US Dept of HHS)
bull Mistrust in advertising affects willingness to shop online
SourceTruste and National Cyber Security Alliance Aug 10 2016
Data from surveys conducted by Ipsos on behalf ofTRUSTe NCSA from December 17-22 2015US 888 878 7830 wwwtrustecom | wwwstaysafeonlineorgcopy TRUSTe Inc 2016 All Rights Reserved
Top US Privacy Concerns Result in Behavior Changes
Sensitive Data Compromises
bullAnthem 80 million patient and employee records were compromisedbull JPMorgan Sensitive financial and personal information of 76 million
households and 7 million small businessesbullHome Depot 56 million credit card accounts and 53 million email
addresses exposed onlinebullTarget 40 million credit and debit card accounts as well as data on 70
million customers stolenbullAshley Madison 33 million user accounts exposedbullOffice of Personnel Management 265 million records stolen bullYahoo 500 million user accounts compromised
SourceTruste and National Cyber Security Alliance Aug 10 2016
Who Needs Threat ManagementOrganizations must have a sufficient cyberinformation security foundation
Utilities Oil amp GasChemical PharmaceuticalsMed Financial Services
All Industries and Government Agencies Must Manage the Threats
Health CareTelecom Government Agencies Aerospace and Defense
Cyber Criminals do not Discriminate- Any Business will do
bull According to Symantec attacks targeting businesses with less than 250 employees have increased over the last 5 years
bull The number of spear-phishing campaigns targeting employees increased 55 in 2015
bull If there is money to be made ndashsize doesnrsquot matter
Information Security Management EcosystemModel People Capabilities- Processes- Platforms and Technology to Integrate Data for Transformation Planning and Execution
Goal Focus Customer Relationship ManagementTrust
Customer Management System
bull Customer Centric ndashSecurity and data protection expectations
bull End User CRMAwareness
bull InfoSec Performance TransparencyVisibility via Communications
Goal Deliver High Quality Cost-
Effective CyberInfoSec Services and
Value through Service Lifecycle
InfoSec Service Excellence System
bull Continual Service Improvement (CSI)bull Information Security Service Operating Excellencebull Quality Control Method Integrationbull Transformation and Change Managementbull RiskOpportunity Management IntegrationPerformance Metrics
Management-SLAsOLAs
Goal Provide InfoSec Fulfillment
Corporate Information Security
Organizationbull OptimizedRight-sized Staffing Plan
Aligned with customer demandbull Repeatable bull Relevant Expertise Knowledge
Skillsbull Clearly Defined
RolesResponsibilities for all functional interface and process execution
Goal Provide Proactive End-to-End Threat Management
and Detection Capabilitiesbull Intel Capabilities- Malware Analysis Forensics
Incident Response Hunting bull Intel Collaboration and Analytics Platformsbull Date Platform and flow
Goal Integrate InfoSec Industry Best Practice with IT Service
Best Practices to Provide Continuity of Service Delivery
supporting Customer Needs
Commercial Service Management Systems
bullProject Management Best PracticesbullNISTISO 27001 Industry StandardsbullITSMITIL Service Management Lifecycle bullOperational amp Administrative SupportbullSituational AwarenessbullService Asset ManagementbullMaturity Assessment
Goal Ensure Seamless Service Delivery
Workforce Management System
bull Organizational Change Mgmt to Achieve Large Scale Transition without Disruption to cyberInfoSec service delivery
bull Sub Contractor performance Underpinning Contractsbull Common Security Capabilities and Processes across
Subcontractsbull Culture of Continuous Improvementbull Workforce Planning and Career Path Development
Strategic Direction and
Visionbull Strategic AssessmentSWOTbull Technology Trendsbull Social Attitudinal and Economic
trendsbull Market Description amp Competitive
Analysisbull Business Relationship
Managementbull Maturity and Risk Level
Threat Management Model
Goal Know the Ecosystem Needs Plan the
Future
CISO
Dir
IR Intel
Mgr
Support
Transformation Addresses the Entire InfoSec Management Ecosystem
Threat Management
Capabilities AlignedCyber Security Enabled
Business Agility Proactive Threat Management
Threat Management
Incident Response
Corporate InfoSec (CIS) Environment
SiloedDecentralized
Chaotic
Establish BusinessCISInfrastructure Fusion
Enable Proactive to Predictive Optimization
Begin Prioritized Transformation and Business Integration
Kick off Program Management Plan
Realign Org StructureRoles Responsibilities
Develop Transformation and Change Management Plan
Assess Current State Process Data Tools Integration (PIA)
Transformation Begins
Business Value-Driven
Execute Design to Excellence Events (DTE)
Identify Gaps Related to Current State Assessment
Complete Initial Threat Management Model
Continue Prioritized Transformation
Develop Strategic DirectionRisk Level
Improving Threat Management Maturity Enables Optimization and Business Value
Threat Management Maturity Continuum
Senior Management Assessment and Desired Transformation
Transformation and Change ProcessArt and Science of Transformation
Foundational in Continuous Improvement (CI)
Transformation and Change Process
bull The art and science of managing a large-scale transformation within any organization is daunting but not impossible
bullA transformation and change leader is critical to ensuring that transformation and change are managed for success with minimal defects and resistance
bull Leaders must be willing to accept the sixteenth-century wisdom of Niccolograve Machiavelli who in his political treatise The Prince warned
ldquoThere is nothing more difficult to take in hand more perilous to conduct or more uncertain in its success than to take the lead in the introduction
of a new order of thingsrdquo
20
The Art and Science of Transformation

ART
  Organizational Culture: Change Management; Innovation Approach; Risk Tolerance; Market Orientation; Management Role Models
  Strategy: Defined Strategic Direction; Value Generating Innovations; Innovation Goals and Incentives
  Collaboration: Network; Internal and External Stakeholders; Knowledge Sharing; Expertise Gaps; Open Collaboration
SCIENCE
  Systems: Repeatable Processes; Infrastructure; Measurements and Monitoring; Industry Best Practices; Continuous Improvement

Source: Schroeder, H. (2013). Strategic Innovation for Business Performance: The Art and Science of Transformation. Technology Innovation Management Review, 3(9), 6-12. http://timreview.ca/article/722
Manage the Transformation: Change the Behavior
• The people doing the work play a critical role in any successful transformation.
• Changing the way people think about their future, and the part they play in designing it, guarantees buy-in.
"It is not the strongest of the species who survive, nor even the most intelligent, but the ones most responsive to change."
- Charles Darwin
Every InfoSec Transformational Engagement
• Provides the opportunity to work with high-performing cyber security and information technology professionals.
• Ensures continuous refinement and testing of the methodologies and approach to transformation and change of information security processes.
• Ensures organizational leaders listen to their people in order to optimize their skills, develop their functional alignment and organize their cross-functional work.
• Develops and implements streamlined and integrated processes to support the needs of the enterprise.
• Helps leaders recognize that organizational governance (policy and guidance) is critical for continuity and compliance.
Cycle of Change
[Figure: cycle diagram. Elements: Strategic Direction and Risk Level; Process Innovation Activity; Design to Excellence (Future State Model); Program-Project Management Plan; Execution of Prioritized Projects, from Initial Operating Capability (IOC) to Final Operating Capability (FOC); Get to Excellence (Continuous Improvement); Transformation and Change Management, with Communication between every step.]
Senior Leader Engagement
Meet with senior leaders to:
• Generate the transformational vision that describes their next-generation information security organization, including desired performance, maturity and risk levels
• Discuss the use of their influence to support the transformation and change, and seek their willingness to be involved in the transformation
• Obtain authorization for the initial maturity assessment
• Authorize and identify resources to handle the workload and the proposed changes

Determine Transformation Scope and Boundaries
• Collaborate with information security and IT operations stakeholders to establish a holistic information security process view
• Determine the transformation scope and boundaries
• Define a specific program and project management approach
• Identify core team members who are empowered to ask the "hard" questions

Manage the People to Manage the Change
• Simple, efficient and structured are the most important attributes of any methodology used to understand and develop the desired future state
• Builds from the organizational leader's transformational vision and engages the people who perform the work to execute prioritized Process Innovation Activities (PIAs)

PIAs are Structured Engagements
• Executed in two days to bring subject matter and process experts together to:
  • Define process and platform customers and their values
  • Understand the current state
  • Provide a collective view of the issues, challenges and risks
  • Recommend the desired future state by identifying critical attributes and functionality to mitigate current state issues
  • Present summary outbriefs to allow leaders to understand outcomes and then provide the authority to proceed with the next steps
Systematic Methods for Innovation and Change: Process Innovation Activity (PIA), Design to Excellence (DTE), Get to Excellence (GTE)
[Figure: method flow, two slides.]
Team Charter
Customers / Customer Value: Who "buys" the services? What value does the Customer derive?
Current State Attributes: Interactions; Functions; Issues
Current State Execution: Phases; Capabilities; Functions
Future State Attributes: Current State Issue Mitigation; Build-out Capabilities; Innovation Models
Future State Gaps: People/Skills; Tools; Partnerships; Actions
Implementation Activities Planning: Planning; Steps to Achieve; Cost; Resources; Approval
Get to Excellence Monitoring: Manage Change; Status
Establish the Program Office and Manage the Projects
Program and Project Management
• Ensures techniques are employed that ensure minimal resistance and smooth execution to obtain the desired future state
• Requires standard templates for schedules, status and integration across the Program, from conception and initiation through planning, execution, performance and closure
• Integrates people, process, technology and governance actions
• Ensures accountability is known and dependencies are clear
Program and Project Management Ensures Dependencies are Known and Tasks are Integrated
Transformation Timeline (Notional)
[Figure: month-by-month timeline. Phases: Phase 1 Innovation; Phase 2 DTE Planning, Execution and Strategic Decisions; Phase 3 Planning; Phase 4 Implementation. Milestones shown: Execute PIA; PIA Outbrief; ATP; Other PIAs; Strategy Session with Senior Leaders; a series of DTE events; Key Decision; Project Planning; Project Implementation Planning and Execution; ATP Implementation Approach; Sr Leaders ATP Project Presentation; Project Execution; Metrics; Training; Senior Leaders Project Status.]
Transformation Excellence Trifecta
[Figure: three components surrounding Transformation Excellence.]
Program/Project Management: Leaders own Strategy and Garner Support; Sets Strategic Direction; Establishes Goals and Objectives; Defines Plan and Schedule; Manages Collaboration; Performs Conflict Resolution; Provides People and Resources; Defines Performance Metrics; Establishes PMO/Project Team Structure; Defines Transformational State; Manages Issue Escalation; Manages Risk and Opportunity; Manages Business Rhythms
Operating Excellence: Supports and Enables Strategic Direction; Builds and Integrates Operational Process and Systems Design Plan; Integrates Industry Standards; Designs/Implements Integrated Operations Model; Identifies Functional Integration Required; Prioritizes Functional Operations; Validates Process Ownership/Stakeholders; Plans/Executes Innovation, Improvement and Design Activities; Plans/Executes Get to Excellence; Enables Operational Readiness; Continuously Improves Processes for Product and Service Delivery
Transformation Change Management: Supports and Enables Strategic Direction; Understands Organizational Culture; Manages Behavior to Mitigate Resistance and Enable Buy-In; Plans and Executes Communication; Ensures Training is Considered and Executed
Standards and Methods Integration: Industry Standards can be overwhelming; smart application is key
[Figure: Standard and Method Integration diagram.]
INPUT: Business Needs; Security Environment; Technology Advancement; Government & Commercial
Compliance/Standards (non-prescriptive recommendations): ISO 27001; ISO 27002; British Standard 7799 Part 3; COBIT; ISO/IEC 15408; ITIL (ISO/IEC 20000 series); National Institute of Standards and Technology (NIST); SANS Security Policy; Payment Card Industry Data Security (PCI)
Operating Excellence methods: Process Innovation Activities (PIA); Design to Excellence (DTE); Get to Excellence (GTE); Program/Project Management; System Architecture Design/Integration; Vendor Collaboration; Solution Management; Strategic Planning; Gap Analysis; Architecture Analysis & Definition; System Integration
OUTPUT: Repeatable Processes (Process 1 through Process 9); Integrated Solutions; Threat Management Evolution
Summary and Take-Aways
• Transformation and Change Management ensures integration of people, process, standards, technology and governance
• The methodology is applicable to any industry or function
• Maturity Assessments reveal the depth of need
• Senior Leaders provide strategic clarity and must participate to show buy-in
• Involvement of the people who perform the work improves buy-in tenfold
• Process Innovation Activities (PIA) identify issues and recommend future state changes
• Future states are created using Design to Excellence Events (DTE)
• All activities are managed and integrated using structured program and project planning
• Communication is managed to mitigate resistance and improve transformation success
• Get to Excellence Plans (GTE) monitor projects from Initial Operating Capability (IOC) through FOC
• Performance metrics lead the way toward continual improvement

Thank you for attending this session. Please don't forget to complete an evaluation for this session. Evaluation forms can be completed electronically on the FUSION 16 Conference App.
Sources
1. Cisco Annual Security Report: Achieving Attack Resilience. http://www.cisco.com/c/m/en_us/offers/sc04/2016-annual-security-report/index.html
2. Cici's Pizza suffers payment card data breach. Lewis Morgan, July 25, 2016, IT Governance Ltd. http://www.itgovernanceusa.com/blog/cicis-pizza-suffers-payment-card-data-breach
3. 15 million T-Mobile records hacked, says Experian. Melanie Watson, October 2, 2015, IT Governance Ltd. http://www.itgovernanceusa.com/blog/15-million-t-mobile-records-hacked-says-experian
4. Flaws in wireless keyboards let hackers snoop on everything you type. IT Governance Ltd, Anna E. Kobylinska. http://www.zdnet.com/article/millions-of-wireless-keyboards-at-risk-of-spying-by-hackers-in-new-attack/
5. US Wrestles With How to Fight Back Against Cyberattacks, by Alex Nguyen, CISSP, CISA. http://www.nytimes.com/2016/07/31/us/politics/us-wrestles-with-how-to-fight-back-against-cyberattacks.html?_r=0
6. New infographic exposes top US privacy concerns. Melanie Watson, August 10, 2016. http://www.itgovernanceusa.com/blog/new-infographic-exposes-top-us-privacy-concerns
7. 290,000 driver's license records stolen from US government computers, by Melanie Watson, June 10, 2016. http://www.itgovernanceusa.com/blog/290000-drivers-license-records-stolen-from-us-government-computers
7. Cybersecurity is the 'biggest risk' facing Wall Street, says SEC. Melanie Watson, June 13, 2016, IT Governance Ltd. http://www.itgovernanceusa.com/blog/cybersecurity-is-the-biggest-risk-facing-wall-street-says-sec
8. Ransomware attacks strike hard: 54% of businesses in the UK hit. Marika Samarati, 8th August 2016. http://www.itgovernance.co.uk/blog/ransomware-attacks-strike-hard-54-of-businesses-in-the-uk-hit
9. Symantec Internet Security Threat Report (via BrightTALK). Kevin Haley, Director, Symantec Security Response, May 3, 2016.
10. Symantec: Attackers Target both Large and Small Businesses. https://www.symantec.com/content/dam/symantec/docs/infographics/istr-attackers-strike-large-business-en.pdf
11. OPM Timeline. http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/the-opm-breach-timeline-of-a-hack/
12. Report: Yahoo confirms massive data breach, 500M. Kim Hjelmgaard and Elizabeth Weise, USA TODAY, 9-22-16.
13. Schroeder, H. (2013). Strategic Innovation for Business Performance: The Art and Science of Transformation. Technology Innovation Management Review, 3(9), 6-12. http://timreview.ca/article/722
Gail M. Talbott, President and CEO, HumaNex Inc.
Board of Directors; Orlando Regional Board of Directors
[Figure: career timeline, 38 years, with markers at 1990, 2000, 2004, 2013 and 2016.]
Contact Information: Gail M. Talbott, President, Humanex@icloud.com, 321-799-8308
It's Scary Out There: Commercialization of Targeted Attacks
Privacy Concerns Affect Business

Rise in Information Security Breaches
According to the Cisco 2016 Annual Security Report, "the relentless rise in information security breaches underscores the deep need for enterprises to trust that their systems, data, business partners, customers and citizens are safe."

Trust but Verify
"In God we trust. All others we virus scan."
- Anonymous Corporate Information Security Officer (CISO)

[Figure: collage of news headlines.]
• Flaws in wireless keyboards let hackers snoop on everything you type. By Anna E. Kobylinska, August 3, 2016
• Ransomware attacks strike hard: 54% of businesses in the UK hit. Marika Samarati, 8th August 2016
• Cici's Pizza suffers payment card data breach. Lewis Morgan, July 25, 2016
• 15 million T-Mobile records hacked, says Experian. Melanie Watson, October 2, 2015
• Cybersecurity is the 'biggest risk' facing Wall Street, says SEC. Melanie Watson, June 13, 2016
• New infographic exposes top US privacy concerns. Melanie Watson, August 10, 2016
• NIST Seeks Industry, Gov't Input on Cyber Trends, Challenges. Posted by Jane Edwards, August 11, 2016
• Politics, New York Times: US Wrestles With How to Fight Back Against Cyberattacks. By David E. Sanger, July 30, 2016
• 290,000 driver's license records stolen from US government computers. Melanie Watson, June 10, 2016
• Report: Yahoo confirms massive data breach, 500M. Kim Hjelmgaard and Elizabeth Weise, USA TODAY, 9-22-16
Commercialized Cyber Crime: Go Phish
• Zero-day vulnerabilities open the door to more targeted attacks
• Spear-phishing targeted campaigns are increasing
• Ransomware victims have to pay for unlocks
• Consumer scams
• Professionalization of cyber crime
Source: Symantec Internet Security Threat Report (via BrightTALK), Kevin Haley, Director, Symantec Security Response, May 3, 2016
Top Three US Privacy Concerns Affect Virtual Business
1. 45% are more worried about their online privacy than one year ago
2. 92% of US Internet users worry about their privacy online
3. Health care providers are most trusted (74%) and advertisers are least trusted (25%)
• The trust factor is what is desired: people do not want their healthcare data compromised, hence they believe that health care providers are protecting their information
• 2016: 164 health care breaches compromised 46 million people (US Dept of HHS)
• Mistrust in advertising affects willingness to shop online
Source: TRUSTe and National Cyber Security Alliance, Aug 10, 2016. Data from surveys conducted by Ipsos on behalf of TRUSTe/NCSA from December 17-22, 2015 (www.truste.com | www.staysafeonline.org; © TRUSTe Inc. 2016, All Rights Reserved).
Top US Privacy Concerns Result in Behavior Changes
Sensitive Data Compromises
• Anthem: 80 million patient and employee records were compromised
• JPMorgan: sensitive financial and personal information of 76 million households and 7 million small businesses
• Home Depot: 56 million credit card accounts and 53 million email addresses exposed online
• Target: 40 million credit and debit card accounts, as well as data on 70 million customers, stolen
• Ashley Madison: 33 million user accounts exposed
• Office of Personnel Management: 265 million records stolen
• Yahoo: 500 million user accounts compromised
Source: TRUSTe and National Cyber Security Alliance, Aug 10, 2016
Who Needs Threat Management? Organizations must have a sufficient cyber/information security foundation
[Figure: industry icons: Utilities; Oil & Gas; Chemical; Pharmaceuticals/Med; Financial Services; Health Care; Telecom; Government Agencies; Aerospace and Defense.]
All Industries and Government Agencies Must Manage the Threats
Cyber Criminals do not Discriminate: Any Business will do
• According to Symantec, attacks targeting businesses with fewer than 250 employees have increased over the last 5 years
• The number of spear-phishing campaigns targeting employees increased 55% in 2015
• If there is money to be made, size doesn't matter
Information Security Management Ecosystem: Model People, Capabilities, Processes, Platforms and Technology to Integrate Data for Transformation Planning and Execution
[Figure: ecosystem model. Components and their goals:]
Customer Management System (Goal: Focus Customer Relationship Management and Trust): Customer Centric, with security and data protection expectations; End User CRM/Awareness; InfoSec Performance Transparency and Visibility via Communications
InfoSec Service Excellence System (Goal: Deliver High Quality, Cost-Effective Cyber/InfoSec Services and Value through the Service Lifecycle): Continual Service Improvement (CSI); Information Security Service Operating Excellence; Quality Control Method Integration; Transformation and Change Management; Risk/Opportunity Management Integration; Performance Metrics Management (SLAs/OLAs)
Corporate Information Security Organization (Goal: Provide InfoSec Fulfillment): Optimized/Right-sized Staffing Plan aligned with customer demand; Repeatable; Relevant Expertise, Knowledge and Skills; Clearly Defined Roles/Responsibilities for all functional interfaces and process execution
Threat Management Model (Goal: Provide Proactive End-to-End Threat Management and Detection Capabilities): Intel Capabilities (Malware Analysis, Forensics, Incident Response, Hunting); Intel Collaboration and Analytics Platforms; Data Platform and flow
Commercial Service Management Systems (Goal: Integrate InfoSec Industry Best Practice with IT Service Best Practices to Provide Continuity of Service Delivery supporting Customer Needs): Project Management Best Practices; NIST/ISO 27001 Industry Standards; ITSM/ITIL Service Management Lifecycle; Operational & Administrative Support; Situational Awareness; Service Asset Management; Maturity Assessment
Workforce Management System (Goal: Ensure Seamless Service Delivery): Organizational Change Management to achieve large-scale transition without disruption to cyber/InfoSec service delivery; Subcontractor performance and Underpinning Contracts; Common Security Capabilities and Processes across Subcontracts; Culture of Continuous Improvement; Workforce Planning and Career Path Development
Strategic Direction and Vision (Goal: Know the Ecosystem Needs, Plan the Future): Strategic Assessment/SWOT; Technology Trends; Social, Attitudinal and Economic trends; Market Description & Competitive Analysis; Business Relationship Management; Maturity and Risk Level
Organization roles shown: CISO; Dir; IR; Intel; Mgr; Support
Transformation Addresses the Entire InfoSec Management Ecosystem
Rise in Information Security Breaches
According to the Cisco 2016 Annual Security Report, "the relentless rise in information security breaches underscores the deep need for enterprises to trust that their systems, data, business partners, customers and citizens are safe."
Trust but Verify
"In God we trust. All others we virus scan."
- Anonymous Corporate Information Security Officer (CISO)
Flaws in wireless keyboards let hackers snoop on everything you type. By Anna E. Kobylinska, August 3, 2016
Ransomware attacks strike hard: 54% of businesses in the UK hit. Marika Samarati, 8th August 2016
Cici's Pizza suffers payment card data breach. Lewis Morgan, July 25, 2016
15 million T-Mobile records hacked, says Experian. Melanie Watson, October 2, 2015
Cybersecurity is the 'biggest risk' facing Wall Street, says SEC. Melanie Watson, June 13, 2016
New infographic exposes top US privacy concerns. Melanie Watson, August 10, 2016
NIST Seeks Industry, Gov't Input on Cyber Trends, Challenges. Posted by Jane Edwards, August 11, 2016
Politics, New York Times: US Wrestles With How to Fight Back Against Cyberattacks. By David E. Sanger, July 30, 2016
290,000 driver's license records stolen from US government computers. Melanie Watson, June 10, 2016
Report: Yahoo confirms massive data breach - 500M. Kim Hjelmgaard, Elizabeth Weise, USA TODAY, 9-22-16
Commercialized Cyber Crime - Go Phish
• Zero-day vulnerabilities open the door to more targeted attacks
• Targeted spear-phishing campaigns are increasing
• Ransomware victims have to pay for unlocks
• Consumer scams
• Professionalization of cyber crime
Source: Symantec Internet Security Threat Report (via BrightTALK), Kevin Haley, Director, Symantec Security Response, May 3, 2016
Top Three US Privacy Concerns - Affect Virtual Business
1. 45% are more worried about their online privacy than one year ago
2. 92% of US Internet users worry about their privacy online
3. Health care providers are most trusted (74%) and advertisers are least trusted (25%)
• The trust factor is what is desired: people do not want their healthcare data compromised, hence they believe that health care providers are protecting their information
• 2016: 164 health care breaches compromised 46 million people (US Dept. of HHS)
• Mistrust in advertising affects willingness to shop online
Source: TRUSTe and National Cyber Security Alliance, Aug 10, 2016
Data from surveys conducted by Ipsos on behalf of TRUSTe/NCSA, December 17-22, 2015. www.truste.com | www.staysafeonline.org. © TRUSTe Inc. 2016. All Rights Reserved.
Top US Privacy Concerns Result in Behavior Changes
Sensitive Data Compromises
• Anthem: 80 million patient and employee records were compromised
• JPMorgan: sensitive financial and personal information of 76 million households and 7 million small businesses
• Home Depot: 56 million credit card accounts and 53 million email addresses exposed online
• Target: 40 million credit and debit card accounts, as well as data on 70 million customers, stolen
• Ashley Madison: 33 million user accounts exposed
• Office of Personnel Management: 265 million records stolen
• Yahoo: 500 million user accounts compromised
Source: TRUSTe and National Cyber Security Alliance, Aug 10, 2016
Who Needs Threat Management? Organizations must have a sufficient cyber/information security foundation
Utilities, Oil & Gas, Chemical, Pharmaceuticals/Med, Financial Services, Health Care, Telecom, Government Agencies, Aerospace and Defense
All Industries and Government Agencies Must Manage the Threats
Cyber Criminals do not Discriminate - Any Business will do
• According to Symantec, attacks targeting businesses with fewer than 250 employees have increased over the last 5 years
• The number of spear-phishing campaigns targeting employees increased 55% in 2015
• If there is money to be made, size doesn't matter
Information Security Management Ecosystem: Model People, Capabilities, Processes, Platforms and Technology to Integrate Data for Transformation Planning and Execution

Goal: Focus Customer Relationship Management/Trust
Customer Management System
• Customer centric: security and data protection expectations
• End user CRM/awareness
• InfoSec performance transparency/visibility via communications

Goal: Deliver High Quality, Cost-Effective Cyber/InfoSec Services and Value through the Service Lifecycle
InfoSec Service Excellence System
• Continual Service Improvement (CSI)
• Information Security Service Operating Excellence
• Quality Control Method Integration
• Transformation and Change Management
• Risk/Opportunity Management Integration
• Performance Metrics Management - SLAs/OLAs

Goal: Provide InfoSec Fulfillment
Corporate Information Security Organization
• Optimized/right-sized staffing plan aligned with customer demand
• Repeatable
• Relevant expertise, knowledge, skills
• Clearly defined roles/responsibilities for all functional interface and process execution

Goal: Provide Proactive End-to-End Threat Management and Detection Capabilities
Threat Management Model
• Intel capabilities: malware analysis, forensics, incident response, hunting
• Intel collaboration and analytics platforms
• Data platform and flow

Goal: Integrate InfoSec Industry Best Practice with IT Service Best Practices to Provide Continuity of Service Delivery supporting Customer Needs
Commercial Service Management Systems
• Project Management Best Practices
• NIST/ISO 27001 Industry Standards
• ITSM/ITIL Service Management Lifecycle
• Operational & Administrative Support
• Situational Awareness
• Service Asset Management
• Maturity Assessment

Goal: Ensure Seamless Service Delivery
Workforce Management System
• Organizational change management to achieve large-scale transition without disruption to cyber/InfoSec service delivery
• Subcontractor performance, underpinning contracts
• Common security capabilities and processes across subcontracts
• Culture of continuous improvement
• Workforce planning and career path development

Goal: Know the Ecosystem Needs, Plan the Future
Strategic Direction and Vision
• Strategic Assessment/SWOT
• Technology trends
• Social, attitudinal and economic trends
• Market description & competitive analysis
• Business relationship management
• Maturity and risk level

(Org chart shown on the slide: CISO; Director; IR/Intel; Manager; Support)
Transformation Addresses the Entire InfoSec Management Ecosystem
Threat Management Maturity Continuum (figure): the Corporate InfoSec (CIS) environment moves from Siloed/Decentralized and Chaotic, through Threat Management and Incident Response, to Capabilities Aligned, Cyber Security Enabled, Business Agility and Proactive Threat Management.
Milestones shown along the continuum:
• Senior Management Assessment and Desired Transformation
• Establish Business/CIS/Infrastructure Fusion
• Enable Proactive to Predictive Optimization
• Begin Prioritized Transformation and Business Integration
• Kick off Program Management Plan
• Realign Org Structure, Roles, Responsibilities
• Develop Transformation and Change Management Plan
• Assess Current State: Process, Data, Tools, Integration (PIA)
• Transformation Begins: Business Value-Driven
• Execute Design to Excellence Events (DTE)
• Identify Gaps Related to Current State Assessment
• Complete Initial Threat Management Model
• Continue Prioritized Transformation
• Develop Strategic Direction/Risk Level
Improving Threat Management Maturity Enables Optimization and Business Value
Transformation and Change Process: Art and Science of Transformation
Foundational in Continuous Improvement (CI)
Transformation and Change Process
• The art and science of managing a large-scale transformation within any organization is daunting, but not impossible
• A transformation and change leader is critical to ensuring that transformation and change are managed for success, with minimal defects and resistance
• Leaders must be willing to accept the sixteenth-century wisdom of Niccolò Machiavelli, who in his political treatise The Prince warned: "There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things."
The Art and Science of Transformation
ART and SCIENCE dimensions (table):
Organizational Culture: Change Management; Innovation Approach; Risk Tolerance; Market Orientation; Management Role Models
Strategy: Defined Strategic Direction; Value Generating Innovations; Innovation Goals and Incentives
Collaboration: Network; Internal and External Stakeholders; Knowledge Sharing; Expertise Gaps; Open Collaboration
Systems: Repeatable Processes; Infrastructure; Measurements and Monitoring; Industry Best Practices; Continuous Improvement
Source: Schroeder, H. 2013. Strategic Innovation For Business Performance: The Art And Science Of Transformation. Technology Innovation Management Review, 3(9): 6-12. http://timreview.ca/article/722
Manage the Transformation - Change the Behavior
• The people doing the work play a critical role in any successful transformation
• Changing the way people think about their future and the part they play in designing it guarantees buy-in
"It is not the strongest of the species who survive, nor even the most intelligent, but the ones most responsive to change."
- Charles Darwin
Every InfoSec Transformational Engagement
• Provides the opportunity to work with high-performing cyber security and information technology professionals
• Ensures continuous refinement and testing of methodologies and the approach to transformation and change of information security processes
• Ensures organizational leaders listen to their people to optimize their skills, develop their functional alignment and organize their cross-functional work
• Develops and implements streamlined and integrated processes to support the needs of the enterprise
• Helps leaders recognize that organizational governance (policy and guidance) is critical for continuity and compliance
Cycle of Change (figure) elements: Strategic Direction; Risk Level; Design to Excellence / Future State Model; Process Innovation Activity; Program-Project Management Plan; Execution of Prioritized Projects; Initial Operating Capability (IOC); Final Operating Capability (FOC); Get to Excellence / Continuous Improvement; Transformation and Change Management; with Communication at every stage of the cycle.
Senior Leader Engagement
Meet with senior leaders to:
• Generate the transformational vision that describes their next-generation information security organization, including desired performance, maturity and risk levels
• Discuss the use of their influence to support the transformation and change, and seek their willingness to be involved in the transformation
• Obtain authorization for the initial maturity assessment
• Authorize and identify resources to handle the workload and the proposed changes
Determine Transformation Scope and Boundaries
• Collaborate with information security and IT operations stakeholders to establish a holistic information security process view
• Determine the transformation scope boundaries
• Define a specific program and project management approach
• Identify core team members that are empowered to ask the "hard" questions
Manage the People to Manage the Change
• Simple, efficient and structured are the most important attributes of any methodology used to understand and develop the desired future state
• Builds from the organizational leader's transformational vision and engages the people who perform the work to execute prioritized Process Innovation Activities (PIAs)
PIAs are Structured Engagements
• Executed in two days to bring subject matter and process experts together to:
• Define process and platform customers and their values
• Understand the current state
• Provide a collective view of the issues, challenges and risks
• Recommend the desired future state by identifying critical attributes and functionality to mitigate current state issues
• Present summary outbriefs to allow leaders to understand outcomes, to then provide the authority to proceed with the next steps
Systematic Methods for Innovation and Change: Process Innovation Activity (PIA), Design to Excellence (DTE), Get to Excellence (GTE)
Stages shown on the slides:
• Team Charter
• Customers / Customer Value: Who "buys" the services? What value does the customer derive?
• Current State Attributes: Interactions; Functions; Issues
• Current State Execution: Phases; Capabilities; Functions
• Future State Attributes: Current State Issue Mitigation; Build-out Capabilities; Innovation Models
• Future State Gaps: People-Skills; Tools; Partnerships; Actions
• Implementation Activities Planning: Planning; Steps to Achieve; Cost; Resources; Approval
• Get to Excellence Monitoring: Manage Change; Status
Establish the Program Office and Manage the Projects
Program and Project Management
• Ensures techniques are employed to ensure minimal resistance and smooth execution to obtain the desired future state
• Requires standard templates for schedules, status and integration across the program, from conception and initiation through planning, execution, performance and closure
• Integrates people, process, technology and governance actions
• Ensures accountability is known and dependencies are clear
Program and Project Management Ensures Dependencies are Known and Tasks are Integrated
Transformation Timeline - Notional (figure, month-by-month view)
Phases: Phase 1 Innovation; Phase 2 DTE Planning/Execution, Strategic Decisions; Phase 3 Planning; Phase 4 Implementation
Milestones shown: Execute PIA; PIA Outbrief; ATP; Project Planning; Strategy Session; DTE events with Senior Leaders; Key Decision; Project Implementation Planning/Execution; ATP Implementation Approach; Project Execution; Sr. Leaders Metrics Training; Senior Leaders Project Status; Sr. Leaders ATP Project Presentation; Other PIAs
Transformation Excellence Trifecta: Program/Project Management, Operating Excellence, Transformation Change Management
Program/Project Management
• Leaders own Strategy, Garner Support
• Sets Strategic Direction
• Establishes Goals and Objectives
• Defines Plan and Schedule
• Manages Collaboration
• Performs Conflict Resolution
• Provides People and Resources
• Defines Performance Metrics
• Establishes PMO/Project Team Structure
• Defines Transformational State
• Manages Issue Escalation
• Manages Risk and Opportunity
• Manages Business Rhythms
Operating Excellence
• Supports and Enables Strategic Direction
• Builds and integrates the operational process and systems design plan
• Integrates Industry Standards
• Design/Implement Integrated Operations Model
• Identifies Functional Integration Required
• Prioritizes functional operations
• Validate Process Ownership/Stakeholders
• Plan/Execute Innovation/Improvement/Design Activities
• Plan/Execute Get to Excellence
• Enables Operational Readiness
• Continuously improves processes for product and service delivery
Transformation Change Management
• Supports and Enables Strategic Direction
• Understands Organizational Culture
• Manages Behavior to Mitigate Resistance/Enable Buy-In
• Plans and Executes Communication
• Ensures Training is Considered and Executed
Standards and Methods Integration: Industry Standards can be overwhelming; smart application is key
Standard and Method Integration (figure): INPUT (Technology Advancement, Government & Commercial Business Needs, Security Environment, and the compliance standards below) feeds repeatable processes (Process 1 through Process 9) whose OUTPUT is Integrated Solutions and Threat Management Evolution.
INPUT - Compliance/Standards (non-prescriptive recommendations):
• ISO 27001
• ISO 27002
• British Standard 7799 Part 3
• COBIT
• ISO/IEC 15408
• ITIL (ISO/IEC 20000 series)
• National Institute of Standards and Technology (NIST)
• SANS Security Policy
• Payment Card Industry Data Security (PCI)
Operating Excellence - OUTPUT:
• Process Innovation Activities (PIA)
• Design to Excellence (DTE)
• Get to Excellence (GTE)
• Program/Project Management
• System Architecture Design/Integration
• Vendor Collaboration
• Solution Management
• Strategic Planning
• Gap Analysis
• Architecture Analysis & Definition
• System Integration
Summary and Take-Aways
• Transformation and Change Management ensures integration of people, process, standards, technology and governance
• The methodology is applicable to any industry or function
• Maturity Assessments reveal the depth of need
• Senior Leaders provide strategic clarity and must participate to show buy-in
• Involvement of the people who perform the work improves buy-in tenfold
• Process Innovation Activities (PIA) identify issues and recommend future state changes
• Future states are created using Design to Excellence Events (DTE)
• All activities are managed and integrated using structured program and project planning
• Communication is managed to mitigate resistance and improve transformation success
• Get to Excellence Plans (GTE) monitor projects from Initial Operating Capability (IOC) through FOC
• Performance metrics lead the way toward continual improvement
Thank you for attending this session.
Please don't forget to complete an evaluation for this session. Evaluation forms can be completed electronically on the FUSION 16 Conference App.
Sources
1 CISCO Annual Security Report-Achieving Attack Resilience httpwwwciscocomcmen_usofferssc042016-annual-security-reportindexhtml
2 Cicirsquos Pizza suffers payment card data breach Lewis Morgan July 25 2016 sourced from IT Governance Ltd httpwwwitgovernanceusacomblogcicis-pizza-suffers-payment-card-data-breachutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-07-26ampkmi=gailmtalbott40lmcocom
3 15 million T-Mobile records hacked says Experian Melanie Watson October 2 2015 IT Governance Ltd httpwwwitgovernanceusacomblog15-million-t-mobile-records-hacked-says-experian
4 Flaws in wireless keyboards let hackers snoop on everything you type IT Governance Ltd Anna E Kobylinskahttpwwwzdnetcomarticlemillions-of-wireless-keyboards-at-risk-of-spying-by-hackers-in-new-attack
5 US Wrestles With How to Fight Back Against Cyberattacksby Alex Nguyen CISSP CISAhttpwwwnytimescom20160731uspoliticsus-wrestles-with-how-to-fight-back-against-cyberattackshtml_r=0
6 New infographic exposes top US privacy concerns Melanie Watson August 10 2016 httpwwwitgovernanceusacomblognew-infographic-exposes-top-us-privacy-concernsutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-08-11ampkmi=gailmtalbott40lmcocom
7 290000 driverrsquos license records stolen from US government computers by Melanie Watson- June 10 2016httpwwwitgovernanceusacomblog290000-drivers-license-records-stolen-from-us-government-computersutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-06-13ampkmi=gailmtalbott40lmcocom
Sources
7 Cybersecurity is the lsquobiggest riskrsquo facing Wall Street says SEC Melanie Watson June 13 2016 source IT Governance Ltd httpwwwitgovernanceusacomblogcybersecurity-is-the-biggest-risk-facing-wall-street-says-secutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-06-14ampkmi=gailmtalbott40lmcocom
8 Ransomware attacks strike hard 54 of businesses in the UK hit Marika Samarati 8th August 2016 httpwwwitgovernancecoukblogransomware-attacks-strike-hard-54-of-businesses-in-the-uk-hitutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-08-09ampkmi=gailmtalbott40lmcocom
9 Symantec Internet Security Threat Report (via BrightTALK) Kevin Haley Director Symantec Security Response May 3 2016
10 Symantec Attackers Target both Large and Small Businesses httpswwwsymanteccomcontentdamsymantecdocsinfographicsistr-attackers-strike-large-business-enpdf
11 OPM Timeline - httpwwwtripwirecomstate-of-securitysecurity-data-protectioncyber-securitythe-opm-breach-timeline-of-a-hack opm timeline info char
12 Report Yahoo confirms massive data breach - 500M Kim Hjelmgaard Elizabeth Weise USA TODAY 9-22-16
13 Schroeder H 2013 Strategic Innovation For Business Performance The Art And Science Of Transformation Technology Innovation Management Review 3(9) 6-12 httptimreviewcaarticle722
Flaws in wireless keyboards let hackers snoop on everything you typeBy Anna E Kobylinska August 3 2016
Ransomware attacks strike hard 54 of businesses in the UK hitMarika Samarati 8th August 2016
Cicirsquos Pizza suffers payment card data breachLewis Morgan July 25 2016
15 million T-Mobile records hacked says ExperianMelanie Watson October 2 2015
Cybersecurity is the lsquobiggest riskrsquo facing Wall Street says SECMelanie Watson June 13 2016
New infographic exposes top US privacy concerns Melanie Watson August 10 2016
NIST Seeks Industry Govt Input on Cyber Trends ChallengesPosted By Jane Edwards August 11 2016
Politics New York TimesUS Wrestles With How to Fight Back Against CyberattacksBy DAVID E SANGERJULY 30 2016
290000 driverrsquos license records stolen from US government computersMelanie Watson June 10 2016 Report Yahoo confirms massive data breach -500M
Kim Hjelmgaard Elizabeth Weise USATODAY 9-22-16
Commercialized Cyber Crime ndash Go Phish
bull Zero day vulnerabilities opens the door to more targeted attacks
bull Spear phishing targeted campaigns are increasing
bull Ransomware victims have to pay for unlocks
bull Consumer Scams
bull Professionalization of Cyber Crime
bull Source Symantec Internet Security Threat Report (via BrightTALK) Kevin Haley Director Symantec Security Response May 3 2016
Top Three US Privacy Concerns ndash Affect Virtual Business
1 45 are more worried about their online privacy than one year ago2 92 of US Internet users worry about their privacy online3 Health care providers are most trusted (74) and advertisers are least
trusted (25)
bull The trust factor is what is desired- people do not want their healthcare data compromised- hence they believe that the Health care providers are protecting their information
bull 2016- 164 health care breaches compromised 46 million people (US Dept of HHS)
bull Mistrust in advertising affects willingness to shop online
SourceTruste and National Cyber Security Alliance Aug 10 2016
Data from surveys conducted by Ipsos on behalf ofTRUSTe NCSA from December 17-22 2015US 888 878 7830 wwwtrustecom | wwwstaysafeonlineorgcopy TRUSTe Inc 2016 All Rights Reserved
Top US Privacy Concerns Result in Behavior Changes
Sensitive Data Compromises
bullAnthem 80 million patient and employee records were compromisedbull JPMorgan Sensitive financial and personal information of 76 million
households and 7 million small businessesbullHome Depot 56 million credit card accounts and 53 million email
addresses exposed onlinebullTarget 40 million credit and debit card accounts as well as data on 70
million customers stolenbullAshley Madison 33 million user accounts exposedbullOffice of Personnel Management 265 million records stolen bullYahoo 500 million user accounts compromised
SourceTruste and National Cyber Security Alliance Aug 10 2016
Who Needs Threat ManagementOrganizations must have a sufficient cyberinformation security foundation
Utilities Oil amp GasChemical PharmaceuticalsMed Financial Services
All Industries and Government Agencies Must Manage the Threats
Health CareTelecom Government Agencies Aerospace and Defense
Cyber Criminals do not Discriminate- Any Business will do
bull According to Symantec attacks targeting businesses with less than 250 employees have increased over the last 5 years
bull The number of spear-phishing campaigns targeting employees increased 55 in 2015
bull If there is money to be made ndashsize doesnrsquot matter
Information Security Management EcosystemModel People Capabilities- Processes- Platforms and Technology to Integrate Data for Transformation Planning and Execution
Goal Focus Customer Relationship ManagementTrust
Customer Management System
bull Customer Centric ndashSecurity and data protection expectations
bull End User CRMAwareness
bull InfoSec Performance TransparencyVisibility via Communications
Goal Deliver High Quality Cost-
Effective CyberInfoSec Services and
Value through Service Lifecycle
InfoSec Service Excellence System
bull Continual Service Improvement (CSI)bull Information Security Service Operating Excellencebull Quality Control Method Integrationbull Transformation and Change Managementbull RiskOpportunity Management IntegrationPerformance Metrics
Management-SLAsOLAs
Goal Provide InfoSec Fulfillment
Corporate Information Security
Organizationbull OptimizedRight-sized Staffing Plan
Aligned with customer demandbull Repeatable bull Relevant Expertise Knowledge
Skillsbull Clearly Defined
RolesResponsibilities for all functional interface and process execution
Goal Provide Proactive End-to-End Threat Management
and Detection Capabilitiesbull Intel Capabilities- Malware Analysis Forensics
Incident Response Hunting bull Intel Collaboration and Analytics Platformsbull Date Platform and flow
Goal Integrate InfoSec Industry Best Practice with IT Service
Best Practices to Provide Continuity of Service Delivery
supporting Customer Needs
Commercial Service Management Systems
bullProject Management Best PracticesbullNISTISO 27001 Industry StandardsbullITSMITIL Service Management Lifecycle bullOperational amp Administrative SupportbullSituational AwarenessbullService Asset ManagementbullMaturity Assessment
Goal Ensure Seamless Service Delivery
Workforce Management System
bull Organizational Change Mgmt to Achieve Large Scale Transition without Disruption to cyberInfoSec service delivery
bull Sub Contractor performance Underpinning Contractsbull Common Security Capabilities and Processes across
Subcontractsbull Culture of Continuous Improvementbull Workforce Planning and Career Path Development
Strategic Direction and
Visionbull Strategic AssessmentSWOTbull Technology Trendsbull Social Attitudinal and Economic
trendsbull Market Description amp Competitive
Analysisbull Business Relationship
Managementbull Maturity and Risk Level
Threat Management Model
Goal Know the Ecosystem Needs Plan the
Future
CISO
Dir
IR Intel
Mgr
Support
Transformation Addresses the Entire InfoSec Management Ecosystem
Threat Management
Capabilities AlignedCyber Security Enabled
Business Agility Proactive Threat Management
Threat Management
Incident Response
Corporate InfoSec (CIS) Environment
SiloedDecentralized
Chaotic
Establish BusinessCISInfrastructure Fusion
Enable Proactive to Predictive Optimization
Begin Prioritized Transformation and Business Integration
Kick off Program Management Plan
Realign Org StructureRoles Responsibilities
Develop Transformation and Change Management Plan
Assess Current State Process Data Tools Integration (PIA)
Transformation Begins
Business Value-Driven
Execute Design to Excellence Events (DTE)
Identify Gaps Related to Current State Assessment
Complete Initial Threat Management Model
Continue Prioritized Transformation
Develop Strategic DirectionRisk Level
Improving Threat Management Maturity Enables Optimization and Business Value
Threat Management Maturity Continuum
Senior Management Assessment and Desired Transformation
Transformation and Change ProcessArt and Science of Transformation
Foundational in Continuous Improvement (CI)
Transformation and Change Process
bull The art and science of managing a large-scale transformation within any organization is daunting but not impossible
bullA transformation and change leader is critical to ensuring that transformation and change are managed for success with minimal defects and resistance
bull Leaders must be willing to accept the sixteenth-century wisdom of Niccolograve Machiavelli who in his political treatise The Prince warned
ldquoThere is nothing more difficult to take in hand more perilous to conduct or more uncertain in its success than to take the lead in the introduction
of a new order of thingsrdquo
20
The Art and Science of Transformation
21
ART SCIENCE
Organizational CultureChange ManagementInnovation Approach
Risk ToleranceMarket Orientation
Management Role Models
StrategyDefined Strategic Direction
Value Generating InnovationsInnovation Goals and Incentives
CollaborationNetwork
Internal and External StakeholdersKnowledge Sharing
Expertise GapsOpen Collaboration
SystemsRepeatable Processes
InfrastructureMeasurements and Monitoring
Industry Best PracticesContinuous Improvement
Source Schroeder H 2013 Strategic Innovation For Business Performance The Art And Science Of Transformation Technology Innovation Management Review 3(9) 6-12 httptimreviewcaarticle722
Manage the Transformation - Change the Behavior
bull The people doing the work play a critical role in any successful transformation
bull Changing the way people think about their future and the part they play in designing it guarantees buy-in
ldquoIt is not the strongest of the species who survive nor even the most intelligent
but the ones most responsive to changerdquo
- Charles Darwin
22
Every InfoSec Transformational Engagement
bull Provides the opportunity to work with high-performing cyber security and information technology professionals
bull Ensures continuous refinement and testing of methodologies and approach to transformation and change of information security processes
bull Ensures organizational leaders listen to their people to optimize their skills develop their functional alignment and organize their cross-functional work
bull Develops and implements streamlined and integrated processes to support the needs of the enterprise
bull Helps leaders recognize that organizational governance-policy and guidance- is critical for continuity and compliance
Get to Excellence
Continuous Improvement
Strategic Direction
Risk Level
Design to Excellence
Future State Model
Process Innovation
Activity
Program-Project
Management Plan
Execution of Prioritized
Projects
Final Operating Capability (FOC)
Initial Operating Capability (IOC)
Transformation and Change
Management
Communication
Communication
Communication
Communication
Communication
Cycle of Change
Senior Leader Engagement
Meet with senior leaders to
bullGenerate the transformational vision that describes their next-generation information security organization including desired performance maturity and risk levels
bull Discuss the use of their influence to support the transformation and change and seek their willingness to be involved in the transformation
bullObtain authorization for initial maturity assessment
bull Authorize and identify resources to handle the workload and the proposed changes
Determine Transformation Scope and Boundaries
bullCollaborate with information security and IT operations stakeholders to establish a holistic information security process view
bullDetermine the transformation scope boundaries
bullDefine a specific program and project management approach
bull Identify core team members that are empowered to ask the ldquohardrdquo questions
Manage the People to Manage the Change
• Simple, efficient and structured are the most important attributes of any methodology used to understand and develop the desired future state
• The methodology builds from the organizational leader's transformational vision and engages the people who perform the work to execute prioritized Process Innovation Activities (PIAs)
PIAs are Structured Engagements
Executed in two days to bring subject matter and process experts together to:
• Define process and platform customers and their values
• Understand the current state
• Provide a collective view of the issues, challenges and risks
• Recommend the desired future state by identifying critical attributes and functionality to mitigate current-state issues
• Present summary outbriefs to allow leaders to understand the outcomes and then provide the authority to proceed with the next steps
Systematic Methods for Innovation and Change: Process Innovation Activity (PIA), Design to Excellence (DTE), Get to Excellence (GTE)
Team charter elements (diagram):
• Customers and customer value: who "buys" the services; what value does the customer derive
• Current state attributes: interactions, functions, issues
• Current state execution: phases, capabilities, functions
• Future state attributes: current-state issue mitigation, build-out capabilities, innovation models
• Future state gaps: people/skills, tools, partnerships, actions
• Implementation activities planning: planning, steps to achieve, cost, resources, approval
• Get to Excellence monitoring: manage change, status
Establish the Program Office and Manage the Projects
Program and Project Management
• Ensures techniques are employed that minimize resistance and allow smooth execution toward the desired future state
• Requires standard templates for schedules, status and integration across the program, from conception and initiation through planning, execution, performance and closure
• Integrates people, process, technology and governance actions
• Ensures accountability is known and dependencies are clear
Program and project management ensures dependencies are known and tasks are integrated.
Transformation Timeline, Notional (month-by-month diagram)
• Phase 1, Innovation: execute PIA; PIA outbrief; ATP (authority to proceed); project planning
• Phase 2, DTE planning/execution and strategic decisions: strategy session; DTE events; senior leaders key decision
• Phase 3, Planning: project implementation planning/execution; ATP implementation approach; senior leaders ATP project presentation
• Phase 4, Implementation: project execution; metrics; training; senior leaders project status
• Other PIAs are shown alongside the main track
Transformation Excellence Trifecta (three columns around Transformation Excellence)
Program/Project Management
• Leaders own strategy and garner support
• Sets strategic direction
• Establishes goals and objectives
• Defines plan and schedule
• Manages collaboration
• Performs conflict resolution
• Provides people and resources
• Defines performance metrics
• Establishes PMO/project team structure
• Defines transformational state
• Manages issue escalation
• Manages risk and opportunity
• Manages business rhythms
Operating Excellence
• Supports and enables strategic direction
• Builds and integrates the operational process and systems design plan
• Integrates industry standards
• Designs/implements the integrated operations model
• Identifies the functional integration required
• Prioritizes functional operations
• Validates process ownership/stakeholders
• Plans/executes innovation, improvement and design activities
• Plans/executes Get to Excellence
• Enables operational readiness
• Continuously improves processes for product and service delivery
Transformation Change Management
• Supports and enables strategic direction
• Understands organizational culture
• Manages behavior to mitigate resistance and enable buy-in
• Plans and executes communication
• Ensures training is considered and executed
Standards and Methods Integration
Industry standards can be overwhelming; smart application is key.
Standard and Method Integration (diagram)
Input: technology advancement (government and commercial), business needs, security environment.
Compliance standards (non-prescriptive recommendations): ISO 27001; ISO 27002; British Standard 7799 Part 3; COBIT; ISO/IEC 15408; ITIL (ISO/IEC 20000 series); NIST (National Institute of Standards and Technology); SANS Security Policy; Payment Card Industry Data Security Standard.
Operating Excellence methods: Process Innovation Activities (PIA); Design to Excellence (DTE); Get to Excellence (GTE); program/project management; system architecture design/integration; vendor collaboration; solution management; strategic planning; gap analysis; architecture analysis and definition; system integration.
Output: repeatable processes (Process 1 through Process 9), integrated solutions, threat management evolution.
Summary and Take-Aways
• Transformation and change management ensures integration of people, process, standards, technology and governance
• The methodology is applicable to any industry or function
• Maturity assessments reveal the depth of need
• Senior leaders provide strategic clarity and must participate to show buy-in
• Involvement of the people who perform the work improves buy-in tenfold
• Process Innovation Activities (PIA) identify issues and recommend future-state changes
• Future states are created using Design to Excellence events (DTE)
• All activities are managed and integrated using structured program and project planning
• Communication is managed to mitigate resistance and improve transformation success
• Get to Excellence plans (GTE) monitor projects from Initial Operating Capability (IOC) through Final Operating Capability (FOC)
• Performance metrics lead the way toward continual improvement
Thank you for attending this session. Please don't forget to complete an evaluation for this session; evaluation forms can be completed electronically on the FUSION 16 Conference App.
Sources
1. Cisco Annual Security Report: Achieving Attack Resilience. http://www.cisco.com/c/m/en_us/offers/sc04/2016-annual-security-report/index.html
2. Cici's Pizza suffers payment card data breach. Lewis Morgan, July 25, 2016, IT Governance Ltd. http://www.itgovernanceusa.com/blog/cicis-pizza-suffers-payment-card-data-breach
3. 15 million T-Mobile records hacked, says Experian. Melanie Watson, October 2, 2015, IT Governance Ltd. http://www.itgovernanceusa.com/blog/15-million-t-mobile-records-hacked-says-experian
4. Flaws in wireless keyboards let hackers snoop on everything you type. IT Governance Ltd, Anna E. Kobylinska. http://www.zdnet.com/article/millions-of-wireless-keyboards-at-risk-of-spying-by-hackers-in-new-attack
5. US Wrestles With How to Fight Back Against Cyberattacks, by Alex Nguyen, CISSP, CISA. http://www.nytimes.com/2016/07/31/us/politics/us-wrestles-with-how-to-fight-back-against-cyberattacks.html
6. New infographic exposes top US privacy concerns. Melanie Watson, August 10, 2016, IT Governance Ltd. http://www.itgovernanceusa.com/blog/new-infographic-exposes-top-us-privacy-concerns
7. 290,000 driver's license records stolen from US government computers. Melanie Watson, June 10, 2016, IT Governance Ltd. http://www.itgovernanceusa.com/blog/290000-drivers-license-records-stolen-from-us-government-computers
8. Cybersecurity is the 'biggest risk' facing Wall Street, says SEC. Melanie Watson, June 13, 2016, IT Governance Ltd. http://www.itgovernanceusa.com/blog/cybersecurity-is-the-biggest-risk-facing-wall-street-says-sec
9. Ransomware attacks strike hard: 54% of businesses in the UK hit. Marika Samarati, 8 August 2016, IT Governance Ltd. http://www.itgovernance.co.uk/blog/ransomware-attacks-strike-hard-54-of-businesses-in-the-uk-hit
10. Symantec Internet Security Threat Report (via BrightTALK). Kevin Haley, Director, Symantec Security Response, May 3, 2016.
11. Symantec: Attackers Target both Large and Small Businesses. https://www.symantec.com/content/dam/symantec/docs/infographics/istr-attackers-strike-large-business-en.pdf
12. OPM breach timeline. http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/the-opm-breach-timeline-of-a-hack
13. Report: Yahoo confirms massive data breach of 500M accounts. Kim Hjelmgaard and Elizabeth Weise, USA TODAY, September 22, 2016.
14. Schroeder, H. (2013). Strategic Innovation for Business Performance: The Art and Science of Transformation. Technology Innovation Management Review, 3(9), 6-12. http://timreview.ca/article/722
Top Three US Privacy Concerns Affect Virtual Business
1. 45% are more worried about their online privacy than one year ago
2. 92% of US Internet users worry about their privacy online
3. Health care providers are the most trusted (74%) and advertisers the least trusted (25%)
• Trust is what is desired: people do not want their health care data compromised, hence they believe that health care providers are protecting their information
• 2016: 164 health care breaches compromised 4.6 million people (US Dept. of HHS)
• Mistrust in advertising affects willingness to shop online
Source: TRUSTe and National Cyber Security Alliance, Aug 10, 2016. Data from surveys conducted by Ipsos on behalf of TRUSTe/NCSA, December 17-22, 2015 (www.truste.com | www.staysafeonline.org).
Top US Privacy Concerns Result in Behavior Changes
Sensitive Data Compromises
• Anthem: 80 million patient and employee records were compromised
• JPMorgan: sensitive financial and personal information of 76 million households and 7 million small businesses
• Home Depot: 56 million credit card accounts and 53 million email addresses exposed online
• Target: 40 million credit and debit card accounts, as well as data on 70 million customers, stolen
• Ashley Madison: 33 million user accounts exposed
• Office of Personnel Management: 26.5 million records stolen
• Yahoo: 500 million user accounts compromised
Source: TRUSTe and National Cyber Security Alliance, Aug 10, 2016
Who Needs Threat Management?
Organizations must have a sufficient cyber/information security foundation.
All industries and government agencies must manage the threats: utilities, oil and gas, chemical, pharmaceuticals/medical, financial services, health care, telecom, government agencies, aerospace and defense.
Cyber criminals do not discriminate; any business will do.
• According to Symantec, attacks targeting businesses with fewer than 250 employees have increased over the last 5 years
• The number of spear-phishing campaigns targeting employees increased 55% in 2015
• If there is money to be made, size doesn't matter
Information Security Management Ecosystem
Model people, capabilities, processes, platforms and technology to integrate data for transformation planning and execution.

Customer Management System (Goal: focus on customer relationship management and trust)
• Customer centric: security and data protection expectations
• End-user CRM and awareness
• InfoSec performance transparency and visibility via communications

InfoSec Service Excellence System (Goal: deliver high-quality, cost-effective cyber/InfoSec services and value through the service lifecycle)
• Continual Service Improvement (CSI)
• Information security service operating excellence
• Quality control method integration
• Transformation and change management
• Risk/opportunity management integration; performance metrics management (SLAs/OLAs)

Corporate Information Security Organization (Goal: provide InfoSec fulfillment)
• Optimized, right-sized staffing plan aligned with customer demand
• Repeatable
• Relevant expertise, knowledge and skills
• Clearly defined roles and responsibilities for all functional interfaces and process execution

Threat Management Model (Goal: provide proactive end-to-end threat management and detection capabilities)
• Intel capabilities: malware analysis, forensics, incident response, hunting
• Intel collaboration and analytics platforms
• Data platform and flow

Commercial Service Management Systems (Goal: integrate InfoSec industry best practice with IT service best practices to provide continuity of service delivery supporting customer needs)
• Project management best practices
• NIST and ISO 27001 industry standards
• ITSM/ITIL service management lifecycle
• Operational and administrative support
• Situational awareness
• Service asset management
• Maturity assessment

Workforce Management System (Goal: ensure seamless service delivery)
• Organizational change management to achieve large-scale transition without disruption to cyber/InfoSec service delivery
• Subcontractor performance; underpinning contracts
• Common security capabilities and processes across subcontracts
• Culture of continuous improvement
• Workforce planning and career path development

Strategic Direction and Vision (Goal: know the ecosystem needs, plan the future)
• Strategic assessment (SWOT)
• Technology trends
• Social, attitudinal and economic trends
• Market description and competitive analysis
• Business relationship management
• Maturity and risk level

Organization chart shown on the slide: CISO; Director; IR/Intel Manager; Support.
Transformation addresses the entire InfoSec management ecosystem.
Threat Management Maturity Continuum (diagram): improving threat management maturity enables optimization and business value. Labels: Threat Management; Incident Response.
• Starting point, Corporate InfoSec (CIS) environment: siloed/decentralized, chaotic
• Senior management assessment and desired transformation
• Transformation begins: assess current state (process, data, tools, integration) via PIA; develop strategic direction and risk level; develop the transformation and change management plan; kick off the program management plan; realign organizational structure, roles and responsibilities
• Execute Design to Excellence events (DTE); identify gaps related to the current state assessment; complete the initial threat management model; begin prioritized transformation and business integration
• Continue prioritized transformation; establish business/CIS/infrastructure fusion
• End state, business value-driven: capabilities aligned, cyber security enabled; business agility, proactive threat management; enable proactive-to-predictive optimization
Transformation and Change Process: Art and Science of Transformation
Foundational in Continuous Improvement (CI)
• The art and science of managing a large-scale transformation within any organization is daunting, but not impossible
• A transformation and change leader is critical to ensuring that transformation and change are managed for success, with minimal defects and resistance
• Leaders must be willing to accept the sixteenth-century wisdom of Niccolò Machiavelli, who in his political treatise The Prince warned: "There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things."
The Art and Science of Transformation
Art and Science dimensions (table on the slide):
• Organizational Culture: change management; innovation approach; risk tolerance; market orientation; management role models
• Strategy: defined strategic direction; value-generating innovations; innovation goals and incentives
• Collaboration/Network: internal and external stakeholders; knowledge sharing; expertise gaps; open collaboration
• Systems: repeatable processes; infrastructure; measurements and monitoring; industry best practices; continuous improvement
Source: Schroeder, H. (2013). Strategic Innovation for Business Performance: The Art and Science of Transformation. Technology Innovation Management Review, 3(9), 6-12. http://timreview.ca/article/722
Manage the Transformation, Change the Behavior
• The people doing the work play a critical role in any successful transformation
• Changing the way people think about their future, and the part they play in designing it, guarantees buy-in
"It is not the strongest of the species who survive, nor even the most intelligent, but the ones most responsive to change."
- attributed to Charles Darwin (the wording is Leon C. Megginson's 1963 paraphrase, not Darwin's own)
Every InfoSec Transformational Engagement
bull Provides the opportunity to work with high-performing cyber security and information technology professionals
bull Ensures continuous refinement and testing of methodologies and approach to transformation and change of information security processes
bull Ensures organizational leaders listen to their people to optimize their skills develop their functional alignment and organize their cross-functional work
bull Develops and implements streamlined and integrated processes to support the needs of the enterprise
bull Helps leaders recognize that organizational governance-policy and guidance- is critical for continuity and compliance
Get to Excellence
Continuous Improvement
Strategic Direction
Risk Level
Design to Excellence
Future State Model
Process Innovation
Activity
Program-Project
Management Plan
Execution of Prioritized
Projects
Final Operating Capability (FOC)
Initial Operating Capability (IOC)
Transformation and Change
Management
Communication
Communication
Communication
Communication
Communication
Cycle of Change
Senior Leader Engagement
Meet with senior leaders to
bullGenerate the transformational vision that describes their next-generation information security organization including desired performance maturity and risk levels
bull Discuss the use of their influence to support the transformation and change and seek their willingness to be involved in the transformation
bullObtain authorization for initial maturity assessment
bull Authorize and identify resources to handle the workload and the proposed changes
Determine Transformation Scope and Boundaries
bullCollaborate with information security and IT operations stakeholders to establish a holistic information security process view
bullDetermine the transformation scope boundaries
bullDefine a specific program and project management approach
bull Identify core team members that are empowered to ask the ldquohardrdquo questions
Manage the People to Manage the Change
bullSimple efficient and structured are the most important attributes of any methodology used to understand and develop the desired future state
bullBuilds from the organizational leaderrsquos transformational vision and engages the people who perform the work to execute prioritized Process Innovation Activities (PIAs)
PIAs are Structured Engagements
bullExecuted in two days to bring subject matter and process experts together to
bullDefine process and platform customers and their valuesbullUnderstand the current statebullProvide a collective view of the issues challenges and risksbullRecommend the desired future state by identifying critical
attributes and functionality to mitigate current state issuesbullPresent summary outbriefs to allow leaders to understand
outcomes to then provide the authority to proceed with the next steps
Systematic Methods for Innovation and ChangeProcess Innovation Activity (PIA) Design to Excellence (DTE) Get to Excellence (GTE)
CustomersCustomer
Value
Current State
Attributes
Current State
Execution
TeamCharter
Who ldquobuysrdquo the services
What value does the Customerderive
bull Interactionsbull Functionsbull Issues
bull Phasesbull Capabilitiesbull Functions
29
Systematic Methods for Innovation and ChangeProcess Innovation Activity (PIA) Design to Excellence (DTE) Get to Excellence (GTE)
Future State
Attributes
Future State Gaps
Implementation Activities Planning
Get to Excellence Monitoring
bull Current StateIssue Mitigation
bull Build outCapabilities
bull Innovation Models
bull People-Skillsbull Toolsbull Partnershipsbull Actions
bull Planningbull Steps to Achievebull Costbull Resourcesbull Approval
bull Manage Changebull Status
30
Establish the Program Office and Manage the Projects
Program and Project Management
bullEnsures techniques are employed to ensures minimal resistance and smooth execution to obtain the desired future state
bullRequires standard templates for schedules status and integration across the Program ndash from conception and initiation planning execution performance and closure
bull Integrates people process technology and governance actions
bullEnsures accountability is known and dependencies are clear
Program and Project Management Ensures Dependencies are Known and Tasks are Integrated
Transformation Timeline ndash Notional
Month Month Month Month Month Month Month Month Month Month Month
Execute PIA
PIA Outbrief
ATP
Project Planning
Phase 2DTE PlanningExecutionStrategic Decisions
Strategy Session
DTE
Senior Leaders
DTE
Key Decision
Project Implementation PlanningExecution
ATP Implementation Approach
Project ExecutionPhase 4 Implementation
Sr Leaders
Metrics Training
Senior LeadersProject Status
Phase 1Innovation
PlanPhase 3Planning
~~
~~
~
32
Sr LeadersATP Project Presentation
DTE
DTE
DTE
DTE
DTE
Other PIAs
ProgramProjectManagement
OperatingExcellence
Transformation Change Management
bull Leaders own Strategy Garner Supportbull Sets Strategic Directionbull Establishes Goals and Objectivesbull Defines Plan and Schedulebull Manages Collaboration bull Performs Conflict Resolutionbull Provides People and Resourcesbull Defines Performance Metricsbull Establishes PMOProject Team Structurebull Defines Transformational Statebull Manages Issue Escalationbull Manages Risk and Opportunitybull Manages Business Rhythms
bull Supports and Enables Strategic Directionbull Builds and integrates Operational process and
systems design planbull Integrates Industry Standards bull DesignImplement Integrated Operations Modelbull Identifies Functional Integration Requiredbull Prioritizes functional operationsbull Validate Process OwnershipStakeholdersbull PlanExecute InnovationImprovementDesign
Activitiesbull Plan Execute Get to Excellencebull Enables Operational Readinessbull Continuously improves processes for product and
service deliverybull Supports and Enables Strategic Directionbull Understands Organizational Culture bull Manages Behavior to Mitigate ResistanceEnable Buy-Inbull Plans and Executes Communicationbull Ensure Training is Considered and Executed
Transformation Excellence Trifecta
Transformation Excellence
Standards and Methods IntegrationIndustry Standards can be overwhelming- Smart application is Key
35
Operating Excellence
OUTPUT
bull Process Innovation
Activities (PIA)
bull Design to Excellence
(DTE)
bull Get to Excellence (GTE)
bull ProgramProject
Management
bull System Architecture
DesignIntegration
bull Vendor Collaboration
bull Solution Management
bull Strategic Planningbull Gap Analysisbull Architecture Analysis amp
Definitionbull System Integrationbull ISO 27001
bull ISO 27002bull British Standard 7799 Part 3bull COBITbull ISOIEC 15408bull ITIL (ISOIEC 20000 series)bull National Information Security Technology (NIST)bull SANS Security Policybull Payment Card Industry Data Security
ComplianceStandards
Pro
cess
1
Repeatable Processes
INTEGRATED SOLUTIONS
OUTPUT
THREAT MANAGEMENT
EVOLUTION
INPUT
ST
D5
ST
D11
ST
D_27
ST
D 4
6
INPUT
Technology Advancement Government amp Commercial
Business NeedsSecurity Environment
March 2004 35
Standard and Method Integration
Pro
cess
2
Pro
cess
3
Pro
cess
4
Pro
cess
5
Pro
cess
9
Pro
cess
8
Pro
cess
6
Pro
cess
7
INPUT
ISO
27001
ComplianceNon Prescriptive Recommendations
ISO
27002
BS
7799
CO
BIT
ISO
IE
C
ITIL
NIS
T
SA
NS
PC
I
Summary and Take Away
Summary and Take-Aways
bull Transformation and Change Management ensures integration of people process standards technology governance
bull Methodology is applicable to any industry or function
bull Maturity Assessments reveal depth of need
bull Senior Leaders provide strategic clarity must participate to show buy-in
bull Involvement of the People who perform the work improves buy-in tenfold
bull Process Innovation Activities (PIA) identify Issues and recommend future state changes
bull Future states are created using Design To Excellence Events (DTE)
bull All activities are managed and integrated using structured program and project planning
bull Communication is managed to mitigate resistance improve transformation success
bull Get to Excellence Plans (GTE) monitor projects-Initial Operating Capability (IOC) through FOC
bull Performance metrics lead the way toward continual improvement
Thank you for attending this session
Please donrsquot forget to complete an evaluation for this session
Evaluation forms can be completed electronically on the
FUSION 16 Conference App
Sources
1 CISCO Annual Security Report-Achieving Attack Resilience httpwwwciscocomcmen_usofferssc042016-annual-security-reportindexhtml
2 Cicirsquos Pizza suffers payment card data breach Lewis Morgan July 25 2016 sourced from IT Governance Ltd httpwwwitgovernanceusacomblogcicis-pizza-suffers-payment-card-data-breachutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-07-26ampkmi=gailmtalbott40lmcocom
3 15 million T-Mobile records hacked says Experian Melanie Watson October 2 2015 IT Governance Ltd httpwwwitgovernanceusacomblog15-million-t-mobile-records-hacked-says-experian
4 Flaws in wireless keyboards let hackers snoop on everything you type IT Governance Ltd Anna E Kobylinskahttpwwwzdnetcomarticlemillions-of-wireless-keyboards-at-risk-of-spying-by-hackers-in-new-attack
5 US Wrestles With How to Fight Back Against Cyberattacksby Alex Nguyen CISSP CISAhttpwwwnytimescom20160731uspoliticsus-wrestles-with-how-to-fight-back-against-cyberattackshtml_r=0
6 New infographic exposes top US privacy concerns Melanie Watson August 10 2016 httpwwwitgovernanceusacomblognew-infographic-exposes-top-us-privacy-concernsutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-08-11ampkmi=gailmtalbott40lmcocom
7 290000 driverrsquos license records stolen from US government computers by Melanie Watson- June 10 2016httpwwwitgovernanceusacomblog290000-drivers-license-records-stolen-from-us-government-computersutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-06-13ampkmi=gailmtalbott40lmcocom
Sources
7 Cybersecurity is the lsquobiggest riskrsquo facing Wall Street says SEC Melanie Watson June 13 2016 source IT Governance Ltd httpwwwitgovernanceusacomblogcybersecurity-is-the-biggest-risk-facing-wall-street-says-secutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-06-14ampkmi=gailmtalbott40lmcocom
8 Ransomware attacks strike hard 54 of businesses in the UK hit Marika Samarati 8th August 2016 httpwwwitgovernancecoukblogransomware-attacks-strike-hard-54-of-businesses-in-the-uk-hitutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-08-09ampkmi=gailmtalbott40lmcocom
9 Symantec Internet Security Threat Report (via BrightTALK) Kevin Haley Director Symantec Security Response May 3 2016
10 Symantec Attackers Target both Large and Small Businesses httpswwwsymanteccomcontentdamsymantecdocsinfographicsistr-attackers-strike-large-business-enpdf
11 OPM Timeline - httpwwwtripwirecomstate-of-securitysecurity-data-protectioncyber-securitythe-opm-breach-timeline-of-a-hack opm timeline info char
12 Report Yahoo confirms massive data breach - 500M Kim Hjelmgaard Elizabeth Weise USA TODAY 9-22-16
13 Schroeder H 2013 Strategic Innovation For Business Performance The Art And Science Of Transformation Technology Innovation Management Review 3(9) 6-12 httptimreviewcaarticle722
Sensitive Data Compromises
bullAnthem 80 million patient and employee records were compromisedbull JPMorgan Sensitive financial and personal information of 76 million
households and 7 million small businessesbullHome Depot 56 million credit card accounts and 53 million email
addresses exposed onlinebullTarget 40 million credit and debit card accounts as well as data on 70
million customers stolenbullAshley Madison 33 million user accounts exposedbullOffice of Personnel Management 265 million records stolen bullYahoo 500 million user accounts compromised
SourceTruste and National Cyber Security Alliance Aug 10 2016
Who Needs Threat ManagementOrganizations must have a sufficient cyberinformation security foundation
Utilities Oil amp GasChemical PharmaceuticalsMed Financial Services
All Industries and Government Agencies Must Manage the Threats
Health CareTelecom Government Agencies Aerospace and Defense
Cyber Criminals do not Discriminate- Any Business will do
bull According to Symantec attacks targeting businesses with less than 250 employees have increased over the last 5 years
bull The number of spear-phishing campaigns targeting employees increased 55 in 2015
bull If there is money to be made ndashsize doesnrsquot matter
Information Security Management EcosystemModel People Capabilities- Processes- Platforms and Technology to Integrate Data for Transformation Planning and Execution
Goal Focus Customer Relationship ManagementTrust
Customer Management System
bull Customer Centric ndashSecurity and data protection expectations
bull End User CRMAwareness
bull InfoSec Performance TransparencyVisibility via Communications
Goal Deliver High Quality Cost-
Effective CyberInfoSec Services and
Value through Service Lifecycle
InfoSec Service Excellence System
bull Continual Service Improvement (CSI)bull Information Security Service Operating Excellencebull Quality Control Method Integrationbull Transformation and Change Managementbull RiskOpportunity Management IntegrationPerformance Metrics
Management-SLAsOLAs
Goal Provide InfoSec Fulfillment
Corporate Information Security
Organizationbull OptimizedRight-sized Staffing Plan
Aligned with customer demandbull Repeatable bull Relevant Expertise Knowledge
Skillsbull Clearly Defined
RolesResponsibilities for all functional interface and process execution
Goal Provide Proactive End-to-End Threat Management
and Detection Capabilitiesbull Intel Capabilities- Malware Analysis Forensics
Incident Response Hunting bull Intel Collaboration and Analytics Platformsbull Date Platform and flow
Goal Integrate InfoSec Industry Best Practice with IT Service
Best Practices to Provide Continuity of Service Delivery
supporting Customer Needs
Commercial Service Management Systems
bullProject Management Best PracticesbullNISTISO 27001 Industry StandardsbullITSMITIL Service Management Lifecycle bullOperational amp Administrative SupportbullSituational AwarenessbullService Asset ManagementbullMaturity Assessment
Goal Ensure Seamless Service Delivery
Workforce Management System
bull Organizational Change Mgmt to Achieve Large Scale Transition without Disruption to cyberInfoSec service delivery
bull Sub Contractor performance Underpinning Contractsbull Common Security Capabilities and Processes across
Subcontractsbull Culture of Continuous Improvementbull Workforce Planning and Career Path Development
Strategic Direction and
Visionbull Strategic AssessmentSWOTbull Technology Trendsbull Social Attitudinal and Economic
trendsbull Market Description amp Competitive
Analysisbull Business Relationship
Managementbull Maturity and Risk Level
Threat Management Model
Goal Know the Ecosystem Needs Plan the
Future
CISO
Dir
IR Intel
Mgr
Support
Transformation Addresses the Entire InfoSec Management Ecosystem

[Figure: Threat Management Maturity Continuum. Improving Threat Management Maturity Enables Optimization and Business Value.]

Maturity stages of the Corporate InfoSec (CIS) Environment, least to most mature:
• Chaotic
• Siloed/Decentralized
• Threat Management, Incident Response
• Business Agility, Proactive Threat Management
• Threat Management Capabilities Aligned, Cyber Security Enabled

Transformation activities along the continuum:
• Senior Management Assessment and Desired Transformation
• Transformation Begins: Assess Current State Process, Data, Tools, Integration (PIA); Develop Transformation and Change Management Plan; Realign Org Structure/Roles/Responsibilities; Kick off Program Management Plan
• Begin Prioritized Transformation and Business Integration: Complete Initial Threat Management Model; Identify Gaps Related to Current State Assessment; Execute Design to Excellence Events (DTE); Develop Strategic Direction/Risk Level
• Continue Prioritized Transformation, Business Value-Driven
• Establish Business/CIS/Infrastructure Fusion
• Enable Proactive to Predictive Optimization
Transformation and Change Process: Art and Science of Transformation
Foundational in Continuous Improvement (CI)

• The art and science of managing a large-scale transformation within any organization is daunting, but not impossible.
• A transformation and change leader is critical to ensuring that transformation and change are managed for success, with minimal defects and resistance.
• Leaders must be willing to accept the sixteenth-century wisdom of Niccolò Machiavelli, who in his political treatise The Prince warned: "There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things."
The Art and Science of Transformation

ART
• Organizational Culture: Risk Tolerance, Market Orientation, Management Role Models
• Strategy: Defined Strategic Direction, Value Generating Innovations, Innovation Goals and Incentives
• Collaboration Network: Internal and External Stakeholders, Knowledge Sharing, Expertise Gaps, Open Collaboration

SCIENCE
• Change Management
• Innovation Approach
• Systems: Repeatable Processes, Infrastructure, Measurements and Monitoring, Industry Best Practices, Continuous Improvement

Source: Schroeder, H. (2013). Strategic Innovation for Business Performance: The Art and Science of Transformation. Technology Innovation Management Review, 3(9), 6-12. http://timreview.ca/article/722
Manage the Transformation - Change the Behavior
• The people doing the work play a critical role in any successful transformation
• Changing the way people think about their future, and the part they play in designing it, guarantees buy-in

"It is not the strongest of the species who survive, nor even the most intelligent, but the ones most responsive to change."
- Charles Darwin
Every InfoSec Transformational Engagement
• Provides the opportunity to work with high-performing cyber security and information technology professionals
• Ensures continuous refinement and testing of methodologies and the approach to transformation and change of information security processes
• Ensures organizational leaders listen to their people to optimize their skills, develop their functional alignment and organize their cross-functional work
• Develops and implements streamlined and integrated processes to support the needs of the enterprise
• Helps leaders recognize that organizational governance (policy and guidance) is critical for continuity and compliance
Cycle of Change

[Figure: Cycle of Change. Strategic Direction and Risk Level feed a Process Innovation Activity; Design to Excellence produces the Future State Model; a Program-Project Management Plan drives Execution of Prioritized Projects from Initial Operating Capability (IOC) to Final Operating Capability (FOC); Get to Excellence sustains Continuous Improvement. Transformation and Change Management and Communication surround every step.]
Senior Leader Engagement
Meet with senior leaders to:
• Generate the transformational vision that describes their next-generation information security organization, including desired performance, maturity and risk levels
• Discuss the use of their influence to support the transformation and change, and seek their willingness to be involved in the transformation
• Obtain authorization for the initial maturity assessment
• Authorize and identify resources to handle the workload and the proposed changes

Determine Transformation Scope and Boundaries
• Collaborate with information security and IT operations stakeholders to establish a holistic information security process view
• Determine the transformation scope boundaries
• Define a specific program and project management approach
• Identify core team members that are empowered to ask the "hard" questions

Manage the People to Manage the Change
• Simple, efficient and structured are the most important attributes of any methodology used to understand and develop the desired future state
• Builds from the organizational leader's transformational vision and engages the people who perform the work to execute prioritized Process Innovation Activities (PIAs)

PIAs are Structured Engagements
• Executed in two days to bring subject matter and process experts together to:
  • Define process and platform customers and their values
  • Understand the current state
  • Provide a collective view of the issues, challenges and risks
  • Recommend the desired future state by identifying critical attributes and functionality to mitigate current state issues
  • Present summary outbriefs to allow leaders to understand outcomes and then provide the authority to proceed with the next steps
Systematic Methods for Innovation and Change: Process Innovation Activity (PIA), Design to Excellence (DTE), Get to Excellence (GTE)

Stages of the method, in order:
• Team/Charter
• Customers and Customer Value: Who "buys" the services? What value does the Customer derive?
• Current State Attributes: Interactions, Functions, Issues
• Current State Execution: Phases, Capabilities, Functions
• Future State Attributes: Current State Issue Mitigation, Build-out Capabilities, Innovation Models
• Future State Gaps: People/Skills, Tools, Partnerships, Actions
• Implementation Activities Planning: Planning, Steps to Achieve, Cost, Resources, Approval
• Get to Excellence Monitoring: Manage Change, Status
Establish the Program Office and Manage the Projects
Program and Project Management
• Ensures techniques are employed that minimize resistance and smooth execution to obtain the desired future state
• Requires standard templates for schedules, status and integration across the Program, from conception and initiation through planning, execution, performance and closure
• Integrates people, process, technology and governance actions
• Ensures accountability is known and dependencies are clear

Program and Project Management Ensures Dependencies are Known and Tasks are Integrated
Transformation Timeline (Notional)

[Figure: notional month-by-month timeline across four phases]
• Phase 1, Innovation: Execute PIA; PIA Outbrief; ATP; Other PIAs
• Phase 2, DTE Planning/Execution and Strategic Decisions: Strategy Session; DTE events; Senior Leaders Key Decision
• Phase 3, Planning: Project Planning; Project Implementation Planning/Execution; ATP Implementation Approach; Sr Leaders ATP Project Presentation
• Phase 4, Implementation: Project Execution; Metrics; Training; Senior Leaders Project Status
Transformation Excellence Trifecta

Program/Project Management
• Leaders own Strategy, Garner Support
• Sets Strategic Direction
• Establishes Goals and Objectives
• Defines Plan and Schedule
• Manages Collaboration
• Performs Conflict Resolution
• Provides People and Resources
• Defines Performance Metrics
• Establishes PMO/Project Team Structure
• Defines Transformational State
• Manages Issue Escalation
• Manages Risk and Opportunity
• Manages Business Rhythms

Operating Excellence
• Supports and Enables Strategic Direction
• Builds and integrates Operational process and systems design plan
• Integrates Industry Standards
• Design/Implement Integrated Operations Model
• Identifies Functional Integration Required
• Prioritizes functional operations
• Validate Process Ownership/Stakeholders
• Plan/Execute Innovation/Improvement/Design Activities
• Plan/Execute Get to Excellence
• Enables Operational Readiness
• Continuously improves processes for product and service delivery

Transformation Change Management
• Supports and Enables Strategic Direction
• Understands Organizational Culture
• Manages Behavior to Mitigate Resistance/Enable Buy-In
• Plans and Executes Communication
• Ensure Training is Considered and Executed

[Figure: the three columns converge on Transformation Excellence]
Standards and Methods Integration: Industry Standards can be overwhelming; smart application is key

[Figure: Standard and Method Integration (diagram dated March 2004). Inputs flow through numbered Processes 1-9 and standards (STD) into the Operating Excellence methods, producing the outputs listed below.]

INPUT
• Technology Advancement
• Government & Commercial Business Needs
• Security Environment
• Compliance/Standards (compliance and non-prescriptive recommendations): ISO 27001; ISO 27002; British Standard 7799 Part 3; COBIT; ISO/IEC 15408; ITIL (ISO/IEC 20000 series); National Institute of Standards and Technology (NIST); SANS Security Policy; Payment Card Industry Data Security (PCI)

Operating Excellence
• Process Innovation Activities (PIA)
• Design to Excellence (DTE)
• Get to Excellence (GTE)
• Program/Project Management
• System Architecture Design/Integration
• Vendor Collaboration
• Solution Management
• Strategic Planning
• Gap Analysis
• Architecture Analysis & Definition
• System Integration

OUTPUT
• Repeatable Processes
• Integrated Solutions
• Threat Management Evolution
Summary and Take-Aways
• Transformation and Change Management ensures integration of people, process, standards, technology and governance
• The methodology is applicable to any industry or function
• Maturity Assessments reveal the depth of need
• Senior Leaders provide strategic clarity and must participate to show buy-in
• Involvement of the people who perform the work improves buy-in tenfold
• Process Innovation Activities (PIA) identify issues and recommend future state changes
• Future states are created using Design to Excellence Events (DTE)
• All activities are managed and integrated using structured program and project planning
• Communication is managed to mitigate resistance and improve transformation success
• Get to Excellence Plans (GTE) monitor projects from Initial Operating Capability (IOC) through Final Operating Capability (FOC)
• Performance metrics lead the way toward continual improvement

Thank you for attending this session. Please don't forget to complete an evaluation for this session. Evaluation forms can be completed electronically on the FUSION 16 Conference App.
Sources
1. Cisco Annual Security Report: Achieving Attack Resilience. http://www.cisco.com/c/m/en_us/offers/sc04/2016-annual-security-report/index.html
2. Cici's Pizza suffers payment card data breach. Lewis Morgan, July 25, 2016, IT Governance Ltd. http://www.itgovernanceusa.com/blog/cicis-pizza-suffers-payment-card-data-breach/
3. 15 million T-Mobile records hacked, says Experian. Melanie Watson, October 2, 2015, IT Governance Ltd. http://www.itgovernanceusa.com/blog/15-million-t-mobile-records-hacked-says-experian/
4. Flaws in wireless keyboards let hackers snoop on everything you type. Anna E. Kobylinska, IT Governance Ltd. http://www.zdnet.com/article/millions-of-wireless-keyboards-at-risk-of-spying-by-hackers-in-new-attack/
5. US Wrestles With How to Fight Back Against Cyberattacks, by Alex Nguyen, CISSP, CISA. http://www.nytimes.com/2016/07/31/us/politics/us-wrestles-with-how-to-fight-back-against-cyberattacks.html
6. New infographic exposes top US privacy concerns. Melanie Watson, August 10, 2016. http://www.itgovernanceusa.com/blog/new-infographic-exposes-top-us-privacy-concerns/
7. 290,000 driver's license records stolen from US government computers. Melanie Watson, June 10, 2016. http://www.itgovernanceusa.com/blog/290000-drivers-license-records-stolen-from-us-government-computers/
8. Cybersecurity is the 'biggest risk' facing Wall Street, says SEC. Melanie Watson, June 13, 2016, IT Governance Ltd. http://www.itgovernanceusa.com/blog/cybersecurity-is-the-biggest-risk-facing-wall-street-says-sec/
9. Ransomware attacks strike hard: 54% of businesses in the UK hit. Marika Samarati, 8 August 2016. http://www.itgovernance.co.uk/blog/ransomware-attacks-strike-hard-54-of-businesses-in-the-uk-hit/
10. Symantec Internet Security Threat Report (via BrightTALK). Kevin Haley, Director, Symantec Security Response, May 3, 2016.
11. Symantec: Attackers Target both Large and Small Businesses. https://www.symantec.com/content/dam/symantec/docs/infographics/istr-attackers-strike-large-business-en.pdf
12. OPM Timeline. http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/the-opm-breach-timeline-of-a-hack/
13. Report: Yahoo confirms massive data breach, 500M. Kim Hjelmgaard and Elizabeth Weise, USA TODAY, 9-22-16.
14. Schroeder, H. (2013). Strategic Innovation for Business Performance: The Art and Science of Transformation. Technology Innovation Management Review, 3(9), 6-12. http://timreview.ca/article/722
Who Needs Threat ManagementOrganizations must have a sufficient cyberinformation security foundation
Utilities Oil amp GasChemical PharmaceuticalsMed Financial Services
All Industries and Government Agencies Must Manage the Threats
Health CareTelecom Government Agencies Aerospace and Defense
Cyber Criminals do not Discriminate- Any Business will do
bull According to Symantec attacks targeting businesses with less than 250 employees have increased over the last 5 years
bull The number of spear-phishing campaigns targeting employees increased 55 in 2015
bull If there is money to be made ndashsize doesnrsquot matter
Information Security Management EcosystemModel People Capabilities- Processes- Platforms and Technology to Integrate Data for Transformation Planning and Execution
Goal Focus Customer Relationship ManagementTrust
Customer Management System
bull Customer Centric ndashSecurity and data protection expectations
bull End User CRMAwareness
bull InfoSec Performance TransparencyVisibility via Communications
Goal Deliver High Quality Cost-
Effective CyberInfoSec Services and
Value through Service Lifecycle
InfoSec Service Excellence System
bull Continual Service Improvement (CSI)bull Information Security Service Operating Excellencebull Quality Control Method Integrationbull Transformation and Change Managementbull RiskOpportunity Management IntegrationPerformance Metrics
Management-SLAsOLAs
Goal Provide InfoSec Fulfillment
Corporate Information Security
Organizationbull OptimizedRight-sized Staffing Plan
Aligned with customer demandbull Repeatable bull Relevant Expertise Knowledge
Skillsbull Clearly Defined
RolesResponsibilities for all functional interface and process execution
Goal Provide Proactive End-to-End Threat Management
and Detection Capabilitiesbull Intel Capabilities- Malware Analysis Forensics
Incident Response Hunting bull Intel Collaboration and Analytics Platformsbull Date Platform and flow
Goal Integrate InfoSec Industry Best Practice with IT Service
Best Practices to Provide Continuity of Service Delivery
supporting Customer Needs
Commercial Service Management Systems
bullProject Management Best PracticesbullNISTISO 27001 Industry StandardsbullITSMITIL Service Management Lifecycle bullOperational amp Administrative SupportbullSituational AwarenessbullService Asset ManagementbullMaturity Assessment
Goal Ensure Seamless Service Delivery
Workforce Management System
bull Organizational Change Mgmt to Achieve Large Scale Transition without Disruption to cyberInfoSec service delivery
bull Sub Contractor performance Underpinning Contractsbull Common Security Capabilities and Processes across
Subcontractsbull Culture of Continuous Improvementbull Workforce Planning and Career Path Development
Strategic Direction and
Visionbull Strategic AssessmentSWOTbull Technology Trendsbull Social Attitudinal and Economic
trendsbull Market Description amp Competitive
Analysisbull Business Relationship
Managementbull Maturity and Risk Level
Threat Management Model
Goal Know the Ecosystem Needs Plan the
Future
CISO
Dir
IR Intel
Mgr
Support
Transformation Addresses the Entire InfoSec Management Ecosystem
Threat Management
Capabilities AlignedCyber Security Enabled
Business Agility Proactive Threat Management
Threat Management
Incident Response
Corporate InfoSec (CIS) Environment
SiloedDecentralized
Chaotic
Establish BusinessCISInfrastructure Fusion
Enable Proactive to Predictive Optimization
Begin Prioritized Transformation and Business Integration
Kick off Program Management Plan
Realign Org StructureRoles Responsibilities
Develop Transformation and Change Management Plan
Assess Current State Process Data Tools Integration (PIA)
Transformation Begins
Business Value-Driven
Execute Design to Excellence Events (DTE)
Identify Gaps Related to Current State Assessment
Complete Initial Threat Management Model
Continue Prioritized Transformation
Develop Strategic DirectionRisk Level
Improving Threat Management Maturity Enables Optimization and Business Value
Threat Management Maturity Continuum
Senior Management Assessment and Desired Transformation
Transformation and Change ProcessArt and Science of Transformation
Foundational in Continuous Improvement (CI)
Transformation and Change Process
bull The art and science of managing a large-scale transformation within any organization is daunting but not impossible
bullA transformation and change leader is critical to ensuring that transformation and change are managed for success with minimal defects and resistance
bull Leaders must be willing to accept the sixteenth-century wisdom of Niccolograve Machiavelli who in his political treatise The Prince warned
ldquoThere is nothing more difficult to take in hand more perilous to conduct or more uncertain in its success than to take the lead in the introduction
of a new order of thingsrdquo
20
The Art and Science of Transformation
21
ART SCIENCE
Organizational CultureChange ManagementInnovation Approach
Risk ToleranceMarket Orientation
Management Role Models
StrategyDefined Strategic Direction
Value Generating InnovationsInnovation Goals and Incentives
CollaborationNetwork
Internal and External StakeholdersKnowledge Sharing
Expertise GapsOpen Collaboration
SystemsRepeatable Processes
InfrastructureMeasurements and Monitoring
Industry Best PracticesContinuous Improvement
Source Schroeder H 2013 Strategic Innovation For Business Performance The Art And Science Of Transformation Technology Innovation Management Review 3(9) 6-12 httptimreviewcaarticle722
Manage the Transformation - Change the Behavior
bull The people doing the work play a critical role in any successful transformation
bull Changing the way people think about their future and the part they play in designing it guarantees buy-in
ldquoIt is not the strongest of the species who survive nor even the most intelligent
but the ones most responsive to changerdquo
- Charles Darwin
22
Every InfoSec Transformational Engagement
bull Provides the opportunity to work with high-performing cyber security and information technology professionals
bull Ensures continuous refinement and testing of methodologies and approach to transformation and change of information security processes
bull Ensures organizational leaders listen to their people to optimize their skills develop their functional alignment and organize their cross-functional work
bull Develops and implements streamlined and integrated processes to support the needs of the enterprise
bull Helps leaders recognize that organizational governance-policy and guidance- is critical for continuity and compliance
Get to Excellence
Continuous Improvement
Strategic Direction
Risk Level
Design to Excellence
Future State Model
Process Innovation
Activity
Program-Project
Management Plan
Execution of Prioritized
Projects
Final Operating Capability (FOC)
Initial Operating Capability (IOC)
Transformation and Change
Management
Communication
Communication
Communication
Communication
Communication
Cycle of Change
Senior Leader Engagement
Meet with senior leaders to
bullGenerate the transformational vision that describes their next-generation information security organization including desired performance maturity and risk levels
bull Discuss the use of their influence to support the transformation and change and seek their willingness to be involved in the transformation
bullObtain authorization for initial maturity assessment
bull Authorize and identify resources to handle the workload and the proposed changes
Determine Transformation Scope and Boundaries
bullCollaborate with information security and IT operations stakeholders to establish a holistic information security process view
bullDetermine the transformation scope boundaries
bullDefine a specific program and project management approach
bull Identify core team members that are empowered to ask the ldquohardrdquo questions
Manage the People to Manage the Change
bullSimple efficient and structured are the most important attributes of any methodology used to understand and develop the desired future state
bullBuilds from the organizational leaderrsquos transformational vision and engages the people who perform the work to execute prioritized Process Innovation Activities (PIAs)
PIAs are Structured Engagements
bullExecuted in two days to bring subject matter and process experts together to
bullDefine process and platform customers and their valuesbullUnderstand the current statebullProvide a collective view of the issues challenges and risksbullRecommend the desired future state by identifying critical
attributes and functionality to mitigate current state issuesbullPresent summary outbriefs to allow leaders to understand
outcomes to then provide the authority to proceed with the next steps
Systematic Methods for Innovation and ChangeProcess Innovation Activity (PIA) Design to Excellence (DTE) Get to Excellence (GTE)
CustomersCustomer
Value
Current State
Attributes
Current State
Execution
TeamCharter
Who ldquobuysrdquo the services
What value does the Customerderive
bull Interactionsbull Functionsbull Issues
bull Phasesbull Capabilitiesbull Functions
29
Systematic Methods for Innovation and ChangeProcess Innovation Activity (PIA) Design to Excellence (DTE) Get to Excellence (GTE)
Future State
Attributes
Future State Gaps
Implementation Activities Planning
Get to Excellence Monitoring
bull Current StateIssue Mitigation
bull Build outCapabilities
bull Innovation Models
bull People-Skillsbull Toolsbull Partnershipsbull Actions
bull Planningbull Steps to Achievebull Costbull Resourcesbull Approval
bull Manage Changebull Status
30
Establish the Program Office and Manage the Projects
Program and Project Management
bullEnsures techniques are employed to ensures minimal resistance and smooth execution to obtain the desired future state
bullRequires standard templates for schedules status and integration across the Program ndash from conception and initiation planning execution performance and closure
bull Integrates people process technology and governance actions
bullEnsures accountability is known and dependencies are clear
Program and Project Management Ensures Dependencies are Known and Tasks are Integrated
Transformation Timeline ndash Notional
Month Month Month Month Month Month Month Month Month Month Month
Execute PIA
PIA Outbrief
ATP
Project Planning
Phase 2DTE PlanningExecutionStrategic Decisions
Strategy Session
DTE
Senior Leaders
DTE
Key Decision
Project Implementation PlanningExecution
ATP Implementation Approach
Project ExecutionPhase 4 Implementation
Sr Leaders
Metrics Training
Senior LeadersProject Status
Phase 1Innovation
PlanPhase 3Planning
~~
~~
~
32
Sr LeadersATP Project Presentation
DTE
DTE
DTE
DTE
DTE
Other PIAs
ProgramProjectManagement
OperatingExcellence
Transformation Change Management
bull Leaders own Strategy Garner Supportbull Sets Strategic Directionbull Establishes Goals and Objectivesbull Defines Plan and Schedulebull Manages Collaboration bull Performs Conflict Resolutionbull Provides People and Resourcesbull Defines Performance Metricsbull Establishes PMOProject Team Structurebull Defines Transformational Statebull Manages Issue Escalationbull Manages Risk and Opportunitybull Manages Business Rhythms
bull Supports and Enables Strategic Directionbull Builds and integrates Operational process and
systems design planbull Integrates Industry Standards bull DesignImplement Integrated Operations Modelbull Identifies Functional Integration Requiredbull Prioritizes functional operationsbull Validate Process OwnershipStakeholdersbull PlanExecute InnovationImprovementDesign
Activitiesbull Plan Execute Get to Excellencebull Enables Operational Readinessbull Continuously improves processes for product and
service deliverybull Supports and Enables Strategic Directionbull Understands Organizational Culture bull Manages Behavior to Mitigate ResistanceEnable Buy-Inbull Plans and Executes Communicationbull Ensure Training is Considered and Executed
Transformation Excellence Trifecta
Transformation Excellence
Standards and Methods IntegrationIndustry Standards can be overwhelming- Smart application is Key
35
Operating Excellence
OUTPUT
bull Process Innovation
Activities (PIA)
bull Design to Excellence
(DTE)
bull Get to Excellence (GTE)
bull ProgramProject
Management
bull System Architecture
DesignIntegration
bull Vendor Collaboration
bull Solution Management
bull Strategic Planningbull Gap Analysisbull Architecture Analysis amp
Definitionbull System Integrationbull ISO 27001
bull ISO 27002bull British Standard 7799 Part 3bull COBITbull ISOIEC 15408bull ITIL (ISOIEC 20000 series)bull National Information Security Technology (NIST)bull SANS Security Policybull Payment Card Industry Data Security
ComplianceStandards
Pro
cess
1
Repeatable Processes
INTEGRATED SOLUTIONS
OUTPUT
THREAT MANAGEMENT
EVOLUTION
INPUT
ST
D5
ST
D11
ST
D_27
ST
D 4
6
INPUT
Technology Advancement Government amp Commercial
Business NeedsSecurity Environment
March 2004 35
Standard and Method Integration
Pro
cess
2
Pro
cess
3
Pro
cess
4
Pro
cess
5
Pro
cess
9
Pro
cess
8
Pro
cess
6
Pro
cess
7
INPUT
ISO
27001
ComplianceNon Prescriptive Recommendations
ISO
27002
BS
7799
CO
BIT
ISO
IE
C
ITIL
NIS
T
SA
NS
PC
I
Summary and Take Away
Summary and Take-Aways
bull Transformation and Change Management ensures integration of people process standards technology governance
bull Methodology is applicable to any industry or function
bull Maturity Assessments reveal depth of need
bull Senior Leaders provide strategic clarity must participate to show buy-in
bull Involvement of the People who perform the work improves buy-in tenfold
bull Process Innovation Activities (PIA) identify Issues and recommend future state changes
bull Future states are created using Design To Excellence Events (DTE)
bull All activities are managed and integrated using structured program and project planning
bull Communication is managed to mitigate resistance improve transformation success
bull Get to Excellence Plans (GTE) monitor projects-Initial Operating Capability (IOC) through FOC
bull Performance metrics lead the way toward continual improvement
Thank you for attending this session
Please donrsquot forget to complete an evaluation for this session
Evaluation forms can be completed electronically on the
FUSION 16 Conference App
Sources
1 CISCO Annual Security Report-Achieving Attack Resilience httpwwwciscocomcmen_usofferssc042016-annual-security-reportindexhtml
2 Cicirsquos Pizza suffers payment card data breach Lewis Morgan July 25 2016 sourced from IT Governance Ltd httpwwwitgovernanceusacomblogcicis-pizza-suffers-payment-card-data-breachutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-07-26ampkmi=gailmtalbott40lmcocom
3 15 million T-Mobile records hacked says Experian Melanie Watson October 2 2015 IT Governance Ltd httpwwwitgovernanceusacomblog15-million-t-mobile-records-hacked-says-experian
4 Flaws in wireless keyboards let hackers snoop on everything you type IT Governance Ltd Anna E Kobylinskahttpwwwzdnetcomarticlemillions-of-wireless-keyboards-at-risk-of-spying-by-hackers-in-new-attack
5 US Wrestles With How to Fight Back Against Cyberattacksby Alex Nguyen CISSP CISAhttpwwwnytimescom20160731uspoliticsus-wrestles-with-how-to-fight-back-against-cyberattackshtml_r=0
6 New infographic exposes top US privacy concerns Melanie Watson August 10 2016 httpwwwitgovernanceusacomblognew-infographic-exposes-top-us-privacy-concernsutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-08-11ampkmi=gailmtalbott40lmcocom
7 290000 driverrsquos license records stolen from US government computers by Melanie Watson- June 10 2016httpwwwitgovernanceusacomblog290000-drivers-license-records-stolen-from-us-government-computersutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-06-13ampkmi=gailmtalbott40lmcocom
Sources
7 Cybersecurity is the lsquobiggest riskrsquo facing Wall Street says SEC Melanie Watson June 13 2016 source IT Governance Ltd httpwwwitgovernanceusacomblogcybersecurity-is-the-biggest-risk-facing-wall-street-says-secutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-06-14ampkmi=gailmtalbott40lmcocom
8 Ransomware attacks strike hard 54 of businesses in the UK hit Marika Samarati 8th August 2016 httpwwwitgovernancecoukblogransomware-attacks-strike-hard-54-of-businesses-in-the-uk-hitutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-08-09ampkmi=gailmtalbott40lmcocom
9 Symantec Internet Security Threat Report (via BrightTALK) Kevin Haley Director Symantec Security Response May 3 2016
10 Symantec Attackers Target both Large and Small Businesses httpswwwsymanteccomcontentdamsymantecdocsinfographicsistr-attackers-strike-large-business-enpdf
11 OPM Timeline - httpwwwtripwirecomstate-of-securitysecurity-data-protectioncyber-securitythe-opm-breach-timeline-of-a-hack opm timeline info char
12 Report Yahoo confirms massive data breach - 500M Kim Hjelmgaard Elizabeth Weise USA TODAY 9-22-16
13 Schroeder H 2013 Strategic Innovation For Business Performance The Art And Science Of Transformation Technology Innovation Management Review 3(9) 6-12 httptimreviewcaarticle722
Cyber Criminals do not Discriminate- Any Business will do
bull According to Symantec attacks targeting businesses with less than 250 employees have increased over the last 5 years
bull The number of spear-phishing campaigns targeting employees increased 55 in 2015
bull If there is money to be made ndashsize doesnrsquot matter
Information Security Management Ecosystem
Model People, Capabilities, Processes, Platforms and Technology to Integrate Data for Transformation Planning and Execution

Goal: Focus Customer Relationship Management/Trust
Customer Management System
• Customer Centric – Security and data protection expectations
• End User CRM/Awareness
• InfoSec Performance Transparency/Visibility via Communications

Goal: Deliver High Quality, Cost-Effective Cyber/InfoSec Services and Value through Service Lifecycle
InfoSec Service Excellence System
• Continual Service Improvement (CSI)
• Information Security Service Operating Excellence
• Quality Control Method Integration
• Transformation and Change Management
• Risk/Opportunity Management Integration
• Performance Metrics Management - SLAs/OLAs

Goal: Provide InfoSec Fulfillment
Corporate Information Security Organization
• Optimized/Right-sized Staffing Plan Aligned with customer demand
• Repeatable
• Relevant Expertise, Knowledge, Skills
• Clearly Defined Roles/Responsibilities for all functional interface and process execution

Goal: Provide Proactive End-to-End Threat Management and Detection Capabilities
Threat Management Model
• Intel Capabilities - Malware Analysis, Forensics, Incident Response, Hunting
• Intel Collaboration and Analytics Platforms
• Data Platform and flow

Goal: Integrate InfoSec Industry Best Practice with IT Service Best Practices to Provide Continuity of Service Delivery supporting Customer Needs
Commercial Service Management Systems
• Project Management Best Practices
• NIST/ISO 27001 Industry Standards
• ITSM/ITIL Service Management Lifecycle
• Operational & Administrative Support
• Situational Awareness
• Service Asset Management
• Maturity Assessment

Goal: Ensure Seamless Service Delivery
Workforce Management System
• Organizational Change Mgmt to Achieve Large Scale Transition without Disruption to cyber/InfoSec service delivery
• Sub Contractor performance / Underpinning Contracts
• Common Security Capabilities and Processes across Subcontracts
• Culture of Continuous Improvement
• Workforce Planning and Career Path Development

Goal: Know the Ecosystem Needs, Plan the Future
Strategic Direction and Vision
• Strategic Assessment/SWOT
• Technology Trends
• Social, Attitudinal and Economic trends
• Market Description & Competitive Analysis
• Business Relationship Management
• Maturity and Risk Level

(Organization inset on the slide: CISO, Dir, IR Intel, Mgr, Support)
Transformation Addresses the Entire InfoSec Management Ecosystem

Threat Management Maturity Continuum (diagram). Maturity stages labelled on the continuum, from least to most mature: Chaotic; Siloed/Decentralized; Corporate InfoSec (CIS) Environment; Incident Response; Threat Management; Proactive Threat Management; Cyber Security Enabled Business Agility; Threat Management Capabilities Aligned.

Activities plotted along the continuum include:
• Senior Management Assessment and Desired Transformation
• Assess Current State: Process, Data, Tools Integration (PIA)
• Develop Strategic Direction/Risk Level
• Develop Transformation and Change Management Plan
• Realign Org Structure/Roles, Responsibilities
• Kick off Program Management Plan
• Transformation Begins (Business Value-Driven)
• Execute Design to Excellence Events (DTE)
• Identify Gaps Related to Current State Assessment
• Complete Initial Threat Management Model
• Begin Prioritized Transformation and Business Integration
• Continue Prioritized Transformation
• Establish Business/CIS/Infrastructure Fusion
• Enable Proactive to Predictive Optimization

Improving Threat Management Maturity Enables Optimization and Business Value
Transformation and Change Process: Art and Science of Transformation
Foundational in Continuous Improvement (CI)

Transformation and Change Process
• The art and science of managing a large-scale transformation within any organization is daunting, but not impossible
• A transformation and change leader is critical to ensuring that transformation and change are managed for success, with minimal defects and resistance
• Leaders must be willing to accept the sixteenth-century wisdom of Niccolò Machiavelli, who in his political treatise The Prince warned: "There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things."
The Art and Science of Transformation

ART | SCIENCE (the slide arranges the following four dimensions across its Art and Science columns)

Organizational Culture
• Change Management
• Innovation Approach
• Risk Tolerance
• Market Orientation
• Management Role Models

Strategy
• Defined Strategic Direction
• Value Generating Innovations
• Innovation Goals and Incentives

Collaboration
• Network
• Internal and External Stakeholders
• Knowledge Sharing
• Expertise Gaps
• Open Collaboration

Systems
• Repeatable Processes
• Infrastructure
• Measurements and Monitoring
• Industry Best Practices
• Continuous Improvement

Source: Schroeder, H. 2013. Strategic Innovation For Business Performance: The Art And Science Of Transformation. Technology Innovation Management Review, 3(9): 6-12. httptimreviewcaarticle722
Manage the Transformation - Change the Behavior
• The people doing the work play a critical role in any successful transformation
• Changing the way people think about their future, and the part they play in designing it, guarantees buy-in

"It is not the strongest of the species who survive, nor even the most intelligent, but the ones most responsive to change."
- Charles Darwin
Every InfoSec Transformational Engagement
• Provides the opportunity to work with high-performing cyber security and information technology professionals
• Ensures continuous refinement and testing of methodologies and approach to transformation and change of information security processes
• Ensures organizational leaders listen to their people to optimize their skills, develop their functional alignment and organize their cross-functional work
• Develops and implements streamlined and integrated processes to support the needs of the enterprise
• Helps leaders recognize that organizational governance (policy and guidance) is critical for continuity and compliance
Cycle of Change (diagram)
Elements of the cycle:
• Strategic Direction / Risk Level
• Process Innovation Activity
• Design to Excellence / Future State Model
• Program-Project Management Plan
• Execution of Prioritized Projects
• Initial Operating Capability (IOC)
• Final Operating Capability (FOC)
• Get to Excellence / Continuous Improvement
Transformation and Change Management underpins the cycle, with Communication labelled at each step.
Senior Leader Engagement
Meet with senior leaders to:
• Generate the transformational vision that describes their next-generation information security organization, including desired performance, maturity and risk levels
• Discuss the use of their influence to support the transformation and change, and seek their willingness to be involved in the transformation
• Obtain authorization for initial maturity assessment
• Authorize and identify resources to handle the workload and the proposed changes

Determine Transformation Scope and Boundaries
• Collaborate with information security and IT operations stakeholders to establish a holistic information security process view
• Determine the transformation scope boundaries
• Define a specific program and project management approach
• Identify core team members that are empowered to ask the "hard" questions

Manage the People to Manage the Change
• Simple, efficient and structured are the most important attributes of any methodology used to understand and develop the desired future state
• Builds from the organizational leader's transformational vision and engages the people who perform the work to execute prioritized Process Innovation Activities (PIAs)

PIAs are Structured Engagements
• Executed in two days to bring subject matter and process experts together to:
  • Define process and platform customers and their values
  • Understand the current state
  • Provide a collective view of the issues, challenges and risks
  • Recommend the desired future state by identifying critical attributes and functionality to mitigate current state issues
  • Present summary outbriefs to allow leaders to understand outcomes, to then provide the authority to proceed with the next steps
Systematic Methods for Innovation and Change: Process Innovation Activity (PIA), Design to Excellence (DTE), Get to Excellence (GTE)

Team Charter

Customers/Customer Value
• Who "buys" the services?
• What value does the Customer derive?

Current State Attributes
• Interactions
• Functions
• Issues

Current State Execution
• Phases
• Capabilities
• Functions

Future State Attributes
• Current State Issue Mitigation
• Build out Capabilities
• Innovation Models

Future State Gaps
• People-Skills
• Tools
• Partnerships
• Actions

Implementation Activities Planning
• Planning
• Steps to Achieve
• Cost
• Resources
• Approval

Get to Excellence Monitoring
• Manage Change
• Status
Establish the Program Office and Manage the Projects
Program and Project Management
• Ensures techniques are employed to ensure minimal resistance and smooth execution to obtain the desired future state
• Requires standard templates for schedules, status and integration across the Program – from conception and initiation, planning, execution, performance and closure
• Integrates people, process, technology and governance actions
• Ensures accountability is known and dependencies are clear
Program and Project Management Ensures Dependencies are Known and Tasks are Integrated
Transformation Timeline – Notional (Gantt-style chart spanning successive months)
Phases:
• Phase 1: Innovation Plan
• Phase 2: DTE Planning/Execution, Strategic Decisions
• Phase 3: Planning
• Phase 4: Implementation / Project Execution
Milestones and activities on the chart: Execute PIA; PIA Outbrief; ATP; Project Planning; Strategy Session; DTE events (several); Senior Leaders Key Decision; Sr Leaders ATP Project Presentation; Project Implementation Planning/Execution; ATP Implementation Approach; Sr Leaders Metrics, Training; Senior Leaders Project Status; Other PIAs.
Transformation Excellence Trifecta

Program/Project Management
• Leaders own Strategy, Garner Support
• Sets Strategic Direction
• Establishes Goals and Objectives
• Defines Plan and Schedule
• Manages Collaboration
• Performs Conflict Resolution
• Provides People and Resources
• Defines Performance Metrics
• Establishes PMO/Project Team Structure
• Defines Transformational State
• Manages Issue Escalation
• Manages Risk and Opportunity
• Manages Business Rhythms

Operating Excellence
• Supports and Enables Strategic Direction
• Builds and integrates Operational process and systems design plan
• Integrates Industry Standards
• Design/Implement Integrated Operations Model
• Identifies Functional Integration Required
• Prioritizes functional operations
• Validate Process Ownership/Stakeholders
• Plan/Execute Innovation/Improvement/Design Activities
• Plan, Execute Get to Excellence
• Enables Operational Readiness
• Continuously improves processes for product and service delivery

Transformation Change Management
• Supports and Enables Strategic Direction
• Understands Organizational Culture
• Manages Behavior to Mitigate Resistance/Enable Buy-In
• Plans and Executes Communication
• Ensure Training is Considered and Executed
Standards and Methods Integration: Industry Standards can be overwhelming - Smart application is Key

Standard and Method Integration (diagram)

INPUT – Compliance/Standards (Compliance; Non-Prescriptive Recommendations):
• ISO 27001
• ISO 27002
• British Standard 7799 Part 3
• COBIT
• ISO/IEC 15408
• ITIL (ISO/IEC 20000 series)
• National Information Security Technology (NIST)
• SANS Security Policy
• Payment Card Industry Data Security

INPUT – Technology Advancement; Government & Commercial Business Needs; Security Environment

Operating Excellence – OUTPUT:
• Process Innovation Activities (PIA)
• Design to Excellence (DTE)
• Get to Excellence (GTE)
• Program/Project Management
• System Architecture Design/Integration
• Vendor Collaboration
• Solution Management
• Strategic Planning
• Gap Analysis
• Architecture Analysis & Definition
• System Integration

OUTPUT – Repeatable Processes (Process 1 through Process 9), Integrated Solutions, Threat Management Evolution
(The diagram also tags the processes with standard references such as STD5, STD11 and STD_27.)
Summary and Take-Aways
• Transformation and Change Management ensures integration of people, process, standards, technology, governance
• Methodology is applicable to any industry or function
• Maturity Assessments reveal depth of need
• Senior Leaders provide strategic clarity; must participate to show buy-in
• Involvement of the People who perform the work improves buy-in tenfold
• Process Innovation Activities (PIA) identify Issues and recommend future state changes
• Future states are created using Design To Excellence Events (DTE)
• All activities are managed and integrated using structured program and project planning
• Communication is managed to mitigate resistance, improve transformation success
• Get to Excellence Plans (GTE) monitor projects - Initial Operating Capability (IOC) through FOC
• Performance metrics lead the way toward continual improvement

Thank you for attending this session
Please don't forget to complete an evaluation for this session
Evaluation forms can be completed electronically on the FUSION 16 Conference App
Sources
1 CISCO Annual Security Report - Achieving Attack Resilience, httpwwwciscocomcmen_usofferssc042016-annual-security-reportindexhtml
2 Cici's Pizza suffers payment card data breach, Lewis Morgan, July 25, 2016, sourced from IT Governance Ltd, httpwwwitgovernanceusacomblogcicis-pizza-suffers-payment-card-data-breachutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-07-26ampkmi=gailmtalbott40lmcocom
3 15 million T-Mobile records hacked, says Experian, Melanie Watson, October 2, 2015, IT Governance Ltd, httpwwwitgovernanceusacomblog15-million-t-mobile-records-hacked-says-experian
4 Flaws in wireless keyboards let hackers snoop on everything you type, IT Governance Ltd, Anna E Kobylinska, httpwwwzdnetcomarticlemillions-of-wireless-keyboards-at-risk-of-spying-by-hackers-in-new-attack
5 US Wrestles With How to Fight Back Against Cyberattacks, by Alex Nguyen CISSP CISA, httpwwwnytimescom20160731uspoliticsus-wrestles-with-how-to-fight-back-against-cyberattackshtml_r=0
6 New infographic exposes top US privacy concerns, Melanie Watson, August 10, 2016, httpwwwitgovernanceusacomblognew-infographic-exposes-top-us-privacy-concernsutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-08-11ampkmi=gailmtalbott40lmcocom
7 290,000 driver's license records stolen from US government computers, by Melanie Watson, June 10, 2016, httpwwwitgovernanceusacomblog290000-drivers-license-records-stolen-from-us-government-computersutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-06-13ampkmi=gailmtalbott40lmcocom
7 Cybersecurity is the 'biggest risk' facing Wall Street, says SEC, Melanie Watson, June 13, 2016, source IT Governance Ltd, httpwwwitgovernanceusacomblogcybersecurity-is-the-biggest-risk-facing-wall-street-says-secutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-06-14ampkmi=gailmtalbott40lmcocom
8 Ransomware attacks strike hard: 54% of businesses in the UK hit, Marika Samarati, 8th August 2016, httpwwwitgovernancecoukblogransomware-attacks-strike-hard-54-of-businesses-in-the-uk-hitutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-08-09ampkmi=gailmtalbott40lmcocom
9 Symantec Internet Security Threat Report (via BrightTALK), Kevin Haley, Director, Symantec Security Response, May 3, 2016
10 Symantec, Attackers Target both Large and Small Businesses, httpswwwsymanteccomcontentdamsymantecdocsinfographicsistr-attackers-strike-large-business-enpdf
11 OPM Timeline - httpwwwtripwirecomstate-of-securitysecurity-data-protectioncyber-securitythe-opm-breach-timeline-of-a-hack (opm timeline info char)
12 Report: Yahoo confirms massive data breach - 500M, Kim Hjelmgaard and Elizabeth Weise, USA TODAY, 9-22-16
13 Schroeder, H. 2013. Strategic Innovation For Business Performance: The Art And Science Of Transformation. Technology Innovation Management Review, 3(9): 6-12. httptimreviewcaarticle722
Goal Focus Customer Relationship ManagementTrust
Customer Management System
bull Customer Centric ndashSecurity and data protection expectations
bull End User CRMAwareness
bull InfoSec Performance TransparencyVisibility via Communications
Goal Deliver High Quality Cost-
Effective CyberInfoSec Services and
Value through Service Lifecycle
InfoSec Service Excellence System
bull Continual Service Improvement (CSI)bull Information Security Service Operating Excellencebull Quality Control Method Integrationbull Transformation and Change Managementbull RiskOpportunity Management IntegrationPerformance Metrics
Management-SLAsOLAs
Goal Provide InfoSec Fulfillment
Corporate Information Security
Organizationbull OptimizedRight-sized Staffing Plan
Aligned with customer demandbull Repeatable bull Relevant Expertise Knowledge
Skillsbull Clearly Defined
RolesResponsibilities for all functional interface and process execution
Goal Provide Proactive End-to-End Threat Management
and Detection Capabilitiesbull Intel Capabilities- Malware Analysis Forensics
Incident Response Hunting bull Intel Collaboration and Analytics Platformsbull Date Platform and flow
Goal Integrate InfoSec Industry Best Practice with IT Service
Best Practices to Provide Continuity of Service Delivery
supporting Customer Needs
Commercial Service Management Systems
bullProject Management Best PracticesbullNISTISO 27001 Industry StandardsbullITSMITIL Service Management Lifecycle bullOperational amp Administrative SupportbullSituational AwarenessbullService Asset ManagementbullMaturity Assessment
Goal Ensure Seamless Service Delivery
Workforce Management System
bull Organizational Change Mgmt to Achieve Large Scale Transition without Disruption to cyberInfoSec service delivery
bull Sub Contractor performance Underpinning Contractsbull Common Security Capabilities and Processes across
Subcontractsbull Culture of Continuous Improvementbull Workforce Planning and Career Path Development
Strategic Direction and
Visionbull Strategic AssessmentSWOTbull Technology Trendsbull Social Attitudinal and Economic
trendsbull Market Description amp Competitive
Analysisbull Business Relationship
Managementbull Maturity and Risk Level
Threat Management Model
Goal Know the Ecosystem Needs Plan the
Future
CISO
Dir
IR Intel
Mgr
Support
Transformation Addresses the Entire InfoSec Management Ecosystem
Threat Management
Capabilities AlignedCyber Security Enabled
Business Agility Proactive Threat Management
Threat Management
Incident Response
Corporate InfoSec (CIS) Environment
SiloedDecentralized
Chaotic
Establish BusinessCISInfrastructure Fusion
Enable Proactive to Predictive Optimization
Begin Prioritized Transformation and Business Integration
Kick off Program Management Plan
Realign Org StructureRoles Responsibilities
Develop Transformation and Change Management Plan
Assess Current State Process Data Tools Integration (PIA)
Transformation Begins
Business Value-Driven
Execute Design to Excellence Events (DTE)
Identify Gaps Related to Current State Assessment
Complete Initial Threat Management Model
Continue Prioritized Transformation
Develop Strategic DirectionRisk Level
Improving Threat Management Maturity Enables Optimization and Business Value
Threat Management Maturity Continuum
Senior Management Assessment and Desired Transformation
Transformation and Change ProcessArt and Science of Transformation
Foundational in Continuous Improvement (CI)
Transformation and Change Process
bull The art and science of managing a large-scale transformation within any organization is daunting but not impossible
bullA transformation and change leader is critical to ensuring that transformation and change are managed for success with minimal defects and resistance
bull Leaders must be willing to accept the sixteenth-century wisdom of Niccolograve Machiavelli who in his political treatise The Prince warned
ldquoThere is nothing more difficult to take in hand more perilous to conduct or more uncertain in its success than to take the lead in the introduction
of a new order of thingsrdquo
20
The Art and Science of Transformation
21
ART SCIENCE
Organizational CultureChange ManagementInnovation Approach
Risk ToleranceMarket Orientation
Management Role Models
StrategyDefined Strategic Direction
Value Generating InnovationsInnovation Goals and Incentives
CollaborationNetwork
Internal and External StakeholdersKnowledge Sharing
Expertise GapsOpen Collaboration
SystemsRepeatable Processes
InfrastructureMeasurements and Monitoring
Industry Best PracticesContinuous Improvement
Source Schroeder H 2013 Strategic Innovation For Business Performance The Art And Science Of Transformation Technology Innovation Management Review 3(9) 6-12 httptimreviewcaarticle722
Manage the Transformation - Change the Behavior
bull The people doing the work play a critical role in any successful transformation
bull Changing the way people think about their future and the part they play in designing it guarantees buy-in
ldquoIt is not the strongest of the species who survive nor even the most intelligent
but the ones most responsive to changerdquo
- Charles Darwin
22
Every InfoSec Transformational Engagement
bull Provides the opportunity to work with high-performing cyber security and information technology professionals
bull Ensures continuous refinement and testing of methodologies and approach to transformation and change of information security processes
bull Ensures organizational leaders listen to their people to optimize their skills develop their functional alignment and organize their cross-functional work
bull Develops and implements streamlined and integrated processes to support the needs of the enterprise
bull Helps leaders recognize that organizational governance-policy and guidance- is critical for continuity and compliance
Get to Excellence
Continuous Improvement
Strategic Direction
Risk Level
Design to Excellence
Future State Model
Process Innovation
Activity
Program-Project
Management Plan
Execution of Prioritized
Projects
Final Operating Capability (FOC)
Initial Operating Capability (IOC)
Transformation and Change
Management
Communication
Communication
Communication
Communication
Communication
Cycle of Change
Senior Leader Engagement
Meet with senior leaders to
bullGenerate the transformational vision that describes their next-generation information security organization including desired performance maturity and risk levels
bull Discuss the use of their influence to support the transformation and change and seek their willingness to be involved in the transformation
bullObtain authorization for initial maturity assessment
bull Authorize and identify resources to handle the workload and the proposed changes
Determine Transformation Scope and Boundaries
bullCollaborate with information security and IT operations stakeholders to establish a holistic information security process view
bullDetermine the transformation scope boundaries
bullDefine a specific program and project management approach
bull Identify core team members that are empowered to ask the ldquohardrdquo questions
Manage the People to Manage the Change
bullSimple efficient and structured are the most important attributes of any methodology used to understand and develop the desired future state
bullBuilds from the organizational leaderrsquos transformational vision and engages the people who perform the work to execute prioritized Process Innovation Activities (PIAs)
PIAs are Structured Engagements
bullExecuted in two days to bring subject matter and process experts together to
bullDefine process and platform customers and their valuesbullUnderstand the current statebullProvide a collective view of the issues challenges and risksbullRecommend the desired future state by identifying critical
attributes and functionality to mitigate current state issuesbullPresent summary outbriefs to allow leaders to understand
outcomes to then provide the authority to proceed with the next steps
Systematic Methods for Innovation and ChangeProcess Innovation Activity (PIA) Design to Excellence (DTE) Get to Excellence (GTE)
CustomersCustomer
Value
Current State
Attributes
Current State
Execution
TeamCharter
Who ldquobuysrdquo the services
What value does the Customerderive
bull Interactionsbull Functionsbull Issues
bull Phasesbull Capabilitiesbull Functions
29
Systematic Methods for Innovation and ChangeProcess Innovation Activity (PIA) Design to Excellence (DTE) Get to Excellence (GTE)
Future State
Attributes
Future State Gaps
Implementation Activities Planning
Get to Excellence Monitoring
bull Current StateIssue Mitigation
bull Build outCapabilities
bull Innovation Models
bull People-Skillsbull Toolsbull Partnershipsbull Actions
bull Planningbull Steps to Achievebull Costbull Resourcesbull Approval
bull Manage Changebull Status
30
Establish the Program Office and Manage the Projects
Program and Project Management
bullEnsures techniques are employed to ensures minimal resistance and smooth execution to obtain the desired future state
bullRequires standard templates for schedules status and integration across the Program ndash from conception and initiation planning execution performance and closure
bull Integrates people process technology and governance actions
bullEnsures accountability is known and dependencies are clear
Program and Project Management Ensures Dependencies are Known and Tasks are Integrated
Transformation Timeline ndash Notional
Month Month Month Month Month Month Month Month Month Month Month
Execute PIA
PIA Outbrief
ATP
Project Planning
Phase 2DTE PlanningExecutionStrategic Decisions
Strategy Session
DTE
Senior Leaders
DTE
Key Decision
Project Implementation PlanningExecution
ATP Implementation Approach
Project ExecutionPhase 4 Implementation
Sr Leaders
Metrics Training
Senior LeadersProject Status
Phase 1Innovation
PlanPhase 3Planning
~~
~~
~
32
Sr LeadersATP Project Presentation
DTE
DTE
DTE
DTE
DTE
Other PIAs
ProgramProjectManagement
OperatingExcellence
Transformation Change Management
bull Leaders own Strategy Garner Supportbull Sets Strategic Directionbull Establishes Goals and Objectivesbull Defines Plan and Schedulebull Manages Collaboration bull Performs Conflict Resolutionbull Provides People and Resourcesbull Defines Performance Metricsbull Establishes PMOProject Team Structurebull Defines Transformational Statebull Manages Issue Escalationbull Manages Risk and Opportunitybull Manages Business Rhythms
bull Supports and Enables Strategic Directionbull Builds and integrates Operational process and
systems design planbull Integrates Industry Standards bull DesignImplement Integrated Operations Modelbull Identifies Functional Integration Requiredbull Prioritizes functional operationsbull Validate Process OwnershipStakeholdersbull PlanExecute InnovationImprovementDesign
Activitiesbull Plan Execute Get to Excellencebull Enables Operational Readinessbull Continuously improves processes for product and
service deliverybull Supports and Enables Strategic Directionbull Understands Organizational Culture bull Manages Behavior to Mitigate ResistanceEnable Buy-Inbull Plans and Executes Communicationbull Ensure Training is Considered and Executed
Transformation Excellence Trifecta
Transformation Excellence
Standards and Methods IntegrationIndustry Standards can be overwhelming- Smart application is Key
35
Operating Excellence
OUTPUT
bull Process Innovation
Activities (PIA)
bull Design to Excellence
(DTE)
bull Get to Excellence (GTE)
bull ProgramProject
Management
bull System Architecture
DesignIntegration
bull Vendor Collaboration
bull Solution Management
bull Strategic Planningbull Gap Analysisbull Architecture Analysis amp
Definitionbull System Integrationbull ISO 27001
bull ISO 27002bull British Standard 7799 Part 3bull COBITbull ISOIEC 15408bull ITIL (ISOIEC 20000 series)bull National Information Security Technology (NIST)bull SANS Security Policybull Payment Card Industry Data Security
ComplianceStandards
Pro
cess
1
Repeatable Processes
INTEGRATED SOLUTIONS
OUTPUT
THREAT MANAGEMENT
EVOLUTION
INPUT
ST
D5
ST
D11
ST
D_27
ST
D 4
6
INPUT
Technology Advancement Government amp Commercial
Business NeedsSecurity Environment
March 2004 35
Standard and Method Integration
Pro
cess
2
Pro
cess
3
Pro
cess
4
Pro
cess
5
Pro
cess
9
Pro
cess
8
Pro
cess
6
Pro
cess
7
INPUT
ISO
27001
ComplianceNon Prescriptive Recommendations
ISO
27002
BS
7799
CO
BIT
ISO
IE
C
ITIL
NIS
T
SA
NS
PC
I
Summary and Take Away
Summary and Take-Aways
bull Transformation and Change Management ensures integration of people process standards technology governance
bull Methodology is applicable to any industry or function
bull Maturity Assessments reveal depth of need
bull Senior Leaders provide strategic clarity must participate to show buy-in
bull Involvement of the People who perform the work improves buy-in tenfold
bull Process Innovation Activities (PIA) identify Issues and recommend future state changes
bull Future states are created using Design To Excellence Events (DTE)
bull All activities are managed and integrated using structured program and project planning
bull Communication is managed to mitigate resistance improve transformation success
bull Get to Excellence Plans (GTE) monitor projects-Initial Operating Capability (IOC) through FOC
bull Performance metrics lead the way toward continual improvement
Thank you for attending this session
Please donrsquot forget to complete an evaluation for this session
Evaluation forms can be completed electronically on the
FUSION 16 Conference App
Sources
1 CISCO Annual Security Report-Achieving Attack Resilience httpwwwciscocomcmen_usofferssc042016-annual-security-reportindexhtml
2 Cicirsquos Pizza suffers payment card data breach Lewis Morgan July 25 2016 sourced from IT Governance Ltd httpwwwitgovernanceusacomblogcicis-pizza-suffers-payment-card-data-breachutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-07-26ampkmi=gailmtalbott40lmcocom
3 15 million T-Mobile records hacked says Experian Melanie Watson October 2 2015 IT Governance Ltd httpwwwitgovernanceusacomblog15-million-t-mobile-records-hacked-says-experian
4. Flaws in wireless keyboards let hackers snoop on everything you type, IT Governance Ltd, Anna E. Kobylinska, http://www.zdnet.com/article/millions-of-wireless-keyboards-at-risk-of-spying-by-hackers-in-new-attack
5. US Wrestles With How to Fight Back Against Cyberattacks, by Alex Nguyen, CISSP, CISA, http://www.nytimes.com/2016/07/31/us/politics/us-wrestles-with-how-to-fight-back-against-cyberattacks.html
6. New infographic exposes top US privacy concerns, Melanie Watson, August 10, 2016, http://www.itgovernanceusa.com/blog/new-infographic-exposes-top-us-privacy-concerns
7. 290,000 driver's license records stolen from US government computers, by Melanie Watson, June 10, 2016, http://www.itgovernanceusa.com/blog/290000-drivers-license-records-stolen-from-us-government-computers
Sources
7. Cybersecurity is the 'biggest risk' facing Wall Street, says SEC, Melanie Watson, June 13, 2016, source: IT Governance Ltd, http://www.itgovernanceusa.com/blog/cybersecurity-is-the-biggest-risk-facing-wall-street-says-sec
8. Ransomware attacks strike hard: 54% of businesses in the UK hit, Marika Samarati, 8th August 2016, http://www.itgovernance.co.uk/blog/ransomware-attacks-strike-hard-54-of-businesses-in-the-uk-hit
9. Symantec Internet Security Threat Report (via BrightTALK), Kevin Haley, Director, Symantec Security Response, May 3, 2016
10. Symantec: Attackers Target both Large and Small Businesses, https://www.symantec.com/content/dam/symantec/docs/infographics/istr-attackers-strike-large-business-en.pdf
11. OPM Timeline, http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/the-opm-breach-timeline-of-a-hack
12. Report: Yahoo confirms massive data breach - 500M, Kim Hjelmgaard, Elizabeth Weise, USA TODAY, 9-22-16
13. Schroeder, H. 2013. Strategic Innovation for Business Performance: The Art and Science of Transformation. Technology Innovation Management Review, 3(9): 6-12. http://timreview.ca/article/722
Transformation and Change Process
Art and Science of Transformation
Foundational in Continuous Improvement (CI)

Transformation and Change Process
• The art and science of managing a large-scale transformation within any organization is daunting, but not impossible.
• A transformation and change leader is critical to ensuring that transformation and change are managed for success, with minimal defects and resistance.
• Leaders must be willing to accept the sixteenth-century wisdom of Niccolò Machiavelli, who in his political treatise The Prince warned:
“There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things.”
The Art and Science of Transformation
ART and SCIENCE
Organizational Culture: Change Management; Innovation Approach; Risk Tolerance; Market Orientation; Management Role Models
Strategy: Defined Strategic Direction; Value Generating Innovations; Innovation Goals and Incentives
Collaboration/Network: Internal and External Stakeholders; Knowledge Sharing; Expertise Gaps; Open Collaboration
Systems: Repeatable Processes; Infrastructure; Measurements and Monitoring; Industry Best Practices; Continuous Improvement
Source: Schroeder, H. 2013. Strategic Innovation for Business Performance: The Art and Science of Transformation. Technology Innovation Management Review, 3(9): 6-12. http://timreview.ca/article/722
Manage the Transformation - Change the Behavior
• The people doing the work play a critical role in any successful transformation.
• Changing the way people think about their future, and the part they play in designing it, guarantees buy-in.
“It is not the strongest of the species who survive, nor even the most intelligent, but the ones most responsive to change.”
- Charles Darwin
Every InfoSec Transformational Engagement
• Provides the opportunity to work with high-performing cyber security and information technology professionals
• Ensures continuous refinement and testing of methodologies and approach to transformation and change of information security processes
• Ensures organizational leaders listen to their people to optimize their skills, develop their functional alignment and organize their cross-functional work
• Develops and implements streamlined and integrated processes to support the needs of the enterprise
• Helps leaders recognize that organizational governance (policy and guidance) is critical for continuity and compliance
[Figure: Cycle of Change. Transformation and Change Management surrounds the cycle, with Communication at every stage. Elements shown: Strategic Direction / Risk Level; Process Innovation Activity; Design to Excellence / Future State Model; Program-Project Management Plan; Execution of Prioritized Projects; Initial Operating Capability (IOC); Final Operating Capability (FOC); Get to Excellence / Continuous Improvement.]
Senior Leader Engagement
Meet with senior leaders to:
• Generate the transformational vision that describes their next-generation information security organization, including desired performance, maturity and risk levels
• Discuss the use of their influence to support the transformation and change, and seek their willingness to be involved in the transformation
• Obtain authorization for initial maturity assessment
• Authorize and identify resources to handle the workload and the proposed changes
Determine Transformation Scope and Boundaries
• Collaborate with information security and IT operations stakeholders to establish a holistic information security process view
• Determine the transformation scope boundaries
• Define a specific program and project management approach
• Identify core team members that are empowered to ask the “hard” questions
Manage the People to Manage the Change
• Simple, efficient and structured are the most important attributes of any methodology used to understand and develop the desired future state
• Builds from the organizational leader's transformational vision and engages the people who perform the work to execute prioritized Process Innovation Activities (PIAs)
PIAs are Structured Engagements
• Executed in two days to bring subject matter and process experts together to:
• Define process and platform customers and their values
• Understand the current state
• Provide a collective view of the issues, challenges and risks
• Recommend the desired future state by identifying critical attributes and functionality to mitigate current state issues
• Present summary outbriefs to allow leaders to understand outcomes and then provide the authority to proceed with the next steps
Systematic Methods for Innovation and Change: Process Innovation Activity (PIA), Design to Excellence (DTE), Get to Excellence (GTE)
Team Charter
Customers: Who “buys” the services?
Customer Value: What value does the Customer derive?
Current State Attributes: • Interactions • Functions • Issues
Current State Execution: • Phases • Capabilities • Functions
Systematic Methods for Innovation and Change: Process Innovation Activity (PIA), Design to Excellence (DTE), Get to Excellence (GTE)
Future State Attributes: • Current State Issue Mitigation • Build out Capabilities • Innovation Models
Future State Gaps: • People-Skills • Tools • Partnerships • Actions
Implementation Activities Planning: • Planning • Steps to Achieve • Cost • Resources • Approval
Get to Excellence Monitoring: • Manage Change • Status
Establish the Program Office and Manage the Projects
Program and Project Management
• Ensures techniques are employed to ensure minimal resistance and smooth execution to obtain the desired future state
• Requires standard templates for schedules, status and integration across the Program, from conception and initiation through planning, execution, performance and closure
• Integrates people, process, technology and governance actions
• Ensures accountability is known and dependencies are clear
Program and Project Management Ensures Dependencies are Known and Tasks are Integrated
[Figure: Transformation Timeline (notional), laid out across a row of months. Phases shown: Phase 1 Innovation; Phase 2 DTE Planning/Execution/Strategic Decisions; Phase 3 Planning; Phase 4 Implementation (Project Execution). Milestones and activities shown: Execute PIA, PIA Outbrief, ATP, Other PIAs, Strategy Session, a series of DTE events, Senior Leaders Key Decision, Project Planning, Project Implementation Planning/Execution, Sr Leaders ATP Project Presentation, ATP Implementation Approach, Metrics, Training, Senior Leaders Project Status.]
Transformation Excellence Trifecta
Transformation Excellence sits at the intersection of Program/Project Management, Operating Excellence and Transformation Change Management.
Program/Project Management
• Leaders own Strategy, Garner Support
• Sets Strategic Direction
• Establishes Goals and Objectives
• Defines Plan and Schedule
• Manages Collaboration
• Performs Conflict Resolution
• Provides People and Resources
• Defines Performance Metrics
• Establishes PMO/Project Team Structure
• Defines Transformational State
• Manages Issue Escalation
• Manages Risk and Opportunity
• Manages Business Rhythms
Operating Excellence
• Supports and Enables Strategic Direction
• Builds and integrates Operational process and systems design plan
• Integrates Industry Standards
• Design/Implement Integrated Operations Model
• Identifies Functional Integration Required
• Prioritizes functional operations
• Validate Process Ownership/Stakeholders
• Plan/Execute Innovation/Improvement/Design Activities
• Plan/Execute Get to Excellence
• Enables Operational Readiness
• Continuously improves processes for product and service delivery
Transformation Change Management
• Supports and Enables Strategic Direction
• Understands Organizational Culture
• Manages Behavior to Mitigate Resistance/Enable Buy-In
• Plans and Executes Communication
• Ensure Training is Considered and Executed
Standards and Methods Integration
Industry Standards can be overwhelming; smart application is key
Operating Excellence (OUTPUT)
• Process Innovation Activities (PIA)
• Design to Excellence (DTE)
• Get to Excellence (GTE)
• Program/Project Management
• System Architecture Design/Integration
• Vendor Collaboration
• Solution Management
Compliance/Standards
• Strategic Planning
• Gap Analysis
• Architecture Analysis & Definition
• System Integration
• ISO 27001
• ISO 27002
• British Standard 7799 Part 3
• COBIT
• ISO/IEC 15408
• ITIL (ISO/IEC 20000 series)
• National Institute of Standards and Technology (NIST)
• SANS Security Policy
• Payment Card Industry Data Security
[Figure: Standard and Method Integration. INPUT: Technology Advancement, Government & Commercial Business Needs, Security Environment. INPUT standards (Compliance / Non-Prescriptive Recommendations): ISO 27001, ISO 27002, BS 7799, COBIT, ISO/IEC, ITIL, NIST, SANS, PCI. These feed Processes 1 through 9 (Repeatable Processes) and Integrated Solutions. OUTPUT: Threat Management Evolution.]
Summary and Take Away
Summary and Take-Aways
• Transformation and Change Management ensures integration of people, process, standards, technology and governance
• Methodology is applicable to any industry or function
• Maturity Assessments reveal depth of need
• Senior Leaders provide strategic clarity and must participate to show buy-in
• Involvement of the People who perform the work improves buy-in tenfold
• Process Innovation Activities (PIA) identify Issues and recommend future state changes
• Future states are created using Design To Excellence Events (DTE)
• All activities are managed and integrated using structured program and project planning
• Communication is managed to mitigate resistance and improve transformation success
• Get to Excellence Plans (GTE) monitor projects from Initial Operating Capability (IOC) through Final Operating Capability (FOC)
• Performance metrics lead the way toward continual improvement
Thank you for attending this session
Please don't forget to complete an evaluation for this session
Evaluation forms can be completed electronically on the FUSION 16 Conference App
Sources
1 CISCO Annual Security Report-Achieving Attack Resilience httpwwwciscocomcmen_usofferssc042016-annual-security-reportindexhtml
2 Cicirsquos Pizza suffers payment card data breach Lewis Morgan July 25 2016 sourced from IT Governance Ltd httpwwwitgovernanceusacomblogcicis-pizza-suffers-payment-card-data-breachutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-07-26ampkmi=gailmtalbott40lmcocom
3 15 million T-Mobile records hacked says Experian Melanie Watson October 2 2015 IT Governance Ltd httpwwwitgovernanceusacomblog15-million-t-mobile-records-hacked-says-experian
4 Flaws in wireless keyboards let hackers snoop on everything you type IT Governance Ltd Anna E Kobylinskahttpwwwzdnetcomarticlemillions-of-wireless-keyboards-at-risk-of-spying-by-hackers-in-new-attack
5 US Wrestles With How to Fight Back Against Cyberattacksby Alex Nguyen CISSP CISAhttpwwwnytimescom20160731uspoliticsus-wrestles-with-how-to-fight-back-against-cyberattackshtml_r=0
6 New infographic exposes top US privacy concerns Melanie Watson August 10 2016 httpwwwitgovernanceusacomblognew-infographic-exposes-top-us-privacy-concernsutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-08-11ampkmi=gailmtalbott40lmcocom
7 290000 driverrsquos license records stolen from US government computers by Melanie Watson- June 10 2016httpwwwitgovernanceusacomblog290000-drivers-license-records-stolen-from-us-government-computersutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-06-13ampkmi=gailmtalbott40lmcocom
Sources
7 Cybersecurity is the lsquobiggest riskrsquo facing Wall Street says SEC Melanie Watson June 13 2016 source IT Governance Ltd httpwwwitgovernanceusacomblogcybersecurity-is-the-biggest-risk-facing-wall-street-says-secutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-06-14ampkmi=gailmtalbott40lmcocom
8 Ransomware attacks strike hard 54 of businesses in the UK hit Marika Samarati 8th August 2016 httpwwwitgovernancecoukblogransomware-attacks-strike-hard-54-of-businesses-in-the-uk-hitutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-08-09ampkmi=gailmtalbott40lmcocom
9 Symantec Internet Security Threat Report (via BrightTALK) Kevin Haley Director Symantec Security Response May 3 2016
10 Symantec Attackers Target both Large and Small Businesses httpswwwsymanteccomcontentdamsymantecdocsinfographicsistr-attackers-strike-large-business-enpdf
11 OPM Timeline - httpwwwtripwirecomstate-of-securitysecurity-data-protectioncyber-securitythe-opm-breach-timeline-of-a-hack opm timeline info char
12 Report Yahoo confirms massive data breach - 500M Kim Hjelmgaard Elizabeth Weise USA TODAY 9-22-16
13 Schroeder H 2013 Strategic Innovation For Business Performance The Art And Science Of Transformation Technology Innovation Management Review 3(9) 6-12 httptimreviewcaarticle722
The Art and Science of Transformation
21
ART SCIENCE
Organizational CultureChange ManagementInnovation Approach
Risk ToleranceMarket Orientation
Management Role Models
StrategyDefined Strategic Direction
Value Generating InnovationsInnovation Goals and Incentives
CollaborationNetwork
Internal and External StakeholdersKnowledge Sharing
Expertise GapsOpen Collaboration
SystemsRepeatable Processes
InfrastructureMeasurements and Monitoring
Industry Best PracticesContinuous Improvement
Source Schroeder H 2013 Strategic Innovation For Business Performance The Art And Science Of Transformation Technology Innovation Management Review 3(9) 6-12 httptimreviewcaarticle722
Manage the Transformation - Change the Behavior
bull The people doing the work play a critical role in any successful transformation
bull Changing the way people think about their future and the part they play in designing it guarantees buy-in
ldquoIt is not the strongest of the species who survive nor even the most intelligent
but the ones most responsive to changerdquo
- Charles Darwin
22
Every InfoSec Transformational Engagement
bull Provides the opportunity to work with high-performing cyber security and information technology professionals
bull Ensures continuous refinement and testing of methodologies and approach to transformation and change of information security processes
bull Ensures organizational leaders listen to their people to optimize their skills develop their functional alignment and organize their cross-functional work
bull Develops and implements streamlined and integrated processes to support the needs of the enterprise
bull Helps leaders recognize that organizational governance-policy and guidance- is critical for continuity and compliance
Get to Excellence
Continuous Improvement
Strategic Direction
Risk Level
Design to Excellence
Future State Model
Process Innovation
Activity
Program-Project
Management Plan
Execution of Prioritized
Projects
Final Operating Capability (FOC)
Initial Operating Capability (IOC)
Transformation and Change
Management
Communication
Communication
Communication
Communication
Communication
Cycle of Change
Senior Leader Engagement
Meet with senior leaders to
bullGenerate the transformational vision that describes their next-generation information security organization including desired performance maturity and risk levels
bull Discuss the use of their influence to support the transformation and change and seek their willingness to be involved in the transformation
bullObtain authorization for initial maturity assessment
bull Authorize and identify resources to handle the workload and the proposed changes
Determine Transformation Scope and Boundaries
bullCollaborate with information security and IT operations stakeholders to establish a holistic information security process view
bullDetermine the transformation scope boundaries
bullDefine a specific program and project management approach
bull Identify core team members that are empowered to ask the ldquohardrdquo questions
Manage the People to Manage the Change
bullSimple efficient and structured are the most important attributes of any methodology used to understand and develop the desired future state
bullBuilds from the organizational leaderrsquos transformational vision and engages the people who perform the work to execute prioritized Process Innovation Activities (PIAs)
PIAs are Structured Engagements
bullExecuted in two days to bring subject matter and process experts together to
bullDefine process and platform customers and their valuesbullUnderstand the current statebullProvide a collective view of the issues challenges and risksbullRecommend the desired future state by identifying critical
attributes and functionality to mitigate current state issuesbullPresent summary outbriefs to allow leaders to understand
outcomes to then provide the authority to proceed with the next steps
Systematic Methods for Innovation and ChangeProcess Innovation Activity (PIA) Design to Excellence (DTE) Get to Excellence (GTE)
CustomersCustomer
Value
Current State
Attributes
Current State
Execution
TeamCharter
Who ldquobuysrdquo the services
What value does the Customerderive
bull Interactionsbull Functionsbull Issues
bull Phasesbull Capabilitiesbull Functions
29
Systematic Methods for Innovation and ChangeProcess Innovation Activity (PIA) Design to Excellence (DTE) Get to Excellence (GTE)
Future State
Attributes
Future State Gaps
Implementation Activities Planning
Get to Excellence Monitoring
bull Current StateIssue Mitigation
bull Build outCapabilities
bull Innovation Models
bull People-Skillsbull Toolsbull Partnershipsbull Actions
bull Planningbull Steps to Achievebull Costbull Resourcesbull Approval
bull Manage Changebull Status
30
Establish the Program Office and Manage the Projects
Program and Project Management
bullEnsures techniques are employed to ensures minimal resistance and smooth execution to obtain the desired future state
bullRequires standard templates for schedules status and integration across the Program ndash from conception and initiation planning execution performance and closure
bull Integrates people process technology and governance actions
bullEnsures accountability is known and dependencies are clear
Program and Project Management Ensures Dependencies are Known and Tasks are Integrated
Transformation Timeline ndash Notional
Month Month Month Month Month Month Month Month Month Month Month
Execute PIA
PIA Outbrief
ATP
Project Planning
Phase 2DTE PlanningExecutionStrategic Decisions
Strategy Session
DTE
Senior Leaders
DTE
Key Decision
Project Implementation PlanningExecution
ATP Implementation Approach
Project ExecutionPhase 4 Implementation
Sr Leaders
Metrics Training
Senior LeadersProject Status
Phase 1Innovation
PlanPhase 3Planning
~~
~~
~
32
Sr LeadersATP Project Presentation
DTE
DTE
DTE
DTE
DTE
Other PIAs
ProgramProjectManagement
OperatingExcellence
Transformation Change Management
bull Leaders own Strategy Garner Supportbull Sets Strategic Directionbull Establishes Goals and Objectivesbull Defines Plan and Schedulebull Manages Collaboration bull Performs Conflict Resolutionbull Provides People and Resourcesbull Defines Performance Metricsbull Establishes PMOProject Team Structurebull Defines Transformational Statebull Manages Issue Escalationbull Manages Risk and Opportunitybull Manages Business Rhythms
bull Supports and Enables Strategic Directionbull Builds and integrates Operational process and
systems design planbull Integrates Industry Standards bull DesignImplement Integrated Operations Modelbull Identifies Functional Integration Requiredbull Prioritizes functional operationsbull Validate Process OwnershipStakeholdersbull PlanExecute InnovationImprovementDesign
Activitiesbull Plan Execute Get to Excellencebull Enables Operational Readinessbull Continuously improves processes for product and
service deliverybull Supports and Enables Strategic Directionbull Understands Organizational Culture bull Manages Behavior to Mitigate ResistanceEnable Buy-Inbull Plans and Executes Communicationbull Ensure Training is Considered and Executed
Transformation Excellence Trifecta
Transformation Excellence
Standards and Methods IntegrationIndustry Standards can be overwhelming- Smart application is Key
35
Operating Excellence
OUTPUT
bull Process Innovation
Activities (PIA)
bull Design to Excellence
(DTE)
bull Get to Excellence (GTE)
bull ProgramProject
Management
bull System Architecture
DesignIntegration
bull Vendor Collaboration
bull Solution Management
bull Strategic Planningbull Gap Analysisbull Architecture Analysis amp
Definitionbull System Integrationbull ISO 27001
bull ISO 27002bull British Standard 7799 Part 3bull COBITbull ISOIEC 15408bull ITIL (ISOIEC 20000 series)bull National Information Security Technology (NIST)bull SANS Security Policybull Payment Card Industry Data Security
ComplianceStandards
Pro
cess
1
Repeatable Processes
INTEGRATED SOLUTIONS
OUTPUT
THREAT MANAGEMENT
EVOLUTION
INPUT
ST
D5
ST
D11
ST
D_27
ST
D 4
6
INPUT
Technology Advancement Government amp Commercial
Business NeedsSecurity Environment
March 2004 35
Standard and Method Integration
Pro
cess
2
Pro
cess
3
Pro
cess
4
Pro
cess
5
Pro
cess
9
Pro
cess
8
Pro
cess
6
Pro
cess
7
INPUT
ISO
27001
ComplianceNon Prescriptive Recommendations
ISO
27002
BS
7799
CO
BIT
ISO
IE
C
ITIL
NIS
T
SA
NS
PC
I
Summary and Take Away
Summary and Take-Aways
bull Transformation and Change Management ensures integration of people process standards technology governance
bull Methodology is applicable to any industry or function
bull Maturity Assessments reveal depth of need
bull Senior Leaders provide strategic clarity must participate to show buy-in
bull Involvement of the People who perform the work improves buy-in tenfold
bull Process Innovation Activities (PIA) identify Issues and recommend future state changes
bull Future states are created using Design To Excellence Events (DTE)
bull All activities are managed and integrated using structured program and project planning
bull Communication is managed to mitigate resistance improve transformation success
bull Get to Excellence Plans (GTE) monitor projects-Initial Operating Capability (IOC) through FOC
bull Performance metrics lead the way toward continual improvement
Thank you for attending this session
Please donrsquot forget to complete an evaluation for this session
Evaluation forms can be completed electronically on the
FUSION 16 Conference App
Sources
1 CISCO Annual Security Report-Achieving Attack Resilience httpwwwciscocomcmen_usofferssc042016-annual-security-reportindexhtml
2 Cicirsquos Pizza suffers payment card data breach Lewis Morgan July 25 2016 sourced from IT Governance Ltd httpwwwitgovernanceusacomblogcicis-pizza-suffers-payment-card-data-breachutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-07-26ampkmi=gailmtalbott40lmcocom
3 15 million T-Mobile records hacked says Experian Melanie Watson October 2 2015 IT Governance Ltd httpwwwitgovernanceusacomblog15-million-t-mobile-records-hacked-says-experian
4 Flaws in wireless keyboards let hackers snoop on everything you type IT Governance Ltd Anna E Kobylinskahttpwwwzdnetcomarticlemillions-of-wireless-keyboards-at-risk-of-spying-by-hackers-in-new-attack
5 US Wrestles With How to Fight Back Against Cyberattacksby Alex Nguyen CISSP CISAhttpwwwnytimescom20160731uspoliticsus-wrestles-with-how-to-fight-back-against-cyberattackshtml_r=0
6 New infographic exposes top US privacy concerns Melanie Watson August 10 2016 httpwwwitgovernanceusacomblognew-infographic-exposes-top-us-privacy-concernsutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-08-11ampkmi=gailmtalbott40lmcocom
7 290000 driverrsquos license records stolen from US government computers by Melanie Watson- June 10 2016httpwwwitgovernanceusacomblog290000-drivers-license-records-stolen-from-us-government-computersutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-06-13ampkmi=gailmtalbott40lmcocom
Sources
7 Cybersecurity is the lsquobiggest riskrsquo facing Wall Street says SEC Melanie Watson June 13 2016 source IT Governance Ltd httpwwwitgovernanceusacomblogcybersecurity-is-the-biggest-risk-facing-wall-street-says-secutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-06-14ampkmi=gailmtalbott40lmcocom
8 Ransomware attacks strike hard 54 of businesses in the UK hit Marika Samarati 8th August 2016 httpwwwitgovernancecoukblogransomware-attacks-strike-hard-54-of-businesses-in-the-uk-hitutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-08-09ampkmi=gailmtalbott40lmcocom
9 Symantec Internet Security Threat Report (via BrightTALK) Kevin Haley Director Symantec Security Response May 3 2016
10 Symantec Attackers Target both Large and Small Businesses httpswwwsymanteccomcontentdamsymantecdocsinfographicsistr-attackers-strike-large-business-enpdf
11 OPM Timeline - httpwwwtripwirecomstate-of-securitysecurity-data-protectioncyber-securitythe-opm-breach-timeline-of-a-hack opm timeline info char
12 Report Yahoo confirms massive data breach - 500M Kim Hjelmgaard Elizabeth Weise USA TODAY 9-22-16
13 Schroeder H 2013 Strategic Innovation For Business Performance The Art And Science Of Transformation Technology Innovation Management Review 3(9) 6-12 httptimreviewcaarticle722
Every InfoSec Transformational Engagement
bull Provides the opportunity to work with high-performing cyber security and information technology professionals
bull Ensures continuous refinement and testing of methodologies and approach to transformation and change of information security processes
bull Ensures organizational leaders listen to their people to optimize their skills develop their functional alignment and organize their cross-functional work
bull Develops and implements streamlined and integrated processes to support the needs of the enterprise
bull Helps leaders recognize that organizational governance-policy and guidance- is critical for continuity and compliance
Get to Excellence
Continuous Improvement
Strategic Direction
Risk Level
Design to Excellence
Future State Model
Process Innovation
Activity
Program-Project
Management Plan
Execution of Prioritized
Projects
Final Operating Capability (FOC)
Initial Operating Capability (IOC)
Transformation and Change
Management
Communication
Communication
Communication
Communication
Communication
Cycle of Change
Senior Leader Engagement
Meet with senior leaders to
bullGenerate the transformational vision that describes their next-generation information security organization including desired performance maturity and risk levels
bull Discuss the use of their influence to support the transformation and change and seek their willingness to be involved in the transformation
bullObtain authorization for initial maturity assessment
bull Authorize and identify resources to handle the workload and the proposed changes
Determine Transformation Scope and Boundaries
bullCollaborate with information security and IT operations stakeholders to establish a holistic information security process view
bullDetermine the transformation scope boundaries
bullDefine a specific program and project management approach
bull Identify core team members that are empowered to ask the ldquohardrdquo questions
Manage the People to Manage the Change
bullSimple efficient and structured are the most important attributes of any methodology used to understand and develop the desired future state
bullBuilds from the organizational leaderrsquos transformational vision and engages the people who perform the work to execute prioritized Process Innovation Activities (PIAs)
PIAs are Structured Engagements
bullExecuted in two days to bring subject matter and process experts together to
bullDefine process and platform customers and their valuesbullUnderstand the current statebullProvide a collective view of the issues challenges and risksbullRecommend the desired future state by identifying critical
attributes and functionality to mitigate current state issuesbullPresent summary outbriefs to allow leaders to understand
outcomes to then provide the authority to proceed with the next steps
Systematic Methods for Innovation and ChangeProcess Innovation Activity (PIA) Design to Excellence (DTE) Get to Excellence (GTE)
CustomersCustomer
Value
Current State
Attributes
Current State
Execution
TeamCharter
Who ldquobuysrdquo the services
What value does the Customerderive
bull Interactionsbull Functionsbull Issues
bull Phasesbull Capabilitiesbull Functions
29
Systematic Methods for Innovation and ChangeProcess Innovation Activity (PIA) Design to Excellence (DTE) Get to Excellence (GTE)
Future State
Attributes
Future State Gaps
Implementation Activities Planning
Get to Excellence Monitoring
bull Current StateIssue Mitigation
bull Build outCapabilities
bull Innovation Models
bull People-Skillsbull Toolsbull Partnershipsbull Actions
bull Planningbull Steps to Achievebull Costbull Resourcesbull Approval
bull Manage Changebull Status
30
Establish the Program Office and Manage the Projects
Program and Project Management
bullEnsures techniques are employed to ensures minimal resistance and smooth execution to obtain the desired future state
bullRequires standard templates for schedules status and integration across the Program ndash from conception and initiation planning execution performance and closure
bull Integrates people process technology and governance actions
bullEnsures accountability is known and dependencies are clear
Program and Project Management Ensures Dependencies are Known and Tasks are Integrated
Transformation Timeline ndash Notional
Month Month Month Month Month Month Month Month Month Month Month
Execute PIA
PIA Outbrief
ATP
Project Planning
Phase 2DTE PlanningExecutionStrategic Decisions
Strategy Session
DTE
Senior Leaders
DTE
Key Decision
Project Implementation PlanningExecution
ATP Implementation Approach
Project ExecutionPhase 4 Implementation
Sr Leaders
Metrics Training
Senior LeadersProject Status
Phase 1Innovation
PlanPhase 3Planning
~~
~~
~
32
Sr LeadersATP Project Presentation
DTE
DTE
DTE
DTE
DTE
Other PIAs
ProgramProjectManagement
OperatingExcellence
Transformation Change Management
bull Leaders own Strategy Garner Supportbull Sets Strategic Directionbull Establishes Goals and Objectivesbull Defines Plan and Schedulebull Manages Collaboration bull Performs Conflict Resolutionbull Provides People and Resourcesbull Defines Performance Metricsbull Establishes PMOProject Team Structurebull Defines Transformational Statebull Manages Issue Escalationbull Manages Risk and Opportunitybull Manages Business Rhythms
bull Supports and Enables Strategic Directionbull Builds and integrates Operational process and
systems design planbull Integrates Industry Standards bull DesignImplement Integrated Operations Modelbull Identifies Functional Integration Requiredbull Prioritizes functional operationsbull Validate Process OwnershipStakeholdersbull PlanExecute InnovationImprovementDesign
Activitiesbull Plan Execute Get to Excellencebull Enables Operational Readinessbull Continuously improves processes for product and
service deliverybull Supports and Enables Strategic Directionbull Understands Organizational Culture bull Manages Behavior to Mitigate ResistanceEnable Buy-Inbull Plans and Executes Communicationbull Ensure Training is Considered and Executed
Transformation Excellence Trifecta
Transformation Excellence
Standards and Methods Integration – Industry Standards can be overwhelming; Smart application is Key (diagram; only the labels survive extraction)

INPUT
• Technology Advancement (Government & Commercial)
• Business Needs / Security Environment
• Compliance/Standards (Non-Prescriptive Recommendations): ISO 27001; ISO 27002; British Standard 7799 Part 3; COBIT; ISO/IEC 15408; ITIL (ISO/IEC 20000 series); National Information Security Technology (NIST); SANS Security Policy; Payment Card Industry Data Security (PCI)

Methods
• Strategic Planning
• Gap Analysis
• Architecture Analysis & Definition
• System Integration

Operating Excellence OUTPUT
• Process Innovation Activities (PIA)
• Design to Excellence (DTE)
• Get to Excellence (GTE)
• Program/Project Management
• System Architecture Design/Integration
• Vendor Collaboration
• Solution Management

Diagram flow labels: INPUT → Process 1 through Process 9 (Repeatable Processes) → INTEGRATED SOLUTIONS → OUTPUT: THREAT MANAGEMENT EVOLUTION.
Slide footer: March 2004.
Summary and Take-Aways
• Transformation and Change Management ensures integration of people, process, standards, technology, and governance
• Methodology is applicable to any industry or function
• Maturity Assessments reveal depth of need
• Senior Leaders provide strategic clarity and must participate to show buy-in
• Involvement of the People who perform the work improves buy-in tenfold
• Process Innovation Activities (PIA) identify Issues and recommend future-state changes
• Future states are created using Design To Excellence Events (DTE)
• All activities are managed and integrated using structured program and project planning
• Communication is managed to mitigate resistance and improve transformation success
• Get to Excellence Plans (GTE) monitor projects from Initial Operating Capability (IOC) through Full Operational Capability (FOC)
• Performance metrics lead the way toward continual improvement

Thank you for attending this session.
Please don't forget to complete an evaluation for this session.
Evaluation forms can be completed electronically on the FUSION 16 Conference App.
Senior Leader Engagement
Meet with senior leaders to:
• Generate the transformational vision that describes their next-generation information security organization, including desired performance, maturity, and risk levels
• Discuss the use of their influence to support the transformation and change, and seek their willingness to be involved in the transformation
• Obtain authorization for the initial maturity assessment
• Authorize and identify resources to handle the workload and the proposed changes

Determine Transformation Scope and Boundaries
• Collaborate with information security and IT operations stakeholders to establish a holistic information security process view
• Determine the transformation scope boundaries
• Define a specific program and project management approach
• Identify core team members that are empowered to ask the “hard” questions
Manage the People to Manage the Change
• Simple, efficient, and structured are the most important attributes of any methodology used to understand and develop the desired future state
• Builds from the organizational leader's transformational vision and engages the people who perform the work to execute prioritized Process Innovation Activities (PIAs)

PIAs are Structured Engagements
• Executed in two days to bring subject matter and process experts together to:
  • Define process and platform customers and their values
  • Understand the current state
  • Provide a collective view of the issues, challenges, and risks
  • Recommend the desired future state by identifying critical attributes and functionality to mitigate current-state issues
  • Present summary outbriefs to allow leaders to understand outcomes and then provide the authority to proceed with the next steps
Systematic Methods for Innovation and Change: Process Innovation Activity (PIA), Design to Excellence (DTE), Get to Excellence (GTE) (flow diagram across two slides; only the step labels survive extraction)
1. Team Charter
2. Customers / Customer Value: Who “buys” the services? What value does the Customer derive?
3. Current State Attributes: Interactions; Functions; Issues
4. Current State Execution: Phases; Capabilities; Functions
5. Future State Attributes: Current State Issue Mitigation; Build out Capabilities; Innovation Models
6. Future State Gaps: People-Skills; Tools; Partnerships; Actions
7. Implementation Activities Planning: Planning; Steps to Achieve; Cost; Resources; Approval
8. Get to Excellence Monitoring: Manage Change; Status
Establish the Program Office and Manage the Projects
Program and Project Management
• Ensures techniques are employed to ensure minimal resistance and smooth execution to obtain the desired future state
• Requires standard templates for schedules, status, and integration across the Program – from conception and initiation through planning, execution, performance, and closure
• Integrates people, process, technology, and governance actions
• Ensures accountability is known and dependencies are clear
Program and Project Management Ensures Dependencies are Known and Tasks are Integrated
Transformation Timeline ndash Notional
Month Month Month Month Month Month Month Month Month Month Month
Execute PIA
PIA Outbrief
ATP
Project Planning
Phase 2DTE PlanningExecutionStrategic Decisions
Strategy Session
DTE
Senior Leaders
DTE
Key Decision
Project Implementation PlanningExecution
ATP Implementation Approach
Project ExecutionPhase 4 Implementation
Sr Leaders
Metrics Training
Senior LeadersProject Status
Phase 1Innovation
PlanPhase 3Planning
~~
~~
~
32
Sr LeadersATP Project Presentation
DTE
DTE
DTE
DTE
DTE
Other PIAs
ProgramProjectManagement
OperatingExcellence
Transformation Change Management
bull Leaders own Strategy Garner Supportbull Sets Strategic Directionbull Establishes Goals and Objectivesbull Defines Plan and Schedulebull Manages Collaboration bull Performs Conflict Resolutionbull Provides People and Resourcesbull Defines Performance Metricsbull Establishes PMOProject Team Structurebull Defines Transformational Statebull Manages Issue Escalationbull Manages Risk and Opportunitybull Manages Business Rhythms
bull Supports and Enables Strategic Directionbull Builds and integrates Operational process and
systems design planbull Integrates Industry Standards bull DesignImplement Integrated Operations Modelbull Identifies Functional Integration Requiredbull Prioritizes functional operationsbull Validate Process OwnershipStakeholdersbull PlanExecute InnovationImprovementDesign
Activitiesbull Plan Execute Get to Excellencebull Enables Operational Readinessbull Continuously improves processes for product and
service deliverybull Supports and Enables Strategic Directionbull Understands Organizational Culture bull Manages Behavior to Mitigate ResistanceEnable Buy-Inbull Plans and Executes Communicationbull Ensure Training is Considered and Executed
Transformation Excellence Trifecta
Transformation Excellence
Standards and Methods IntegrationIndustry Standards can be overwhelming- Smart application is Key
35
Operating Excellence
OUTPUT
bull Process Innovation
Activities (PIA)
bull Design to Excellence
(DTE)
bull Get to Excellence (GTE)
bull ProgramProject
Management
bull System Architecture
DesignIntegration
bull Vendor Collaboration
bull Solution Management
bull Strategic Planningbull Gap Analysisbull Architecture Analysis amp
Definitionbull System Integrationbull ISO 27001
bull ISO 27002bull British Standard 7799 Part 3bull COBITbull ISOIEC 15408bull ITIL (ISOIEC 20000 series)bull National Information Security Technology (NIST)bull SANS Security Policybull Payment Card Industry Data Security
ComplianceStandards
Pro
cess
1
Repeatable Processes
INTEGRATED SOLUTIONS
OUTPUT
THREAT MANAGEMENT
EVOLUTION
INPUT
ST
D5
ST
D11
ST
D_27
ST
D 4
6
INPUT
Technology Advancement Government amp Commercial
Business NeedsSecurity Environment
March 2004 35
Standard and Method Integration
Pro
cess
2
Pro
cess
3
Pro
cess
4
Pro
cess
5
Pro
cess
9
Pro
cess
8
Pro
cess
6
Pro
cess
7
INPUT
ISO
27001
ComplianceNon Prescriptive Recommendations
ISO
27002
BS
7799
CO
BIT
ISO
IE
C
ITIL
NIS
T
SA
NS
PC
I
Summary and Take Away
Summary and Take-Aways
bull Transformation and Change Management ensures integration of people process standards technology governance
bull Methodology is applicable to any industry or function
bull Maturity Assessments reveal depth of need
bull Senior Leaders provide strategic clarity must participate to show buy-in
bull Involvement of the People who perform the work improves buy-in tenfold
bull Process Innovation Activities (PIA) identify Issues and recommend future state changes
bull Future states are created using Design To Excellence Events (DTE)
bull All activities are managed and integrated using structured program and project planning
bull Communication is managed to mitigate resistance improve transformation success
bull Get to Excellence Plans (GTE) monitor projects-Initial Operating Capability (IOC) through FOC
bull Performance metrics lead the way toward continual improvement
Thank you for attending this session
Please donrsquot forget to complete an evaluation for this session
Evaluation forms can be completed electronically on the
FUSION 16 Conference App
Sources
1 CISCO Annual Security Report-Achieving Attack Resilience httpwwwciscocomcmen_usofferssc042016-annual-security-reportindexhtml
2 Cicirsquos Pizza suffers payment card data breach Lewis Morgan July 25 2016 sourced from IT Governance Ltd httpwwwitgovernanceusacomblogcicis-pizza-suffers-payment-card-data-breachutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-07-26ampkmi=gailmtalbott40lmcocom
3 15 million T-Mobile records hacked says Experian Melanie Watson October 2 2015 IT Governance Ltd httpwwwitgovernanceusacomblog15-million-t-mobile-records-hacked-says-experian
4 Flaws in wireless keyboards let hackers snoop on everything you type IT Governance Ltd Anna E Kobylinskahttpwwwzdnetcomarticlemillions-of-wireless-keyboards-at-risk-of-spying-by-hackers-in-new-attack
5 US Wrestles With How to Fight Back Against Cyberattacksby Alex Nguyen CISSP CISAhttpwwwnytimescom20160731uspoliticsus-wrestles-with-how-to-fight-back-against-cyberattackshtml_r=0
6 New infographic exposes top US privacy concerns Melanie Watson August 10 2016 httpwwwitgovernanceusacomblognew-infographic-exposes-top-us-privacy-concernsutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-08-11ampkmi=gailmtalbott40lmcocom
7 290000 driverrsquos license records stolen from US government computers by Melanie Watson- June 10 2016httpwwwitgovernanceusacomblog290000-drivers-license-records-stolen-from-us-government-computersutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-06-13ampkmi=gailmtalbott40lmcocom
Sources
7 Cybersecurity is the lsquobiggest riskrsquo facing Wall Street says SEC Melanie Watson June 13 2016 source IT Governance Ltd httpwwwitgovernanceusacomblogcybersecurity-is-the-biggest-risk-facing-wall-street-says-secutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-06-14ampkmi=gailmtalbott40lmcocom
8 Ransomware attacks strike hard 54 of businesses in the UK hit Marika Samarati 8th August 2016 httpwwwitgovernancecoukblogransomware-attacks-strike-hard-54-of-businesses-in-the-uk-hitutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-08-09ampkmi=gailmtalbott40lmcocom
9 Symantec Internet Security Threat Report (via BrightTALK) Kevin Haley Director Symantec Security Response May 3 2016
10 Symantec Attackers Target both Large and Small Businesses httpswwwsymanteccomcontentdamsymantecdocsinfographicsistr-attackers-strike-large-business-enpdf
11 OPM Timeline - httpwwwtripwirecomstate-of-securitysecurity-data-protectioncyber-securitythe-opm-breach-timeline-of-a-hack opm timeline info char
12 Report Yahoo confirms massive data breach - 500M Kim Hjelmgaard Elizabeth Weise USA TODAY 9-22-16
13 Schroeder H 2013 Strategic Innovation For Business Performance The Art And Science Of Transformation Technology Innovation Management Review 3(9) 6-12 httptimreviewcaarticle722
Manage the People to Manage the Change
bullSimple efficient and structured are the most important attributes of any methodology used to understand and develop the desired future state
bullBuilds from the organizational leaderrsquos transformational vision and engages the people who perform the work to execute prioritized Process Innovation Activities (PIAs)
PIAs are Structured Engagements
bullExecuted in two days to bring subject matter and process experts together to
bullDefine process and platform customers and their valuesbullUnderstand the current statebullProvide a collective view of the issues challenges and risksbullRecommend the desired future state by identifying critical
attributes and functionality to mitigate current state issuesbullPresent summary outbriefs to allow leaders to understand
outcomes to then provide the authority to proceed with the next steps
Systematic Methods for Innovation and ChangeProcess Innovation Activity (PIA) Design to Excellence (DTE) Get to Excellence (GTE)
CustomersCustomer
Value
Current State
Attributes
Current State
Execution
TeamCharter
Who ldquobuysrdquo the services
What value does the Customerderive
bull Interactionsbull Functionsbull Issues
bull Phasesbull Capabilitiesbull Functions
29
Systematic Methods for Innovation and ChangeProcess Innovation Activity (PIA) Design to Excellence (DTE) Get to Excellence (GTE)
Future State
Attributes
Future State Gaps
Implementation Activities Planning
Get to Excellence Monitoring
bull Current StateIssue Mitigation
bull Build outCapabilities
bull Innovation Models
bull People-Skillsbull Toolsbull Partnershipsbull Actions
bull Planningbull Steps to Achievebull Costbull Resourcesbull Approval
bull Manage Changebull Status
30
Establish the Program Office and Manage the Projects
Program and Project Management
bullEnsures techniques are employed to ensures minimal resistance and smooth execution to obtain the desired future state
bullRequires standard templates for schedules status and integration across the Program ndash from conception and initiation planning execution performance and closure
bull Integrates people process technology and governance actions
bullEnsures accountability is known and dependencies are clear
Program and Project Management Ensures Dependencies are Known and Tasks are Integrated
Transformation Timeline ndash Notional
Month Month Month Month Month Month Month Month Month Month Month
Execute PIA
PIA Outbrief
ATP
Project Planning
Phase 2DTE PlanningExecutionStrategic Decisions
Strategy Session
DTE
Senior Leaders
DTE
Key Decision
Project Implementation PlanningExecution
ATP Implementation Approach
Project ExecutionPhase 4 Implementation
Sr Leaders
Metrics Training
Senior LeadersProject Status
Phase 1Innovation
PlanPhase 3Planning
~~
~~
~
32
Sr LeadersATP Project Presentation
DTE
DTE
DTE
DTE
DTE
Other PIAs
ProgramProjectManagement
OperatingExcellence
Transformation Change Management
bull Leaders own Strategy Garner Supportbull Sets Strategic Directionbull Establishes Goals and Objectivesbull Defines Plan and Schedulebull Manages Collaboration bull Performs Conflict Resolutionbull Provides People and Resourcesbull Defines Performance Metricsbull Establishes PMOProject Team Structurebull Defines Transformational Statebull Manages Issue Escalationbull Manages Risk and Opportunitybull Manages Business Rhythms
bull Supports and Enables Strategic Directionbull Builds and integrates Operational process and
systems design planbull Integrates Industry Standards bull DesignImplement Integrated Operations Modelbull Identifies Functional Integration Requiredbull Prioritizes functional operationsbull Validate Process OwnershipStakeholdersbull PlanExecute InnovationImprovementDesign
Activitiesbull Plan Execute Get to Excellencebull Enables Operational Readinessbull Continuously improves processes for product and
service deliverybull Supports and Enables Strategic Directionbull Understands Organizational Culture bull Manages Behavior to Mitigate ResistanceEnable Buy-Inbull Plans and Executes Communicationbull Ensure Training is Considered and Executed
Transformation Excellence Trifecta
Transformation Excellence
Standards and Methods IntegrationIndustry Standards can be overwhelming- Smart application is Key
35
Operating Excellence
OUTPUT
bull Process Innovation
Activities (PIA)
bull Design to Excellence
(DTE)
bull Get to Excellence (GTE)
bull ProgramProject
Management
bull System Architecture
DesignIntegration
bull Vendor Collaboration
bull Solution Management
bull Strategic Planningbull Gap Analysisbull Architecture Analysis amp
Definitionbull System Integrationbull ISO 27001
bull ISO 27002bull British Standard 7799 Part 3bull COBITbull ISOIEC 15408bull ITIL (ISOIEC 20000 series)bull National Information Security Technology (NIST)bull SANS Security Policybull Payment Card Industry Data Security
ComplianceStandards
Pro
cess
1
Repeatable Processes
INTEGRATED SOLUTIONS
OUTPUT
THREAT MANAGEMENT
EVOLUTION
INPUT
ST
D5
ST
D11
ST
D_27
ST
D 4
6
INPUT
Technology Advancement Government amp Commercial
Business NeedsSecurity Environment
March 2004 35
Standard and Method Integration
Pro
cess
2
Pro
cess
3
Pro
cess
4
Pro
cess
5
Pro
cess
9
Pro
cess
8
Pro
cess
6
Pro
cess
7
INPUT
ISO
27001
ComplianceNon Prescriptive Recommendations
ISO
27002
BS
7799
CO
BIT
ISO
IE
C
ITIL
NIS
T
SA
NS
PC
I
Summary and Take Away
Summary and Take-Aways
bull Transformation and Change Management ensures integration of people process standards technology governance
bull Methodology is applicable to any industry or function
bull Maturity Assessments reveal depth of need
bull Senior Leaders provide strategic clarity must participate to show buy-in
bull Involvement of the People who perform the work improves buy-in tenfold
bull Process Innovation Activities (PIA) identify Issues and recommend future state changes
bull Future states are created using Design To Excellence Events (DTE)
bull All activities are managed and integrated using structured program and project planning
bull Communication is managed to mitigate resistance improve transformation success
bull Get to Excellence Plans (GTE) monitor projects-Initial Operating Capability (IOC) through FOC
bull Performance metrics lead the way toward continual improvement
Thank you for attending this session
Please donrsquot forget to complete an evaluation for this session
Evaluation forms can be completed electronically on the
FUSION 16 Conference App
Sources
1 CISCO Annual Security Report-Achieving Attack Resilience httpwwwciscocomcmen_usofferssc042016-annual-security-reportindexhtml
2 Cicirsquos Pizza suffers payment card data breach Lewis Morgan July 25 2016 sourced from IT Governance Ltd httpwwwitgovernanceusacomblogcicis-pizza-suffers-payment-card-data-breachutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-07-26ampkmi=gailmtalbott40lmcocom
3 15 million T-Mobile records hacked says Experian Melanie Watson October 2 2015 IT Governance Ltd httpwwwitgovernanceusacomblog15-million-t-mobile-records-hacked-says-experian
4 Flaws in wireless keyboards let hackers snoop on everything you type IT Governance Ltd Anna E Kobylinskahttpwwwzdnetcomarticlemillions-of-wireless-keyboards-at-risk-of-spying-by-hackers-in-new-attack
5 US Wrestles With How to Fight Back Against Cyberattacksby Alex Nguyen CISSP CISAhttpwwwnytimescom20160731uspoliticsus-wrestles-with-how-to-fight-back-against-cyberattackshtml_r=0
6 New infographic exposes top US privacy concerns Melanie Watson August 10 2016 httpwwwitgovernanceusacomblognew-infographic-exposes-top-us-privacy-concernsutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-08-11ampkmi=gailmtalbott40lmcocom
7 290000 driverrsquos license records stolen from US government computers by Melanie Watson- June 10 2016httpwwwitgovernanceusacomblog290000-drivers-license-records-stolen-from-us-government-computersutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-06-13ampkmi=gailmtalbott40lmcocom
Sources
7 Cybersecurity is the lsquobiggest riskrsquo facing Wall Street says SEC Melanie Watson June 13 2016 source IT Governance Ltd httpwwwitgovernanceusacomblogcybersecurity-is-the-biggest-risk-facing-wall-street-says-secutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-06-14ampkmi=gailmtalbott40lmcocom
8 Ransomware attacks strike hard 54 of businesses in the UK hit Marika Samarati 8th August 2016 httpwwwitgovernancecoukblogransomware-attacks-strike-hard-54-of-businesses-in-the-uk-hitutm_source=Emailamputm_medium=Macroamputm_campaign=S01amputm_content=2016-08-09ampkmi=gailmtalbott40lmcocom
9 Symantec Internet Security Threat Report (via BrightTALK) Kevin Haley Director Symantec Security Response May 3 2016
10 Symantec Attackers Target both Large and Small Businesses httpswwwsymanteccomcontentdamsymantecdocsinfographicsistr-attackers-strike-large-business-enpdf
11 OPM Timeline - httpwwwtripwirecomstate-of-securitysecurity-data-protectioncyber-securitythe-opm-breach-timeline-of-a-hack opm timeline info char
12 Report Yahoo confirms massive data breach - 500M Kim Hjelmgaard Elizabeth Weise USA TODAY 9-22-16
13 Schroeder H 2013 Strategic Innovation For Business Performance The Art And Science Of Transformation Technology Innovation Management Review 3(9) 6-12 httptimreviewcaarticle722
Systematic Methods for Innovation and ChangeProcess Innovation Activity (PIA) Design to Excellence (DTE) Get to Excellence (GTE)
CustomersCustomer
Value
Current State
Attributes
Current State
Execution
TeamCharter
Who ldquobuysrdquo the services
What value does the Customerderive
bull Interactionsbull Functionsbull Issues
bull Phasesbull Capabilitiesbull Functions
29
Systematic Methods for Innovation and ChangeProcess Innovation Activity (PIA) Design to Excellence (DTE) Get to Excellence (GTE)
Future State
Attributes
Future State Gaps
Implementation Activities Planning
Get to Excellence Monitoring
bull Current StateIssue Mitigation
bull Build outCapabilities
bull Innovation Models
bull People-Skillsbull Toolsbull Partnershipsbull Actions
bull Planningbull Steps to Achievebull Costbull Resourcesbull Approval
bull Manage Changebull Status
30
Establish the Program Office and Manage the Projects
Program and Project Management
bullEnsures techniques are employed to ensures minimal resistance and smooth execution to obtain the desired future state
bullRequires standard templates for schedules status and integration across the Program ndash from conception and initiation planning execution performance and closure
bull Integrates people process technology and governance actions
bullEnsures accountability is known and dependencies are clear
Program and Project Management Ensures Dependencies are Known and Tasks are Integrated
Transformation Timeline ndash Notional
Month Month Month Month Month Month Month Month Month Month Month
Execute PIA
PIA Outbrief
ATP
Project Planning
Phase 2DTE PlanningExecutionStrategic Decisions
Strategy Session
DTE
Senior Leaders
DTE
Key Decision
Project Implementation PlanningExecution
ATP Implementation Approach
Project ExecutionPhase 4 Implementation
Sr Leaders
Metrics Training
Senior LeadersProject Status
Phase 1Innovation
PlanPhase 3Planning
~~
~~
~
32
Sr LeadersATP Project Presentation
DTE
DTE
DTE
DTE
DTE
Other PIAs
ProgramProjectManagement
OperatingExcellence
Transformation Change Management
bull Leaders own Strategy Garner Supportbull Sets Strategic Directionbull Establishes Goals and Objectivesbull Defines Plan and Schedulebull Manages Collaboration bull Performs Conflict Resolutionbull Provides People and Resourcesbull Defines Performance Metricsbull Establishes PMOProject Team Structurebull Defines Transformational Statebull Manages Issue Escalationbull Manages Risk and Opportunitybull Manages Business Rhythms
bull Supports and Enables Strategic Directionbull Builds and integrates Operational process and
systems design planbull Integrates Industry Standards bull DesignImplement Integrated Operations Modelbull Identifies Functional Integration Requiredbull Prioritizes functional operationsbull Validate Process OwnershipStakeholdersbull PlanExecute InnovationImprovementDesign
Activitiesbull Plan Execute Get to Excellencebull Enables Operational Readinessbull Continuously improves processes for product and
service deliverybull Supports and Enables Strategic Directionbull Understands Organizational Culture bull Manages Behavior to Mitigate ResistanceEnable Buy-Inbull Plans and Executes Communicationbull Ensure Training is Considered and Executed
Transformation Excellence Trifecta
Transformation Excellence
Standards and Methods IntegrationIndustry Standards can be overwhelming- Smart application is Key
35
Operating Excellence
OUTPUT
bull Process Innovation
Activities (PIA)
bull Design to Excellence
(DTE)
bull Get to Excellence (GTE)
bull ProgramProject
Management
bull System Architecture
DesignIntegration
bull Vendor Collaboration
bull Solution Management
bull Strategic Planningbull Gap Analysisbull Architecture Analysis amp
Definitionbull System Integrationbull ISO 27001
bull ISO 27002bull British Standard 7799 Part 3bull COBITbull ISOIEC 15408bull ITIL (ISOIEC 20000 series)bull National Information Security Technology (NIST)bull SANS Security Policybull Payment Card Industry Data Security
ComplianceStandards
Pro
cess
1
Repeatable Processes
INTEGRATED SOLUTIONS
OUTPUT
THREAT MANAGEMENT
EVOLUTION
INPUT
ST
D5
ST
D11
ST
D_27
ST
D 4
6
INPUT
Technology Advancement Government amp Commercial
Business NeedsSecurity Environment
March 2004 35
Standard and Method Integration
Pro
cess
2
Pro
cess
3
Pro
cess
4
Pro
cess
5
Pro
cess
9
Pro
cess
8
Pro
cess
6
Pro
cess
7
INPUT
ISO
27001
ComplianceNon Prescriptive Recommendations
ISO
27002
BS
7799
CO
BIT
ISO
IE
C
ITIL
NIS
T
SA
NS
PC
I
Summary and Take Away
Summary and Take-Aways
bull Transformation and Change Management ensures integration of people process standards technology governance
bull Methodology is applicable to any industry or function
bull Maturity Assessments reveal depth of need
bull Senior Leaders provide strategic clarity must participate to show buy-in
bull Involvement of the People who perform the work improves buy-in tenfold
bull Process Innovation Activities (PIA) identify Issues and recommend future state changes
bull Future states are created using Design To Excellence Events (DTE)
bull All activities are managed and integrated using structured program and project planning
bull Communication is managed to mitigate resistance improve transformation success
bull Get to Excellence Plans (GTE) monitor projects-Initial Operating Capability (IOC) through FOC
bull Performance metrics lead the way toward continual improvement
Thank you for attending this session
Please donrsquot forget to complete an evaluation for this session
Evaluation forms can be completed electronically on the
FUSION 16 Conference App
Establish the Program Office and Manage the Projects
Program and Project Management
• Ensures techniques are employed to ensure minimal resistance and smooth execution to obtain the desired future state
• Requires standard templates for schedules, status and integration across the Program – from conception and initiation through planning, execution, performance and closure
• Integrates people, process, technology and governance actions
• Ensures accountability is known and dependencies are clear
Program and Project Management Ensures Dependencies are Known and Tasks are Integrated
Transformation Timeline – Notional
[Figure: a notional month-by-month timeline of the four phases and their milestones.
Phase 1 Innovation: Execute PIA, PIA Outbrief, ATP, Senior Leaders ATP Project Presentation, Other PIAs.
Phase 2 DTE Planning/Execution/Strategic Decisions: Strategy Session, DTE events, Senior Leaders Key Decision.
Phase 3 Planning: Project Planning, Project Implementation Planning/Execution, ATP Implementation Approach.
Phase 4 Implementation: Project Execution, Metrics, Training, Senior Leaders Project Status.]
Transformation Excellence Trifecta
Program/Project Management
• Leaders own Strategy, Garner Support
• Sets Strategic Direction
• Establishes Goals and Objectives
• Defines Plan and Schedule
• Manages Collaboration
• Performs Conflict Resolution
• Provides People and Resources
• Defines Performance Metrics
• Establishes PMO/Project Team Structure
• Defines Transformational State
• Manages Issue Escalation
• Manages Risk and Opportunity
• Manages Business Rhythms
Operating Excellence
• Supports and Enables Strategic Direction
• Builds and integrates Operational process and systems design plan
• Integrates Industry Standards
• Design/Implement Integrated Operations Model
• Identifies Functional Integration Required
• Prioritizes functional operations
• Validate Process Ownership/Stakeholders
• Plan/Execute Innovation/Improvement/Design Activities
• Plan, Execute Get to Excellence
• Enables Operational Readiness
• Continuously improves processes for product and service delivery
Transformation Change Management
• Supports and Enables Strategic Direction
• Understands Organizational Culture
• Manages Behavior to Mitigate Resistance/Enable Buy-In
• Plans and Executes Communication
• Ensure Training is Considered and Executed
Together the three make up Transformation Excellence.
Standards and Methods Integration
Industry Standards can be overwhelming – smart application is key.
Standard and Method Integration
[Figure (slide footer: March 2004): inputs flow through compliance standards and operating excellence methods into repeatable processes and integrated solutions.
INPUT: Technology Advancement; Government & Commercial Business Needs; Security Environment.
Compliance/Standards (non-prescriptive recommendations): ISO 27001; ISO 27002; British Standard 7799 Part 3; COBIT; ISO/IEC 15408; ITIL (ISO/IEC 20000 series); National Information Security Technology (NIST); SANS Security Policy; Payment Card Industry Data Security (PCI).
Operating Excellence: Process Innovation Activities (PIA); Design to Excellence (DTE); Get to Excellence (GTE); Program/Project Management; System Architecture Design/Integration; Vendor Collaboration; Solution Management; Strategic Planning; Gap Analysis; Architecture Analysis & Definition; System Integration.
Repeatable Processes: Process 1 through Process 9.
OUTPUT: Integrated Solutions; Threat Management Evolution.]
Summary and Take-Aways
• Transformation and Change Management ensures integration of people, process, standards, technology and governance
• Methodology is applicable to any industry or function
• Maturity Assessments reveal depth of need
• Senior Leaders provide strategic clarity and must participate to show buy-in
• Involvement of the people who perform the work improves buy-in tenfold
• Process Innovation Activities (PIA) identify issues and recommend future-state changes
• Future states are created using Design To Excellence Events (DTE)
• All activities are managed and integrated using structured program and project planning
• Communication is managed to mitigate resistance and improve transformation success
• Get to Excellence Plans (GTE) monitor projects from Initial Operating Capability (IOC) through Full Operating Capability (FOC)
• Performance metrics lead the way toward continual improvement
Thank you for attending this session