8/9/2019 From No Seat to Multiple Hats: The Evolution of the Information Security Management Function (261565918)
http://slidepdf.com/reader/full/from-no-seat-to-multiple-hats-the-evolution-of-the-information-security-management 1/39
From No Seat to Multiple Hats: The Evolution of the Information Security Function
April 1, 2015 (no fooling!)
David Sherry
CISO
Brown University
Today’s Agenda
• A brief history of information security
• How security used to be done
• Addressing security now
• The maturity of security
• Q&A
Why are we here?
To highlight that information security continues to evolve (just as the attacks and issues continue to evolve) towards what is becoming a mature, risk-based model.
About 25 Years of Computer Security (in 5 slides)
History, Chapter 1
Source: http://blog.trendmicro.com/threat-morphosis/
History, Chapter 2
History, Chapter 3
History, Chapter 4
History, Chapter 5
“The Media Era”
Heartbleed
XP end of life
Shellshock
Poodle
Target, Home Depot, JP Morgan Chase… pick your poison.
“Exponential Times”
• Google searches in 2006: 12.6 billion/month
– Google searches in 2008: 31.2 billion/month
– Google searches in 2010: 66.3 billion/month
– Google searches in 2011: 116.1 billion/month
– Google searches in 2014: 138.3 billion/month
• Text messages were introduced in 1994
– daily amount now exceeds Earth’s population
• Top 25 jobs in demand for 2013
– 19 didn’t even exist in 2005
• More information was produced and saved in 2014
than in all of human history
“Exponential growth”
Years to reach 50 million users:
• Radio = 38 years
• TV = 13 years
• Internet = 4 years
• iPod = 3 years
• Facebook = 2 years
• Twitter = two months (Jan/Feb 2012)
• Cloud adoption for email?????
Takeaways to this point
• Information threats have evolved and will continue to.
• Threats are in the public eye, and discussed in the board room.
• The information security model must continue to evolve as well, and mature at a similar rapid pace.
Security in the Past
The early security model
• Security positions were rare
• Rarer was a security department
• Usually part of the network group
• Put in a firewall, throw in some anti-virus, and hope for the best
• No manager or security spokesperson
• FUD was the model of choice
The early security model: results
• Deep reliance on the firewall
• Reactionary posture
• “Good enough” was the benchmark
• Often an afterthought after an event
• Widespread attacks were prevalent
• An attack could impact operations
for lengthy periods of time
“The troglodytes at the end
of the hall….”
Early firewall management
Key Skill Sets for New Thinking
• Security pros see things differently
– cameras, voting machines, boarding passes, computer vulnerabilities
– engineers like to make things work; security pros like to see how they can be broken
• Soft skills are increasingly important:
– persuasion, negotiation, business cases, organizational value and legal mindset playing a bigger role than bits and bytes
The maturing operational model
• Separate the business / risk aspects from the network / architecture aspects
• At Brown, this means the ISG and the NTG
• Benefits:
– Separation of duties
– Engineers can concentrate on networks, not policy
– Information Security can lead (and deny) from the front
So what do you focus on?
Where should an organization focus? Part I: Managerial
• Establish a security program
• Ensure a base policy set
• Establish the baseline posture
• Provide security awareness broadly
• Target compliance from the start
• Take privacy seriously
• Use risk assessments strategically
• Train for incident response
Where should an organization focus? Part II: Technical
• Build a secure architecture
• Use security solutions strategically
• Be zealous of secure access
• Set baselines (servers, mobile, BYOD, etc.)
• Ensure secure use of the Cloud
• Target web app security and continual scanning
How to do this
What an organization can do
• Be proactive about security
• Assign executive responsibility
• Make security a business function
• Adopt a framework
• Partner with audit and legal
• Get the message out!
• Ensure that there is a senior security leader
The changing role of the CISO
• The proliferation of technology at every level of the business
has made Information Security less about technology
• Increasingly, Information Security is more about policy,
mitigation, education and process
• Privacy is the current new "thing" in Information Security
• Today CISOs are presented with issues that several years ago
would have gone directly to the Office of the General
Counsel
• State and Federal regulations require documented and
measurable compliance
• Often, the CISO is looked at to be a stakeholder in Risk
Management, requiring a different set of skills and thinking
Current Job Postings for a CISO
• 12-15 years of experience
• Leadership
• Vision
• Strategy
• Rapid analysis
• Presentation skills
• Articulation
• Business acumen
• Governance
• Compliance
• Risk Management
• Legal mindset
• MBA or Masters in Computer Science
• Certifications (CISSP, CISA, CRISC, CIPP)
The Result?
• Information Security is gaining as a contributor to the
success of the organization
• Not only attends risk management meetings, but may also be leading them
• Sometimes is speaking for conflicting priorities!
• Models also indicate a subtle shift towards the lead
information security person reporting to the Chief
Risk Officer
From “no seat at the table” to
“wearing multiple hats”
Does Anyone Want It?
“Pity the poor CISO” – A Tough Corporate Job Asks One Question: Can you Hack It?
• New York Times, 7/20/14
Was this a presentation?
Summary
• The threats to information security are increasing and evolving
• The role of information security has evolved as well
• The information security function is now a key component in the success and risk management posture of an organization
• Security success is through managerial, technical and awareness methods
• Organizations need a security leader!
Pity the poor CISO? At least we are no longer troglodytes
David Sherry, CISSP CISM
Chief Information Security Officer
Brown University
Campus Box 1885
Providence, RI 02912
401-863-7266
There is never enough time; thank you for some of yours.