Inclusion & Empowerment: How Participation and Awareness Influence Security

Daniel J Blander, CISM, CISSP

Page 1: Inclusion And Empowerment

Inclusion & Empowerment:

How Participation and Awareness Influence Security

Daniel J Blander, CISM, CISSP

Page 2: Inclusion And Empowerment

[ agenda ]

[ challenges ]

[ why ]

[ emerging strategies ]

Page 3: Inclusion And Empowerment

[ challenges ]

Management buy-in

User Participation

Page 4: Inclusion And Empowerment

[ challenges ]

How consistent is your security posture?

Is it integrated into your organization’s goals?

Page 5: Inclusion And Empowerment

[ challenges ]

But I have tried!

Page 6: Inclusion And Empowerment

[ why ]

Company & Stakeholder awareness of risk

• “It’s never happened to us before”

Stakeholder Focus: Profit, Cost, Opportunity

Page 7: Inclusion And Empowerment

[ why ]

CIO = Chief IT Officer

Security is Only for Computers

Page 8: Inclusion And Empowerment

[ why ]

Self-Inflicted Wounds

• Techno-babble

• Fear mongering – FUD & Hype

Security is a Cost Center

• Security does not generate revenue

• Security is restrictive

F.U.D.

Page 9: Inclusion And Empowerment

[ change ]

Create a shared Governance Function

Security Steering Committee

IT

Finance

HR

Sales

Legal

Page 10: Inclusion And Empowerment

[ change ]

• Security is a process inside The Company

• People, Processes, Information

• Participate in the Business

Security as “Business Risk Management”

Chief Risk Officer

Physical Security

Legal

Information & IT Security

Page 11: Inclusion And Empowerment

[ change ]

Use security to enhance business

Give back to the business

Focus on:

• Efficiency & Effectiveness

• Availability

ITIL: Process Improvement, Predictability

Page 12: Inclusion And Empowerment

[ change ]

Promote security as a cultural and behavioral change.

Focus on changing long-term patterns and attitudes about security.

Focus on security enabling people, not as restricting rules.

Make security something everyone can understand and act on.

Show how security applies to all parts of life, at work and at home.

Page 13: Inclusion And Empowerment

[ change ]

How do you lead to achieve this?

• Have a New Attitude

• NO FUD

• Put your business hat on!

• Think of good business practices that reflect security

• Think of business opportunities

• Be a Team Player - Include everyone on the team

Page 14: Inclusion And Empowerment

[ change: sources ]