In this Hacker Hotshot Hangout John explains:
1. Key considerations when creating a risk aware and security conscious culture
2. How to use risk management as a concept and tool to remove the fear of security in organizations
3. The value and benefits of developing an information risk profile
4. Understanding of the current behaviors of organizations and why they exist in regard to information security
5. Effective approaches to change behaviors and culture within organizations
6. How to leverage users effectively as a beneficial asset in supporting risk management and security activities
7. How to use threat and vulnerability analysis to identify and educate organizations on the highly probable and business-impacting threats that can affect them
8. Using control objectives as an approach to effectively manage information risk in a way that will be embraced by organizations.
For more Hacker Hotshots, please visit: http://www.concise-courses.com/
Changing the Mindset: Creating a Risk Conscious and Security Aware Culture
Presented By: John P. Pironti, CGEIT, CISA, CISM, CISSP, CRISC, ISSAP, ISSMP, President, IP Architects, LLC.
Hacker Hotshots, July 30, 2013
Copyright 2013 - IP Architects, LLC. - All Rights Reserved
Agenda
• Using risk management to remove the fear of security
• What is a Risk Aware and Security Conscious Culture?
• Approaches to creating and changing culture
• Final Thoughts
What is a Risk Conscious and Security Aware Culture?
• Risk and security activities are business-as-usual considerations
  – Embraced as a benefit to the business and not an obstacle to success
• Threats and risks are accurately identified, anticipated, and managed
  – Fear, Uncertainty and Doubt (FUD) no longer influences decisions or activities
• Business leaders and stakeholders are empowered
  – Able to make informed and business-appropriate risk management and security decisions
Benefits of a Risk Conscious and Security Aware Culture
• Provides enhanced protection to information infrastructure and data assets
  – Security is embraced instead of avoided
• Creates a force multiplier
  – Personnel actively assist in risk management and security activities
• Security awareness empowers the organization
  – Enables informed decision making
  – Understand business benefits, expectations, and requirements
Using Risk Management to Remove the Fear of Security
• Business leaders and stakeholders are typically afraid of or annoyed by security
  – Often believe it will create obstacles that will prevent them from being successful
  – Always being told what they cannot do by security
• Risk management empowers business leaders and stakeholders to make appropriate decisions about security
  – Stop telling them what you think they have to do
  – Help them appreciate the risks associated with their options
Risk Management and Security vs. Security and Risk Management
• Mind of the business person - "Security"
  – Prevention, disablement, disempowerment
• Mind of the business person - "Risk"
  – Understanding, management, control, empowerment
• Alignment with risk leads to greater acceptance than alignment with security
  – Both terminology and approach
  – Changing the mindset requires a risk-first, security-second approach
Change the Perception and Actions
• Security professionals often use the word "Risk" when they mean "Threat and/or Vulnerability"
  – Identify and quantify probabilities and impacts
• Without current business intelligence, risk cannot be accurately or properly calculated
  – Strategy, financials, business priorities, etc.
• Leading practices instead of best practices
  – Only you know what is "best" for your environment
Business and Information Risk Profiles
• Identify risk tolerances of business leaders and stakeholders
  – Establish bounds of acceptable loss, compromise, distribution, or disablement for key business processes and assets
• Information risk management and security should assist in their development
  – Assists in cultivating awareness of the consultative approach
  – Identify information threats and vulnerabilities and the associated likelihoods and business impacts if realized
  – Identify, develop, implement and maintain risk-aligned control objectives in line with identified tolerances
• Business leaders' view of Information Risk Management and Security (IRMS) will change
  – Valuable information resource
  – Protective and supporting function
Security by Compliance – Fear the Auditor More Than the Attacker
• Compliance is always intended as the starting point, not the endgame
  – Compliance requirements will always have to catch up to attackers and their capabilities
• Audit and examination findings have a known business outcome and impact
  – Security threats and vulnerabilities have probabilities and potentialities
• Compliance provides business leaders and stakeholders a way to push back on FUD
  – They believe that they are doing what can be reasonably expected of them
Policies and Standards First, Controls and Technology Second
• Policies and standards define requirements and expectations
  – Identify control objectives
  – Approved by business leaders and stakeholders
• Controls and technologies assist in meeting policy and standard requirements
  – Technologies should not define control objectives or requirements
  – Controls and technologies presented as requirements without supporting policies and standards are often considered optional or ignored
• Proposed requirements and control objectives should be socialized to the affected audience in advance of policy development
  – Identify areas of discomfort or discontent before developing policies and standards
Users – Your Greatest Asset and Most Challenging Adversaries
• Many security professionals incorrectly assume users are the weakest link
  – Users may unknowingly cause damage or harm
  – Must be protected from themselves
• User intuition can be a powerful control
  – Both detective and preventative
  – Technical controls are based on "yes" or "no"; the user knows "maybe"
• User trust is key to cultural change
  – Work with users, not against them
• Privileged users can cause the most damage
  – Business leaders are often unable or unwilling to accept that users may be working against them
Trust But Verify
• Ideal way to protect both users and corporate assets
  – Ensures users are not falsely accused
  – Provides an effective oversight control for the corporation
• Make sure users are made aware of the existence of monitoring
  – Its existence alone may prevent a malicious user from taking action
• Privileged user activities are the most important to monitor
  – Highest potential for material business impact
Embrace but Educate – Turning "No" Into "Yes"
• Security is known for its ability to say "No"
  – Drives covert behaviors and actions
• Embrace but educate enables security to say "Yes" more often
  – Ensures risks and the expectations of security are understood
  – Creates a positive perception of IRMS
  – Reinforces the advisory and consultative approach
• Use techniques that can be easily understood and internalized
  – Simple language
  – Case studies
  – Examples
Personal Benefits Approach
• Help individuals to help themselves
  – Make them want to change their behaviors
  – Change both personal and professional behaviors
• Controls that restrict without context will drive covert behaviors
  – Proactive education and personal benefit are a better and often cheaper control
  – Education on safe social networking is an easy example to use to champion the approach
• Users will embrace security if they understand the universal benefits
  – Remove the perception of security as only a requirement of the business
  – Assist users in deriving personal benefit and value from security knowledge and guidance
Final Thoughts
• The culture of an organization ultimately determines its ability to protect itself
• Creating a risk conscious and security aware culture is a journey, not a race
  – Requires careful attention and constant reinforcement
  – Ultimately provides the highest return on investment for protection of data assets and information infrastructure
• A change in culture often results in the conversion of malicious attacks from incidents to anomalies
  – Little to no material business impact
  – The business will embrace the value of Information Risk Management and Security
Thank You for Your Time!
John P. Pironti, CGEIT, CISA, CISM, CISSP, CRISC, ISSAP, ISSMP
President, IP Architects, LLC. jpironti@iparchitects.com