You know the old break-up line, “it’s not you, it’s me….”? As a CISO, what if, when you get your few minutes to discuss security with the C-suite, board of directors or mission leadership, it really turns out to be you, not them, who failed in the communication? Lack of success in communicating with your C-suite could lead to a breakup sooner or later. I’ve had hundreds of conversations with and about CISOs communicating, on topics ranging from security breach information, status, performance metrics, risk, visualizations, or overall security posture, with their executive leadership. And largely, it turns out to be no surprise that communicating security information is incredibly difficult, especially with non-technical, disinterested, or time-constrained C-suite executives.

Success with SANS

The initial UMASS Security Program was based on the ISO/IEC 27002 controls framework; then, starting in 2011, the SANS 20 CSC were added. Today’s program includes both. The ISO controls focus on program management, compliance and process from an IT auditor’s perspective, while the SANS controls’ focus on technology means they are better aligned with IT operations. Prior to 2011, Wilson was having difficulty communicating with executive management (CIOs and others): it was difficult to translate the purchase and implementation issues surrounding firewalls, anti-virus, and vulnerability scanning into familiar business terms and concepts relevant to management and process. However, when he stopped trying to explain the ISO/IEC 27002 security controls framework and used the SANS 20 CSC instead, he was able to communicate much more effectively with his C-suite for the first time, in a way they could absorb and support. In addition, he and his team have been able to map out a measurable and actionable security program based on SANS that he regularly succeeds in communicating to his executive team.
Connect Security to the Business/Mission
Katherine Brocklehurst, Senior Product Marketing Manager
SANS CSC Summit Aug 11-12, 2013
AGENDA
• CONNECTING SECURITY TO THE BUSINESS/MISSION
• COMMITMENT TO THE SANS CSC FRAMEWORK
• AND COMING TECHNOLOGY…
The CISO Challenge
GARTNER PREDICTS THAT BY 2014, 80% OF GLOBAL 2000 ORGANIZATIONS WILL REPORT ON RISK AND SECURITY TO THEIR BOARDS OF DIRECTORS AT LEAST ANNUALLY.
- GARTNER, INC., “BUILDING AN EFFECTIVE IT RISK AND INFORMATION SECURITY PRESENTATION FOR YOUR BOARD OF DIRECTORS”, JUNE 2012
The CISO Challenge
“IN THIS RESTRICTIVE ECONOMIC ENVIRONMENT, CISOS HAVE AN OPPORTUNITY TO REFRAME THE RISK DISCUSSION [WITH MISSION OWNERS] AND BUILD A STRATEGY…
…THIS MAY SEPARATE THE SUCCESSFUL SECURITY AND RISK PROFESSIONALS, WHO CAN ADAPT STRATEGICALLY TO THE CURRENT CLIMATE, FROM THE UNSUCCESSFUL ONES, WHO STAY MIRED IN DAY-TO-DAY SECURITY FIREFIGHTING.”
- FORRESTER RESEARCH, “UNDERSTANDING SECURITY AND RISK BUDGETING FOR 2013”, JANUARY 2013
The Enterprise v. The Borg
“Understanding (IT Security) is Futile”
“Connect Security To the Business” (CSTB) Work-in-Progress: ~Two Years of Conversations
Over 1500 CISOs/CSOs and Execs and IT Mgt over nearly 2 years researching
Volunteer, light touch, feedback loop
“How Well Are You Doing at Connecting Security to the Business or Mission?”
Consistent set of questions:
Security Control Framework? Start/status/progress
Reporting Structure & Staff/Resources
Challenges & Successes
Budget (Overall + ITSec)
Company size, Industry, Annual Revenues
Job Tenure (and Staff Tenure)
What is working, what do you need?
IT SECURITY & COMPLIANCE AUTOMATION
I need to…
• Effectively govern the privacy and security of our digital assets
• Communicate the value of security to my business/mission
• Connect security to our mission
• Establish relevance with my Board, executives and colleagues
• Gain insights into our information security cyber-risks
• Measure, compare and contrast our risk posture
• Get more visibility [I don’t know what I don’t know]
• Provide timely reports for many different constituents
What’s the impact? “It’s not me, it’s you….”
Two-year CISO lifespan on the job (50%/CIO, 50%/CEO)
5-10% of IT budget on average
Executive level needs increased visibility, but doesn’t understand
Ineffective communication with executive levels. Why?
No understanding
Only meet when there’s a crisis
Silos – organizational and technical
Inability to demonstrate value to management
Difficult to communicate and drive positive change across the organization
Time and money wasted manually pulling in data and generating reports
CISO doesn’t have what the CFO has in GAAP, EBITDA, P/E etc.
The CISO’s Journey
The Three Types of CISOs
Chart: CISO types plotted by Technical Experience and Business Experience, from Operational to Strategic.

“Technical” CISO
Focuses on audit, security tools, ops & monitoring
Little roll-up of raw data, which doesn’t translate well to the business

“Business” CISO
Focuses on a security program that provides/guides to compliance
Has some manual, business-relevant security reporting
Thinks about metrics, starting small and establishing roadmaps

“Strategic” CISO
Partners with the business to manage risk
Understands how security meshes with the value chain
Aligned with all business priorities + calibrated suite of thematic metrics, some rolling up multiple security controls
The CISO needs what the CFO has….
Financial Reporting
• Objective facts
• Consistent definitions
• Trending
• Performance against goals
• Performance against peers
• Consistent rhythm of communication (regardless of market conditions)
• Clear communication to diverse audiences internally and externally

A way to describe security performance like the CFO describes financial performance:
Earnings Per Share
Revenues
Gross Margins
EBITDA
Operating Income
Net Income
Current Assets
Accounts Receivable
Cash Flow
Current Liabilities
Common Strengths
Verbally strong
Trusted
More directionality than technical precision
Translates business priorities into security controls and technical initiatives
Works with executive team in non-crisis mode
Predictable information – schedule + visualizations
Articulates risk in terms of business consequences
Forecasts/predicts outcomes
Demonstrates business value to other organizations
Proactive, not reactive
Knowledgeable but not hands-on
When presenting – knows the target outcome
What’s Been Working & Suggestions
Every Organization Is Different
#1 – Exec buy-in, agreement, support (MBOs?)
#2 – Know your business/mission initiatives
#3 – Have the ‘risk’ discussion – especially re ‘consequences/impact’
#4 – Figure out what you can summarize in 2 slides and 5 minutes
#5 – Commit to helping the exec team understand – give business context
Who’s your audience
Skip the jargon, avoid technical ratholes and belly-bumping
Who can help – coaches/mentors, other CISOs
Meet frequently with peers, and other orgs to give valuable information
Socialize your ideas, visuals, progress points, ask for input
Check out both finance team & marketing/communications
#6 – Improve your public speaking
Great Milestone: Bringing Together the Best
Security configuration management
Best-of-breed file integrity monitoring
Log and security event management
IT Security and compliance platform
Security trending and visualization
Reporting for all audiences
Vulnerability management
Cloud based security services
Peer benchmarks
Asset management
WebApp scanning
Analytics and reporting
Agentless configuration auditing & file integrity monitoring
Best research – VERT
Wide Solution Span
Integrated
Partner to our customers
“Connecting Security to the Business/Mission”
Security Business Intelligence, Analytics, Visualizations, & Reporting
Tripwire Delivers Foundational Security Controls
Chart: Depth of Control (vertical) against Number of Devices, Low to High (horizontal). Elements shown: Agent-based; Agentless; Vulnerability Management & Log Management; Asset Discovery & Reconciliation; Critical Data; Risk & Business Criticality Partners; Security Configuration Management; Deep FIM.
$150M+ Annual Sales
400+ Employees
Profitable
7000+ Customers in 96 countries
Remain small enough to be nimble, innovative; large enough to be the long-term leader in our market
New Tripwire: Worth a Roadmap Discussion
Vulnerability Management
Security Configuration Management
Log/Event Intelligence
Integrations: ArcSight, Remedy, NetApp, Core Security, Skybox, RSA Envision, etc.
SANS 20 CSC – “Foundational Controls” 1-4
1, 2, 3, 4, 5, 6, 10, 11, 12, 14, 15, 16
FY 2013 FISMA Metrics
- J. Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator
Cross-Agency Priority (CAP) Goal: Cybersecurity – FY2013 Q1 Update
http://my-goals.performance.gov/sites/default/files/images/Cybersecurity%20CAP%20Goal%20%20FY2013%20Quarter%201%20Update.pdf
You’ve got 2 slides and 5 minutes…Go!
Benchmarks, Metrics, and KPIs
VM, CA, PM, AV, IAM, CIS
Know Your Assets
“To know that I’ve got a device out there that’s not being monitored is even closer to my heart.”
-T/CISO, Telecom
SANS 1&2 Security Control Coverage
CSTB/M
“Once our remediation process is in place, we will roll in Vulnerability metrics.”
-ISSM, State/Local/Fed
“We aren’t good at vulnerability assessment right now. We will add the VA factor later.”
-VP IT Operations & Security, Industrials
Security Control Coverage
Set Goals, Track, Trend
“It doesn’t matter where you set the initial benchmark. Set it and run the data for 6 months, see how your Business Units behave.”
-CISO, Financial Services
“The math is irrelevant. Whether it goes up or down has the meaning.”
-VP, Big Oil
The Value of Comparison
“This is trending on steroids.”
-B/CISO, Banking
“I need flexible access to my organization’s deep hierarchy.”
-S/CISO, Big Oil
“I need to subdivide my categories.”
-Senior Security Architect, Healthcare
Multi-dimensional Views
“That was a great chart if that was consistently what I could show senior leadership.”
-B/CISO, Retail
SANS 3 Performance for Business-Critical Assets
“Don't use Red/Amber/Green. Establish your risk tolerance and either you're compliant or you're not.”
-VP, Compliance
“I see a lot of benefits… it’s giving my execs access to see this data real time for themselves.”
-T/CISO, Tech
Measure, Communicate and Drive Action Across The Security and IT EcoSystem
Security Business Intelligence Summary
Aggregated/Weighted Across Business Context
SANS Controls
Operational Reports
• Objective
• Factual
• Trustworthy
• Consistent
• Understandable
• Actionable (or demonstrated actions taken)
• Business Context
SANS 5: Malware
SANS 1&2: Asset Inventory
SANS 4: VA
SANS 3: SCM/CA
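An added worked illustration, not from the deck or any Tripwire product, of the roll-up the last few slides describe: SANS control coverage weighted by business criticality, reported as a binary pass/fail against a stated risk tolerance rather than Red/Amber/Green, and trended over successive snapshots. The asset records, the criticality weights and the 0.9 tolerance are constructed assumptions.

```python
# Added example: criticality-weighted SANS control coverage per business unit,
# binary compliance against a fixed tolerance, and trend direction over time.
# All asset data, weights and the tolerance value are constructed for illustration.
from dataclasses import dataclass, field

CONTROLS = ("SANS 1&2 Inventory", "SANS 3 SCM/CA", "SANS 4 VA", "SANS 5 Malware")
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}   # assumed weighting scheme


@dataclass
class Asset:
    business_unit: str
    criticality: str                                 # "high" | "medium" | "low"
    covered: set = field(default_factory=set)        # controls in place on this asset


def weighted_coverage(assets, control):
    """Share of criticality-weighted assets that have `control` in place (0.0..1.0)."""
    total = sum(CRITICALITY_WEIGHT[a.criticality] for a in assets)
    hit = sum(CRITICALITY_WEIGHT[a.criticality] for a in assets if control in a.covered)
    return round(hit / total, 3) if total else 0.0


def summary(assets, tolerance):
    """Per business unit and control: (coverage score, compliant?) with no amber zone."""
    out = {}
    for bu in sorted({a.business_unit for a in assets}):
        bu_assets = [a for a in assets if a.business_unit == bu]
        out[bu] = {}
        for control in CONTROLS:
            score = weighted_coverage(bu_assets, control)
            out[bu][control] = (score, score >= tolerance)
    return out


def trend(snapshots):
    """Direction between first and last snapshot: 'up', 'down' or 'flat'."""
    first, last = snapshots[0], snapshots[-1]
    return "up" if last > first else "down" if last < first else "flat"


# Constructed snapshot: two business units with mixed criticality and coverage.
ASSETS = [
    Asset("Retail", "high", {"SANS 1&2 Inventory", "SANS 3 SCM/CA", "SANS 5 Malware"}),
    Asset("Retail", "low", {"SANS 1&2 Inventory"}),
    Asset("Finance", "high", set(CONTROLS)),
    Asset("Finance", "medium", {"SANS 1&2 Inventory", "SANS 4 VA", "SANS 5 Malware"}),
]

if __name__ == "__main__":
    for bu, scores in summary(ASSETS, tolerance=0.9).items():
        for control, (score, ok) in scores.items():
            print(f"{bu:8} {control:20} {score:6.0%} {'compliant' if ok else 'NOT compliant'}")
    print("SANS 4 VA, four monthly snapshots:", trend([0.40, 0.55, 0.62, 0.70]))
```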
Observations
It’s Time We Figure Out Security Collaboration – Seriously….
Security Technology Community
Information velocity
Volunteering at SANS / help the Council on CyberSecurity
Recruit youth/new talent into security
Vendors – work and play well with others!
Human Factor – People as Assets (SANS 1, 2, & ?)
Metrics => KPIs => Benchmarks
Mapping