
Business/IT Partnership Summit 2016


Presentation Transcript


  1. Business/IT Partnership Summit 2016 IT Security Track: Creating an Effective Cybersecurity Program

  2. * Agenda
  • Welcome & Intro
  • Information Security Program – One Size Does Not Fit All!
  • Successful Information Security Program Elements
  • Steps and Battle Rhythm
  • Monitoring, Measuring, Maturity
  • Summary and Q&A
  • Closing
  * Modified 10/20/30 presentation

  3. One size does not fit all! “Each organization has its own threats, risks, business drivers and compliance requirements, but even though every security program is different, they are usually made up of the same elements.” SOG - CISO

  4. Is it “top-down” or “bottom-up”?
  • A security program should use a top-down approach, meaning that the initiation, support and direction come from top management and work their way through middle management, and then to staff members. In contrast, a bottom-up approach refers to a situation in which the InfoSec department tries to develop a security program without getting proper management support and direction.
  • A bottom-up approach is always less effective, not broad enough and doomed to fail. It is also usually fully focused on technology, and many of the security management controls are missing.
  • A top-down approach makes sure that the people actually responsible for protecting the company's assets (senior management) are driving the program.

  5. “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier

  6. Successful security programs usually have… at least eight key elements to be considered when developing, implementing, reviewing, or seeking to improve the effectiveness of an information security program:
  • Information Security Governance
  • Strategic Information Security Planning (SP)
  • Policy and Compliance Management (PM)
  • IT/IS Risk Management (RM)
  • Cyber Incident Management (IR)
  • Security Awareness and Training (SATE)
  • Continuity of Operations Planning (COOP)
  • Measurement, Intel-gathering, Monitoring & Reporting

  7. Processes, Technology and People. These eight components are best used as layers of defense:
  • Processes
  • Technology
  • Awareness
  A layered architecture/layered defense, or defense in depth.

  8. Security Maturity

  9. Maturity Levels 0-5
  • Level 0 – Non-Existent
    • 100% Reactive
  • Level 1 – Initial
    • Ad-Hoc activities
    • Initial Executive Awareness
    • IT-centric Approach
  • Level 2 – Developing
    • CISO Appointed
    • User Awareness Outreach
    • Formal Program initiated
  • Level 3 – Defined
    • Policies and Processes Defined
    • Security Organization Defined
    • Improving User Awareness
  • Level 4 – Managed
    • Governance Body Established
    • Info-centric approach
    • Effective Metrics
    • Security Organization Working Internally and Externally
  • Level 5 – Optimizing
    • Information Owners Accountable
    • Risk-aware culture
    • A Culture of Preparedness and Awareness

  10. InfoSec Program/Culture Maturity Where are you on the scale 0-5? How do you compare with other “public sector” organizations?

  11. Things to work on NOW!
  • Assess your program
  • Compare your organization to peers in public sector
  • Prioritize gaps
  • Develop recommendations to close gaps and improve maturity
  • Develop roadmap (sequence, timing, resources, etc.) for executing the recommendations
  • Summarize and socialize the findings, recommendations and roadmap

  12. “If you spend more on coffee than on cyber security, then you will be hacked. What's more, you deserve to be hacked.” – Richard Clarke

  13. The Road Ahead
  • The priority:
    • Gain senior management commitment to information security initiatives
    • Management understanding of information security issues
    • Integration between business and information security
    • Alignment of information security with the organization’s objectives
    • Risk management
    • Strategic security planning
    • Security Awareness, Training and Education
  • Additionally:
    • Appropriate employee awareness, training and education on information asset protection
    • Placement of information security within the organization hierarchy
    • Budget for information security strategy, tactical and operational plan
    • Consistent board/executive message with regard to information security priorities
    • Ability to cost-justify information security
    • State Cyber Academy
