
21st Century Security: Convergence, Collaboration and Competition??

Explore the dynamics between corporate security, IT security, and financial risk management in the modern security landscape. Understand the convergence of risks, legal issues, and the complexity of protecting systems. Delve into a common approach to security strategy and the importance of a rational security philosophy.



Presentation Transcript


  1. 21st Century Security: Convergence, Collaboration and Competition?? April 5, 2005. Bill.Boni @ Motorola.com, Vice President and Chief Information Security Officer

  2. Agenda • The “Warring Tribes” of Security • Convergence • Collaboration • Competition • Conclusions

  3. Warring Tribes? • Badges • Bytes • Beans

  4. Badges – Corporate Security / Physical Security • Typically drawn from law enforcement or military • Reports to Administration, Facilities, or Human Resources • Frames the issue as protection of people, facilities, operations • Values authority and command • Contributes prevention skillsets

  5. Bytes – IT or Information Security • Typically drawn from technologist ranks • Reports to CIO or IT Operations • Frames the issue as availability, integrity, confidentiality of information and systems • Values creativity and technology innovation • Contribution is continuity and availability of IT capacity

  6. Beans – The Financial Wizards • Typically drawn from financial community • Reports to Chief Financial Officer or • Frames the issue as “Risk Management” • Values financial efficiency and loss avoidance • Contribution is quantitative rigor

  7. Convergence? • What challenges are generally the same? • Extended enterprise risks • Diverse operational risks • Increased legal and regulatory scrutiny • Complexity • Common approach • Common philosophy • Mobility and choices

  8. 1. Extended Enterprises: Dissolution of Perimeter Security. [Diagram: the “Organization (Risk) Community”, comprising contract manufacture, joint ventures, contract design, un-trusted intranets, parts, customers, services and transportation]

  9. 2. Diverse Operational Risks • Foundational Issues • Ubiquitous connectivity • Microcomputers everywhere • Mobile workforce • Many assets not protected • “Contingent workers” • Contractors and consultants • Links to partners / suppliers [Diagram: data centers, un-trusted intranet and individual systems connected to a hostile Internet] Every system must be secured. Inside is almost as risky as outside.

  10. 3. Legal and Regulatory Issues. Pressure is mounting on organizations to prove compliance with an increasing array of laws and regulations. All elements of security become ever more challenging. [Diagram: Laws/Regulations (EU Data Protection, GLB/HIPAA/Patriot, Sarbanes-Oxley, U.S. Info Security Responsibility Act); Technologies (Web / Internet, Databases, Collaboration, Wireless, Mobile Devices); Stakeholders (Customers, Competitors, Governments, Suppliers / Partners, Employees)]

  11. 4. Complexity of Protection Systems • Many bits & pieces • Too few qualified security personnel (~.005% of employees) • Lack of standards • Integrated safeguards • Smart cards • Digital forensics

  12. 5. A Common Approach to Strategy? • PROTECT • Key assets and capabilities • DETECT • Attacks and malicious actions • RESPOND • Rapid notification and reaction • RECOVER • Disaster / business continuity planning

  13. 6. Common Philosophy: Security Must Be Rational. [Chart: cost ($) against security level from 0% to 100%; curves for cost of security countermeasures, cost of security breaches, and total cost; the optimal level of security is where total cost is at its minimum]

  14. 7a. IP Networking - Mobility

  15. 7b. Securing the Mobile Users. As the person responsible for the organization, you only have “control” in this space, but the mobile users move throughout the entire set of possibilities.

  16. Competition • Overall leadership • Staffing • Budget • Access to leadership

  17. State of the Security Profession? • Corporate – Physical security – CSO • IT – Information Security – CISO • The Security Alliance Initiative • ASIS • ISSA • ISACA • CRO • ERM: Revenge of the “bean counters”?

  18. Enterprise Risk Management • Top Down – comprehensive risk management • Insurance • Financial • Strategic • Operational • Operational Risks: Security Professionals • Financial expertise benefits from metrics/data

  19. Risk Management • The board should manage enterprise risk by: • Ascertaining that there is transparency about the significant risks to the organization • Being aware that the final responsibility for risk management rests with the board • Considering that a proactive risk management approach creates competitive advantage • Insisting that risk management is embedded in the operation of the enterprise • Obtaining assurance that management has put processes and technology in place for (information) security. Source: IT Governance Institute

  20. 3 Generic Approaches to Organization Security • Silos of independence • Little or no communication and coordination • Councils of collaboration • Periodic, ad hoc, often incident focused • Unified organization • Formal, structured, aligned

  21. Protection Program Focus Areas • Security Governance • Organization operations and partners • Network Defense • Security strategy and architecture • Protection Management • Projects and continuity program

  22. Security Roles. [Diagram: roles spanning Information Protection, Physical Security and Financial: protect people, property and tangible assets from loss, destruction, theft, alteration, or unauthorized access; incident response; information security; disaster/business continuity; risk assessments; security technology; investigations; enterprise risks; inspection procedures; secure digital assets; independent controls assessment; internal / external regulatory compliance; risk management]

  23. Changes Ahead for Security Professionals • Cybercrime failures will result in major liability judgments • Public / private sector formally share infrastructure protection roles • Certification / licensing for (all?) security professionals • CSOs assume responsibility for operational risks • Security is subsumed into ERM and Finance/CROs predominate

  24. A Security Professional for All Seasons… • Grounded in multiple protection disciplines • Capable project/program manager • Lifelong passion to learn • Business acumen • Diplomatic and adaptable • Adept at framing issues as risk management • Professional training / certifications

  25. A Security Mantra • Vision without Action is Imagination • Action without Vision creates Chaos • Vision with Right Action is Transformation. See the Future and Plan Backwards.
