Explore the dynamics between corporate security, IT security, and financial risk management in the modern security landscape. Understand the convergence of risks, legal issues, and the complexity of protecting systems. Delve into a common approach to security strategy and the importance of a rational security philosophy.
21st Century Security: Convergence Collaboration and Competition?? April 5, 2005 Bill.Boni @ Motorola.com Vice President and Chief Information Security Officer
Agenda • The “Warring Tribes” of Security • Convergence • Collaboration • Competition • Conclusions
Warring Tribes? • Badges • Bytes • Beans
Badges – Corporate Security /Physical Security • Typically drawn from law enforcement or military • Reports Administration, Facilities, Human Resources • Frames the issue as protection of people, facilities, operations • Values authority and command • Contributes prevention skillsets
Bytes – IT or Information Security • Typically drawn from technologist ranks • Reports to CIO or IT Operations • Frames the issue as availability, integrity, confidentiality of information and systems • Values creativity and technology innovation • Contribution is continuity and availability of IT capacity
Beans – The Financial Wizards • Typically drawn from financial community • Reports to Chief Financial Officer or • Frames the issue as “Risk Management” • Values financial efficiency and loss avoidance • Contribution is quantitative rigor
Convergence? • What challenges are generally the same? • Extended enterprise risks • Diverse operational risks • Increased legal and regulatory scrutiny • Complexity • Common approach • Common philosophy • Mobility and choices
1. Extended Enterprises: Dissolution of Perimeter Security (diagram: the “Organization (Risk) Community” of contract manufacture, joint ventures, contract design, un-trusted intranets, parts, customers, services and transportation; data centers and individual systems linked over an un-trusted intranet)
2. Diverse Operational Risks • Foundational Issues • Ubiquitous connectivity • Microcomputers everywhere • Mobile workforce • Many assets not protected • “Contingent workers” • Contractors and consultants • Links to partners / suppliers (diagram: hostile Internet) Every system must be secured. Inside is almost as risky as outside.
3. Legal and Regulatory Issues: Pressure is mounting on organizations to prove compliance with an increasing array of laws and regulations. All elements of security become ever more challenging. (diagram: laws/regulations such as EU Data Protection, GLB/HIPAA/Patriot, Sarbanes-Oxley and the U.S. Info Security Responsibility Act; technologies such as web/Internet, databases, collaboration, wireless and mobile devices; stakeholders including customers, competitors, governments, suppliers/partners and employees)
4.Complexity of Protection Systems • Many bits & pieces • Too few qualified security personnel ~.005% of employees • Lack of standards • Integrated safeguards • Smart cards • Digital forensics
5. A Common Approach to Strategy? • PROTECT • Key assets and capabilities • DETECT • Attacks and malicious actions • RESPOND • Rapid notification and reaction • RECOVER • Disaster / business continuity planning
6. Common Philosophy: Security Must Be Rational (chart: cost in $ against security level from 0% to 100%; the cost of security countermeasures rises with the level, the cost of security breaches falls, and the total cost curve has its minimum at the optimal level of security at minimum cost)
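The chart's argument, as an added worked example that is not from the talk: with constructed cost curves (countermeasure cost rising steeply toward 100%, expected breach cost falling as the level rises), a grid search finds the level where total cost bottoms out, well short of 100%.

```python
"""Find the 'optimal level of security at minimum cost' from the slide's two
cost curves. Both curve shapes and all dollar figures are constructed
assumptions for illustration, not data from the presentation."""
from typing import Callable, Tuple

CostFn = Callable[[float], float]


def countermeasure_cost(level: float, base: float = 20_000.0) -> float:
    """Constructed: spend grows without bound as level -> 1.0 (diminishing returns)."""
    return base * level / (1.0 - level)


def breach_cost(level: float, exposure: float = 500_000.0) -> float:
    """Constructed: expected annual breach loss shrinks as controls improve."""
    return exposure * (1.0 - level) ** 2


def total_cost(level: float, cm: CostFn = countermeasure_cost,
               br: CostFn = breach_cost) -> float:
    """The slide's TOTAL COST curve: countermeasures plus breaches."""
    return cm(level) + br(level)


def optimal_level(cm: CostFn = countermeasure_cost, br: CostFn = breach_cost,
                  steps: int = 999) -> Tuple[float, float]:
    """Grid-search the security level (0 <= level < 1) with the lowest total cost.

    Returns (level, total_cost). level == 1.0 is excluded because the
    constructed countermeasure curve is unbounded there, which is the point:
    '100% security' is not the rational target.
    """
    best_level, best_cost = 0.0, float("inf")
    for i in range(steps):
        level = i / steps
        cost = cm(level) + br(level)
        if cost < best_cost:
            best_level, best_cost = level, cost
    return best_level, best_cost


if __name__ == "__main__":
    lvl, cost = optimal_level()
    print(f"optimal security level ~{lvl:.0%}, total cost ~${cost:,.0f}")
    for probe in (0.0, 0.5, lvl, 0.95):
        print(f"  level {probe:.2f}: total ${total_cost(probe):,.0f}")
```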
7b. Securing the Mobile Users: As the person responsible for the organization, you only have “control” in this space, but the mobile users move throughout the entire set of possibilities.
Competition • Overall leadership • Staffing • Budget • Access to leadership
State of the Security Profession? • Corporate – Physical security - CSO • IT – Information Security - CISO • The Security Alliance Initiative • ASIS • ISSA • ISACA • CRO • ERM : Revenge of the “bean counters” ?
Enterprise Risk Management • Top Down - comprehensive risk management • Insurance • Financial • Strategic • Operational • Operational Risks Security Professionals • Financial Expertise benefits from metrics/data
Risk Management • The board should manage enterprise risk by: • Ascertaining that there is transparency about the significant risks to the organization • Being aware that the final responsibility for risk management rests with the board • Considering that a proactive risk management approach creates competitive advantage • Insisting that risk management is embedded in the operation of the enterprise • Obtaining assurance that management has put processes and technology in place for (information) security Source: IT Governance Institute
3 Generic Approaches to Organization Security • Silos of independence • Little or no communication and coordination • Councils of collaboration • Periodic, ad hoc, often incident focused • Unified organization • Formal, structured, aligned
Protection Program Focus Areas • Security Governance • Organization operations and partners • Network Defense • Security strategy and architecture • Protection Management • Projects and continuity program
Security Roles (diagram: Information Protection and Physical Security share the mission to protect people, property and tangible assets from loss, destruction, theft, alteration, or unauthorized access; responsibilities shown include incident response, information security, disaster/business continuity, risk assessments, security technology, investigations, enterprise risks, inspection procedures, securing digital assets, independent controls assessment, internal / external regulatory compliance, risk management and financial)
Changes Ahead for Security Professionals • Cybercrime failures will result in major liability judgments • Public / Private Sector formally share infrastructure protection roles • Certification / licensing for (all?) security professionals • CSOs assume responsibility for operational risks • Security is subsumed into ERM and Finance/CROs predominate
A Security Professional for All Seasons… • Grounded in multiple protection disciplines • Capable project/program manager • Lifelong passion to learn • Business acumen • Diplomatic and adaptable • Adept at framing issues as risk management • Professional training / certifications
A Security Mantra • Vision without Action is Imagination • Action without Vision creates Chaos • Vision with Right Action is Transformation See the Future and Plan Backwards