What's on the agenda of the CISO?
Serge Moreno
Feedback from the CISO executive meeting – Budapest
Is there something new to say?
Basic Business Statement
If it's not worth protecting ... it's not worth doing!
Feeling good & keeping up the good feeling
What is Security?
Security =
What is doing (business)? = Taking risks
Every decision = intrinsic risk
NO Risk = NO Business
What is Information Security?
Security applied to information and information technology
Being comfortable with your information: Confidential – Integer (having integrity) – Reliable – Available
The psychology of Security (B. Schneier)
Issues:
• Incomplete model
• Hidden view
• Changes to the models are difficult to accept
[Diagram: the gap between feeling and reality – with a big gap: unneeded panic, or dreaming / too safe; with a small gap: under control, or work to do; the model is the trade-off used to reduce the gap so that feeling and reality converge over time (bad feeling / good feeling on one axis, future / time evolution on the other)]
What is worrying us?
Based on (ISC)²:
• Service downtime (73%)
• Damage to the organization's reputation (71%)
• Privacy of customer data (70%)
• Identity theft (67%)
• Theft of intellectual property (64%)
• Breach of laws & regulations (61%)
What can we buy on the Internet?
• Name, address, DOB = €1.50
• 16-digit credit card number = €1.50
• Expiry date: + €1.50
• Security code: + €3
What are we experiencing? Cyber terrorism:
• Georgian sites under attack before the Russian military counter-attack
• Carrefour China attacked because of the troubles in Paris around the Chinese flag
So what are the current risks?
• Mobility: data are running around
• Time to market
• Convergence – companies, countries, visions
• Increased regulations
• How can people act against something they do not understand – do managers understand IT?
• How to build security in a world where company data is not part of the company and is not even stored on company systems
• Push of technology by the user – be prepared
• Reliability of software – there is no real push, as the vendor is not liable
What are we doing about it?
• "I know what's best for you" attitude (IT / IT security people)
• "I make the profit that pays your wages" (business attitude)
• "Don't blame me when it goes wrong" (CISO)
• "Yes I will – you should have been more persuasive"
• Just because you're paranoid doesn't mean you're a good security officer – they're not out to get you.
• Are new technologies inherently evil?
• How do we translate these risks into policies?
• e.g. blogging policy – dangers of P2P from a liability viewpoint
• The good side of risk: it opens new horizons; no risk, no business
What could we do about it?
• Is an ISO (Information Security Officer) also a BPO (Business Prevention Officer)?
• Do you need smart cards to be secure?
• Is friendliness a security requirement?
• Is preventing access to production a good security practice?
• Is common sense a good security attitude?
• What do you have to do to be secure?
• Become a business enabler
• Investigate what is new in the world
• Watch risks, but also solutions
• Have a strategy, vision and scope, and base your judgement on policies and risks
• Share security information with competitors
• If you can't protect it – don't try it / don't classify it
• Scope what you can do
IS strategic objectives…
In control of C.I.A.A. + security structure:
• Availability (continuity)
• Confidentiality
• Integrity
• Accountability
• IS security management structure: purpose, proportionality, transparency
Strategic objectives applied to the landscape
[Diagram: nested scopes of control – in control of « My Home », « My family », « My environment »; zones A, B, C and D spanning the company and third parties; across people, process, technology and data]
What issues do we have?
• Security is an unspoken need
• Nobody wants to pay, as we take security for granted
• Security can be forgotten without direct impact
• Monitoring and control cost money – the benefits are not easy to prove or measure
• Building security onto a system is always more costly
• Security is everyone's business
• The example must come from management
• But management is not sufficiently aware of IT security issues and possibilities
• In the past, security was too much of a business stopper
• IT is complex
• IT security is everywhere – from the firewall to the IF-statement in a program
• Business does not understand IT, IT does not always understand security
The gap is big
Compliance: a burden or a benefit?
• To what? SOX, Basel, PCI DSS, privacy regulations, ISO, policies, …
• Is compliance with all of them still possible?
• Define your vision and strategy
• Cross-reference the regulations to your KPIs
• Make your strategy part of the business decisions
• Risk is a part of all decisions
• Compliance is a must:
  • The cost of compliance is always less than the cost of a breach and its consequences: reputation, recovery costs
• Compliance should NEVER be about avoiding penalties or fines
Time – the information security challenge
Always too much until it's not enough
"Before the impact, time is your friend… who runs out…"
"After the impact, time is your enemy… definitively"
Be prepared – avoid the problem before it occurs
The risk components
[Diagram: risk exposure built from threat, vulnerability, probability and potentiality, impact, the capacity to react, and the business at stake]
How to drive the organisation?
• Fear & carrots
• Budgets & ROIs = figures
• What figures do you have?
  • Incidents: not only quantity but also quality (impact)
  • Cost of controls
  • Benchmarks and models: CobiT, ITAF™, ISO, ISF, …
• Position and market the value in business terms
  • SANS (survival time), ISF (survey), ISACA?
  • Internally – per department
• What does the CEO look at?
  • Graphs and RAG schemes
  • Cost per transaction or customer
• Use your figures in graphs and RAGs
• On business level: make business managers accountable = be in their bonus
Drive your organisation with positive energy
• Be wary of fear
  • Fear is never a good adviser
  • Management does not want to have fear
• Show the benefits that come with new technology, which enables the business, and have it secured from the first go
• You will be able to say yes instead of no
• CISOs should be insurance specialists, able to show how a risk can be calculated and an ROI based on that risk
• Don't be exact – they will pin you down on figures – work with validated estimates
• Look at how marketing gets the budget without a tangible ROI and has KPIs to show it really worked
• "My interest is in the future because I'm going to spend the rest of my life there" – Woody Allen
• Is a fire extinguisher a good investment?
• Define measures for all business areas
• Be close to your business
The human factor
"There is no boundary to man's ingenuity or stupidity, and sometimes I suspect they merge spectacularly. They will always find a way to astonish you in the way they can bypass common sense." – Charles V. Pask
And the solution?
• Is it really the responsibility of IT?
• Can the CISO really do something about it?
• Look outside of the IT box – examine the whole process
• Fraud is even more present outside IT; IT makes it easier to track
• The CISO's job is to show the business how not to do it wrong
• Evaluation should contain an exam on compliance (adapted to your audience)
Back to basics (1)
• Get rid of what you don't need
  • Much cheaper than protecting it
• Focus on the real assets you need for your business
  • And protect those properly
• Protection is:
  • Backups and restores (tested!!)
  • Registration of users, but more importantly the de-registration and re-registration process
  • Identification and access (up to date!!)
• Need to help the user
  • Nothing new – people lose things
  • In the past a report; now a laptop or USB stick with many reports and much data
  • A user does not understand "No" => the security officer should find the way to do it right
Back to basics (2)
• The future may be bright, but look first at today
• Look at what happens today – know your incidents – align with the helpdesk
• Focus on real alerts – not on events
• The easiest way to fix a problem is to make it smaller
• Ensure all agree it is a problem
• Ask management what they feel would be a problem
• Should you give a tool to control the device, or protect the data with encryption?
• Give users the tools they need.
Does the CISO meet the CEO's expectations?
• The rule: classify all information assets?
  • Is this really possible, cost efficient? What else to do?
  • Explain risk
  • Define what sensitive information is and show it
  • Define what information is the basis for decisions
  • Explain the consequences of an outage
• Look out for "rewarded risk"
  • Business benefit due to risk taking
• Users want to play around
  • Every no is a reason to blame you
  • If the door is closed, they'll try the window
• Be proactive on technology and solutions
  • Find ways to help the business move forward
• The CEO uses 3 factors to evaluate his decision: embarrassment, impact and frequency
• The CISO takes many factors into consideration, such as likelihood, opportunity, recovery
• IT sees a different world than the business
• Look out: information we don't want is pushed back / forgotten
Security metrics!
• The CEO thinks in numbers, RAG (Red-Amber-Green), action plans
• Higher management:
  • Understands its business
  • Measures its performance
  • Translates for the CEO
• Ask what they want to see
• Objective, quantifiable measures against specific targets that enable an organisation to judge the effectiveness of information security in the organisation:
  • Key performance indicators
  • Business function measurements
  • Operational metrics
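The two slides on figures ("Incidents: not only quantity but also quality", "Use your figures in graphs and RAGs", "per department") and on security metrics describe a scorecard but show none. The script below is an added example, not from the presentation or from Carrefour: it reads a constructed incident register, computes a few KPIs (count, impact-weighted count, mean and worst time to restore), scores each against an assumed target to produce a Red-Amber-Green status, rolls them up to one colour for the CEO and breaks the weighted impact down per department so it can be tied to a manager's objectives. The log lines, the impact weights and the thresholds are all assumptions made for the example.

```python
"""Added example: security KPIs scored against targets and rolled up into a
Red-Amber-Green (RAG) status, with a per-department breakdown.
The incident register, impact weights and targets are constructed for the
example; they are not figures from the presentation."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed register: start | restored | severity | department | description
INCIDENT_LOG = """\
2009-03-02T08:15 | 2009-03-02T09:05 | high   | payments  | web front-end outage
2009-03-04T14:00 | 2009-03-04T14:20 | low    | hr        | phishing mail reported
2009-03-09T22:40 | 2009-03-10T03:10 | high   | logistics | malware on file server
2009-03-15T11:00 | 2009-03-15T11:30 | medium | marketing | lost USB stick with reports
2009-03-21T09:00 | 2009-03-21T09:10 | low    | payments  | failed login burst
"""

# Quality, not just quantity: weight each incident by its impact (assumed scale).
IMPACT_WEIGHT = {"low": 1, "medium": 3, "high": 9}

# Assumed targets per KPI: (amber threshold, red threshold); higher is worse.
TARGETS = {
    "incident_count": (4, 8),
    "weighted_impact": (15, 30),
    "mean_hours_to_restore": (1.0, 2.0),
    "max_hours_to_restore": (2.0, 4.0),
}


@dataclass
class Incident:
    start: datetime
    restored: datetime
    severity: str
    department: str
    description: str

    @property
    def hours_down(self) -> float:
        return (self.restored - self.start).total_seconds() / 3600


def parse_log(text: str) -> list[Incident]:
    """Parse the pipe-separated register, skipping blank lines."""
    incidents = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, restored, sev, dept, desc = [f.strip() for f in line.split("|")]
        incidents.append(Incident(datetime.fromisoformat(start),
                                  datetime.fromisoformat(restored),
                                  sev, dept, desc))
    return incidents


def kpis(incidents: list[Incident]) -> dict[str, float]:
    """The raw figures: how many, how bad, how long until restored."""
    hours = [i.hours_down for i in incidents]
    return {
        "incident_count": len(incidents),
        "weighted_impact": sum(IMPACT_WEIGHT[i.severity] for i in incidents),
        "mean_hours_to_restore": sum(hours) / len(hours) if hours else 0.0,
        "max_hours_to_restore": max(hours, default=0.0),
    }


def rag(value: float, amber: float, red: float) -> str:
    """Map a 'higher is worse' measure onto the RAG scale the CEO reads."""
    if value >= red:
        return "RED"
    if value >= amber:
        return "AMBER"
    return "GREEN"


def scorecard(incidents: list[Incident], targets=TARGETS) -> dict[str, tuple[float, str]]:
    """Each KPI with its value and its RAG status against the target."""
    values = kpis(incidents)
    return {name: (values[name], rag(values[name], *targets[name])) for name in targets}


def overall_status(card: dict[str, tuple[float, str]]) -> str:
    """One-line roll-up: the worst colour wins."""
    order = {"GREEN": 0, "AMBER": 1, "RED": 2}
    return max((status for _, status in card.values()), key=order.__getitem__, default="GREEN")


def impact_by_department(incidents: list[Incident]) -> dict[str, int]:
    """Weighted impact per department: the figure to tie to a manager's objectives."""
    totals: dict[str, int] = defaultdict(int)
    for i in incidents:
        totals[i.department] += IMPACT_WEIGHT[i.severity]
    return dict(totals)


if __name__ == "__main__":
    incs = parse_log(INCIDENT_LOG)
    card = scorecard(incs)
    for name, (value, status) in card.items():
        print(f"{name:24s} {value:8.2f}  {status}")
    print("overall:", overall_status(card))
    print("per department:", impact_by_department(incs))
```

The thresholds are where the "validated estimates" from the slide come in: agree them with the business beforehand so that a colour change is never a surprise, and keep the weighted impact next to the plain count so that one long outage is not hidden behind a quiet month.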
Conclusion
• Is there something new?
• Don't forget the basics
• Show before the reporting gets you
• Think in CEO terms
• Say yes before they implement it insecurely
(Information) security is just the basic requirement for doing business
Security – Trust – Business
versus
Insecure – No faith – No Business
No Risk – No Business
Questions?
Serge Moreno – Carrefour
Serge_moreno@carrefour.com