Doomed by Design: Unearthing the Problems with Government Security Programs Christopher Buse Assistant Commissioner & State CISO June 12, 2014
AGENDA • State of the States • Minnesota Plan • Q&A
The State of the States: A National Lens • Security significantly underfunded • Diverse security posture between states • Underlying data soft and sometimes unavailable • Fragmented governance
State of IT Security: % of IT budget spent on security • Most states spend only 1-2% of their IT budget on security
Authority • Good news: The enterprise CISO position is now firmly entrenched in most states • Bad news: The enterprise CISO position is often one of coordinating cross-agency resources • Limited ability to drive actions across organizational boundaries • Security spend outside the control of the CISO
Pillars of Success • Executive support • Freedom to act • Comprehensive plan • Resources • Is your state security program doomed by design?
It’s Not Just Retail … • One of over 2,000 negative headlines on the recent South Carolina breach • Headline: “Hackers gain access to 780,000 individual health records”
What About Us? • Minnesota: a microcosm of the national scene • Strong executive support • Strategic and tactical plans • Security spend is insufficient • 2010 legislative study: State of Minnesota spend is 2% of state budget vs. industry standard investment of 5% • Overall reduction in security spend in FY13 • Silos of agency-based IT • Restricted our ability to leverage economies of scale • Hampered our ability to implement enterprise security strategies
IT Security Consolidation Plan • Published in April 2014 • Describes the desired end state, yet recognizes • Reaching that end state will take a long-term commitment • We need to use our existing resources better • Outlines a shift in the service delivery model • Establishes centrally delivered services • Creates line of business security teams • Details the breakdown of work between central and line of business teams • Focuses on a subset of services to address first
The Basic Concept: Consolidated Services [diagram: Information Security program management; Enterprise Services Delivered to All] • We will reorganize security resources into a single management structure that creates consistency and aligns resources • Those services deemed to be enterprise services will be delivered by a centralized security team
The Basic Concept: Close-to-Business Services [diagram: Close-to-Business Security, Clusters 1-6] • Even if we consolidate the common security services, we still don’t have the resources for each agency-based office to manage close-to-the-business security services • Our plan is to cluster security teams into “lines of business” to provide close-to-the-business services to groups of agencies with similar business/security requirements … sharing resources, but keeping the specialization where it needs to be
The Basic Concept: Effective Allocation of Resources [diagram: Information Security program management; Clusters 1-6, each delivering close-to-the-business services; Enterprise Services Delivered to All] • Staff will be assigned to a cluster or to the enterprise services based on their current work and expertise
Realigning Work • Close-to-the-business services focus on implementation at the business and application level • Single management conserves resources and drives consistency • Enterprise delivers common functions and tools to all [diagram of services: Identity and Access Management; Information Security Risk and Compliance; Business Continuity and Disaster Recovery; Information Security Training and Awareness; Secure System Engineering; Information Security Program Management; Continuous Vulnerability Management; Information Security Incident Response and Forensics; Boundary Defense; Physical Security; Endpoint Defense; Information Security Monitoring]
Lines of Business [chart: six lines of business with values 23, 10, 7, 10, 12 and 11; units not given on the slide]
A Look Ahead: Industry Trends [charts: Does your organization have a central security team? Does your organization have local security groups?] • Conclusion: MN.IT’s proposed model aligns well with national trends
Priority Services • Selected through planning team consensus • Represent highest payback from a risk perspective • Plan focuses on rollout of priority services first • Plan does not include all service delivery details • Secure Systems Engineering • Continuous Vulnerability Management • Information Security Program Management • Boundary Defense • Information Security Monitoring
IT Security Consolidation: Value Proposition • MN.IT can provide a full suite of security services to all customers • Cost to the customer far less than ramping up alone • Better service, as expertise is shared • More agile service: getting the experts when and where they need to be • More job opportunities and specialization skills for employees • Will it be perfect? • Priorities will still have to be set, but they will be done at an enterprise level • No agency can “opt out” of security
Beneficiaries • Customers • Existing resources used as efficiently and effectively as possible • Consistent security practices • Metrics to understand security posture • MN.IT Services • More specialization and deeper bench strength • Clear priorities for the enterprise • Reduction in single points of failure • More career opportunities for staff • Better understanding of our risk posture
Final Thoughts • Auditing applications is easy and safe • Policymakers may be better served by an assessment of your state security program’s foundation • Executive support • Freedom to act • Funding • Comprehensive plans
Thank you! Chris.Buse@State.MN.US @BuseTweet