3 Executive Strategies to Reduce Your IT Risk
DESCRIPTION
Do you want to know how ‘best-of-breed’ enterprises prioritize their IT risk? Join Richard Mason, Vice President & Chief Security Officer at Honeywell, whose team is responsible for global security, during a roundtable discussion with Pat Clawson, Chairman & CEO of Lumension, and Roger Grimes, Security Columnist & Author. Uncover strategies beyond traditional antivirus signatures and learn a more holistic approach to effective risk management. Find out ‘how’ and ‘why’ you can make security a prioritized function within your organization. Join this expert panel webcast to learn how to:
1) Understand your business audiences and evaluate their risk tolerance
2) Leverage reputation management services that are appropriate for your organization
3) Utilize realistic change management to secure prioritized data depositories
TRANSCRIPT
3 Executive Strategies to Prioritize Your IT Risk
• Roger A. Grimes
• Rich Mason
• Pat Clawson
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Today’s Agenda
How to Evaluate Risk Tolerance
Leveraging Reputation Management Services
How to Secure Prioritized Data Depositories
Recommendations
Today’s Panelists
• Rich Mason, VP & Chief Security Officer, Honeywell
• Pat Clawson, Chairman & CEO, Lumension
• Roger A. Grimes, Security Consultant, Author and Columnist
How to Evaluate Risk Tolerance
False understanding of risk tolerance:
» IT and management accept little to no risk
or
» They only accept risks that do not lead to compromise of critical assets
How to Evaluate Risk Tolerance
The Truth:
» Every company accepts some level of risk
» Too expensive to eliminate all risks
» Acceptable risk is not even across all asset classes
» Security is not just a technology problem
» What is the acceptable risk tolerance?
How to Evaluate Risk Tolerance
“It’s a boardroom issue”
» Let senior management be the risk deciders
» IT should supply the facts so senior management can make the best decisions
» Real life: Picking battles vs. productivity, prioritizing, making choices, and then following through
How to Evaluate Risk Tolerance
» Compliance does not always equal security
» Checklist security doesn’t always equal security
» All security solutions will have weaknesses
How to Evaluate Risk Tolerance
» Must know your threats and risks
» Job #1 is Inventory: What assets are you protecting?
• Not as easy as it first appears
» Who is attacking you and why?
» Malware, APT, DDoS, financial gain, etc.
• History is a great indicator of future attacks
» Attacker personas
How to Evaluate Risk Tolerance
» Not all assets and data should be protected equally
» What are your “golden egg” assets?
» Often defined by physical assets
» Better to define by application, service, and database
» Must consider all the supporting infrastructure
• Often contains your most valuable data
Leveraging Reputation Management Services
Leveraging Reputational Mgmt. Services
» In the real world, we often rely upon a person or company’s reputation before we interact with them
» The same concept is becoming increasingly true in the digital world
» Another way to say it is “trust” or assurance
Leveraging Reputational Mgmt. Services
» We should allow greater access and have less investigative controls on processes and users we trust more
Leveraging Reputational Mgmt. Services
Examples
» Content Filtering/Inspection
» PKI and Digital Certificates
» Trusted Publishers/Application Trust vs Reputation
How to Secure Prioritized Data Depositories
How to Secure Prioritized Data Depositories
» You can’t secure everything equally, so better protect your most valuable assets
» Inventory
» Identify owners
» Identify related infrastructure
» Identify threats and risks to all involved assets
» Build strong controls for these assets
How to Secure Prioritized Data Depositories
» Two-factor authentication
» Separate networks
» Separate forests/domains
» Computer hardening
» Computer and port isolation
» Faster patching
» Less access to the Internet and other systems
» Strong auditing and alerting
Recommendations
» Clearly define your critical infrastructure
» Work with end users and with senior management to set risk tolerances
» Communicate the possible threats
» Focus on attack vectors, not malware family names
» Don’t try to protect everything equally
» Plan for security control failure
» Plan for unequal application of controls and gaps
Recommendations
» Measure and improve consistency
» Create reports with actionable metrics
Questions?