3 Executive Strategies to Reduce Your IT Risk

21 slides

Uploaded by: lumension

Posted on 08-Jun-2015

Category: Technology

DESCRIPTION

Do you want to know how ‘best-of-breed’ enterprises prioritize their IT risk? Join Richard Mason, Vice President & Chief Security Officer at Honeywell, whose team is responsible for global security, during a roundtable discussion with Pat Clawson, Chairman & CEO of Lumension and Roger Grimes, Security Columnist & Author. Uncover strategies beyond traditional antivirus signatures and learn a more holistic approach to effective risk management. Find out ‘how’ and ‘why’ you can make security a prioritized function within your organization. Join this expert panel webcast to learn how to:

1) Understand your business audiences and evaluate their risk tolerance

2) Leverage reputation management services that are appropriate for your organization

3) Utilize realistic change management to secure prioritized data depositories

TRANSCRIPT

Page 1: 3 Executive Strategies to Reduce Your IT Risk

3 Executive Strategies to Prioritize Your IT Risk

• Roger A. Grimes

• Rich Mason

• Pat Clawson

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Page 2

Today’s Agenda

How to Evaluate Risk Tolerance

Leveraging Reputation Management Services

How to Secure Prioritized Data Depositories

Recommendations

Page 3

Today’s Panelists

Rich Mason, VP & Chief Security Officer, Honeywell

Pat Clawson, Chairman & CEO, Lumension

Roger A. Grimes, Security Consultant, Author and Columnist

Page 4

How to Evaluate Risk Tolerance

Page 5

How to Evaluate Risk Tolerance

False understanding of risk tolerance:

» IT and management accept little to no risk

or

» Only accept risks that do not lead to compromise of critical assets

Page 6

How to Evaluate Risk Tolerance

The Truth:

» Every company accepts some level of risk

» Too expensive to eliminate all risks

» Acceptable risk is not even across all asset classes

» Security is not just a technology problem

» What is the acceptable risk tolerance?

Page 7

How to Evaluate Risk Tolerance

“It’s a boardroom issue”

» Let senior management be the risk deciders

» IT should supply the facts so senior management can make the best decisions

» Real life: Picking battles vs. productivity, prioritizing, making choices, and then following through

Page 8

How to Evaluate Risk Tolerance

» Compliance does not always equal security

» Checklist security doesn’t always equal security

» All security solutions will have weaknesses

Page 9

How to Evaluate Risk Tolerance

» Must know your threats and risks

» Job #1 is Inventory: What assets are you protecting?

  • Not as easy as it first appears

» Who is attacking you and why?

» Malware, APT, DDoS, Financial gain, etc.

  • History is a great indicator of future attacks

» Attacker personas

» Attacker personas

Page 10

How to Evaluate Risk Tolerance

» Not all assets and data should be protected equally

» What are your “golden egg” assets?

» Often defined by physical assets

» Better to define by application, service, and database

» Must consider all the supporting infrastructure

  • Often contains your most valuable data

Page 11

Leveraging Reputation Management Services

Page 12

Leveraging Reputation Management Services

» In the real world, we often rely upon a person’s or company’s reputation before we interact with them

» The same concept is becoming increasingly true in the digital world

» Another way to say it is “trust” or assurance

Page 13

Leveraging Reputation Management Services

» We should allow greater access and apply fewer investigative controls to processes and users we trust more

Page 14

Leveraging Reputation Management Services

Examples:

» Content Filtering/Inspection

» PKI and Digital Certificates

» Trusted Publishers/Application Trust vs. Reputation

Page 15

How to Secure Prioritized Data Depositories

Page 16

How to Secure Prioritized Data Depositories

» You can’t secure everything equally, so give your most valuable assets the strongest protection

» Inventory

» Identify owners

» Identify related infrastructure

» Identify threats and risks to all involved assets

» Build strong controls for these assets

Page 17

How to Secure Prioritized Data Depositories

» Two-factor authentication

» Separate networks

» Separate forests/domains

» Computer hardening

» Computer and port isolation

» Faster patching

» Less access to the Internet and other systems

» Strong auditing and alerting

Page 18

Recommendations

Page 19

Recommendations

» Clearly define your critical infrastructure

» Work with end users and with senior management to set risk tolerances

» Communicate the possible threats

» Focus on Attack Vectors, Not Malware Family Names

» Don’t try to protect everything equally

» Plan for security control failure

» Plan for unequal application of controls and gaps

Page 20

Recommendations

» Measure and Improve Consistency

» Create Reports With Actionable Metrics

Page 21

Questions?