TRANSCRIPT
9/6/18 CONFIDENTIAL 1
Building Resiliency into Your Security Program
Charlotte ISSA Summit, May 10, 2018
Introduction
Gary Sheehan - As CSO of ASMGi, Gary is responsible for all security matters of the organization and for managing the design, delivery and implementation of GRC customer solutions.
linkedin.com/in/garyjsheehan/
Abstract
Are you satisfied with your security program and its effectiveness, or is it time to take a new approach to protecting your organization and your organization's assets?
Agenda, Overview and Objectives
• Understanding Resiliency
• Using Resiliency Concepts for Security and Security Concepts for Resiliency
  • People
  • Process
  • Technology
• Wrap Up
Understanding Enterprise Resiliency
Enterprise Resiliency
Resiliency is the ability of an organization to anticipate, prepare for, and respond and adapt to incremental or chronic change and sudden disruptions, as well as minor everyday events and acute shocks, in order to survive and prosper.
• Resiliency is a strategic objective intended to help an organization to survive and prosper.
• Resiliency is a goal, not a fixed activity or state.
• Resiliency is a relative, dynamic concept and, as such, an organization can only be more or less resilient.
• Resiliency is not just disaster recovery and business contingency planning.
Understanding Enterprise Resiliency
Enterprise | Organization | Company | Business
• Not necessarily interchangeable, but often used to mean the same thing.
• Can represent a hierarchy within a company.
• Be aware of the subtle difference in meanings between organizations.
Understanding Enterprise Resiliency
Enterprise Resiliency is the ability an organization has to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and overall brand equity.
Governance, Risk and Compliance are critical components of Enterprise Resiliency.
Understanding Enterprise Resiliency
Security Program Resiliency
You know your Security Program is resilient when:
• It can anticipate, prepare for, and respond and adapt to incremental or chronic change and sudden disruptions in the organization.
• It can anticipate, prepare for, and respond and adapt to incremental or chronic changes in your organization's business, security and compliance requirements.
• It can anticipate, prepare for, and respond and adapt to incremental or chronic changes in the threats, threat agents and threat trends that affect your organization.
Understanding Enterprise Resiliency
Benefits / Challenges
Understanding Enterprise Resiliency
Benefits of Resiliency
• Competitiveness: The behaviors that an organization develops as part of a resilient culture can also help to build innovation and common values and vision, and develop an ability to anticipate and adapt to change and evolve the business model.
• Coherence: Resilience both requires and allows organizational silos to become more integrated and interoperable.
• Efficiency and Effectiveness: Working within a coherent and integrated framework has time- and cost-saving implications.
Understanding Enterprise Resiliency
Benefits of Resiliency (continued)
• Reputation: The coherent framework built by resilience supports the organization in understanding and acting on the interdependency of brand, trust and reputation, thereby managing and enhancing its reputation.
• Societal/Community Resilience: Resiliency can also give assurance to other interested parties, such as regulators, third parties, government, customers, partners and shareholders.
Understanding Enterprise Resiliency
Challenges
• Understanding when to take action.
• Resolving potential tensions between cost and resilience in building just-in-time processes and just-in-case redundancy.
• Determining an appropriate trade-off between controlling costs and achieving greater resilience.
• Identifying when to embrace new values rather than persisting with existing behaviors.
Understanding Enterprise Resiliency
Challenges (continued)
• Resolving conflicts between the need to keep information from competitors and the need to share information for resilience when collaborating with others.
• Identifying legal and regulatory constraints, as well as voluntary codes adopted by different sectors, that can limit desirable resilience actions.
Each organization comes to its own decisions on these issues according to the amount and type of risk it is willing to pursue or retain, and the amount it is willing to invest in resilience.
Resiliency – The New Model For Security
BASED ON FRAMEWORKS
A framework is an extensible structure for documenting and implementing a set of concepts, processes, methods, technologies, procedures and cultural changes necessary for a complete product.
By aligning the framework objectives to enterprise strategies, the framework helps to keep the focus on achieving the goals of the enterprise.
Provides: Consistency, Standardization, Measurement, Efficiencies
Resiliency – The New Model For Security
[Diagram: the model's three elements - People, Process, Function/Technology]
Resiliency – The New Model For Security
[Diagram: People, Process, Function/Technology, with Team/Leadership and the BS 65000, ISO and NIST frameworks]
Resiliency – The New Model For Security
This model will provide: Clarity, Commitment, Alignment, Collaboration, Standardization, Measurement
This model requires: Cultural Change, Commitment, Accountability, Leadership, Participation, Support
Resiliency – The New Model For Security
[Diagram: Enterprise Resiliency, GRC, Workflows]
Understanding Enterprise Resiliency
Hierarchy from the enterprise down to the individual:
• Enterprise Strategy
• Enterprise Mission and Vision
• Business Goals and Objectives
• Business Tools and Critical Processes
• Department's Goals and Objectives
• Department's Tools and Critical Processes
• Your Tools and Critical Assets
• You
Are You Informed, Aligned and Engaged?
Resiliency – The New Model For Security
[Diagram: People, Process, Technology, with Team/Leadership and the BS 65000, ISO and NIST frameworks]
BS 65000:2014
BS 65000:2014 gives guidance on building enterprise resilience by:
• Clarifying the nature and scope.
• Identifying the principal components of resilience.
• Identifying and recommending good practice.
BS 65000:2014
"Resilience requires the ability to make good decisions informed by an understanding of what the organization stands for and where it is trying to go, the organization's environment, what matters to the organization and what resources it has at its disposal." ~ The British Standards Institution, 2014
Actions necessary to make the organization more resilient.
BS 65000:2014
Building a Foundation for Resiliency
The fundamental attributes that define the attitudes that shape decisions and actions, and ultimately underpin resiliency, are:
• Governance and Accountability
  • The systems of rules, structures and processes that drive coherent decision making within acceptable parameters of cost, risk and speed contribute to resilience.
• Leadership and Culture
  • Staff should be appropriately empowered by a culture of trust, openness and innovation.
• Common Vision and Purpose
  • Should be recognized and shared throughout the organization.
BS 65000:2014
Building Resiliency
Resiliency requires the ability to make good decisions informed by an understanding of what the enterprise stands for and where it is trying to go, the business environment, what matters to the enterprise and what resources it has at its disposal.
Actions include:
• Be informed
• Set direction
• Bring coherence
• Develop adaptive capacity
• Strengthen the organization
• Validate and review
Resiliency – The New Model For Security
[Diagram: People, Process, Technology, with Team/Leadership and the BS 65000, ISO and NIST frameworks]
Security Frameworks - ISO 27x
• The standard "establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization".
• The actual controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment.
• The standard is also intended to provide a guide for the development of organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.
Security Frameworks - NIST
International Harmonization and Context
• The Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure.
• The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.
Security Frameworks - NIST
In February 2013, President Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. It directed NIST to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines, and practices, for reducing cybersecurity risks.
"The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats." ~ Section 1 of the Executive Order ~
Resiliency – The New Model For Security
[Diagram: People, Process, Technology, with Team/Leadership and the BS 65000, ISO and NIST frameworks]
7.0 - Building a Team for Resiliency
ACHIEVING TRUST
• Trust is knowing that when a team member does push you, they're doing it because they care about the team
• Good intentions - no reason to be protective or careful around the group
• Take risks in offering feedback and assistance
• Appreciate and tap into one another's skills and experiences
• Focus time and energy on important issues, not politics
7.0 - Building a Team for Resiliency
MASTERING CONFLICT
• The desire to preserve artificial harmony stifles the occurrence of productive ideological conflict
• Great teams do not hold back with one another. They are unafraid to air their dirty laundry. They admit their mistakes, their weaknesses, and their concerns without fear of reprisal
• Have lively, interesting meetings
• Extract and exploit the ideas of all team members
• Solve real problems quickly
7.0 - Building a Team for Resiliency
ACHIEVING COMMITMENT
• The lack of clarity or buy-in prevents team members from making decisions they will stick to
• Organizations need trust and conflict so people can fully commit
• Most reasonable people just need to be heard and to know that their input was considered and responded to
• Creates clarity around direction and priorities
• Aligns the entire team around common objectives
• Develops an ability to learn from mistakes
• Leaders must communicate the results to their teams
7.0 - Building a Team for Resiliency
ACCOUNTABILITY
• Every team member is responsible for holding the team accountable
• Applies to ALL LEVELS of the organization
• Accountability to Trust, Conflict and Commit
• Helps poor performers improve
• Identifies potential problems quickly
• Establishes respect among team members
• Avoids excessive bureaucracy
7.0 - Building a Team for Resiliency
RESULTS
• The pursuit of collective success must be #1
• Clarity - Make results so clear that no one would even consider doing something purely to enhance his or her individual status or ego
• Retains achievement-oriented employees
• Minimizes individualistic behavior
• Enjoys success and suffers failure as a team
Wrap Up
Resiliency/Security must be embedded throughout the organization, cutting across silos, organizational structures and hierarchies, with operational activities aligned to strategic priorities.
Building a resilient workgroup, department, business unit, organization or company is hard work - for EVERYONE.
Resilience/Security is inherently relative, and no organization, person, network or system can be absolutely resilient or secure, as they experience constant change and operate under varying degrees of uncertainty and risk.
• Everyone in an organization plays a role in resiliency/security.
• You must understand your business and the role you play in helping your organization achieve resiliency/security.
• All employees must be active participants in the resiliency plan/security plan.
• Don't be the missing piece!