Security Leadership: Enabling Business Transformation
John D. Johnson, Ph.D., CISSP
John Deere
Agenda
Our organizations desire to leverage IT to:
• Gain deep customer knowledge
• Gain competitive advantage
• Move into new markets
• Build and maintain brand
• Collaborate with business partners
How do we protect IT systems and data in a world where change is accelerating?
• New technologies (SMAC) mean new threats
• New business needs and processes
• Erosion of the perimeter
• The adversaries have gotten serious
Defending The Castle
The Castle Model of Defense
What is the advantage of a castle?
• The castle is built on high ground
• The castle has visibility to see enemies approaching far away
• The castle has thick, impervious walls
• Guards watch everyone coming and going
• It is very difficult and expensive for enemies to breach a castle
Why is our enterprise not a castle?
• The Internet has no high ground
• We don’t have good visibility to threats
• We have lots of holes in our walls
• We don’t inspect all the traffic coming and going
• The asymmetric problem: it is expensive to defend, but the adversary only needs to find one hole to breach the enterprise
Extended Enterprise
IT Trends: Nexus of Forces
(Figure: CoIT, Data, Mobile, Social, Cloud, Internet of Things; Threats, Regulations; Security Architecture; Risk, Opportunity.)
The “Wave” of CoIT
The Situation Today
• The boundaries are moving, the perimeter is evolving
• Threats are more sophisticated and coming at us faster; internal and external
• The way we are doing business requires new processes/technologies to spur innovation, support agility, find competitive advantage
• Customers are demanding services
• Employees are demanding mobile devices, anytime/anywhere access, flexible work/life balance
• Business partners/suppliers/vendors need access to resources and data
We cannot enable business transformation if we are still trying to defend a castle.
We need a new risk-based security model of governance, and we need to be recognized as key change agents.
Risk-Based Security Governance
• There are various risk-management models to choose from (ISO, NIST, hybrid, etc.)
• Risk is a meaningful way to express what we do to business leaders
• Standard frameworks allow us to compare against other organizations, and we should express IT security risk in a way that fits into the enterprise risk model
Our job is not to own risk; our job is to clearly explain risk and offer solutions. Executives make risk-based decisions every day.
ISO 31000 Risk Management Process
EISA Framework
Existence of formal RBSM function
Commitment to RBSM
Example RBSM Roadmap
Understand Current State
• Environment (assets (value/vulns/comp…), networks, data, applications)
• Business knowledge (requirements, processes…)
• Regulatory environment
• Threats (std process for threat modeling/assessment)
• Capability maturity
Determine Risk
Prioritize Security Portfolio
• Business alignment
• Reduce risk
• Build capabilities
Develop Metrics (tactical, strategic)
• Measure effectiveness at risk reduction
• Measure efficiency
Communicate Business Value
Cyber Risk Analysis: Threat Modeling
Target
• Data (DAR, DIM, DIU)
• Code/Software
• Services
• Databases
• Operating Systems
• Networks/Infrastructure
• Platforms/Hardware/Firmware
Threat Vector
• Copy, Exfiltrate
• Modify, Corrupt
• Destroy, Denial of Service
Threat Source
• Insider
• Hacktivists
• Motivated Hobbyist
• Corporate Espionage
• Cybercriminals
• Nation State
Requirements
• Level of knowledge required
• Ability, Expertise
• Proximity required
• Access required
• Resources required
• Time required
Motivations
• Money
• Ideology
• Coercion
• Ego
Risk
• Impact: Magnitude, Scope
• Likelihood: Event Probability
• Risk Score
Risk can be mitigated; the threat landscape remains unchanged.
Risk Scoring
Magnitude
• Cost
• Reputation
• Injury
Scope
• Localized
• Widespread
Likelihood
• Sophistication of Attack
• Access
• Mitigating Controls
• Motivation of Attacker
Risk Heat (Bubble) Map
(Figure: bubble chart with Likelihood on one axis and Impact on the other; bubbles are labelled by risk scenario number.)
Legend
• Size = Effort
• Color = Status (R/Y/G)
• Arrow = Trend, Velocity (direction, length)
Risk Scenario Prioritization
► Risk Scenario Prioritization allows us to compare the level of loss exposure from multiple scenarios, which improves our ability to prioritize effectively
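To make the threat-modeling, risk-scoring, heat-map and prioritization slides concrete, here is an added illustrative model in Python. It is not from the talk or from John Deere: the 1-5 scales, the 60% scope factor for localized events, the 15%-per-level reduction for mitigating controls, the heat-map band thresholds and the sample scenarios are all assumptions chosen for illustration, but the factors it combines are the ones the slides list (Magnitude and Scope for Impact; motivation, sophistication, access and mitigating controls for Likelihood).

```python
"""Illustrative risk-scoring model (added example, not from the talk or John Deere).

Scores threat scenarios with the factors on the slides: Impact from Magnitude
(cost, reputation, injury) and Scope; Likelihood from the motivation of the
attacker, the sophistication the attack requires, the attacker's access and the
mitigating controls in place. Scales, weights, thresholds and sample scenarios
are assumptions for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    scenario_id: int
    name: str
    cost: int            # 1-5: financial magnitude of the loss
    reputation: int      # 1-5: reputational magnitude
    injury: int          # 1-5: safety magnitude
    widespread: bool     # scope: False = localized, True = widespread
    motivation: int      # 1-5: how motivated the threat source is
    sophistication: int  # 1-5: skill/resources the attack requires (higher = harder)
    access: int          # 1-5: how readily the attacker can reach the target
    controls: int        # 1-5: strength of the mitigating controls in place
    effort: int          # 1-5: remediation effort (bubble size on the heat map)

    def __post_init__(self):
        # Reject values outside the assumed 1-5 scales so a typo cannot silently skew a ranking.
        for field_name in ("cost", "reputation", "injury", "motivation",
                           "sophistication", "access", "controls", "effort"):
            value = getattr(self, field_name)
            if not 1 <= value <= 5:
                raise ValueError(f"{field_name} must be 1-5, got {value}")


def impact(s: Scenario) -> float:
    """Impact = magnitude (worst of cost/reputation/injury) scaled by scope."""
    magnitude = max(s.cost, s.reputation, s.injury)
    scope_factor = 1.0 if s.widespread else 0.6   # assumed: localized events count 60%
    return magnitude * scope_factor               # 0.6 .. 5.0


def likelihood(s: Scenario) -> float:
    """Likelihood from motivation, ease of attack and access, reduced by controls."""
    ease = 6 - s.sophistication                   # a sophisticated attack is less likely
    raw = (s.motivation + ease + s.access) / 3    # 1.0 .. 5.0
    reduction = (s.controls - 1) * 0.15           # assumed: each control level removes 15%
    return raw * (1 - reduction)                  # controls at 5 leave 40% of the raw value


def risk_score(s: Scenario) -> float:
    """Risk score = Impact x Likelihood, rounded to one decimal (maximum 25.0)."""
    return round(impact(s) * likelihood(s), 1)


def prioritize(scenarios):
    """Order scenarios by loss exposure, highest risk score first."""
    return sorted(scenarios, key=risk_score, reverse=True)


def band(value: float) -> str:
    """Assumed heat-map bands on the 0-5 axes."""
    if value >= 3.5:
        return "High"
    if value >= 2.0:
        return "Medium"
    return "Low"


def heat_map_cell(s: Scenario):
    """(Likelihood band, Impact band): where the scenario's bubble lands on the heat map."""
    return band(likelihood(s)), band(impact(s))


def with_controls(s: Scenario, controls: int) -> Scenario:
    """Residual-risk view: stronger mitigating controls, same threat landscape."""
    return replace(s, controls=controls)


# Constructed sample scenarios (not real risk data).
SAMPLE_SCENARIOS = [
    Scenario(1, "Lost laptop holding customer data", cost=3, reputation=4, injury=1,
             widespread=False, motivation=2, sophistication=1, access=4, controls=2, effort=2),
    Scenario(2, "Ransomware reaching engineering file shares via phishing", cost=5, reputation=4,
             injury=1, widespread=True, motivation=5, sophistication=2, access=3, controls=2, effort=4),
    Scenario(3, "Nation-state tampering with factory firmware", cost=4, reputation=4, injury=5,
             widespread=True, motivation=3, sophistication=5, access=2, controls=4, effort=5),
    Scenario(4, "Shared partner-portal accounts expose dealer data", cost=2, reputation=3,
             injury=1, widespread=False, motivation=3, sophistication=1, access=5, controls=1, effort=3),
]

if __name__ == "__main__":
    for s in prioritize(SAMPLE_SCENARIOS):
        lik, imp = heat_map_cell(s)
        print(f"#{s.scenario_id} {s.name}: score={risk_score(s)} "
              f"(likelihood={lik}, impact={imp}, effort={s.effort})")
    hardened = with_controls(SAMPLE_SCENARIOS[1], 5)
    print(f"#2 after raising controls to 5: score={risk_score(hardened)}")
```

Two things the ranking shows that the slides state only in words: the firmware scenario has the highest magnitude yet lands last, because the sophistication required and the controls in place pull its likelihood down, and raising the ransomware scenario's controls from 2 to 5 lowers its score from 17.0 to 8.0 while leaving its impact untouched, which is the slide's point that risk can be mitigated while the threat landscape remains unchanged. The `effort` field is what would size the bubble on the heat map when choosing which of two similarly scored scenarios to fund first.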
Choose Effective Security Controls
As the security program matures, more fundamental pieces will be in place to support the advanced toolsets and capabilities necessary to protect against more advanced threats and respond faster to attacks.
Security Capability Maturity Model
1 Informal
2 Planned & Tracked
3 Well Defined
4 Quantitatively Controlled
5 Continuously Improving
Improved ability to anticipate, execute & respond
Capability Maturity
Assess capabilities and develop a roadmap to mature
BSIMM
IT Security Metrics
A consistent risk-based approach allows you to prioritize the security portfolio and express security value to your executives
• You can manage things you can’t measure
• Quantitative metrics are great when you can get them (automated, reliable)
• Don’t let large error bars and uncertainty keep you from getting started
• Find consistent ways to express KRIs and KPIs that are meaningful to the business
• (Scott Borg) There are things you didn’t know you could quantify: reputation harm, customer trust & loyalty, etc.
Use of metrics to determine RBSM effectiveness
Wrap Up
• There are no magic buttons for security
• Doing something is better than doing nothing
Questions:
• How many of you use RBSM? Why? What are the results?
• How have you gained “business knowledge”?
• Do you use a CMM? Are you maturing capabilities? Are you comparing to others?
• Do you have an IT security metrics program? Successful?
• Can you share examples of how you communicate the value of IT Security to your executives?
• Are you seen as a change agent?