Final CIO Sydney Summit 2011 - IDG

A simple Security Strategy for the busy CIO

Brought to you by: Troy Braban, Chief Information Security Officer (CISO)

Page 1

Brought to you by:

Troy Braban, Chief Information Security Officer (CISO)

A simple Security Strategy for the busy CIO

Page 2

Troy Braban, Chief Information Security Officer, Tabcorp

A simple Security Strategy for the busy CIO

July 2011

Classification: Public

Page 3

Who am I? And how did I pick the short straw to be asked to talk about this “easy” topic?

Tabcorp / Echo

- Tabcorp: Australia's premier gambling group with leading customer brands including TAB, Tabaret, Keno, Luxbet and TAB Sportsbet
- Echo Entertainment Group: Leading entertainment brand including Star City and Jupiters Casinos

A little about me

- Chief Information Security Officer
- Responsible for end to end Information Security across all lines of business
- Client, Consulting and Sales background
- 15 years of Information Security experience
- Life is too short to drink bad wine…

Tabcorp’s recent Security Activities

- Approved and mandated Information Security Strategy
- New Information Security Executive Dashboard report now presented to Technology Board each quarter
- Major overhaul of Information Security Policy suite based on Business requirements
- Agreed Information Security Operating Model with the Business, clearly agreeing accountabilities and responsibilities
- Built an internal Information Security “Centre of Excellence”
- Made significant cost savings through a range of strategic and tactical projects that delivered business benefits while improving security
- Launched new Information Security services

Material may not be used without permission from Troy Braban or Tabcorp Senior Management

Page 4

Is anyone else sick of clouds? I am… and I promise I won’t talk about them other than this obligatory graphic which every presentation needs to have…

Page 5

http://www.balancedscorecard.org/FinancialPerspective/tabid/100/Default.aspx

The CISO role often reports to a CFO or CIO. How much attention can you give to Information Security?

Major responsibilities of a Chief Information Officer

The CIO role is constantly evolving with greater demands on time, breadth of knowledge and expertise.

In other organisations Security reports into the CFO, Shared Services, or somewhere else: the challenge remains the same.

Page 6

It is not so much about convincing “why” – it is more about convincing “what” and “how”

I could throw all the “scary news” at you, with all of the scary numbers. Plenty of others will happily tell you those things.

I’d rather focus on what to do and how to start… how we went about it is one way – but not the only way

Page 7

Ernst & Young’s Borderless Security Survey from 2010 shows me some key messages about why Information Security initiatives are often not effective

Ernst & Young Material used by Permission: Chris Nadebaum ([email protected])

Page 8

Ernst & Young Material used by Permission: Chris Nadebaum ([email protected])

One of the most interesting observations for me relates to organisations having a documented Information Security Strategy

Survey question: Does your organization have a documented information security strategy for the next one to three years?

In relation to your information security strategy:

Page 9

Deloitte’s 2010 Global Security Survey also shows me a significant gap in how organisations traditionally approach Information Security

Deloitte Material used by Permission: Damien Tampling ([email protected])

How often is the audience briefed on Information Security:

  Audience      Quarterly or Better   Semi-Annually or Better
  Board         34%                   44%
  CEO           38%                   50%
  Senior Mgmt   58%                   66%

Page 10

Information Security Key Principles

So what do we do? Commit to some key principles with your Security Lead and their team – which drive the 3 key requirements to simplify Security:

1. One Page Diagram
2. Strategy
3. Executive Dashboard

(The One Page Diagram shown on the slide has the elements Strategy, Policy, Functional Capabilities F1 to F5, Reporting, Operating Model and Compliance; it is expanded on Page 11.)

Key principles:

- We must first understand the business so we can help them understand Information Security
- It is up to us to tell people about what we are doing and what they will get for it
- Be strategic not tactical whenever possible
- Compliance is the minimum reason to do Security
- We will work with the business to make informed risk decisions
- We must be able to explain it on 1 page or it is too complex
- If we can’t measure it we can’t manage it

Page 11

The one page diagram must simply explain to the Board and Business what Security means for your organisation

The below “pyramid” shows a similar diagram to the one we started with. It has since evolved as our approach and organisation have matured – but the key elements remain consistent

- Strategy: Defines the strategic plans, approach, frameworks and models for Information Security
- Security Policy: A series of documents that describe behaviours and activities that must be followed throughout the organisation to protect information and assets
- Functional Capabilities: Functional Area 1, Functional Area 2, Functional Area 3, Functional Area 4, Functional Area 5
- Security Reporting: A framework for IS reporting to provide maturity and service metrics on IS activities
- Security Operating Model: Describes the teams, roles / responsibilities, services and approach to governance for IS activities
- Security Compliance: A framework to track and monitor compliance to Policy, Regulatory and Industry obligations

Page 12

- Be strategic… not tactical… long term… not short term
- Build the strategy around protecting information
- Make it presentable and get out there and tell people about it
- Regularly update it and re-communicate it

The Information Security Strategy should help the business understand what Security is going to do and what they will get for their money

Items to include:

- Why Security is important
- Business context: Business environment, Threat Landscape, Industry Perspective
- What is Security (the 1 Page Diagram)
- What you will do (a program of work)
- What the business will get
- What success looks like

Page 13

Then take those key areas defined in the 1 Page Diagram and report on them – If you can’t measure it you can’t manage it!

You can invest in a tool that can generate good Security Reporting from the information you already have, or simply create a dashboard based on your framework.

Page 14

If you can only remember a couple of things from this presentation…

- Don’t over complicate Security – it should not be that hard
- Clearly you need a good team – keep them business focused, not too heavily technical
- Expect more from your Security team than just keeping the lights on, not getting in the way and getting rid of SPAM
- Security for the organisation can be explained in 1 page
- Your Security team must have a documented Security strategy that you review, understand and agree regularly
- If you can’t measure it you can’t manage it – so start measuring or stop wasting your time trying to manage

Page 15

Troy Braban

Chief Information Security Officer, Tabcorp Holdings Ltd

[email protected]