Final CIO Sydney Summit 2011 - IDG
TRANSCRIPT
Troy Braban, Chief Information Security Officer (CISO), Tabcorp
A simple Security Strategy for the busy CIO
July 2011
Classification: Public
Who am I? And how did I pick the short straw to be asked to talk about this “easy” topic?
Tabcorp / Echo
Tabcorp: Australia's premier gambling group with leading customer brands including TAB, Tabaret, Keno, Luxbet and TAB Sportsbet
Echo Entertainment Group: Leading entertainment brand including Star City and Jupiters Casinos
A little about me
Chief Information Security Officer
Responsible for end to end Information Security across all lines of business
Client, Consulting and Sales background
15 years of Information Security experience
Life is too short to drink bad wine…
Tabcorp’s recent Security Activities
Approved and mandated Information Security Strategy
New Information Security Executive Dashboard report now presented to the Technology Board each quarter
Major overhaul of the Information Security Policy suite based on Business requirements
Agreed Information Security Operating Model with the Business, clearly agreeing accountabilities and responsibilities
Built an internal Information Security “Centre of Excellence”
Made significant cost savings through a range of strategic and tactical projects that delivered business benefits while improving security
Launched new Information Security services
Material may not be used without permission from Troy Braban or Tabcorp Senior Management
Is anyone else sick of clouds? I am… and I promise I won’t talk about them other than this obligatory graphic which every presentation needs to have…
http://www.balancedscorecard.org/FinancialPerspective/tabid/100/Default.aspx
The CISO role often reports to a CFO or CIO. How much attention can you give to Information Security?
Major responsibilities of a Chief Information Officer
The CIO role is constantly evolving with greater demands on time, breadth of knowledge and expertise.
In other organisations Security reports into the CFO, Shared Services, or somewhere else: the challenge remains the same
It is not so much about convincing “why” – it is more about convincing “what” and “how”
I could throw all the “scary news” at you
With all of the scary numbers
Plenty of others will happily tell you those things.
I’d rather focus on what to do and how to start… how we went about it is one way – but not the only way
Ernst & Young’s Borderless Security Survey from 2010 shows me some key messages about why Information Security initiatives are often not effective
Ernst & Young Material used by Permission: Chris Nadebaum ([email protected])
One of the most interesting observations for me relates to organisations having a documented Information Security Strategy
Does your organization have a documented information security strategy for the next one to three years?
In relation to your information security strategy:
Deloitte’s 2010 Global Security Survey also shows me a significant gap in how organisations traditionally approach Information Security
Deloitte Material used by Permission: Damien Tampling ([email protected])
How often is Information Security reported to each audience:

Audience      Quarterly or Better   Semi-Annually or Better
Board         34%                   44%
CEO           38%                   50%
Senior Mgmt   58%                   66%
Information Security Key Principles
So what do we do? Commit to some key principles with your Security Lead and their team – which drive the 3 key requirements to simplify Security
Strategy
Policy
Functional Capabilities
Reporting
Operating Model
F1 F2 F3 F4 F5
Compliance
1. One Page Diagram 2. Strategy 3. Executive Dashboard
We must be able to explain it on 1 page or it is too complex
If we can’t measure it we can’t manage it
We must first understand the business so we can help them understand Information Security
It is up to us to tell people about what we are doing and what they will get for it
Be strategic not tactical whenever possible
Compliance is the minimum reason to do Security
We will work with the business to make informed risk decisions
The one page diagram must simply explain to the Board and Business what Security means for your organisation
The below “pyramid” shows a similar diagram to the one we started with. It has since evolved as our approach and organisation have matured – but the key elements remain consistent
Strategy
Security Policy
Functional Capabilities
Security Reporting
Security Operating Model
Functional Area 1
Functional Area 2
Functional Area 3
Functional Area 4
Functional Area 5
Security Compliance
Defines the strategic plans, approach, frameworks and models for Information Security
A framework to track and monitor compliance to Policy, Regulatory and Industry obligations
A series of documents that describe behaviours and activities that must be followed throughout the organisation to protect information and assets
Describes the teams, roles / responsibilities, services and approach to governance for IS activities
A framework for IS reporting to provide maturity and service metrics on IS activities
Be strategic… not tactical… long term… not short term
Build the strategy around protecting information
Make it presentable and get out there and tell people about it
Regularly update it and re-communicate it
The Information Security Strategy should help the business understand what Security is going to do and what they will get for their money
Items to include:
Why Security is important
Business context
Business environment
Threat Landscape
Industry Perspective
What is Security (the 1 Page Diagram)
What you will do (a program of work)
What the business will get
What success looks like
Then take those key areas defined in the 1 Page Diagram and report on them – If you can’t measure it you can’t manage it!
You can invest in a tool that can generate good Security Reporting from the information you already have
Or simply create a dashboard based on your framework
If you can only remember a couple of things from this presentation…
Don’t over-complicate Security – it should not be that hard
Clearly you need a good team – keep them business focused not too heavily technical
Expect more from your Security team than just keeping the lights on, not getting in the way and getting rid of SPAM
Security for the organisation can be explained in 1 page
Your Security team must have a documented Security strategy that you review, understand and agree regularly
If you can’t measure it you can’t manage it – so start measuring or stop wasting your time trying to manage
Troy Braban
Chief Information Security Officer
Tabcorp Holdings Ltd