TRANSCRIPT
David A. Cass, CISO Cloud and SaaS Operations October 5, 2015
Information Security and the Innovator’s Dilemma
A notable quote
“Strategy without tactics is the slowest route to victory.
Tactics without Strategy is the noise before defeat.”
- Sun Tzu
Agenda
We will review the external and internal factors and the threat landscape that are driving change. We will discuss failure modes and how to overcome them, look at innovation drivers, present a framework for innovation, and cover how to execute on an innovation strategy.
• What’s Changed?
• Why CISOs fail
• Enabling Innovation
• Execution
• Wrap Up
What’s changed – In the news
• 2015 as the year of escalating breaches
  – Retail breaches
    • 40 to 60+ million card holders impacted
    • Cost of breaches estimated in the billions of dollars
  – Medical records
    • 80 million social security numbers exposed
    • The cost per record breached for healthcare organizations is $363*
  – Entertainment industry
    • Corporate network taken over
    • Exfiltration of movies
    • Loss of corporate emails, PII, and more
  – Government
    • Personnel data of 4.2 million current and former Federal government employees stolen
    • Background investigation records of current, former, and prospective Federal employees and contractors
    • More than 21 million SSNs and 5.6 million fingerprint records
• External Factors – Privacy
  – More than 80 countries with privacy laws
  – US vs. EU vs. APAC definitions
  – Opt in vs. opt out
What’s Changed?
• External Factors – Law & Cyber
  – HIPAA, GLBA, MA, CA…
• External Factors – Cloud
  – Fundamental change to the way people work
  – Mobile apps, BYOD, social, big data, IoT
What’s Changed?
• Internal Factors
  – Expectations of the workforce
  – Insider threat
  – Changes in IT staff core competencies
  – Increased focus on risk management
What’s Changed?
Threat Landscape - Then
Enterprises:
• Captive workforce
• Desktops & laptops
• Corporate network with VPN for remote workers
• Corporate owned devices
Attackers:
• Rogue individuals
• Motivated by the challenge
• Little or no financial gain
Attacks:
• Noisy
• Server side/infrastructure vulnerabilities
• Noticeable
• Damaging & costly but not complicated to remediate
Threat Landscape - Now
Enterprises:
• Highly mobile workforce
• Smartphones & tablets
• Use of home Wi-Fi, free Wi-Fi, and cellular connections
• Corporate owned devices
Attackers:
• Organized
• Well funded
• Highly skilled
• Organized crime
• Financial/political gain
Attacks:
• Stealthy
• Applications, databases, and social engineering
• Hard to detect
• Goal is data exfiltration
Innovation Drivers
• Companies are very vulnerable to disruption
• Low barrier to entry
• Disruption defined: the same value delivered in different ways
• Time to market is critical
• Innovation allows companies to pivot
Guidelines / Framework for Innovation
1. Research first
2. Innovate process at small scales
   – Improves ability to deliver
   – Allows everyone to innovate
3. Share as much as you can
   – Break down silos
   – Transparency = speed
4. Sell it before you make it
   – See what works
   – Get traction
   – Don’t build solutions in search of problems
5. Act responsibly
   – Reputation
   – Say what you do and do what you say!
   – Aspirational vs. attainable
How can Security Innovate?
• Understand what the Critical Business Knowledge is
• Business transformation
• Policies, standards, training & awareness
• Communications at the board and exec level
• Privacy and security by design
Innovation
• Critical Business Knowledge
  – Define it
    • Is it a source of competitive advantage?
    • Is there a regulatory requirement?
  – Define a goal
Innovation
• Business Transformation
  – What is the experience we want?
  – How do we deliver what they want?
  – Transparency
Innovation
• Policies & Standards
  – Right size them
  – 1 page with bullet points
• Training & Awareness
  – Deliver the message in the way people consume information today
Innovation
• Communications at the Board and Exec Level
  – Become a better storyteller
  – Frame the conversation using FORR
    • Financial
    • Operational
    • Reputational
    • Regulatory
• Practice Privacy by Design
  – Proactive not reactive
  – Privacy as the default setting
  – Privacy embedded into design
Innovation
• Practice Privacy by Design (continued)
  – Full functionality
  – End-to-end security: full life cycle protection
  – Visibility and transparency
  – Respect for user privacy
Innovation
• Security by Design
  – Protect the data and application
  – Security awareness training
  – Partner with the business
    • M&A process
    • Cloud
Innovation
• Security by Design
  – Risk & assurance
  – Application security COE
  – Security architecture
  – Incident response
Execution - Putting Innovation to work
• Strategy is the starting point of execution
  – Clear and relatively simple
  – You need to know what really matters
• To execute you need:
  – Alignment
  – Agility
  – Coordination
Executing Strategy
• Is low price a strategy?
• Strategy is not:
  – A string of buzzwords
  – A vision statement
  – A financial projection
Wrap up
• Innovation requires that you understand the way the business works
• Apply the principles for innovation
• Use the strategy execution triad (alignment, agility, coordination)
• We win by accomplishing business goals
Questions?
David Cass, CISO, IBM Cloud & SaaS Operations
E-mail: [email protected]
Twitter: @dcass001
LinkedIn: www.linkedin.com/in/dcass001/