Information Security and the Innovator’s Dilemma
David A. Cass, CISO Cloud and SaaS Operations
October 5, 2015

Uploaded by david-cass; posted 14-Apr-2017


TRANSCRIPT


A notable quote

“Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.”

– Sun Tzu

Agenda

We will review the external and internal factors and the threat landscape that are driving change, discuss failure modes and how to overcome them, and look at innovation drivers, a framework for innovation, and how to execute on an innovation strategy.

• What’s Changed?
• Why CISOs fail?
• Enabling Innovation
• Execution
• Wrap Up

What’s changed – In the news

• 2015 as the year of escalating breaches
  – Retail breaches
    • 40 to 60+ million card holders impacted
    • Cost of breaches estimated in the billions of dollars
  – Medical records
    • 80 million social security numbers exposed
    • The cost per record breached for healthcare organizations is $363*
  – Entertainment industry
    • Corporate network taken over
    • Exfiltration of movies
    • Loss of corporate e-mails, PII, and more
  – Government
    • Personnel data of 4.2 million current and former Federal government employees stolen
    • Background investigation records of current, former, and prospective Federal employees and contractors
    • More than 21 million SSNs and 5.6 million fingerprint records

What’s Changed?

• External Factors
  – Emerging Markets
  – Outsourcing
  – Privacy
    • > 80 countries with privacy laws
    • US vs. EU vs. APAC definitions
    • Opt in vs. Opt out
  – Law & Cyber
    • HIPAA, GLBA, MA, CA…
  – Cloud
    • Fundamental change to the way people work
    • Mobile Apps, BYOD, Social, Big Data, IoT

• Internal Factors
  – Expectations of the workforce
  – Insider threat
  – Changes in IT staff core competencies
  – Increased focus on Risk Management

Threat Landscape – Then vs. Now

Enterprises
  Then: Captive workforce; desktops & laptops; corporate network with VPN for remote workers; corporate-owned devices
  Now:  Highly mobile workforce; smartphones & tablets; use of home Wi-Fi, free Wi-Fi, and cellular connections; corporate-owned devices

Attackers
  Then: Rogue individuals; motivated by the challenge; little or no financial gain
  Now:  Organized; well funded; highly skilled; organized crime; financial/political gain

Attacks
  Then: Noisy; server-side/infrastructure vulnerabilities; noticeable; damaging & costly but not complicated to remediate
  Now:  Stealthy; applications, databases, and social engineering; hard to detect; goal is data exfiltration

Why CISOs fail?

Used to be: failure to help the business with:

Innovation Drivers

• Companies are very vulnerable to disruption
• Low barrier to entry
• Disruption defined: the same value delivered in different ways
• Time to market is critical
• Innovation allows companies to pivot

Guidelines / Framework for Innovation

1. Research first
2. Innovate process at small scales
   – Improves ability to deliver
   – Allow everyone to innovate
3. Share as much as you can
   – Break down silos
   – Transparency = speed
4. Sell it before you make it
   – See what works
   – Get traction
   – Don’t build solutions in search of problems
5. Act responsibly
   – Reputation
   – Say what you do and do what you say!
   – Aspirational vs. attainable

How can Security Innovate?

• Understand what the Critical Business Knowledge is
• Business Transformation
• Policies, Standards, Training & Awareness
• Communications at the Board and Exec Level
• Privacy and Security by Design

Innovation

• Critical Business Knowledge
  – Define it
    • Is it a source of competitive advantage?
    • Is there a regulatory requirement?
  – Define a goal

• Business Transformation
  – What is the experience we want?
  – How do we deliver what they want?
  – Transparency

• Policies & Standards
  – Right size them
  – 1 page with bullet points

• Training & Awareness
  – Deliver the message in the way people consume information today

• Communications at the Board and Exec Level
  – Become a better storyteller
  – Frame the conversation using FORR:
    • Financial
    • Operational
    • Reputational
    • Regulatory

• Practice Privacy by Design
  – Proactive not reactive
  – Privacy as the default setting
  – Privacy embedded into design
  – Full functionality
  – End-to-end security: full life cycle protection
  – Visibility and transparency
  – Respect for user privacy

• Security by Design
  – Protect the data and application
  – Security awareness training
  – Partner with the business
    • M&A process
    • Cloud
  – Risk & Assurance
  – Application Security COE
  – Security Architecture
  – Incident Response

Execution – Focus on Four Principles

• Familiar
• Simple
• Impactful
• Measured

Execution – Putting Innovation to work

• Strategy is the starting point of execution
  – Clear and relatively simple
  – You need to know what really matters
• To execute you need:
  – Alignment
  – Agility
  – Coordination

Executing Strategy

• Is low price a strategy?
• Strategy is not:
  – A string of buzzwords
  – A vision statement
  – A financial projection

[Diagram: the strategy execution triad – Alignment, Agility, Coordination]

Wrap up

• Innovation requires that you understand the way the business works
• Apply the principles for innovation
• Use the strategy execution triad
• We win by accomplishing business goals

Questions?

David Cass, CISO, IBM Cloud & SaaS Operations
E-mail: [email protected]
Twitter: @dcass001
LinkedIn: www.linkedin.com/in/dcass001/