Securing the enterprise despite management’s best effort to stop you
Jeff Reava, Pfizer, May 15, 2009


Page 1:

Securing the enterprise despite management’s best effort to stop you

Jeff Reava, Pfizer, May 15, 2009

Page 2:

Management support: great stuff, if you can get it

“Once the policies have been created and the entire corporation made aware of their existence, it is important for each of these policies to have the continued support of the executive team. Without the support of the executives, a policy isn’t worth the paper it is written on.” King, Dalton & Osmanoglu, Security Architecture: Design, Deployment and Operations, p. 16

Page 3:

Management support: great stuff, if you can get it

“…the direct support and involvement of senior management is essential… senior management must ensure that adequate resources are available… management should issue a formal statement outlining its commitment…” Yusufali F. Musaji, Auditing and Security: AS/400, NT, Unix, Networks and Disaster Recovery Plans, p. 494

Page 4:

Management support: great stuff, if you can get it

“…initiation, support and direction come from top management… A bottom-up approach is usually less effective, not broad enough, and doomed to fail.” Shon Harris, CISSP All-in-One Exam Guide, p. 56

Page 5:

Management support: great stuff, if you can get it

“If you do not have the support of your upper management, your program is doomed to fail before you finish writing the policy.” Scott Barman, Writing Information Security Policies, p. 4

Page 6:

So how do you get management support?

“Executive management needs to be knowledgeable of all aspects of the project so that it can make appropriate decisions regarding project support.” Jan Killmeyer Tudor, Information Security Architecture: An Integrated Approach to Security in the Organization, p. 180

Page 7:

So how do you get management support?

“How You Gain Management Support: First you can try to reason with them. You can point out that the systems and data have real costs. You can demonstrate how an outsider or a disgruntled insider can easily access sensitive information that could damage the company’s business functions. You can show them studies, articles, even this book. But if this doesn’t convince them, you might have to wait until your first disaster.” Scott Barman, Writing Information Security Policies, p. 4

Page 8:

An example

Sometime around 2001, a business unit decided to quit applying automatic antivirus signature updates on key manufacturing systems.

Rationale: “automatically applying untested software (in this case, virus signatures) on a controlled system risks taking the system out of a state of control.”

How should the security team respond?

A) Too bad, we’re updating anyway.

B) Call the VP and explain the inner workings of signature-based malware detection. If your counterparts won’t listen to you, maybe their boss will…

C) Point out that virus infections also take a system out of a state of control. Then update signatures anyway.

Page 9:

Securing the enterprise

At times it may seem that only the security group is concerned about information protection.

Management isn’t really out to stop you; they’re doing their best for the organization:

“People make rational decisions based on their understanding of the facts of the situation, their understanding of cause-and-effect relationships between actions and outcomes, and the incentives associated with their roles.”

Page 10:

Winning Management Support

Basic assumptions
What makes an organization secure?
What makes an organization profitable?
Management Theory and Security
Practice: winning support when you’re starting with (almost) nothing
A working example
Summary

Page 11:

Assumptions (and definitions)

Building blocks of a secure organization: the implementation of controls in response to threats that mitigate risk to a level acceptable to management

Administrative, technical and physical controls
Control functions: Deter, Prevent, Detect, Correct, Restore
Layers: Network, Host, Application, User, Data

Defense in depth: layers of controls between threats and assets that cannot be circumvented

Page 12:

Assumptions (and definitions)

Building blocks of a profitable organization:

Cash = inflow – outflow per period
Margin = price – cost of goods sold
Velocity = rate of sales
Growth = extension and expansion
Customers = aligned with market

[Diagram: the five building blocks: cash, margin, velocity, growth, customers]

Page 13:

Security vs. Profits: the battleground

[Diagram: the five building blocks (cash, margin, velocity, growth, customers) annotated with the places where security and profit meet:]
sales
competitive advantage: trade secrets and intellectual property
fixed costs (overhead), incident costs, compliance fines
variable costs (labor/time, materials)
reduced transaction volume due to security controls
new products, new markets
alignment with consumer preferences
reputation damage

Page 14:

Security vs. Profits: the battleground

[Diagram: the five building blocks: cash, margin, velocity, growth, customers]

People are rational: they act in their own best interests

CEO: maximize shareholder value (stock price)
CFO/COO: manage cash, reduce costs
Marketing: sales growth
Research: new products
CIO: enable business initiatives
CISO/CSO: prevent security incidents

Page 15:

Management Theory and Security Reality

Management isn’t automatically on your side. To win their support:

Understand the business and security environment
Fix what you can
Manage Up

Page 16:

The case for Managing Up

Consider the information security landscape:

[Diagram: nested regions, apparently from outermost to innermost: everything that can go wrong (virus, lost laptop, intrusion, power outage); things you and your boss can influence; things your boss can help with; everything that you can control. The remaining region is labelled Acceptable Residual Risk.]

Page 17:

The case for Managing Up

Quantifying the information security landscape (NIST 800-30): 78% control coverage (7 of 9)

[Control-coverage matrix: rows are control types, columns are the asset groups LAN/WAN, Windows/UNIX and End User; 7 of the 9 cells are filled]

Administrative: Change Management; Separation of Duties; Acceptable Use Policy
Technical: Secure baseline (the only technical control listed; the other two asset groups have none)
Physical: Locked wiring closets; Data Center Security; Locked office

[Axes of the surrounding diagram: Assets, Threats; region labelled Acceptable Residual Risk]

Page 18:

Managing Up: the basics

Your time, authority, influence and information are finite.

Your boss can:
Provide budget, resources
Connect you to higher levels of the organization
Track organizational priorities while you focus on security-specific issues

Your boss needs:
Cooperation, reliability
Unfiltered information about how things are going “on the ground”

* “Managing Your Boss”, Harvard Business Review, January 2005 (reprint of 1980)
* Influence without Authority, Cohen and Bradford, 2005

Page 19:

Managing up: in practice

Understand your boss, and their context:

What are their key responsibilities?
What keeps them up at night?
Do you know their career goals?
How is their performance measured?
How do they measure others? You?
Work and communication styles? Phone, email, face-to-face? Reader or listener? Hands-on, or delegate? Big-picture, or gritty details?
What are their strengths and weaknesses?

Page 20:

Managing up: in practice

Understand yourself:

What’s my preferred communication style?
What are my strengths and weaknesses?
How do they mesh with my boss?
Am I overly dependent? Counter-dependent? I.e. “He or she sees the boss as someone who, by virtue of the role, is a hindrance to progress, an obstacle to be circumvented or at best tolerated.*”

Page 21:

Managing up: in practice

Managing the relationship:

Set mutual expectations up front; what should you try to accomplish? What is reasonable, given the environment?
Communicate openly – no spin, no surprises
Value their time
Take strengths, styles and preferences into account so that your approach fits your boss

What if you and your boss hit resistance?

Page 22:

Managing up: overcoming resistance

“People make rational decisions based on their understanding of the facts of the situation, their understanding of cause-and-effect relationships between actions and outcomes, and the incentives associated with their roles.”

Managing Up diagnoses the situation; but resistance must be met and addressed …

Page 23:

Changing Minds -- what it is not:

Page 24:

Changing Minds: what it is

[Diagram: the levers of change arranged on a scale from resistance to resonance: Reason, Research, Real world events, Representational redescriptions, Resources & rewards]

Page 25:

Changing Minds: initial content

Category  | Security                                | Business
Concepts  | Defense in depth; Need to know          | Weighted Average Cost of Capital (WACC), NPV, IRR, ROI
Stories   | SecurityFocus; SANS NewsBites           | Bloomberg, Business Week, Wall Street Journal
Theories  | Exposed systems are rapidly compromised | Fewer technical controls increases agility
Skills    | Vulnerability Management                | Activity Based Costing

Page 26:

Changing Minds: Levers of change

Reason: logical arguments
Research: metrics, benchmarking
Resonance: the story “feels right” to the hearer
Representational redescriptions: your story in their words; your story in many forms
Real world events: “Conficker C”, “GhostNet”, other security incidents/events
Resources & Rewards: when the people you are trying to affect are rewarded for the change (think Covey “Win – win”) and they have the resources to carry out the change

Page 27:

Changing Minds: in practice

“New ideas do not travel easily, and it is hard for them to take hold. Because we cannot know in advance which formats will prove effective in communicating a new message, we are well advised to use several alternative formats…We need to monitor the words and actions of a leader's constituents to glean how ideas have been translated and internalized…until we 'get it right'--or at least until the next change in context challenges current representations and calls for yet another take on the situation at hand.”

Howard Gardner, Changing Minds, p.104

Page 28:

Antivirus … Part 2

Managing up: what is the business impact of critical manufacturing system failure? How does that risk affect the key decision makers?

Frame the security issue in business terms: increased overhead due to additional testing vs. incident costs, compliance risk and possible reputation damage.

Measure and report: How many viruses are detected each day? How many get through? How many signature updates fail?

[Diagram: the five building blocks (cash, margin, velocity, growth, customers) with the security-driven items highlighted: fixed costs (overhead), incident costs, compliance fines, reputation damage]

Conclusion: both the virus risk and the update risk are unacceptable. Isolate the critical environments, so that the manufacturing systems are neither exposed to the malware the signatures exist to catch nor dependent on an untested update landing on a controlled system.
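The three numbers the slide asks you to measure and report are the part of this argument that can be automated. What follows is an added example, not code from the slides or from Pfizer: it parses constructed antivirus log lines in a hypothetical format (the event names DETECT, INCIDENT and SIGUPDATE and the key=value fields are assumptions, not any product's real log schema), computes per-day detections, misses and failed signature updates, and correlates each miss with the host's most recent signature update, which is the evidence that not updating is itself a loss of control. An INCIDENT is assumed to mean malware found on a host by something other than the real-time scanner (a manual scan, a cleanup, a helpdesk ticket).

```python
"""Added example: per-day antivirus metrics for a status report to management.

The log format below is hypothetical (date host EVENT [name] key=value ...);
the lines are constructed sample data, not real logs.
"""
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format, not any vendor's schema).
SAMPLE_LOG = """\
2009-05-11 MFG-LINE1 DETECT Conficker.C action=quarantined
2009-05-11 MFG-LINE2 DETECT Conficker.C action=quarantined
2009-05-11 MFG-LINE1 SIGUPDATE status=ok version=5512
2009-05-11 MFG-LINE3 SIGUPDATE status=failed version=5512 reason=timeout
2009-05-12 MFG-LINE3 INCIDENT Conficker.C detected_by=manual_scan
2009-05-12 MFG-LINE2 DETECT EICAR-Test-File action=quarantined
2009-05-12 MFG-LINE3 SIGUPDATE status=failed version=5513 reason=timeout
2009-05-13 MFG-LINE1 SIGUPDATE status=ok version=5514
2009-05-13 MFG-LINE2 SIGUPDATE status=ok version=5514
2009-05-13 MFG-LINE3 SIGUPDATE status=ok version=5514
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<event>DETECT|INCIDENT|SIGUPDATE)\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one line into a dict; return None for lines that do not match
    the assumed format, so junk lines are skipped rather than fatal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    fields, name = {}, None
    for tok in rec.pop("rest").split():
        if "=" in tok:               # key=value attribute
            k, v = tok.split("=", 1)
            fields[k] = v
        elif name is None:           # first bare token is the malware name
            name = tok
    rec["name"], rec["fields"] = name, fields
    return rec


def daily_metrics(lines):
    """Per-day answers to the slide's three questions: detected (real-time
    DETECT), got_through (INCIDENT), and failed vs. total signature updates."""
    days = defaultdict(lambda: {"detected": 0, "got_through": 0,
                                "updates_failed": 0, "updates_total": 0})
    for rec in filter(None, map(parse_line, lines)):
        d = days[rec["date"]]
        if rec["event"] == "DETECT":
            d["detected"] += 1
        elif rec["event"] == "INCIDENT":
            d["got_through"] += 1
        elif rec["event"] == "SIGUPDATE":
            d["updates_total"] += 1
            if rec["fields"].get("status") != "ok":
                d["updates_failed"] += 1
    return dict(days)


def incidents_on_stale_hosts(lines):
    """Correlate each INCIDENT with the host's most recent signature update.
    Returns (date, host, last_update_status) for incidents on hosts whose last
    update before the incident failed or never happened at all."""
    last_status, out = {}, []
    for rec in filter(None, map(parse_line, lines)):   # lines must be in time order
        host = rec["host"]
        if rec["event"] == "SIGUPDATE":
            last_status[host] = rec["fields"].get("status", "unknown")
        elif rec["event"] == "INCIDENT":
            status = last_status.get(host, "never")
            if status != "ok":
                out.append((rec["date"], host, status))
    return out


def report(lines):
    """Plain-text summary of the kind that fits in a weekly note to the boss."""
    rows = ["date        detected  got_through  updates_failed/total"]
    for date, m in sorted(daily_metrics(lines).items()):
        rows.append(f"{date}  {m['detected']:8d}  {m['got_through']:11d}  "
                    f"{m['updates_failed']}/{m['updates_total']}")
    for date, host, status in incidents_on_stale_hosts(lines):
        rows.append(f"{date}: {host} infected; last signature update status: {status}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

The correlation in incidents_on_stale_hosts is the line that matters in the business-unit conversation: a host that missed its updates and was then infected turns "virus risk" from a security-team opinion into a measured cost on the same slide as the testing overhead the business unit is worried about.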

Page 29:

In conclusion

People make rational decisions based on understanding and self-interest
Support is earned. We have to compete for it
Commit to the long haul
Understand how the organization makes its profit
Explain how threats impact assets through vulnerabilities in the context of business goals
Support your boss
Be creative
Never quit

Page 30:

Questions?

Ram Charan, What the CEO Wants You to Know
Howard Gardner, Changing Minds
Cohen and Bradford, Influence without Authority
Gabarro and Kotter, Managing Up: Harvard Business Review
Steven J. Spear, Chasing the Rabbit

[email protected] or [email protected]
http://reava.blogspot.com