Securing the enterprise despite management’s best effort to stop you
Jeff Reava, Pfizer May 15, 2009

Slide 2
Management support: great stuff, if you can get it

“Once the policies have been created and the entire corporation made aware of their existence, it is important for each of these policies to have the continued support of the executive team. Without the support of the executives, a policy isn’t worth the paper it is written on.”
King, Dalton & Osmanoglu, Security Architecture: Design, Deployment and Operations, p. 16

Slide 3
Management support: great stuff, if you can get it

“…the direct support and involvement of senior management is essential… senior management must ensure that adequate resources are available… management should issue a formal statement outlining its commitment…”
Yusufali F. Musaji, Auditing and Security: AS/400, NT, Unix, Networks and Disaster Recovery Plans, p. 494

Slide 4
Management support: great stuff, if you can get it

“…initiation, support and direction come from top management… A bottom-up approach is usually less effective, not broad enough, and doomed to fail.”
Shon Harris, CISSP All-in-One Exam Guide, p. 56

Slide 5
Management support: great stuff, if you can get it

“If you do not have the support of your upper management, your program is doomed to fail before you finish writing the policy.”
Scott Barman, Writing Information Security Policies, p. 4

Slide 6
So how do you get management support?

“Executive management needs to be knowledgeable of all aspects of the project so that it can make appropriate decisions regarding project support.”
Jan Killmeyer Tudor, Information Security Architecture: An Integrated Approach to Security in the Organization, p. 180

Slide 7
So how do you get management support?

“How You Gain Management Support: First you can try to reason with them. You can point out that the systems and data have real costs. You can demonstrate how an outsider or a disgruntled insider can easily access sensitive information that could damage the company’s business functions. You can show them studies, articles, even this book. But if this doesn’t convince them, you might have to wait until your first disaster.”
Scott Barman, Writing Information Security Policies, p. 4

Slide 8
An example

Sometime around 2001, a business unit decided to quit applying automatic antivirus signature updates on key manufacturing systems.
Rationale: “automatically applying untested software (in this case, virus signatures) on a controlled system risks taking the system out of a state of control.”
How should the security team respond?
A) Too bad, we’re updating anyway.
B) Call the VP and explain the inner workings of signature-based malware detection. If your counterparts won’t listen to you, maybe their boss will…
C) Point out that virus infections also take a system out of a state of control. Then update signatures anyway.

Slide 9
Securing the enterprise

At times it may seem that only the security group is concerned about information protection.
Management isn’t really out to stop you; they’re doing their best for the organization:
“People make rational decisions based on their understanding of the facts of the situation, their understanding of cause-and-effect relationships between actions and outcomes, and the incentives associated with their roles.”

Slide 10
Winning Management Support

Basic assumptions
What makes an organization secure? What makes an organization profitable?
Management Theory and Security
Practice: winning support when you’re starting with (almost) nothing
A working example
Summary

Slide 11
Assumptions (and definitions)

Building blocks of a secure organization: the implementation of controls in response to threats that mitigate risk to a level acceptable to management
Administrative, technical and physical controls: Deter, Prevent, Detect, Correct, Restore
Network, Host, Application, User, Data
Defense in depth: layers of controls between threats and assets that cannot be circumvented

Slide 12
Assumptions (and definitions)

Building blocks of a profitable organization:
Cash = inflow – outflow per period
Margin = price – cost of goods sold
Velocity = rate of sales
Growth = extension and expansion
Customers = aligned with market

Slide 13
Security vs. Profits: the battleground

(Figure: the five profit drivers from the previous slide, cash, margin, velocity, growth and customers, set against the following security-related items.)
sales
competitive advantage: trade secrets and intellectual property
fixed costs (overhead), incident costs, compliance fines
variable costs (labor/time, materials)
reduced transaction volume due to security controls
new products, new markets
alignment with consumer preferences
reputation damage

Slide 14
Security vs. Profits: the battleground

(Figure: cash, margin, velocity, growth, customers.)
People are rational: they act in their own best interests
CEO: maximize shareholder value (stock price)
CFO/COO: manage cash, reduce costs
Marketing: sales growth
Research: new products
CIO: enable business initiatives
CISO/CSO: prevent security incidents

Slide 15
Management Theory and Security Reality

Management isn’t automatically on your side. To win their support:
Understand the business and security environment
Fix what you can
Manage Up

Slide 16
The case for Managing Up

Consider the information security landscape:
(Figure: nested regions, listed here from the broadest inward.)
Everything that can go wrong: virus, lost laptop, intrusion, power outage
Things you and your boss can influence
Things your boss can help with
Everything that you can control
Acceptable Residual Risk

Slide 17
The case for Managing Up

Quantifying the information security landscape (NIST 800-30): 78% control coverage (7 of 9)
(Figure: a grid of control types against layers, with Assets, Threats and Acceptable Residual Risk marked.)
Layers: LAN/WAN, Windows/UNIX, End User
Administrative: Change Management, Separation of Duties, Acceptable Use Policy
Technical: Secure baseline
Physical: Locked wiring closets, Data Center Security, Locked office

Slide 18
Managing Up: the basics

Your time, authority, influence and information are finite.
Your boss can:
Provide budget, resources
Connect you to higher levels of the organization
Track organizational priorities while you focus on security-specific issues
Your boss needs:
Cooperation, reliability
Unfiltered information about how things are going “on the ground”
* “Managing Your Boss”, Harvard Business Review, January 2005 (reprint of 1980)
* Influence without Authority, Cohen and Bradford, 2005

Slide 19
Managing up: in practice

Understand your boss, and their context:
What are their key responsibilities?
What keeps them up at night?
Do you know their career goals?
How is their performance measured? How do they measure others? You?
Work and communication styles? Phone, email, face-to-face? Reader or listener? Hands-on, or delegate? Big-picture, or gritty details?
What are their strengths and weaknesses?

Slide 20
Managing up: in practice

Understand yourself:
What’s my preferred communication style?
What are my strengths and weaknesses?
How do they mesh with my boss?
Am I overly dependent? Counter-dependent? I.e. “He or she sees the boss as someone who, by virtue of the role, is a hindrance to progress, an obstacle to be circumvented or at best tolerated.”*

Slide 21
Managing up: in practice

Managing the relationship:
Set mutual expectations up front; what should you try to accomplish? What is reasonable, given the environment?
Communicate openly – no spin, no surprises
Value their time
Take strengths, styles and preferences into account so that your approach fits your boss
What if you and your boss hit resistance?

Slide 22
Managing up: overcoming resistance

“People make rational decisions based on their understanding of the facts of the situation, their understanding of cause-and-effect relationships between actions and outcomes, and the incentives associated with their roles.”
Managing Up diagnoses the situation; but resistance must be met and addressed …

Slide 23
Changing Minds: what it is not

Slide 24
Changing Minds: what it is

(Figure, labels only: resistance; resonance; Reason; Research; Real world events; Representational redescriptions; Resources & rewards.)

Slide 25
Changing Minds: initial content

| Category | Security | Business |
|---|---|---|
| Concepts | Defense in depth; Need to know | Weighted Average Cost of Capital (WACC), NPV, IRR, ROI |
| Stories | SecurityFocus; SANS NewsBites | Bloomberg, Business Week, Wall Street Journal |
| Theories | Exposed systems are rapidly compromised | Fewer technical controls increase agility |
| Skills | Vulnerability Management | Activity Based Costing |

Slide 26
Changing Minds: Levers of change

Reason: logical arguments
Research: metrics, benchmarking
Resonance: the story "feels right" to the hearer
Representational redescriptions: your story in their words; your story in many forms
Real world events: “Conficker C”, “GhostNet”, other security incidents/events
Resources & Rewards: when the people you are trying to affect are rewarded for the change (think Covey “win-win”) and they have the resources to carry out the change

Slide 27
Changing Minds: in practice

“New ideas do not travel easily, and it is hard for them to take hold. Because we cannot know in advance which formats will prove effective in communicating a new message, we are well advised to use several alternative formats… We need to monitor the words and actions of a leader's constituents to glean how ideas have been translated and internalized… until we 'get it right'--or at least until the next change in context challenges current representations and calls for yet another take on the situation at hand.”
Howard Gardner, Changing Minds, p. 104

Slide 28
Antivirus … Part 2

Managing up: what is the business impact of critical manufacturing system failure? How does that risk affect the key decision makers?
Frame the security issue in business terms: increased overhead due to additional testing vs. incident costs, compliance risk and possible reputation damage.
Measure and report: How many viruses are detected each day? How many get through? How many signature updates fail?
(Figure: the battleground drivers, cash, margin, velocity, growth, customers, with fixed costs (overhead), incident costs, compliance fines and reputation damage marked.)
Conclusion: virus risk and upgrade risk are both unacceptable. Isolate critical environments.
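The "measure and report" step above is the one that produces numbers management can weigh against testing overhead. This is an added example, not from the talk: it aggregates constructed antivirus log lines (the key=value format, the event names and the host names are assumptions) into the three counts the slide asks for: detections per day, infections that got through (found by other means, such as an incident ticket), and signature-update failures.

```python
from collections import defaultdict

# Constructed sample antivirus log (not from any real system); format and event
# names are assumptions. infection = malware found by other means (e.g. IR ticket).
SAMPLE_LOG = """\
2009-04-01 03:10:02 host=mfg-line-01 event=sig_update result=ok
2009-04-01 03:10:05 host=mfg-line-02 event=sig_update result=fail
2009-04-01 09:42:17 host=mfg-line-01 event=detect name=Worm.Example action=quarantined
2009-04-01 14:02:30 host=mfg-line-03 event=sig_update result=ok
2009-04-02 03:10:01 host=mfg-line-01 event=sig_update result=ok
2009-04-02 03:10:09 host=mfg-line-02 event=sig_update result=fail
2009-04-02 11:05:44 host=mfg-line-02 event=infection source=ir_ticket name=Worm.Example
2009-04-02 16:20:00 host=mfg-line-03 event=detect name=Trojan.Example action=quarantined
"""

def parse_line(line):
    """Split 'date time key=value ...' into a dict, keeping the date as 'day'."""
    day, _time, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["day"] = day
    return fields

def daily_metrics(log_text):
    """Per-day counts answering the slide's three questions."""
    days = defaultdict(lambda: {"detected": 0, "missed": 0, "updates": 0, "update_failures": 0})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        d = days[ev["day"]]
        if ev["event"] == "detect":          # caught by the AV engine
            d["detected"] += 1
        elif ev["event"] == "infection":     # got through; found some other way
            d["missed"] += 1
        elif ev["event"] == "sig_update":    # update attempted; result may be 'fail'
            d["updates"] += 1
            if ev.get("result") != "ok":
                d["update_failures"] += 1
    return dict(days)

def summarize(days):
    """Totals plus the two rates to set against the cost of extra testing."""
    keys = ("detected", "missed", "updates", "update_failures")
    total = {k: sum(d[k] for d in days.values()) for k in keys}
    seen = total["detected"] + total["missed"]
    total["miss_rate"] = total["missed"] / seen if seen else 0.0
    total["update_failure_rate"] = total["update_failures"] / total["updates"] if total["updates"] else 0.0
    return total

if __name__ == "__main__":
    print(summarize(daily_metrics(SAMPLE_LOG)))
```

In the constructed data the host whose updates keep failing (mfg-line-02) is also the one with the infection found outside the AV, which is exactly the kind of correlation the slide's business-terms framing needs.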

Slide 29
In conclusion

People make rational decisions based on understanding and self-interest
Support is earned. We have to compete for it
Commit to the long haul
Understand how the organization makes its profit
Explain how threats impact assets through vulnerabilities in the context of business goals
Support your boss
Be creative
Never quit

Slide 30
Questions?

Ram Charan, What the CEO Wants You to Know
Howard Gardner, Changing Minds
Cohen and Bradford, Influence without Authority
Gabarro and Kotter, Managing Up: Harvard Business Review
Steven J. Spear, Chasing the Rabbit
[email protected] or [email protected]
http://reava.blogspot.com