Posted 13-Sep-2018 (upload: lamtuong)

Ten Tenets of Security Success

SANS Security Leadership Summit

© 2016 Frank Kim | All Rights Reserved

ABOUT

• Frank Kim
  • CISO, SANS Institute
  • Curriculum Lead
    • Management
    • Application Security
  • Author
    • MGT514: Security Strategic Planning, Policy, and Leadership
    • DEV541: Secure Coding in Java

#1 Create Credibility

Stakeholder Management Strategy

• As you become more successful in your career, the initiatives you run will affect more people
• It’s likely your work will impact people who have power and influence over your projects
• These people can support or block you
• Meet with stakeholders to:
  • Build trust
  • Form alliances
  • Understand what motivates them
  • Identify what you can provide to them

Understanding Stakeholders – Example

• Power/Interest Grid (from mindtools.com)
  • Axes: Power (low to high) against Interest (low to high)
  • Quadrants: Monitor (low power, low interest), Keep Informed (low power, high interest), Keep Satisfied (high power, low interest), Manage Closely (high power, high interest)
  • Stakeholders plotted in the example: CIO, CFO, CISO, HR, Legal, Ops Team, End Users

#2 Catch the Culture

Organizational Culture

“Culture eats strategy for breakfast.”

- Peter Drucker

#3 Relate to Risk

Precision Farming

• Use sensors and drones
• Simulate water, fertilizer, and pesticide adjustments
• Goal
  • Increase yields and profit
• Impact
  • Crop & pricing manipulation

Industrial Control Systems

• Ukrainian Power Grid
  • Power distribution hacked
  • 225,000 citizens w/o power
• Goal
  • Supply power reliably
• Impact
  • Power outage
  • Political destabilization
  • Decreased confidence in government

Technology Risk

• Chart: Risk Exposure over time, 1995 to 2015
  • Caption: Increasing risk due to evolving threat landscape and business requirements
  • Threat milestones (increasing complexity of threats results in additional exposure due to security risks): Basic Threats, Partners, Advanced Persistent Threats, Organized Crime, Activists, Insider Threats, Nation States, Stuxnet, Year of the breach, Edward Snowden
  • Technology milestones (increasing complexity of technology environment results in operational risks): First web site, Global network, Wireless Network, Introduction of Mobile Devices, First Mobile App, Mobile Payments, Cloud Computing, Big Data, Internet of Things

#4 Shape the Strategy

Identify a Security Framework

• Security frameworks provide a blueprint for
  • Building security programs
  • Managing risk
  • Communicating about security
• Many frameworks share common security concepts
• Examples include
  • ISO 27000 Series
    • 27001 – ISMS requirements
    • 27002 – Code of practice
    • 27003 – Implementation guidance
    • 27004 – Measurement
    • 27005 – Risk management
  • COBIT
  • ENISA Evaluation Framework
  • NIST Cybersecurity Framework

NIST Cybersecurity Framework

• Composed of three parts
  • Core, Implementation Tiers, Profiles
• Defines a common language for managing security risk
• Core has five Functions that provide a high-level, strategic view of the security life cycle
  • Identify, Protect, Detect, Respond, Recover
• Helps organizations ask:
  • What are we doing today?
  • How are we doing?
  • Where do we want to go?
  • When do we want to get there?

Maturity Comparison Example

• Chart: maturity score (0 to 5) for each NIST CSF Function (Identify, Protect, Detect, Respond, Recover), showing current state against target state on a scale from Lagging to Industry Leading

#5 Don’t Show Me the Money

Establish a Vision

• Stakeholders don’t value expertise
  • They value results
• By understanding what they value
  • We can learn to innovate with the business

“The best way to predict the future is to invent it.”

- Alan Kay

Mapping to Strategic Objectives

• Financial/Stewardship: Increased profitability, Increased revenue, Lower costs
• Customer/Stakeholder: Lower wait times, Improved compliance & regulatory, Improved satisfaction
• Internal Business Process: Increase process efficiency, Lower cycle times, Business innovation/new product support, Improved availability & resiliency
• Organizational Capacity or “Security Capability”: Improved knowledge & skills, Improved tools & technology

Translating Security Vision & Strategy

Financial/Stewardship

How much does security cost to operate?
• Security budget as a % of IT
• Budget including CAPEX, OPEX
• Lower costs, increased revenue, increased profitability

How incidents financially impact your company
• Direct loss (e.g. IP, customer lists, trade secrets, loss or destruction of assets)
• Cost of downtime (e.g. refunds, or failed transactions)
• Cost of containment, recovery, and restitution

Customer/Stakeholder
• Improved compliance & regulatory (e.g. security controls of impacted systems and reporting capability)
• Lower wait times (e.g. meeting SLAs on evidence to HR/Legal, and on-time, on-budget delivery of projects)
• Improved satisfaction (e.g. responsiveness in time to remediate incidents on customer facing sites)

Internal Business Process
• Improved availability & resiliency (e.g. time to detect, respond, remediate outages caused by incidents)
• Increased process efficiency (e.g. time to remove unauthorized devices from the network)
• Lower cycle times (e.g. response time for customer facing security activities)
• Business innovation/new product support (e.g. response time for security assessments)

Security Capability
• Improved knowledge & skills (e.g. security awareness training completion rate and/or phishing results)
• Improved tools & technology (e.g. false positive trends on customer visible security controls such as encryption)

#6 Deliver the Deal

Build Your Business Case

• As a manager and leader you are expected to
  • Understand the vision and mission of the company
  • Make security understandable to business leaders
• Don’t just ask for the money
  • Sell the vision and how you will solve business problems
• Let the case speak for itself
  • Allow decision makers to come to their own conclusion
  • Outline three options with various pros and cons
  • Let them pick one

Provide Options

• Highlight trade-offs with business value, risk reduction, cost
  • Option A: $
  • Option B: ✔✔ business value / risk reduction, $$
  • Option C: ✔✔✔ business value / risk reduction, $$$

#7 Invest in Individuals

Putting Leadership Into Perspective

Boss ✗ | Manager ✔ | Leader ✔
Drives people | Manages things | Coaches, mentors and grows people
Thinks short term | Thinks mid term | Thinks long term
Focused on self | Focused on process | Focused on people
Instills fear | Earns respect | Generates enthusiasm
Says “I” | Says “Our” | Says “We”
Micromanages | Delegates | Motivates
Places blame on roadblocks | Navigates roadblocks | Removes roadblocks
Dictates how it’s done | Shows how it’s done | Influences how it’s done
Takes credit | Shares credit | Gives credit
Commands | Asks | Influences
Says “Go” | Says “let’s go” | Says “way to go”

The Three “Es” of Learning

Education (10%)
• Training Course
• Leadership programs
• Professional Conferences
• Online Resources
• Online Learning
• Career Education
• Reading
• Peer Learning
• Formal Education

Exposure (20%)
• Increase your perspective
• Showcase your skills
• Peer Networking
• Career Counseling
• Networking workshops
• Informal Interviews
• Shadowing
• Use a buddy
• Mentor

Experience (70%)
• Cross-functional project
• Stretch task
• Special assignment
• Leadership challenge
• Deliver a presentation
• Expanding skills
• Teach/Coach
• Best practice
• Special initiative
• Special project

Career Management – P.I.E.

• Everyone should have a piece of the P.I.E.
  • Performance
    • Perform exceptionally well
  • Image
    • Cultivate the proper image
  • Exposure
    • Manage their exposure so the right people will know them

Marissa Mayer on Sponsorship

“Work for someone who believes in you, because when they believe in you, they’ll invest in you.”

- Marissa Mayer

#8 Make Metrics Matter

Metrics Hierarchy

• Pyramid, top to bottom: Strategic, Operational, Technical
• Focus & actions increase as you move up the pyramid
• Volume of information increases as you move down the pyramid

Level | Type | Focus | Implementation
Strategic | KPIs | Strategic Objectives | Balanced Scorecard
Operational | Metrics | Analysis & Trends | Security Dashboard
Technical | Measures | Data | Charts & Graphs

Security Dashboard Example

Six dashboard panels, each plotted by quarter (Q1 to Q4):
• # Authorized/unauthorized devices on the network (0 to 35,000): # Authorized Devices, # Unauthorized Devices, Total
• Security Budget Allocation (millions, $0 to $3): Training, Services, Products; Budget vs. Actuals
• % of Products Delivered On Time and On Budget (0% to 100%): Actual, Upper ≥ 95%, Lower ≥ 55%
• Application Scanning Coverage (0 to 3,000): Scanned, Not Scanned, Total
• Developers Trained in Secure Coding (0% to 100%): % Developers trained, % Developers not trained, Lower ≥ 75%, Upper ≥ 95%
• Avg. time to remove unauthorized devices from the network (hours, 0 to 15): Avg. time to remediate (hours), Upper Control Limit (hours), Lower Control Limit (hours)

Balanced Scorecard Example

Financial/Stewardship
• Q4 % Product Development Budget Allocated to Security: Target 5%, Actual 5% ✔, Trend
  • Increased support for legal as they piloted their case management system
• Q4 & YTD Security Budget Allocation (see table below)

Customer/Stakeholder
• Q4 % of Products Delivered On Time and On Budget: Target 95%, Actual 95% ✔, Trend
  • 18% increase over Q3 in on-time and on-budget delivery. Security staffed temporary PMO team to meet goal
• Customer Satisfaction: Target 90%, Actual 85% ✗, Trend
  • 8% increase over Q3 in customer satisfaction rating of 4 or higher out of 5 possible

Internal Business Process
• Q4 % of Developers Trained in Secure Coding Principles: Target 95%, Actual 97% ✔, Trend
  • 100% of flagship application developers completed training, reducing overall risk to organization
• Q4 % of Developers Attaining Certification: Target 95%, Actual 42% ✗, Trend
  • Mitigation plan: Follow-up with developers after training is complete for certification

Q4 & YTD Security Budget Allocation

           | Q1          | Q2          | Q3          | Q4
Products   | $575,000    | $597,000    | $425,000    | $732,000
Services   | $1,590,000  | $1,320,000  | $1,190,000  | $1,090,000
Training   | $326,000    | $315,000    | $427,000    | $301,000
Actuals    | $2,491,000  | $2,232,000  | $2,042,000  | $2,123,000
Budget     | $2,190,000  | $2,211,900  | $2,234,019  | $2,256,359
$Variance  | -$301,000   | -$20,100    | $192,019    | $133,359

YTD
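The Metrics Hierarchy and the dashboard and scorecard slides above, as an added worked example in Python that is not part of the deck: it carries constructed quarterly counts from measures (raw counts) through metrics (percentages and trend) to a KPI status against the Lower ≥ 75% / Upper ≥ 95% thresholds printed on the developers-trained panel, and reproduces the scorecard's budget variance arithmetic. The green/yellow/red labels are an assumption borrowed from the capability-status colours on the scorecard slide; all counts are sample data.

```python
# Added example, not from the slides: walks the Metrics Hierarchy from raw
# measures (counts) to metrics (percentages, trends) to a KPI status.
# Threshold bands are those printed on the dashboard panels; the
# green/yellow/red mapping is an assumption borrowed from the scorecard slide.
from dataclasses import dataclass

@dataclass(frozen=True)
class Band:
    lower: float  # "Lower >= 75%" on the developers-trained panel
    upper: float  # "Upper >= 95%"

DEVELOPERS_TRAINED = Band(lower=75.0, upper=95.0)

def pct(part: int, total: int) -> float:
    """Measure -> metric: turn raw counts into a percentage (1 decimal)."""
    if total <= 0:
        raise ValueError("total must be positive")
    return round(100.0 * part / total, 1)

def status(value: float, band: Band) -> str:
    """Metric -> KPI status against the panel's control band (assumed colours)."""
    if value >= band.upper:
        return "green"
    if value >= band.lower:
        return "yellow"
    return "red"

def trend(series: list[float]) -> str:
    """Direction of the latest quarter relative to the previous one."""
    if len(series) < 2:
        return "flat"
    delta = series[-1] - series[-2]
    return "up" if delta > 0 else "down" if delta < 0 else "flat"

def kpi(name: str, parts: list[int], totals: list[int], band: Band) -> dict:
    """Build one scorecard cell from quarterly counts (Q1..Qn)."""
    series = [pct(p, t) for p, t in zip(parts, totals)]
    return {"name": name, "series": series,
            "status": status(series[-1], band), "trend": trend(series)}

def budget_variance(budget: int, products: int, services: int, training: int) -> int:
    """Scorecard budget row: variance = budget - actuals (sum of the line items)."""
    return budget - (products + services + training)

if __name__ == "__main__":
    # Constructed sample counts: developers trained / total developers, Q1..Q4
    print(kpi("Developers Trained in Secure Coding",
              [60, 80, 120, 130], [150, 150, 140, 140], DEVELOPERS_TRAINED))
    print(budget_variance(2_190_000, 575_000, 1_590_000, 326_000))  # Q1 row on the slide
```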

Balanced Scorecard Example

Security Capability | Status | Trend | Highlights

Identify: Manage risk to systems, assets, data, and capabilities | Yellow
• 32% increase in unauthorized devices
  • 29% IT
  • 3% HR
• 27% increase in unauthorized software
  • Attributed to Q4 BYOD pilot

Protect: Ensure delivery of critical infrastructure services | Green
• 12% of users failed sponsored email phishing tests
• 15% of employees have not passed security awareness assessments

Detect: Identify occurrence of a cybersecurity event | Green
• 27% decrease in elevated access accounts
• 275 total elevated access accounts

Respond: Take action regarding a detected cybersecurity event | Green
• 5% of database systems with sensitive information have not been scanned by vulnerability scanners

Recover: Maintain plans for resilience and to restore any capabilities or services that were impaired due to cybersecurity event | Red
• 34% of systems not enabled with up to date anti-malware
  • Attributed to Q4 BYOD pilot

#9 Master Your Message

Filters to Communication

• Physical and psychological barriers can stop the flow of communication
• Culture, background, and bias
  • Allowing past experience to change the meaning of the message
• Ourselves
  • Focusing on self rather than the other person can lead to confusion and/or conflict
  • Defensiveness, superiority, and ego
• Perception
  • Barriers such as poor language skills, a person’s status, etc.
• Stress
  • Psychological frame of reference at the given moment

Example #1: Bad Exec Communication (DMARC)

DMARC is an email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators and that the email (including attachments) has not been modified during transport.

It expands on two existing mechanisms, the well-known Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), coordinating their results on the alignment of the domain in the From: header field, which is often visible to end users. It allows specification of policies (the procedures for handling incoming mail based on the combined results) and provides for reporting of actions performed under those policies. Source: https://en.wikipedia.org/wiki/DMARC

Example #1: Better Exec Communication (DMARC)

The solution prevents scammers from sending fraudulent email to our customers. These fraudulent emails result in stolen usernames, passwords, and fraudulent transactions. The solution reduces the number of stolen accounts by 20%, account fraud by 10%, and the total amount of fraudulent transactions by $1 million per year.

Example #2: Bad Exec Communication (DDoS)

DDoS is an attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system causing a Distributed Denial of Service (DDoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack. The DDoS attack uses multiple computers and Internet connections to flood the targeted resource. DDoS attacks are often global attacks, distributed via botnets.

Source: http://www.webopedia.com/TERM/D/DDoS_attack.html

Example #2: Better Exec Communication (DDoS)

All web sites are up and operational after a traffic flood attack on Friday night. Our primary web site was unavailable for two minutes because it was flooded with traffic from the Internet by cyber attackers. We immediately instituted our incident response and recovery procedures and the web site was made available with zero customer impact.

Simplify Your Message

#10 Solve Business Problems

Evolution of Security Leadership

• Figure: Old School to New School
  • Old School: IT Security; Technology Focus
  • New School: IT Security; Risk Management; Regulatory, Compliance, Legal, Privacy; Business Savvy; Business Focus
• Graphic credit: https://www.rsaconference.com/writable/presentations/file_upload/prof-m07-from-cave-man_to-business-man-the-evolution-of-the-ciso-to-ciro.pdf

Ten Tenets of Security Success

#1 Create Credibility
#2 Catch the Culture
#3 Relate to Risk
#4 Shape the Strategy
#5 Don’t Show Me the Money
#6 Deliver the Deal
#7 Invest in Individuals
#8 Make Metrics Matter
#9 Master Your Message
#10 Solve Business Problems

Presentation based on:

MGT514: IT Security Strategic Planning, Policy, and Leadership

Frank [email protected]

@fykim

Thank You!