Ten Tenets of Security Success

Transcription

1 Ten Tenets of Security Success 2016 Frank Kim All Rights Reserved

2 ABOUT Frank Kim CISO, SANS Institute Curriculum Lead Management Application Security Author MGT514: Security Strategic Planning, Policy, and Leadership DEV541: Secure Coding in Java

3 #1 Create Credibility

4 Stakeholder Management Strategy As you become more successful in your career, the initiatives you run will affect more people It s likely your work will impact people who have power and influence over your projects These people can support or block you Meet with stakeholders to: Build trust Form alliances Understand what motivates them Identify what you can provide to them 4

5 Power Understanding Stakeholders Example High Keep Satisfied HR Legal Manage Closely CIO CFO CISO Power/Interest Grid Ops Team Monitor End KeepUsers Informed Low Low Interest High From mindtools.com 5

6 #2 Catch the Culture

7 Organizational Culture Culture eats strategy for breakfast. - Peter Drucker 7

8 #3 Relate to Risk

9 Precision Farming Use sensors and drones Simulate water, fertilizer, and pesticide adjustments Goal Increase yields and profit Impact Crop & pricing manipulation 9

10 Industrial Control Systems Ukrainian Power Grid Power distribution hacked 225,000 citizens w/o power Goal Supply power reliably Impact Power outage Political destabilization Decreased confidence in government 10

11 Risk Exposure Technology Risk Increasing complexity of threats results in additional exposure due to security risks Year of the breach Edward Snowden Nation States Stuxnet Advanced Persistent Threats Increasing risk due to evolving threat landscape and business requirements Organized Crime Activists Cloud Computing Big Data Internet of Things Partners Mobile Payments First Mobile App Basic Threats Insider Threats Wireless Network Introduction of Mobile Devices First web site Global network Increasing complexity of technology environment results in operational risks

12 #4 Shape the Strategy

13 Identify a Security Framework Security frameworks provide a blueprint for Building security programs Managing risk Communicating about security Many frameworks share common security concepts Examples include ISO Series ISMS requirements Code of practice Implementation guidance Measurement Risk management COBIT ENISA Evaluation Framework NIST Cybersecurity Framework 13

14 NIST Cybersecurity Framework Identify Protect Detect Respond Recover Composed of three parts Core, Implementation Tiers, Profiles Defines a common language for managing security risk Core has five Functions that provide a high-level, strategic view of the security life cycle Helps organizations ask: What are we doing today? How are we doing? Where do we want to go? When do we want to get there? 14

15 Maturity Comparison Example Identify Protect Detect Respond Current state Target state Recover Lagging Industry Leadin g 15

16 #5 Don t Show Me the Money

17 Establish a Vision Stakeholders don t value expertise They value results By understanding what they value We can learn to innovate with the business The best way to predict the future is to invent it. - Alan Kay 17

18 Mapping to Strategic Objectives Financial/Stewar dship Lower costs Increased profitability Increased revenue Customer/Stakeh older Improved compliance & regulatory Lower wait times Improved satisfaction Internal Business Process Improved availability & resiliency Increase process efficiency Lower cycle times Business innovation/new product support Organizational Capacity or Security Capability Improved knowledge & skills Improved tools & technology 18

19 Translating Security Vision & Strategy Financial/Stew ardship How much does security cost to operate? Security budget as a % of IT Budget including CAPEX, OPEX Lower costs, increased revenue, increased profitability How incidents financially impact your company Direct loss (e.g. IP, customer lists, trade secrets, loss or destruction of assets) Cost of downtime (e.g. refunds, or failed transactions) Cost of containment, recovery, and restitution Customer/Stak eholder Internal Business Process Improved compliance & regulatory (e.g. security controls of impacted systems and reporting capability) Lower wait times (e.g. meeting SLAs on evidence to HR/Legal, and on-time, on-budget delivery of projects) Improved satisfaction (e.g. responsiveness in time to remediate incidents on customer facing sites) Improved availability & resiliency (e.g. time to detect, respond, remediate outages caused by incidents) Increased process efficiency (e.g. time to remove unauthorized devices from the network) Lower cycle times (e.g. response time for customer facing security activities) Business innovation/new product support (e.g. response time for security assessments) Security Capability Improved knowledge & skills (e.g. security awareness training completion rate and/or phishing results) Improved tools & technology (e.g. false positive trends on customer visible security controls such as encryption) 19

20 #6 Deliver the Deal

21 Build Your Business Case As a manager and leader you are expected to Understand the vision and mission of the company Make security understandable to business leaders Don t just ask for the money Sell the vision and how you will solve business problems Let the case speak for itself Allow decision makers to come to their own conclusion Outline three options with various pros and cons Let them pick one 21

22 Provide Options Highlight trade-offs with business value, risk reduction, cost Option A Option B Option C Business value Risk reduction Cost $ $$ $$$ 22

23 #7 Invest in Individuals

24 Putting Leadership Into Perspective Boss Manager Leader Drives people Manages things Coach, mentors and grows people Thinks short term Thinks mid term Things long term Focused on self Focused on process Focused on people Instills fear Earns respect Generates enthusiasm Says I Says Our Says We Micromanages Delegates Motivates Places blame on roadblocks Navigates roadblocks Removes roadblocks Dictates how it s done Shows how it s done Influences how it s done Takes credit Shares credit Gives credit Commands Asks Influences Says Go Says let s go Says way to go 24

25 The Three Es of Learning Education 10% Exposure 20% Experience 70% Training Course Leadership programs Professional Conferences Online Resources Online Learning Career Education Reading Peer Learning Formal Education Increase your perspective Showcase your sills Peer Networking Career Counseling Networking workshops Informal Interviews Shadowing Use a buddy Mentor Cross-functional project Stretch task Special assignment Leadership challenge Deliver a presentation Expanding skills Teach/Coach Best practice Special initiative Special project 25

26 Career Management P.I.E. Everyone should have a piece of the P.I.E. Performance Perform exceptionally well Image Cultivate the proper image Exposure Manage their exposure so the right people will know them 26

27 Marissa Mayer on Sponsorship Work for someone who believes in you, because when they believe in you, they ll invest in you. - Marissa Mayer 27

28 #8 Make Metrics Matter

29 Metrics Hierarchy Focus & actions increase as you move up the pyramid Volume of information increases as you move down the pyramid Strategic Operational Focus Strategic Objectives Focus Analysis & Trends Type KPIs Type Metrics Implementation Balanced Scorecard Implementation Security Dashboard Technical Focus Data Type Measures Implementation Charts & Graphs 29

30 Millions Hours Security Dashboard Example # Authorized/unauthorized devices on the network Avg. time to remove unauthorized devices from the network Application Scanning Coverage 35,000 30,000 25,000 20,000 15,000 10,000 5,000 - Q1 Q2 Q3 Q4 #, Authorized Devices #,Unauthorized Devices Total Q1 Q2 Q3 Q4 Avg. time to remediate (hours) Upper Control Limit (hours) Lower Control Limit (hours) 3,000 2,500 2,000 1,500 1, Q1 Q2 Q3 Q4 Scanned Not Scanned Total Security Budget Allocation % of Products Delivered On Time and On Budget Developers Trained in Secure Coding $3 $3 $2 $2 $1 Training Services Products Budget 100% 50% Actual Upper 95% 100% 80% 60% 40% % Developers Not trained % Devolopers trained Lower 75% $1 $0 Q1 Q2 Q3 Q4 Actuals 0% Q1 Q2 Q3 Q4 Lower 55% 20% 0% Q1 Q2 Q3 Q4 Upper 95% 30

31 Balanced Scorecard Example Financial/Stewardship Customer / Stakeholder Internal Business Process Q4 % Product Development Budget Allocated to Security Target 5% Trend Increased support for legal as they piloted their case management system Q4 % of Products Delivered On Time and On Budget Target 95% Trend 18% increase over Q3 in on-time and on budget delivery. Security staffed temporary PMO team to meet goal Q4 % of Developers Training in Secure Coding Principles Target 95% Trend 5% 95% 97% 100% of flagship application developers completed training reducing overall risk to organization Q4 & YTD Security Budget Allocation Q1 Q2 Q3 Q4 Products $575,000 $597,000 $425,000 $732,000 Services $1,590,000 $1,320,000 $1,190,000 $1,090,000 Training $326,000 $315,000 $427,000 $301,000 Actuals $2,491,000 $2,232,000 $2,042,000 $2,123,000 Budget $2,190,000 $2,211,900 $2,234,019 $2,256,359 $ Variance -$301,000 -$20,100 $192,019 $133,359 YTD Target 90% Trend Customer Satisfaction 8% increase over Q3 in customer satisfaction rating of 4 or higher out of 5 possible Q4 % of Developers Attaining Certification Target 95% Trend 85% 42% Mitigation plan: Follow-up with developers after training is complete for certification 31

32 Balanced Scorecard Example Security Capability Status Trend Highlights Identify: Manage risk to systems, assets, data, and capabilities Yellow 32% increase in unauthorized devices 29% IT 3 % HR 27% increase in unauthorized software Attributed to Q4 BYOD pilot Protect: Ensure delivery of critical infrastructure services Green 12% of users failed sponsored phishing tests 15% of employees have not passed security awareness assessments Detect: Identify occurrence of a cybersecurity event Green 27% decrease in elevated access accounts 275 total elevated access accounts Respond: Take action regarding a detected cybersecurity event Green 5% of database systems with sensitive information have not been scanned by vulnerability scanners Recover: Maintain plans for resilience and to restore any capabilities or services that were impaired due to cybersecurity event Red 34% of systems not enabled with up to date antimalware Attributed to Q4 BYOD pilot 32

33 #9 Master Your Message

34 Filters to Communication Physical and psychological barriers can stop the flow of communication Culture, background, and bias Allowing past experience to change the meaning of the message Ourselves Focusing on self rather than the other person can lead to confusion and/or conflict Defensiveness, superiority, and ego Perception Barriers such as poor language skills, a persons status, etc. Stress Psychological frame of reference at the given moment 34

35 Example #1: Bad Exec Communication (DMARC) DMARC is an validation system designed to detect spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators and that the (including attachments) has not been modified during transport. It expands on two existing mechanisms, the well-known Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), coordinating their results on the alignment of the domain in the From: header field, which is often visible to end users. It allows specification of policies (the procedures for handling incoming mail based on the combined results) and provides for reporting of actions performed under those policies. Source: 35

36 Example #1: Better Exec Communication (DMARC) The solution prevents scammers from sending fraudulent to our customers. These fraudulent s result in stolen usernames, passwords, and fraudulent transactions. The solution reduces the number of stolen accounts by 20%, account fraud by 10%, and the total amount of fraudulent transactions by $1 million per year. 36

37 Example #2: Bad Exec Communication (DDoS) DDoS is an attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system causing a Distributed Denial of Service (DDoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack. The DDoS attack uses multiple computers and Internet connections to flood the targeted resource. DDoS attacks are often global attacks, distributed via botnets. Source: 37

38 Example #2: Better Exec Communication (DDoS) All web sites are up and operational after an traffic flood attack on Friday night. Our primary web site was unavailable for two minutes because it was flooded with traffic from the Internet by cyber attackers. We immediately instituted our incident response and recovery procedures and the web site was made available with zero customer impact. 38

39 Simplify Your Message 39

40 #10 Solve Business Problems

41 Evolution of Security Leadership Old School New School IT Security IT Security Risk Management Technology Focus Regulatory, Compliance, Legal, Privacy Business Savvy Business Focus Graphic credit: 41

42 Ten Tenets of Security Success #1 Create Credibility #6 Deliver the Deal #2 Catch the Culture #7 Invest in Individuals #3 Relate to Risk #8 Make Metrics Matter #4 Shape the Strategy #9 Master Your Message #5 Don t Show Me the Money #1 0 Solve Business Problems 42

43 Thank You! Frank Presentation based on: MGT514: IT Security Strategic Planning, Policy, and Leadership

44