Post on 16-Jan-2017
Winning a Battle Doesn't Mean We Are Winning the War.
Are we doing the best job we can?
Gary Sheehan, CISSP, HISP, CERP, CIS LI
CSO / GRC Services Director
©2016 ASMGi CONFIDENTIAL 2
Practical IT Innovation
#COISWin
Disclaimer: These ideas and concepts you are about to hear are not for the faint of heart and are not your typical solutions. This presentation may force you to make a fundamental change in your approach to implementing security and underlying assumptions about good security practices. After viewing this presentation your thinking about how to build a successful security program may change.
REALITY CHECK HAZARD
Agenda
1. State of the Union
2. Ideas and concepts for improvement
3. Tools
4. Q&A
State of the Union
Ransomware takes Hollywood hospital offline, $3.6M demanded by attackers
State of the Union
There were 736 million records exposed in 2015 due to a record setting 3,930 data breaches.
2016 has only just started, and based on the incidents being reported in the public, data protection is still one of the hardest tasks to master in InfoSec.
CSO Magazine
State of the Union
U.S. Internal Revenue Service (IRS) said it will mail out nearly 700,000 letters to taxpayers who may have had their tax records compromised. Since 2014, at least 724,000 U.S. citizens have had personal and tax records stolen by thieves who hacked a “Get Transcript” feature formerly available on the IRS website.
http://247wallst.com/
State of the Union
Experian - 2016 Data Breach Industry Forecast
• The EMV Chip and PIN liability shift will not stop payment breaches.
• Big healthcare hacks will make the headlines but small breaches will cause the most damage.
• Cyber conflicts between countries will leave consumers and businesses as collateral damage.
• 2016 U.S. presidential candidates and campaigns will be attractive hacking targets.
• Hacktivism will make a comeback in this election year.
Ideas and Concepts For Improvement
• Understand and embrace your role
• Build a business-aware security culture
• Be informed
• Set direction
• Bring coherence
• Develop adaptive capacity
• Strengthen the organization
• Validate and review
• Maturity and measurement
Understand and Embrace Your Role
• What is your current job description?
• What are your responsibilities?
• What do you need to do to enable
  • Business success
  • Stakeholder success
  • Boss success
  • Your success
• How is your success measured?
• How do others in the organization view you?
• How do they view your role?
Build a Business-Aware Security Culture
• Know your current business culture
• Know your customers
• Know your stakeholders
  • Primary
  • Secondary
• Understanding communication & education
• Current reputation
• Sphere of influence
Be Informed
• Understand the overall strategy of the organization
• Know what your organization values
• Know where your data is
• Know who has access to your data
• Identify single points of failure
• Anticipate, identify, monitor and evaluate security trends and potential issues
• Draw upon existing risk management frameworks
• Know your suppliers and vendors
• Identify and learn lessons
Set Direction
• Data governance
• Purpose and vision for information security
• Values of the organization should be integrated into your security plans and strategy
• Clear security priorities – aligned within the organization
• Clear security roles and responsibilities
Bring Coherence
• Ensure security priorities are aligned with operational activities to achieve coherence across the various business processes
• Risk management should be coordinated across the enterprise
• The organization should manage change
• Communicate and share information
• Collaboration realizes mutual benefit
Develop Adaptive Capacity
• Build an ability to identify and respond to change in a timely and effective manner
• Promote innovation
• Enable flexibility and agility
• Disseminate and implement good practice
• Share errors, failures and mistakes openly
• Proactively seek lessons from other organizations
• Train and develop people
Strengthen The Organization
• Ensure security is baked in to everything
• Ensure Incident Response plans are current and tested
• Take actions to protect all business assets - holistically
• Ensure your BCP is current and has been tested
• Encourage broader participation in security and risk management across all business units
Validate and Review
• Audits, assessment, testing and other exercises
• People, Process & Technology
• The organization should verify that it is complying with industry, legal and regulatory obligations
Maturity and Measurement
• Identify a security baseline to determine existing levels of security
• Identify appropriate metrics (business focused)
• Review metrics
• Take action
A basic maturity model can assist in determining to what extent an organization is addressing good practice.
Which Tools are Right For You?
Depends on what tools you need.
Tools
2016 Security trends suggested from a study conducted by a large research consulting firm:
1. Processes, procedures and awareness are essential ingredients for risk mitigation, along with the right technologies
2. There will be a much greater emphasis on intelligence-led security
3. A change in the information security industry
• Cloud Broker
• Cloud Access Security Broker
• Key / Certificate Protection
• Policies / Plans / Processes / Procedures
• Data Discovery
• Asset Management
• Access Controls
• Encryption
• Logging / Monitoring
• Assessment
• Forensic
• Training
Questions / Comments
October 24-28
Download this presentation and extra materials at:
www.asmgi.com/COISWin
#COISWin
Gary Sheehan
CSO / Director of GRC Services
ASMGi
O - 216-255-3056
M - 216-633-8220
gsheehan@asmgi.com
www.asmgi.com