Bryan Littlefair - Virus Bulletin

Bryan Littlefair, Chief Information Security Officer, Vodafone Group

Transcript of Bryan Littlefair - Virus Bulletin

Page 1: Bryan Littlefair - Virus Bulletin

Bryan Littlefair

Chief Information Security Officer, Vodafone Group

Page 2

Presentation Themes

• How do you secure your organisation, what strategy should you have in place
• The CISO's role in your organisation going forward
• Leadership strategies for your security function that support your business
• The Security Program within Vodafone and some of the successes we have had

My objectives for today

• I run technology / information security for one of the world's biggest organisations and brands

• I want to share some of the strategies and programs that have worked for me

• Explain how we have turned security into a support function and a revenue stream

• Share knowledge and experience that will hopefully echo with you in your roles

Page 4

What does a CISO do for the business?

Manage programs

• Centrally manage all Information, IT and Network security risk and compliance initiatives
• Drive security transformation activities – standardisation, simplification and harmonisation
• Drive security awareness and business continuity programs
• Manage elements of the risk management function

Manage operations

• Ensure effective security solutions are in place
• Manage the 24x7x365 security operations
• Manage IT security incidents and escalations
• Control outsourced / off-shored services and functions
• Develop new security models for new products and services

Manage compliance

• Own the security policies, guidelines and standards
• Own Sarbanes-Oxley compliance
• Own Data Privacy
• Own Payment Card Industry compliance
• Own ISO 27001 compliance

Page 5

But what SHOULD the CISO do for the business?

Yes, risk management, programs, operations, governance and compliance are important… but it's not strategic…

• Become the Security CEO, the champion of security within your organisation
• Become a fully integrated member/advisor of the executive team, regardless of reporting line
• Never commit to what you can't deliver
• Be the 'Tone at the top'
• Balance strategic, tactical, and technical security requirements
• Understand how to make security a competitive differentiator for your business
• Enable Security as a Service
• Get out of the ivory security tower and out into the business, your employees, partners, and customers.
• Drive your vendors – don't be driven!
• Set the research agendas of your vendors, to meet your requirements
• Ensure that you are getting the 'best bang for your buck'
• Don't let them divide and conquer your organisation

Page 6

Defining Security Strategy

• Simple – Protect sensitive data and assets by defence in depth security controls and systems, using a risk-based approach

Page 7

The strategy's set – so how can security support the business?

• FACT – Security enables any business to do more… it opens up new avenues and opportunities
• The security organisation needs to support the business, not block new initiatives
  – Evolving your security function to support new business models – Cloud for example
  – Advising the business on potential risks and proposing solutions, not just problems and risks – become a solutions provider…
  – Don't be a Dr. No… Always say 'Yes… but'
  – Be agile and dynamic, just because something is in the security policy one day doesn't mean it's right the next day…
  – Recognise that your security requirements are trading off against functionality / end user experience, always focus on this and be innovative.

Page 8

Managing your vendors, heading towards a standardised environment

• The security market is commoditising fast
• It's a buyers' market and acquisitions happen daily
• There is still no silver bullet in security
• Everyone is still selling point solutions with their 'world class GUIs'
• In Vodafone we only have one dashboard, one GUI – globally
• It all has to integrate into the Global Security Operations Centre (GSOC)
• Drive your vendors for feature enhancements and solutions that allow you to simplify your network and remove complexity… Complexity is the enemy of security.
• It's not all about technology: the impact of good standardised global processes, policies and guidelines, coupled with an effective awareness program, will far outweigh any technology investment
• Move from a country procurement model to a domain-based approach with enterprise licence agreements rather than local contracts; drive standardisation through effective fiscal control and governance

Page 9

Getting Security embedded into the organisation

• It's all about effective risk management
• Effective risk management means the ability to:
  – Define the top strategic risks for the enterprise
  – Capture all the lower level risks that may impact the top strategic risks
  – Demonstrate all of the mitigations and compensating controls that are in place
  – Present, on a per-risk basis, net and gross risk and potential impact
  – Track risks through the life cycle of the program and into BAU mode
  – Ensure that people who accept risks have the authority to do so - '4 eyes'
  – Define and quantify what your enterprise's risk appetite and exposure is

Page 10

Successful initiatives within VF

• Centralised Security Operations Centre
  – Global Network Security Monitoring
  – Global Security Device Management
  – Centralised incident management and response
  – Centralised security services and scanning
  – Decommissioning of local services, saving a multi-million annual Opex commitment

• Information Security Transformation
  – Moving to a defence in depth approach
  – Large capital investment in security technology
  – Network simplification and re-zoning
  – Standardised policies, procedures and guidelines
  – Simplified compliance journeys
  – Global security accreditation

Page 11

External Recognition shows we are on the right path

European Information Security Team of the Year 2010 - Vodafone

VODAFONE AWARDED FOR EXCELLENCE IN INFORMATION AND DATA SECURITY

Vodafone Essar has become the 1st telecom services operator in India to receive this certification.

Global Telecoms Business has recognized Bryan Littlefair, Global CISO of Vodafone, as one of its esteemed "40 Under 40" executives who will likely "run the telecoms industry in 2020".

Page 12

External Compliance is critical as well

Page 13

In Summary

Ensure you are operating strategically, fight tomorrow's battles, not yesterday's:
  – Operationalise or outsource routine security functions
  – Use converged platforms that adapt to new threats.

Be more aggressive with your vendors:
  – Demand more for less cost, like the rest of IT.
  – Let them know that you are willing to switch vendors
  – Move to a domain model rather than a country model
  – Negotiate enterprise "all you can eat" licenses
  – Demand solutions for virtualized environments.

Change your mind-sets:
  – Security as an adaptive, dynamic system, not rigid silos
  – Protect workflows and information, not individual devices… look end to end
  – Provide managed risk service levels with accurate reporting, not zero risk, you won't get there…