Bryan Littlefair - Virus Bulletin
Bryan Littlefair
Chief Information Security Officer, Vodafone Group
Presentation Themes
• How do you secure your organisation, what strategy should you have in place
• The CISO’s role in your organisation going forward
• Leadership strategies for your security function that support your business
• The Security Program within Vodafone and some of the successes we have had
My objectives for today
• I run technology / information security for one of the world’s biggest organisations and brands
• I want to share some of the strategies and programs that have worked for me
• Explain how we have turned security into a support function and a revenue stream
• Share knowledge and experience that will hopefully echo with you in your roles
What does a CISO do for the business?
Manage Programs
• Centrally manage all Information, IT and Network security risk and compliance initiatives
• Drive security transformation activities – standardisation, simplification and harmonisation
• Drive security awareness and business continuity programs
• Manage elements of the risk management function

Manage Operations
• Ensure effective security solutions are in place
• Manage the 24x7x365 security operations
• Manage IT security incidents and escalations
• Control outsourced / off shored services and functions
• Develop new security models for new products and services

Manage Compliance
• Own the security policies, guidelines and standards
• Own Sarbanes Oxley Compliance
• Own Data Privacy
• Own Payment Card Industry Compliance
• Own ISO27001 compliance
But what SHOULD the CISO do for the business?
Yes, Risk Management, Programs, Operations, Governance and Compliance are important… but it’s not strategic…
• Become the Security CEO, the champion of security within your organisation
• Become a fully integrated member/advisor of the executive team, regardless of reporting line
• Never commit to what you can’t deliver
• Be the ‘Tone at the top’
• Balance strategic, tactical, and technical security requirements
• Understand how to make security a competitive differentiator for your business
• Enable Security as a Service
• Get out of the ivory security tower and out into the business, your employees, partners, and customers.
• Drive your vendors – don’t be driven!
• Set the research agendas of your vendors, to meet your requirements
• Ensure that you are getting the ‘best bang for your buck’
• Don’t let them divide and conquer your organisation
Defining Security Strategy
• Simple – Protect sensitive data and assets by defence in depth security controls and systems, using a risk based approach
The strategy is set – so how can security support the business?
• FACT – Security enables any business to do more… it opens up new avenues and opportunities
• The security organisation needs to support the business, not block new initiatives
 – Evolving your security function to support new business models – Cloud for example
 – Advising the business on potential risks and proposing solutions, not just problems and risks – become a solutions provider…
 – Don’t be a Dr. No… Always say ‘Yes… but’
 – Be agile and dynamic; just because something is in the security policy one day doesn’t mean it’s right the next day.
 – Recognise that your security requirements are trading off against functionality / end user experience; always focus on this and be innovative.
Managing your vendors, heading towards a standardised environment
• The security market is commoditising fast
• It’s a buyers’ market and acquisitions happen daily
• There is still no silver bullet in security
• Everyone is still selling point solutions with their ‘world class GUIs’
• In Vodafone we only have one dashboard, one GUI – globally
• It all has to integrate into the Global Security Operations Centre (GSOC)
• Drive your vendors for feature enhancements and solutions that allow you to simplify your network and remove complexity… Complexity is the enemy of security.
• It’s not all about technology: the impact of good standardised global processes, policies and guidelines, coupled with an effective awareness program, will far outweigh any technology investment
• Move from a country procurement model to a domain based approach with enterprise licence agreements rather than local contracts; drive standardisation through effective fiscal control and governance
Getting Security embedded into the organisation
• It’s all about effective risk management
• Effective risk management means the ability to:
 – Define the top strategic risks for the enterprise
 – Capture all the lower level risks that may impact the top strategic risks
 – Demonstrate all of the mitigations and compensating controls that are in place
 – Present, on a per risk basis, net and gross risk and potential impact
 – Track risks through the life cycle of the program and into BAU mode
 – Ensure that people who accept risks have the authority to do so – ‘4 eyes’
 – Define and quantify what your enterprise’s risk appetite and exposure is
Successful initiatives within VF
• Centralised Security Operations Centre
 – Global Network Security Monitoring
 – Global Security Device Management
 – Centralised incident management and response
 – Centralised security services and scanning
 – Decommissioning of local services, saving multi-million annual Opex commitment
• Information Security Transformation
 – Moving to a defence in depth approach
 – Large capital investment in security technology
 – Network simplification and re-zoning
 – Standardised policies, procedures and guidelines
 – Simplified compliance journeys
 – Global security accreditation
External Recognition shows we are on the right path
European Information Security Team of the Year 2010 - Vodafone
VODAFONE AWARDED FOR EXCELLENCE IN INFORMATION AND DATA SECURITY
Vodafone Essar has become the 1st telecom services operator in India to receive this certification.
Global Telecoms Business has recognized Bryan Littlefair, Global CISO of Vodafone, as one of its esteemed "40 Under 40" executives who will likely "run the telecoms industry in 2020".
External Compliance is critical as well
In Summary
Ensure you are operating strategically, fight tomorrow’s battles, not yesterday’s:
• Operationalise or outsource routine security functions
• Use converged platforms that adapt to new threats.
Be more aggressive with your vendors:
• Demand more for less cost, like the rest of IT.
• Let them know that you are willing to switch vendors
• Move to a domain model rather than a country model
• Negotiate enterprise “all you can eat” licenses
• Demand solutions for virtualized environments.
Change your mind-sets:
• Security as an adaptive, dynamic system, not rigid silos
• Protect workflows and information, not individual devices… look end to end
• Provide managed risk service levels with accurate reporting, not zero risk; you won’t get there…