Ciso executive forum 2013
Transcript of Ciso executive forum 2013
CISO Survival In The Real World
Bill Burns, Director, Information Security
ISSA CISO Executive Forum, Feb 24, 2013
“Thrive”, not Survive
• Context
• A few contributions
• Future Bets & Areas of Focus
Future Bets 2015: Forcing Functions
• Social + Mobility + Cloud
• Traditional Controls Are Lacking
• Analytics
Netflix Business
• World’s largest TV network
• 33 million members in 40 countries
• Over a billion hours streamed per month
• Supported on 1000+ device types
• 1/3 of evening Internet traffic
(c) 2011 Sandvine
Our Culture
• High Performance, Engineering-Focused
• Fail Fast, Learn Fast ... Get Results
• Data- and Metrics-Driven
• Take Smart Risks
• Some core values:
  • “Freedom & Responsibility”
  • “Loosely-Coupled, Highly-Aligned”
  • “Context not control”
Today: DataCenters & Cloud
• Tooling
• Risk Assessments, Treatments
• Business Processes
• ~99% Cloud-based today
• Goal: Pure-Cloud Streaming
Cloud: On-Demand Capacity
1. Demand: Typical pattern of customer requests rise & fall over time
2. Reaction: System automatically adds, removes servers to the application pool
3. Result: Overall utilization stays constant
[Chart: (1) Demand, (2) # Servers, (3) Utilization, plotted over time]
The Netflix Simian Army
• Striving for continuous testing, monitoring
• Identify and test common failure modes
• Automation everywhere to manage risk
• Chaos Monkey - Kills instances at random
• Chaos Gorilla - Evacuates entire data centers
• Chaos Kong - Evacuates entire regions
• Janitor Monkey – Ensures a clean inventory
• Security Monkey – Various security checks
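An added example, not Netflix's Security Monkey code, of the kind of "various security checks" the last bullet refers to: a small, re-runnable check over a cloud account's security-group ingress rules that flags ports open to the whole Internet and reports which findings are new or fixed since the previous run, which is what makes such a check usable for continuous monitoring rather than a one-off audit. The sensitive-port policy, the group names and the two inventory snapshots are constructed for the example.

```python
"""Security-check example in the spirit of the Simian Army slide.

Added illustration, not Netflix code.  Everything below (ports, group
names, snapshots) is constructed; a real check would pull the rules
from the cloud provider's API.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed policy: ports that must never be reachable from 0.0.0.0/0 or ::/0.
SENSITIVE_PORTS = {22: "ssh", 3306: "mysql", 3389: "rdp", 5432: "postgres", 6379: "redis"}


@dataclass(frozen=True)
class IngressRule:
    group: str       # security group the rule belongs to
    cidr: str        # source CIDR allowed in
    from_port: int   # inclusive port range
    to_port: int


def is_world_open(cidr: str) -> bool:
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ip_network(cidr, strict=False).prefixlen == 0


def find_exposed_ports(rules):
    """Return sorted (group, port, service) findings for world-open sensitive ports."""
    findings = set()
    for rule in rules:
        if not is_world_open(rule.cidr):
            continue
        for port, service in SENSITIVE_PORTS.items():
            if rule.from_port <= port <= rule.to_port:
                findings.add((rule.group, port, service))
    return sorted(findings)


def diff_findings(previous, current):
    """Split the current findings into (new, fixed) relative to the previous run."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


# Constructed inventory: two snapshots of the same account, taken a day apart.
SNAPSHOT_T0 = [
    IngressRule("sg-web", "0.0.0.0/0", 443, 443),
    IngressRule("sg-web", "10.0.0.0/8", 22, 22),
    IngressRule("sg-db", "0.0.0.0/0", 3306, 3306),
]
SNAPSHOT_T1 = [
    IngressRule("sg-web", "0.0.0.0/0", 443, 443),
    IngressRule("sg-web", "0.0.0.0/0", 0, 65535),   # someone opened everything
    IngressRule("sg-db", "10.0.0.0/8", 3306, 3306),  # the database rule was fixed
]


def run_check(previous_snapshot, current_snapshot):
    """One scheduled run: evaluate the current inventory and diff against the last run."""
    before = find_exposed_ports(previous_snapshot)
    after = find_exposed_ports(current_snapshot)
    new, fixed = diff_findings(before, after)
    return {"open": after, "new": new, "fixed": fixed}


if __name__ == "__main__":
    report = run_check(SNAPSHOT_T0, SNAPSHOT_T1)
    for key in ("open", "new", "fixed"):
        print(key)
        for group, port, service in report[key]:
            print(f"  {group}: {service} ({port}) reachable from the Internet")
```

Flagging only new findings keeps the alert volume proportional to change, which is the property a check needs before it can run on every deployment.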
InfoSec Challenge in an IaaS Cloud :: Confidentiality/Possession
Key Management :: HSMs
• Motivation:
• Decouple DC and Cloud
• Trust our Cloud more fully
• Others probably want this too
• Challenges:
• Need crypto keys near the Cloud
• HSMs are in the data center
• Can’t entirely trust our CSP
• Solution:
• A real HSM: FIPS 140-2 certified hardware
• Keys stay in hardware
• “HSM as a Service”
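The "keys stay in hardware" point, as an added example that is not Netflix's code: envelope encryption against a simulated HSM. The `SimulatedHsm` class stands in for a FIPS 140-2 device reached over an API ("HSM as a Service"); the cloud-side application never receives the master key, only an opaque handle plus wrapped data keys, and it must call back to the HSM to unwrap before it can decrypt anything. Real HSMs wrap with AES key wrap or AES-GCM; to run with the standard library alone this simulation uses an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC), so the cipher is a stand-in while the trust boundary is the point.

```python
"""Envelope encryption with an HSM boundary (added example, not Netflix code).

The cipher is a simulation: HMAC-SHA256 counter-mode keystream plus an
HMAC tag.  A real deployment would wrap with AES key wrap or AES-GCM in
certified hardware; what this shows is which side of the boundary holds
which key.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based counter-mode keystream: HMAC-SHA256(key, nonce || counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SimulatedHsm:
    """Stand-in for a network-reachable HSM: master keys never leave this object."""

    def __init__(self):
        self._keys = {}  # handle -> master key material (inside the "hardware")

    def create_master_key(self, label: str) -> str:
        handle = f"hsm-key-{label}"
        self._keys[handle] = os.urandom(32)
        return handle  # the application only ever gets the handle

    def wrap(self, handle: str, data_key: bytes) -> bytes:
        """Encrypt-then-MAC a data key under the master key; returns nonce||ct||tag."""
        mk = self._keys[handle]
        nonce = os.urandom(16)
        ct = xor(data_key, keystream(mk, nonce, len(data_key)))
        tag = hmac.new(mk, b"wrap" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unwrap(self, handle: str, blob: bytes) -> bytes:
        """Verify the tag first; a tampered blob is rejected before any unwrapping."""
        mk = self._keys[handle]
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(mk, b"wrap" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrapped key failed integrity check")
        return xor(ct, keystream(mk, nonce, len(ct)))


class CloudApplication:
    """Runs in the cloud: stores only wrapped data keys and ciphertext."""

    def __init__(self, hsm: SimulatedHsm, handle: str):
        self.hsm, self.handle = hsm, handle

    def encrypt(self, plaintext: bytes) -> dict:
        data_key = os.urandom(32)  # fresh per record; lives only for this call
        nonce = os.urandom(16)
        ct = xor(plaintext, keystream(data_key, nonce, len(plaintext)))
        tag = hmac.new(data_key, nonce + ct, hashlib.sha256).digest()
        return {"wrapped_key": self.hsm.wrap(self.handle, data_key),
                "nonce": nonce, "ct": ct, "tag": tag}

    def decrypt(self, record: dict) -> bytes:
        data_key = self.hsm.unwrap(self.handle, record["wrapped_key"])
        expected = hmac.new(data_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(record["tag"], expected):
            raise ValueError("ciphertext failed integrity check")
        return xor(record["ct"], keystream(data_key, record["nonce"], len(record["ct"])))


def tamper_is_detected() -> bool:
    """Flip one bit of a stored wrapped key; the HSM must refuse to unwrap it."""
    hsm = SimulatedHsm()
    app = CloudApplication(hsm, hsm.create_master_key("demo"))
    record = app.encrypt(b"customer watch history")
    wrapped = record["wrapped_key"]
    bad = dict(record, wrapped_key=bytes([wrapped[0] ^ 1]) + wrapped[1:])
    try:
        app.decrypt(bad)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hsm = SimulatedHsm()
    app = CloudApplication(hsm, hsm.create_master_key("streaming-prod"))
    rec = app.encrypt(b"customer watch history")
    print(app.decrypt(rec), "tamper detected:", tamper_is_detected())
```

Because every decrypt goes through `unwrap`, revoking or rotating the master key at the HSM cuts off access to all data keys at once, and the HSM's audit log records each use; that is the leverage a "real HSM" gives over keys copied into cloud instances.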
Security: Thriving in an Agile Enterprise
Future Bets 2015: Org Demands
• Fluid, Virtual Teams of specialists / specialties
• Dynamically form & dissolve to address opportunities, challenges
• Emphasis on collaboration, roaming
• Analytic, data-driven
Future Bets 2015: Team Dynamics, Skills
• Teams will
  • Be Risk/Security Advisors, coaches, business analysts
  • Speak their language
• Skill sets will become
  • Less: people clicking on GUIs
  • More: analytics, automation, gluing systems together (APIs)
SaaS: In use Today? Next Year?
1. Email/chat/calendar
2. File Storage/backups
3. Service Ticketing
4. On-call paging
5. Log management
6. Authentication/IAM
7. App vulnerability scanning
8. Risk management
9. HRIS, ERM
10. Source code repository
11. Blogs, websites
12. Doc collaboration
13. Risk assessments
14. Encryption / key management
15. Data analytics/BI/DSE
16. Project Management
17. SIEM
18. VPN
19. MDM
20. Anti-Virus/Anti-malware
Future Bets 2015: Data, Application Security
• Business Forcing Function: Third-party cloud apps will innovate faster than your IT department can
• Cloud/SaaS will be IT tools, not competitors
• Data will be encrypted automatically off-network, off-device
• Automated, continuous assessments of your controls
Future Bets 2015: Device Security
• All-wireless office, Gigabit Wireless
• Smartphone building badges
• MDM layers: managed VPN, device- and app-wrapping
Future Bets 2015: Network Security
• You will be breached – Not “if” but “when”
• How fast can you respond, contain?
• Mix of trust: corporate, vendor, employee-owned devices
• Verify every device, user
Future Bets 2015: Automated protection
• We will no longer talk about BYO[everything]
• Zero-Trust / NAC will be common
• Networks will dynamically quarantine, inspect, test
• Large-scale event correlation, analytics => reaction
Future Bets 2015: What about the users?
• Awareness Training will
  • Be automated
  • Be context-relevant, bite-sized
  • Phish your employees before they do!
  • Actively test for vulnerabilities, quarantine
  • Gamify (“peer pressure”) on compliance, activity
  • Be developed collaboratively
Future Bets: Areas of Focus Today
The future is already here - it's just not evenly distributed. —William Gibson
The best way to predict the future is to invent it. – Alan Kay
Future Bets 2015: Targeted Training
Future Bets 2015: Security Analytics
[Chart: sample data]
Future Bets 2015: Security Analytics
Security Control A/B Testing
[Chart: sample data]
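The closing slide names security control A/B testing but only shows sample data, so here is an added example (not from the deck) of the arithmetic behind it, tying together the "Data- and Metrics-Driven" value and the "Phish your employees before they do" bullet: two groups of staff receive different awareness-training controls, each group gets the same simulated phishing campaign, and a two-proportion z-test decides whether the observed difference in click rate is more than noise. All counts are constructed; the second scenario is deliberately too small to show why a difference you can see is not yet a difference you can act on.

```python
"""Security control A/B test on phishing click rates (added example, not deck content).

Group A keeps the existing control (annual generic training); group B gets
the candidate control (targeted, bite-sized training).  Lower click rate
is better.  Counts below are constructed.
"""
import math


def two_proportion_ztest(clicks_a: int, n_a: int, clicks_b: int, n_b: int) -> dict:
    """Two-sided test of H0: the two groups click at the same rate."""
    rate_a, rate_b = clicks_a / n_a, clicks_b / n_b
    pooled = (clicks_a + clicks_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    if se == 0:  # nobody (or everybody) clicked in both groups: nothing to compare
        return {"rate_a": rate_a, "rate_b": rate_b, "z": 0.0, "p_value": 1.0}
    z = (rate_a - rate_b) / se
    p_value = math.erfc(abs(z) / math.sqrt(2))  # P(|Z| > |z|) for a standard normal
    return {"rate_a": rate_a, "rate_b": rate_b, "z": z, "p_value": p_value}


def decide(result: dict, alpha: float = 0.05) -> str:
    """Turn the test into an operational decision about the candidate control."""
    if result["p_value"] >= alpha:
        return "inconclusive"  # keep measuring or enlarge the groups
    return "adopt B" if result["rate_b"] < result["rate_a"] else "keep A"


def relative_reduction(result: dict) -> float:
    """Fraction by which the candidate control lowered the click rate."""
    if result["rate_a"] == 0:
        return 0.0
    return (result["rate_a"] - result["rate_b"]) / result["rate_a"]


# Constructed campaign results.
LARGE = dict(clicks_a=60, n_a=400, clicks_b=32, n_b=400)   # 15% vs 8%
SMALL = dict(clicks_a=20, n_a=100, clicks_b=15, n_b=100)   # 20% vs 15%

if __name__ == "__main__":
    for name, data in (("large campaign", LARGE), ("small campaign", SMALL)):
        r = two_proportion_ztest(**data)
        print(f"{name}: A={r['rate_a']:.1%} B={r['rate_b']:.1%} "
              f"z={r['z']:.2f} p={r['p_value']:.3f} -> {decide(r)} "
              f"(reduction {relative_reduction(r):.0%})")
```

The small campaign shows a 5-point drop that looks like a win on a dashboard yet has roughly a one-in-three chance of arising with no real difference at all; sizing the groups before the campaign is what lets the test answer the question.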