Implementing Business Aligned Security Strategy Dane Warren Li

Post on 19-Oct-2014


This was presented at the AISA national seminar day. It is a helicopter view on how to implement a security strategy that is aligned with the business.


Implementing a Business Aligned InfoSec Strategy

Dane Warren – Head of Information Security and Risk

Overview

• Strategic and business planning

• Aligning a security strategy with the business

• Using organisational change to deliver the strategy

X-Corp

• ~1 Billion in Revenue – fast growth (2X Industry CAGR)

• ~ 5000 employees

• Marketing focus

• Sells widgets to consumers

• Wants to grow market and revenue share through differentiation and customer service – customer intimacy

• Needs to improve EBITDA and ROCE – operational efficiency

• No confidence in the security program – legacy issues

1. LISTENING: You need to engage stakeholders, at all levels, to understand the situation.

• Identify key people

• Take them out for a coffee

• Identify constraints

• Draft your plan based on the outcome of these sessions

2. PLANNING: Your security program will need to have a mission, vision and values that are security related and aligned to the business.

[Strategic planning diagram: Market, Core Values, Vision, Mission feed into Strategic Planning]

2. PLANNING: When looking at your security strategy, consider how you can provide business opportunities

How do we add value?

How do we make money?

How do we save money?

Competitors?

3. CONTEXTUALISING: Create a burning platform - a need to change - that will catalyse the paradigm shift.

• Industry requirements (PCI-DSS)

• New legislation (Privacy, SOX)

• Contract requirements (ISO 17799)

• Negative audit results

3. CONTEXTUALISING: Demonstrate to senior leadership that there are risks. Communicate these risks in a consistent manner.

Risk rating matrix (Impact down the side, Likelihood across the top; L = Low, M = Medium, H = High, VH = Very High):

Impact \ Likelihood   Rare   Unlikely   Possible   Likely   Almost Certain
Severe                M      H          H          VH       VH
Major                 M      M          H          H        VH
Moderate              L      M          H          H        H
Minor                 L      L          M          M        H
Negligible            L      L          M          M        H

Impact is a business assessment; likelihood is a technical assessment.

3. CONTEXTUALISING: Assign ownership of risk to the right people. Manage, track and report.

Business Owner

What are you doing about the risk?

What is the current status?

4. GOVERNANCE: Create a guiding coalition that will help to drive the change. Identify key decision types and assign ownership of those decisions through this guiding coalition.

5. COMMUNICATE: Leverage the security governance board to deliver a message to the organisation about how important security is.

• Get the CEO to send out an email – leverage the guiding coalition and exploit those relationships

• Hold briefing sessions with senior management

• Use internal communications to publish security memos

5. COMMUNICATE: Build an Information Security education program that is based on best practice with a focus on key risk areas

• Communicate relevant policies and standards

• Conduct security awareness games

• Be the face of security for all new hires

• Leverage existing organisational training opportunities

6. DELEGATE: Break the program down and assign it to the relevant senior managers and line managers.

• Create a culture of security

• Let the people within the organisation own the risks and treatment strategies

• Look for opportunities in new projects

7. QUICK WIN: Even with a big program there are opportunities to improve risk quickly

• Identify quick win situations through stakeholder engagement and enterprise risk register

• Identify ‘hot’ audit issues that can be addressed with minimal effort – processes and standards

• Build a reporting framework that tracks progress – use the right metrics

8. DON’T STOP: Never declare the program over before it is.

• Review your program and your metrics to determine the % complete

• Picture the organisation without you – can this progress continue?

• Discuss performance criteria with HR and look to integrate security into the performance appraisal processes

9. RE-FREEZE: Once the change has been implemented, lock it in!

• Education is in place

• Performance appraisals have a security component

• Security / Risk Aware culture is in place

• Succession planning is in place

Questions … ?

… lead the change.