Page 1

braking bad: positioning information security to drive innovation and transformation in the digital age

richard addiscott | director IT planning, governance & security SUMMIT 2016 | PERTH

Page 2

agenda

• Context

• The business digital ecosystem and Information security

• Legacy perceptions about security and some thoughts on how we can try to break them…

• Positioning information security to drive innovation and transformation in the digital age


Page 3

3 caveats before we start…

I don’t have all the answers – but what I do have, I give to you today…

The below is a work in progress for me – still plenty of work to do at Curtin

My first principle for information security is that…

CONTEXT IS KING!

Page 4

my context


Notable research initiatives

WA’s largest University - ~60,000 enrolled students

Australia’s 7th largest University by student number

>4,000 staff

Revenue >$.9B in 2015 in a national sector generating $30B annually

38 schools across 5 teaching areas

>60 different research bodies across 4 faculties

Page 5

environment characteristics (not unique to Curtin)

Varying degrees of security wherewithal (but it’s improving)

Centralised IT, but shadow/grey IT, ghost-ware persists

Presently, no Uni-wide mandate for security visibility or oversight

Limited understanding of information asset value

Security previously seen as tactical, reactive, and compliance-driven

Information risks seen as an IT or records management problem

Sound, but intuitive IT security practices

Pervasive [academic] cultural paradigm is to share information

Page 6

the digital context and information security


richard addiscott director IT planning, governance & security | curtin university

Page 7

information security leaders need to recognise…

Digitisation is not going away any time soon…

87% report that Digitisation is a priority for their company

67% believe their company must become significantly more digitised to remain competitive

80% believe digitisation is a long term transformation, not a fad

66% believe that a recession won’t slow the pace of digitisation

78% actively promote digitisation in their companies

Source: CEB 2016 Digitization Enterprise Survey

Page 8

information security and change?

Pace of change will vary… as will reactions to that change…

Today, the information security team’s effectiveness (and therefore its VALUE) depends on its ability to demonstrably deal with and adapt to pervasive, ongoing digital change…

Page 9

information security and change?

• Information security leaders need to ask themselves:

o What type of information security service do I want to build and deliver?

o What’s the perception my information security team has of its role today?

o How do my stakeholders perceive us as an information security function?

o Again, context matters…

CHANGE AGENT

Page 10

breaking perceptions

Page 11

some legacy perceptions…

“Security is too hard to engage with… they talk techie…”

“Meh… That’s IT’s problem… they’ll figure it out… someday”

“They just don’t understand my business”

“Yeah… nah, they’re just the compliance police”

Page 12

breaking perceptions

Recognise two critical things…

That you can’t do it all – identifying internal and external opportunities for symbiotic collaboration is key…

It won’t happen overnight – it will require sustained effort and leadership

Page 13

positioning information security

Page 14

positioning information security

• Build alignment between the business and security

• Build & embed bi-directional security awareness

• Build and maintain a baseline level of information security capability maturity

• Adopt a risk-driven, rather than compliance-focused, approach to information security decision making…


Page 15

building alignment

• Defining and documenting a strategic vision, mission and strategic roadmap aligned to business objectives is vital to breaking down legacy perceptions and gaining buy-in with the Executive…

• Must be written in business-centric language that clearly demonstrates an understanding of the enterprise’s strategic objectives;

• Identifies critical gaps and security challenges that must be met in a risk-informed manner to generate and deliver maximum business value;

• Details how security will enhance the business’ ability to exploit known and emerging opportunities in the digital ecosystem to drive innovation and transformation.

ENTERPRISE STRATEGY

INFORMATION SECURITY STRATEGY

Page 16

building awareness

Diagram, security awareness maturity levels: Non-existent; Compliance-focused; Promoting Awareness & Behaviour Change; Long-Term Sustainment & Culture Change; Metrics Framework

• Security awareness training typically done to meet compliance requirements and focuses on basic security principles for system users

• SALE vs SAT…

• Combined Push and Pull approach

• Security and risk wherewithal and culture must be built across multiple groups:

o Users (staff, students and researchers);

o Technical staff; and

o Enterprise services leaders


Diagram courtesy of SANS Institute

Page 17

building awareness

• Awareness is bi-directional - not just about the ‘user’!

• The information security team needs to be ‘aware’ of:

o the business’ strategic drivers and objectives; and

o how achieving those objectives creates business value; and

o then focus on identifying and managing critical risks to that value.

• Critical to develop a “coalition of the willing” across the organisation

o those who understand and see the business benefits of your mission; and

o have the ability (and proactively seek) to influence other key stakeholders.

Page 18

building ‘awareness’ @curtin

• Dedicated internal Information Security Advisory Services established (softly) in Q3 2015, delivering pragmatic, risk-appropriate, and business-enabling information security and risk advice…

• Full launch scheduled for June 2016; the intent is to become a highly visible and available ‘pull’ awareness mechanism to help embed security into IT capability acquisition from the ground up

• However, capability and capacity are currently limited to providing GRC advisory services (threat and risk assessments, PIAs, threat modelling etc.)

• Information Security Services Panel established March 2016 to supplement & augment internal Security Advisory capabilities

Page 19

build capability maturity

• Achieving a ‘defined’ capability maturity rating is the baseline level required to gain traction and build trust in the information security function;

• If not “defined”, then it’s likely information security hygiene practices are not standardised or applied consistently;


• Capability maturity gaps = increased vulnerability to security threats

• Likely expectation from the Executive is to prioritise plugging gaps before investing time surfacing enabling initiatives!

Chart, CAPABILITY MATURITY LEVELS over TIME: 1 – Initial; 2 – Repeatable/Managed; 3 – Defined; 4 – Managed; 5 – Optimised

Page 20

curtin’s information security roadmap 2016-2018

CYBER RESILIENCE

GOVERNANCE

AWARENESS & CULTURE

• information security management system

• policies, procedures, standards & guidelines

• security governance framework

• classification and handling guidance

• information security risk management framework

• annual assurance program

• strategy & roadmap

• security advisory service

• information security services panel

• SALE (users, technical staff, service owners)

• student & researcher security awareness campaigns

• embedding secure systems development skills

• ongoing communications framework

• roles and responsibilities

• strengthening security monitoring & log management

• email advanced persistent threat protection

• security architecture framework

• incident response enhancements

• privilege management & application control

• annual assurance program

Page 21

risk over compliance…

• Every business is different – remember, CONTEXT IS KING!

• Achieving and maintaining compliance with some legislation and regulations (e.g. Privacy, CCA) is non-negotiable for most organisations;

• However, focusing on compliance and check-list driven security will not increase perceptions of value for the information security team…

• The level and pace at which compliance is achieved across the organisation’s legislative and regulatory ecosystem should be just another risk-informed decision based on risk appetite and risk tolerance…

“You don’t make friends with salad” – Homer Simpson, 1995

RISK COMPLIANCE

Page 22

risk over compliance…

• Security tends to get a lot of traction immediately after major breaches occur;

• However, using FUD to ‘sell security’ to the Executive also has limited value over time… especially when your organisation’s focused on building competitive advantage and their risk appetite and tolerance levels are very high!

• So, wherever possible, talk in the language of risk rather than compliance

• Even better, talk in terms of ‘opportunity’ rather than risk….

“We must put strong & visible security in the new app to reduce the likelihood of a breach of a user’s personal information or their credentials being harvested. We’ll be in breach of the Privacy Act if we don’t...”

V.S.

“I reckon we can give users a more positive digital experience if we embed strong & visible security into the app. If they see we’re serious about protecting their personal information they may be willing to share even more with us, further increasing customer data volumes & insight…”

Which sounds better to you?

Page 23

risk over compliance…

• Information security leaders will provide most value during an organisation’s innovation-driven digital transformation by:

o helping ‘aware’ business stakeholders recognise early any new threats and vulnerabilities that could impact their ability to leverage maximum benefit and value from their initiatives; and

o providing risk-informed, pragmatic recommendations to reduce risk exposures in the system design phase; and

o providing ongoing risk-informed advice across the system’s entire lifecycle to ensure digital capabilities are deployed, operated, maintained, and decommissioned in accordance with their agreed risk posture.

RISK COMPLIANCE

BUSINESS VALUE

Page 24

key takeaways to support digital transformation

• Talk in terms of opportunity not FUD

• Establish a good security hygiene platform to build trust

• Bi-directional security awareness is critical

• Build change management skills and leadership through the security team

• Add “customer-obsessed” to the information security team’s ethos

• Articulate a clear, business-aligned Strategy, Vision and Mission for Security

• Focus on: Risk (rather than Compliance)

• Knowing what business value looks like is critical

• Look to build a security “coalition of the willing” to gain business traction

• Innovation-driven digital transformation is not going away

• Make information security advice easy to access and business-centric

• Defined security maturity = more time to invest on enabling initiatives

CONTEXT IS KING!

+ some other elements and tips we haven’t covered today…

• Live by the principle of “No Surprises”

• Organisation structure is also key to gaining traction and buy-in

• The extant IT operating model will influence security’s operating model

• Ensure governance enables rapid security decision making

Page 25

questions?


Page 26

contact details

Richard Addiscott

Director IT Planning, Governance & Security, Curtin University

Phone: 0410 566 548

Email: [email protected]

LinkedIn: https://www.linkedin.com/in/richardaddiscott

@raddisco


Page 27

reference material & further reading


Material referenced directly or that has informed the development of this presentation is listed below:

• Digitization Enterprise 2020: Navigating Risks in the Digitization Journey, Corporate Executive Board, January 2016*

• Scholtz T., Managing Risk and Security at the Speed of Digital Business, Gartner, 24 February 2016

• Whitworth M., McClean C., & O’Malley C., Security Leaders, Earn Your Seat at the Table, Forrester, 29 April 2015

• Whitworth M., McClean C., O’Malley C., & Dostie P., Six Steps to a Better Security Strategy, Forrester, 22 January 2016

* = Subscription Based Content