Think like an MBA not a CISSP: Embracing University Culture to Achieve Security Initiatives

Matt Malone, Security Services Director, 512-650-0179, Matt.Malone@SLAITconsulting.com

Slide deck transcript (18 slides)

Page 1:

Think like an MBA not a CISSP

Matt Malone

Security Services Director

512-650-0179

Matt.Malone@SLAITconsulting.com

Think like an MBA not a CISSP: Embracing University Culture to Achieve Security Initiatives

Page 2:

Goals

• Security is a business problem, not an IT support issue.

• Utilize business tools

• Provide metrics / track progress

– Provide analysis not argument

– Act like an MBA not a CISSP

Page 3:

Pop Quiz:

• When asked “Who is in charge of security?”, who do people think of?

Page 4:

Security is about Communication

• Policy

• Awareness

• Training / Education

• Roles and Responsibilities

• Reports / Risk GAP Assessments

Page 5:

Speaking the Language

Page 6:

Speaking the same language

• SWOT

• Top Down Approach

• Security Process Framework

– Change the culture by proving your value

Page 7:

The Business of Security

• Fund security initiatives

• Better serve your customers

• Provide metrics / track progress

– Act like an MBA not a CISSP

– Provide analysis not argument

Page 8:

SWOT

Page 9:

SWOT

Strengths:

• Resources; great access to researchers, interns, information, resources and students

• Conferences, sharing information, external organizations, etc.

Weaknesses:

• Decentralized authority

• Difficult to create governance

• Amount of resources

Opportunities:

• Government funding

• Professors who want to get published

• Highly regulated: use the regulation as a driver. Classify the most important system; pick the most important regulation and use it to set the format across all of the schools in the university, but first classify the data.

Threats:

• Unique: backbone of the internet and everyone’s target

• Very little filtering of internet traffic

• Volume of traffic and attacks

Page 10:

How does SWOT impact you?

• Short on resources, but big on brain power and connections

• Leverage and share with other universities and get government funding

• Lead by example and success

– Pick an example department and implement your security program; do it by the book.

– Start with policy, assess controls, perform a risk assessment, and then write a case study on it.

Page 11:

Top down vs. Bottom Up

Strategic - Executive Sponsorship (Highly Effective):

– Security Framework: COBIT, NIST, ISO 17799, ISO 27001, NIST 800-53, etc.

– Security Policy

– Regulations Governing Industry or Organizations (PCI, HIPAA, FISMA, FERPA, etc.)

– Standards, Guidelines, Policies, Procedures

Strategic - Risk and Compliance Services (Risk / GAP assessments):

• Addresses deficiencies and organizational risk

• Demonstrate compliance

• Justification of spend via risk

• Driven by business

Tactical - Assessment Services (Vulnerability scans, Social Eng., Web App testing):

• Testing for adherence

• Technical controls testing

• Does not calculate risk

• Implementation and vulnerability mgmt.

Tactical / Operational - Technology Solutions (Security Software and Products):

• Implementing technical and some non-technical controls in accordance with organizational policy

• Network Infrastructure, SIEM and Log Mgmt., End Point Security, Data Encryption and Loss Prevention, Wireless end Network, Strong Authentication, Network Perimeter Security

Page 12:

Balanced Scorecard

Page 13:

Balanced Scorecard

• Finance:

– Security spending vs. fines paid?

– Damage to brand

• Internal Process:

– How efficient are you?

• Using metrics: “If I ask you to find an IP address, how long would it take to find it?” “How long would it take to harden a server?”

Page 14:

Balanced Scorecard

• Customer:

– Who is the customer you serve?

• Students

• Alumni

• Government

– How satisfied are they?

• FISMA

• FERPA

• Records

• Learning and Growth:

– What kind of information security knowledge does the security staff have?

– What is their ability to innovate new tools and methods?

Page 15:

Project Oriented

Page 16:

Conclusions

• CISO / ISO Roles

– Management vs. Technical

– Education focused

• Utilize business tools to better serve your customers:

– Achieve your security goals

– Track your progress

– Report progress to management

– Better serve your customer

– Initiatives / goals

Page 17:

Page 18:

Think like an MBA not a CISSP

Matt Malone

Security Services Director

512-650-0179

Matt.Malone@SLAITconsulting.com

Questions?

Think like an MBA not a CISSP: Embracing University Culture to Achieve Security Initiatives
