Think like an MBA not a CISSP
Matt Malone
Security Services Director
512-650-0179
Think like an MBA not a CISSP
Embracing University Culture to Achieve Security Initiatives
Goals
• Security is a business problem, not an IT support issue.
• Utilize business tools
• Provide metrics / track progress
– Provide analysis not argument
– Act like an MBA not a CISSP
Pop Quiz:
• When asked “Who is in charge of security?”, who do people think of?
Security is about Communication
• Policy
• Awareness
• Training / Education
• Roles and Responsibilities
• Reports / Risk GAP Assessments
Speaking the same language
• SWOT
• Top Down Approach
• Security Process Framework
– Change the culture by proving your value
The Business of Security
• Fund security initiatives
• Better serve your customers
• Provide metrics / track progress
– Act like an MBA not a CISSP
– Provide analysis not argument
SWOT
Strengths:
• Resources; great access to researchers, interns, information, students
• Conferences, sharing information, external organizations, etc.
Weakness:
• Decentralized authority
• Difficult to create governance
• Amount of resources
Opportunities:
• Government funding
• Professors who want to get published
• Highly regulated: use the regulation as a driver. Classify the most important system: pick the most important regulation and use it to standardize across all of the schools in the university, but first classify the data
Threats:
• Unique; backbone of the internet and everyone’s target
• Very little filtering of internet traffic
• Volume of traffic and attacks
How does SWOT impact you?
• Short on resources, but big on brain power and connections
• Leverage and share with other universities and get government funding
• Lead by example and success
– Pick an example department and implement your security program, do it by the book.
– Start with policy, assess controls, perform risk assessment and then write a case study on it.
Top Down vs. Bottom Up
Strategic (Executive Sponsorship, Highly Effective):
• Security Framework: COBIT, NIST, ISO 17799, 27001, NIST 800-53, etc.
• Security Policy: Regulations Governing Industry or Organizations (PCI, HIPAA, FISMA, FERPA, etc.); Standards, Guidelines, Policies, Procedures
Tactical:
• Risk and Compliance Services (Risk / GAP assessments): addresses deficiencies and organizational risk; demonstrates compliance; justification of spend via risk; driven by business
Tactical / Operational:
• Assessment Services (Vulnerability scans, Social Eng., Web App testing): testing for adherence; technical controls testing; does not calculate risk; implementation and vulnerability mgmt.
• Technology Solutions (Security Software and Products): implementing technical and some non-technical controls in accordance with organizational policy: Network Infrastructure, SIEM and Log Mgmt., End Point Security, Data Encryption and Loss Prevention, Wireless and Network, Strong Authentication, Network Perimeter Security
Balanced Scorecard
• Finance:
– Security spending vs. fines paid?
– Damage to brand
• Internal Process:
– How efficient are you?
• Using metrics: “If I ask you to find an IP address, how long would it take to find it?” “How long would it take to harden a server?”
• Customer:
– Who is the customer you serve?
• Students
• Alumni
• Government
– How satisfied are they?
• FISMA
• FERPA
• Records
• Learning and Growth:
– What kind of information security knowledge does the security staff have?
– What is their ability to innovate new tools and methods?
Project Oriented
Conclusions
• CISO / ISO Roles
– Management vs. Technical
– Educational focused
• Utilize business tools to better serve your customers:
– Achieve your security goals
– Track your progress
– Report progress to management
– Better serve your customer
– Initiatives / goals
Think like an MBA not a CISSP
Matt Malone
Security Services Director
512-650-0179
Questions?