Changing the Mindset: Creating a Risk Conscious and Security Aware Culture
Presented By: John P. Pironti, CGEIT, CISA, CISM, CISSP, CRISC, ISSAP, ISSMP
President, IP Architects, LLC.
Hacker Hotshots, July 30, 2013
Copyright 2013 - IP Architects, LLC. - All Rights Reserved
Agenda
• Using risk management to remove the fear of security
• What is a Risk Aware and Security Conscious Culture?
• Approaches to creating and changing culture
• Final Thoughts
What is a Risk Conscious and Security Aware Culture?
• Risk and Security activities are business as usual considerations
  – Embraced as a benefit to the business and not an obstacle to success
• Threats and Risks are accurately identified, anticipated, and managed
  – Fear, Uncertainty and Doubt (FUD) no longer influences decisions or activities
• Business leaders and stakeholders are empowered
  – Able to make informed and business appropriate risk management and security decisions
Benefits of a Risk Conscious and Security Aware Culture
• Provides enhanced protection to information infrastructure and data assets
  – Security is embraced instead of avoided
• Creates a force multiplier
  – Personnel actively assist in risk management and security activities
• Security awareness empowers the organization
  – Enables informed decision making
  – Understand business benefits, expectations, and requirements
Using Risk Management to Remove the Fear of Security
• Business leaders and stakeholders are typically afraid of or annoyed by security
  – Often believe it will create obstacles that will prevent them from being successful
  – Always being told what they cannot do by security
• Risk management empowers business leaders and stakeholders to make appropriate decisions about security
  – Stop telling them what you think they have to do
  – Help them appreciate the risks associated with their options
Risk Management and Security vs. Security and Risk Management
• Mind of business person - "Security"
  – Prevention, disablement, disempowerment
• Mind of business person - "Risk"
  – Understanding, management, control, empowerment
• Alignment with risk leads to greater acceptance than alignment with security
  – Both terminology and approach
  – Changing the mindset requires a risk first and security second approach
Change the Perception and Actions
• Security professionals often use the word "Risk" when they mean "Threat and/or Vulnerability"
  – Identify and quantify probabilities and impacts
• Without current business intelligence, risk cannot be accurately or properly calculated
  – Strategy, financial, business priorities, etc.
• Leading practices instead of best practices
  – Only you know what is "best" for your environment
Business and Information Risk Profiles
• Identify risk tolerances of business leaders and stakeholders
  – Establish bounds of acceptable loss, compromise, distribution, or disablement for key business processes and assets
• Information risk management and security should assist in their development
  – Assists in cultivating awareness of the consultative approach
  – Identify information threats and vulnerabilities and associated likelihoods and business impacts if realized
  – Identify, develop, implement and maintain risk aligned control objectives in line with identified tolerances
• Business leaders' view of Information Risk Management and Security (IRMS) will change
  – Valuable information resource
  – Protective and supporting function
Security by Compliance – Fear the Auditor More Than the Attacker
• Compliance always intended as the starting point, not the endgame
  – Compliance requirements will always have to catch up to attackers and their capabilities
• Audit and examination findings have a known business outcome and impact
  – Security threats and vulnerabilities have probabilities and potentialities
• Compliance provides business leaders and stakeholders a way to push back on FUD
  – Believe that they are doing what can be reasonably expected of them
Policies and Standards First, Controls and Technology Second
• Policies and standards define requirements and expectations
  – Identify control objectives
  – Approved by business leaders and stakeholders
• Controls and technologies assist in meeting policy and standard requirements
  – Technologies should not define control objectives or requirements
  – Controls and technologies presented as requirements without supporting policies and standards are often considered optional or ignored
• Proposed requirements and control objectives should be socialized to the affected audience in advance of policy development
  – Identify areas of discomfort or discontent before developing policies and standards
Users – Your Greatest Asset and Most Challenging Adversaries
• Many security professionals incorrectly assume users are the weakest link
  – Users may unknowingly cause damage or harm
  – Must be protected from themselves
• User intuition can be a powerful control
  – Both detective and preventative
  – Technical controls are based on "yes" or "no"; the user knows "Maybe"
• User trust is key to cultural change
  – Work with users, not against them
• Privileged users can cause the most damage
  – Business leaders are often unable or unwilling to accept that users may be working against them
Trust But Verify
• Ideal way to protect both users and corporate assets
  – Ensures users are not falsely accused
  – Provides an effective oversight control for the corporation
• Make sure users are made aware of the existence of monitoring
  – Existence alone may prevent a malicious user from taking action
• Privileged user activities are the most important to monitor
  – Highest potential for material business impact
Embrace but Educate – Turning "No" Into "Yes"
• Security known for its ability to say "No"
  – Drives covert behaviors and actions
• Embrace but educate enables security to say "Yes" more often
  – Ensures risks and expectations of security are understood
  – Creates positive perception of IRMS
  – Reinforces advisory and consultative approach
• Use techniques that can be easily understood and internalized
  – Simple language
  – Case studies
  – Examples
Personal Benefits Approach
• Help individuals to help themselves
  – Make them want to change their behaviors
  – Change both personal and professional behaviors
• Controls that restrict without context will drive covert behaviors
  – Proactive education and personal benefit are a better and often cheaper control
  – Education on safe social networking is an easy example to use to champion the approach
• Users will embrace security if they understand the universal benefits
  – Remove the perception of security as only a requirement of the business
  – Assist users in deriving personal benefit and value from security knowledge and guidance
Final Thoughts
• Culture of an organization ultimately determines its ability to protect itself
• Creating a risk conscious and security aware culture is a journey, not a race
  – Requires careful attention and constant reinforcement
  – Ultimately provides the highest return on investment for protection of data assets and information infrastructure
• Change in culture often results in conversion of malicious attacks from incidents to anomalies
  – Little to no material business impact
  – Business will embrace the value of Information Risk Management and Security
Thank You for Your Time!
John P. Pironti, CGEIT, CISA, CISM, CISSP, CRISC, ISSAP, ISSMP
President, IP Architects, LLC.
jpironti@iparchitects.com