This document is a presentation about how CIOs and CSOs are becoming mission-critical business partners. The presentation covers how information is the lifeblood of organizations and how events involving data loss are rising. It discusses moving to an information-centric security approach and developing critical partnerships across organizations. The presentation emphasizes that security is not about checking boxes for compliance, but rather focusing on behavior change through education and building relationships.
2. Protecting the Information Infrastructure: Why CIOs and CSOs are Becoming Mission-Critical Business Partners
SNW Fall 2011
Jay McLaughlin, CISSP
Chief Security Officer, Q2ebanking
Wednesday, October 12, 11
3. DISCLAIMER
The materials, thoughts, comments, ideas and opinions expressed throughout this presentation are entirely my own and do not necessarily represent the thoughts or opinions of my employer (past or present).
4. AGENDA
• Information...the lifeblood of an organization
• Events involving loss of data are rising - who is to blame?
• Mitigating our vulnerabilities
• A shift to Information-Centric Security
• Developing critical partnerships across the organization
5. Information is the lifeblood of organizations, and considered a critical factor in a company’s effective pursuit of its business goals and success.
6. Information is not only valuable to an organization…but also to...
7. WHAT ARE WE TRYING TO PROTECT?
Regulated information is the type of data most often thought of when the subject of information protection is raised.
• Includes personally identifiable information (PII) of individuals, such as social security numbers, bank and credit card numbers and medical records. A great deal of public outrage, lawsuits, fines and loss of brand trust can accompany the compromising of this information.
Confidential information may involve marketing plans, financial projections, sales reports and M&A discussions.
• Breaches of this information can range from public embarrassment to catastrophe.
Intellectual property (IP) is arguably the most critical type of information.
• According to the FBI, $600 billion worth of intellectual property is stolen every year in the U.S.
• Companies tend to focus on regulated data while doing comparatively little to secure the IP that is critical to their business.
8. Setting the Stage - Recent Attacks
– Defense Contractors
»Lockheed Martin
»Northrop Grumman
»L-3
– Commercial Organizations
»SONY
»GOOGLE
– Security Firms
»RSA
»Barracuda Networks
»HB Gary Federal
»Comodo / DigiNotar
– Government
»United States DoD
»Texas Comptroller’s Office
9. It gets worse...
Source: Scientific American, “Data Theft: Hackers Attack”, Oct 2011
10. Change in Tactics
• Highlighted that in 2010, the largest number of data breach incidents occurred, yet the volume of records dropped significantly
• Criminals are engaging in small, opportunistic attacks rather than large-scale, difficult attacks, using relatively low sophistication attacks to penetrate organizations.
11. Will your organization be on this list?
• University of Texas: 688 students' and prospective students' personal information accessed by employees after configuration error made data available on intranet
• Blackpool Coastal Housing: 80 tenants' names, addresses, national insurance numbers, telephone numbers and confidential care plans transferred to employee's home computer where they were accessible to others
• Guilford County Tax Dept: 1,000 taxpayers' SSNs, names and addresses, and images of checks paid were accessible on internet
• Bright House Networks: Customer names, addresses, phone numbers and account numbers exposed in unauthorized access
• California State Assembly: 50 employees' personal information may have been acquired by hacker
• Montgomery County Dept of Job and Family Svcs: Names and Social Security numbers of 1,200 individuals seeking agency assistance were on lost thumb drive
13. Overly Confident?
Ninth Annual Global Information Security Survey: of the 9,600-plus business and technology execs surveyed, 43 percent identify themselves as security frontrunners and believe they have a sound security strategy and are executing it effectively.
http://www.pwc.com/gx/en/information-security-survey/giss.jhtmx
15. CIOs: Call to Action
• Delivery of effective technology solutions to external customers and internal constituents
• Maximizing the value of technology investments to improve business performance
• Reducing related operational costs across business units
• Increasing agility of the organization, enabling it to adapt to changing needs
16. Roles of the CSO
• ENABLE
• AUDIT
• ENFORCE
• EDUCATE
17. Influencing Behavior
• Education is critical
• Security awareness is a start...but not good enough
• “Behavioral change” is required
19. Overly Confident?
To a fault...
• “...we haven’t been attacked before”
• “...why would someone target our company?”
• “...we undergo routine internal/external audits”
Why are we remiss about security?
• CIOs and C-Level executives often don’t hear about security until an incident occurs
• CIOs are value-focused managers
• Is security NOT viewed as value-adding?
24. Compliance Security
• This isn’t about checking the box
• Compliance defined: conformity in fulfilling official requirements.
It is the standard that is the problem, not the compliance with the standard.
25. CSOs tend to fixate on building an “EXCELLENT” information security program
27. The Business Problem Topology
• Security is new to the executive table
• Security discussions in today’s enterprise tend to be focused on the qualitative aspects instead of the quantitative
• CSOs speak a language that is NOT understood by other executives
• CSOs struggle with creating awareness and changing behaviors
28. But, Security is often viewed as a
BOTTLENECK
29. The “R” Word
• Developing those critical RELATIONSHIPS within the organization
• WALK A MILE
• Breaking down the walls...we’re all fighting the same battle
31. Current Environment
• Regulations and compliance requirements are demanding more time and attention
• Regulators and auditors including PCI-DSS, GLBA, SOX/404, HIPAA, etc. are demanding more executive time and attention
• Greater interest from CIOs and other business stakeholders regarding information security
• Routine communication around information security, compliance, investment and risk is critical...but challenging.
32. Management Differences
CIO: Value-focused managers | CSO: Risk-focused managers
LEADERSHIP PHILOSOPHIES
RISK MITIGATION translates to VALUE
33. Effective Risk Managers?
• Generally, human beings struggle at managing risk
• We often overestimate risks that are highly visible or catastrophic and underestimate the risks that are slower to develop or not easily seen
• CIOs tend to overestimate risks that they have less control over, and underestimate the risks that they have more control over
ex: flying an airplane vs driving a car
34. Assessing Risk
• Engagement of business
• Top-Down Approach,
ranking information assets
• Business Impact Analysis
• Quantitative vs. Qualitative
35. Understanding Risk
Risk Management involves identifying threats and applying mitigating controls to effectively reduce the risk of those threats:
• RISK = (THREAT x VULNERABILITY) / COUNTERMEASURES
• Multiply by VALUE for quantitative
• Controls can mitigate risk…
...but can rarely fully eliminate risk
36. Calculating Loss Expectancy
• The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE)
Mathematically expressed: ALE = ARO * SLE
-> calculating SLE: SLE = AV * EF
• Suppose that an asset is valued at $100,000, and the exposure factor (EF) for this asset is 25%. The SLE, then, is (25% * $100,000), or $25,000.
• For an annual rate of occurrence of 1, the annualized loss expectancy is (1 * $25,000), or $25,000.
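As an added worked example (not from the slides), the SLE/ALE arithmetic in Python, extended to the top-down ranking of information assets by ALE and to weighing a control's annual cost against the ALE it removes; the asset names and all figures other than the slide's $100,000 / 25% / ARO 1 case are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class InformationAsset:
    name: str
    asset_value: float      # AV: dollar value of the information asset
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0..1)
    aro: float              # ARO: expected number of incidents per year

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF, as on the slide."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor

def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO * SLE, as on the slide."""
    return aro * sle

def asset_ale(asset: InformationAsset) -> float:
    sle = single_loss_expectancy(asset.asset_value, asset.exposure_factor)
    return annualized_loss_expectancy(asset.aro, sle)

def rank_by_ale(assets: list[InformationAsset]) -> list[tuple[str, float]]:
    """Top-down ranking: assets with the largest expected annual loss first."""
    return sorted(((a.name, asset_ale(a)) for a in assets),
                  key=lambda pair: pair[1], reverse=True)

def control_net_benefit(asset: InformationAsset, annual_cost: float,
                        aro_reduction: float = 0.0, ef_reduction: float = 0.0) -> float:
    """Yearly ALE reduction a control buys, minus what the control costs per year.

    aro_reduction and ef_reduction are the fractions by which the control lowers
    ARO and EF; they stay below 1.0 because a control rarely eliminates risk.
    A positive result means the control pays for itself (risk mitigation as value).
    """
    if not (0.0 <= aro_reduction < 1.0 and 0.0 <= ef_reduction < 1.0):
        raise ValueError("reductions must be fractions in [0, 1)")
    mitigated = replace(asset,
                        exposure_factor=asset.exposure_factor * (1 - ef_reduction),
                        aro=asset.aro * (1 - aro_reduction))
    return (asset_ale(asset) - asset_ale(mitigated)) - annual_cost

# Constructed sample portfolio; the first entry reproduces the slide's numbers.
SAMPLE_ASSETS = [
    InformationAsset("slide example", 100_000, 0.25, 1.0),
    InformationAsset("customer PII database", 2_000_000, 0.125, 0.5),
    InformationAsset("product source code (IP)", 5_000_000, 0.5, 0.25),
]
```

Ranking the portfolio puts the IP asset first even though the slide's regulated-data example is the one most people would start with, which is the slide 7 point about IP in numbers.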
37. Applying Countermeasures
Our Approach is CRITICAL
[Diagram: COUNTERMEASURES aimed at the WRONG THREATS]
• Focus efforts on mitigating the ACTUAL vulnerabilities that are specific to the organization
• Avoid industry marketing FUD
38. Defense By Layer
• Acknowledges that reliance on any single control or mitigating factor is not sufficient
• This approach is commonly recommended
Scenario: Protecting Hosted Customer Data from an external attacker
• Database tables are encrypted
• Role-based access levels are applied
• Data Storage Encryption
39. Paradigm Shift
Information-Centric Security
• Emphasizes security of the INFORMATION itself...rather than the security of networks, systems, and applications.
• 4 Principles:
1. Information (data) must be self describing and defending.
2. Policies and controls must account for business context.
3. Information must be protected as it moves from structured to unstructured, in and out of applications, and changing business context.
4. Policies must work consistently through the different defensive layers and technologies we implement.
Source: Rich Mogull, CEO/Principal Analyst, Securosis
40. Developing A Strategy
• Creating an information protection strategy
– understanding the business and its specific needs for information protection.
– defining a set of objectives to deliver quick wins and address long-term goals.
• Locating and classifying the information that means the most
– An impact analysis should be performed to identify the information with the greatest impact to strategic, tactical and operational objectives.
• Weaving information protection into the fabric of the organization
• Developing the necessary capabilities to protect their information assets
– Organizations need to determine the technologies and processes that best support their information protection objectives
Source: Dr. Alastair MacWillson, Security Week Aug 2011
41. Summary
• Educate by establishing a foundation for communication (e.g. metrics, scorecards)
• Embrace an information-centric approach
• Play offense (ACT vs. REACT)
• Leverage leading edge technology that enables agility within the organization
• Security is NOT perfect, and it requires ACCOUNTABILITY
• START with the BASICS
42. Be Prepared
The future ain’t what it used to be.
- Yogi Berra, New York Yankees