Page 1
21st Century Security: Convergence Collaboration and Competition??
April 5, 2005
Bill.Boni @ Motorola.com
Vice President and Chief Information Security Officer
IT Governance Page 2
Agenda
• The “Warring Tribes” of Security
• Convergence
• Collaboration
• Competition
• Conclusions
Page 3
Warring Tribes?
• Badges
• Bytes
• Beans
Page 4
Badges – Corporate Security / Physical Security
• Typically drawn from law enforcement or military
• Reports to Administration, Facilities, or Human Resources
• Frames the issue as protection of people, facilities, and operations
• Values authority and command
• Contributes prevention skillsets
Page 5
Bytes – IT or Information Security
• Typically drawn from technologist ranks
• Reports to CIO or IT Operations
• Frames the issue as availability, integrity, and confidentiality of information and systems
• Values creativity and technology innovation
• Contribution is continuity and availability of IT capacity
Page 6
Beans – The Financial Wizards
• Typically drawn from the financial community
• Reports to Chief Financial Officer or
• Frames the issue as “Risk Management”
• Values financial efficiency and loss avoidance
• Contribution is quantitative rigor
Page 7
Convergence?
• What challenges are generally the same?
1. Extended enterprise risks
2. Diverse operational risks
3. Increased legal and regulatory scrutiny
4. Complexity
5. Common approach
6. Common philosophy
7. Mobility and choices
Page 8
1. Extended Enterprises
Dissolution of Perimeter Security
[Figure: the “Organization (Risk) Community” of an extended enterprise, in which un-trusted intranets link joint ventures, parts and services suppliers, contract manufacture, contract design, transportation and customers]
Page 9
2. Diverse Operational Risks
Foundational Issues
• Ubiquitous connectivity
• Microcomputers everywhere
• Mobile workforce
• Many assets not protected
• “Contingent workers”
– Contractors and consultants
• Links to partners / suppliers
[Figure: a hostile Internet and an un-trusted intranet surround the individual systems and the data center; every system must be secured, and the inside is almost as risky as the outside]
Page 10
3. Legal and Regulatory Issues
Pressure is mounting on organizations to prove compliance with an increasing array of laws and regulations. All elements of security become ever more challenging.
[Figure: three dimensions of the problem. Laws/Regulations: Sarbanes-Oxley; GLB/HIPAA/Patriot; EU Data Protection; U.S. Info Security Responsibility Act. Technologies: web/Internet, databases, collaboration, wireless, mobile devices. Stakeholders: customers, competitors, governments, suppliers/partners, employees]
Page 11
4. Complexity of Protection Systems
• Many bits & pieces
• Too few qualified security personnel (~.005% of employees)
• Lack of standards
• Integrated safeguards
– Smart cards
– Digital forensics
[Figure: a protection-system architecture built from many components (network access control, interception and enforcement, PKI manager, centralized security policy manager and policy distributor, digital signature and certificate authority interfaces, token card manager, OS security management tools, virus interception and correction, VPN/IPSec session and tunnel manager, single sign-on tools, encryption facilities for network connections, cyberwall/firewall rule base, connection manager and logging, application proxy implementations, stateful, packet, frame and application inspection, intrusion detection, prevention and logging, security event logging, security event report writers and traffic event analyzer, application logging facility, security integrity manager, security filter engine, real-time frame management), grouped under Authentication, Cryptography, Anti-Virus, Intrusion Detection (network, host-based, application-based), Auditing and Security Management]
Page 12
5. A Common Approach to Strategy?
• PROTECT – Key assets and capabilities
• DETECT – Attacks and malicious actions
• RESPOND – Rapid notification and reaction
• RECOVER – Disaster / business continuity planning
Page 13
6. Common Philosophy : Security Must Be Rational
[Figure: cost ($) plotted against security level from 0% to 100%; the cost of security countermeasures rises with the level, the cost of security breaches falls, and their sum, the total cost, reaches its minimum at the optimal level of security at minimum cost]
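The cost curve on this slide, written out as an added formalization that is not part of the original deck; it assumes both costs are smooth functions of the security level $s$:

$$
C_{\text{total}}(s) = C_{\text{cm}}(s) + C_{\text{br}}(s), \qquad 0\% \le s \le 100\%,
$$

where $C_{\text{cm}}$ (countermeasures) increases with $s$ and $C_{\text{br}}$ (expected breach cost) decreases with $s$. The optimal level $s^{*}$ minimises the total cost, so

$$
\left.\frac{dC_{\text{total}}}{ds}\right|_{s^{*}} = 0
\quad\Longrightarrow\quad
C_{\text{cm}}'(s^{*}) = -\,C_{\text{br}}'(s^{*}),
$$

that is, security spending is rational up to the point where one more dollar of countermeasures removes exactly one dollar of expected breach cost; beyond $s^{*}$ each added dollar of protection buys less than a dollar of avoided loss.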
Page 14
7a. IP Networking - Mobility
[Figure: communication domains (home, enterprise, hot spot, automobiles, public safety; terminals and nomadic users; InFiNet, IP Phone, Web Phone) reached over access technologies (wireless, cable, DSL) and broadband IP networks, with routers and a gateway to the PSTN and the Internet; network elements include the subscriber database, network management, softswitch, IP-based PBX, IMS, PoC server and middleware, serving content providers and application developers]
Page 15
7b. Securing the Mobile Users
As the person responsible for the organization, you only have “control” in this space,
but the mobile users move throughout the entire set of possibilities.
Page 16
Competition
• Overall leadership
• Staffing
• Budget
• Access to leadership
Page 17
State of the Security Profession?
• Corporate – Physical security – CSO
• IT – Information Security – CISO
• The Security Alliance Initiative
– ASIS
– ISSA
– ISACA
• CRO
• ERM: Revenge of the “bean counters”?
Page 18
Enterprise Risk Management
• Top Down – comprehensive risk management
– Insurance
– Financial
– Strategic
– Operational
• Operational Risks: Security Professionals
• Financial Expertise benefits from metrics/data
Page 19
Risk Management
The board should manage enterprise risk by:
• Ascertaining that there is transparency about the significant risks to the organization
• Being aware that the final responsibility for risk management rests with the board
• Considering that a proactive risk management approach creates competitive advantage
• Insisting that risk management is embedded in the operation of the enterprise
• Obtaining assurance that management has put processes and technology in place for (information) security
Source: IT Governance Institute
Page 20
3 Generic Approaches to Organization Security
• Silos of independence – Little or no communication and coordination
• Councils of collaboration – Periodic, ad hoc, often incident focused
• Unified organization – Formal, structured, aligned
Page 21
Protection Program Focus Areas
• Security Governance – Organization operations and partners
• Network Defense – Security strategy and architecture
• Protection Management – Projects and continuity program
Page 22
Security Roles
[Table: responsibilities across three columns, Information Protection, Physical Security and Financial. Items listed: protect people, property and tangible assets from loss, destruction, theft, alteration, or unauthorized access; enterprise risks; secure digital assets; inspection procedures; information security; disaster/business continuity; risk assessments; security technology; investigations; independent controls assessment; internal / external regulatory compliance; risk management; incident response]
Page 23
Changes Ahead for Security Professionals
• Cybercrime failures will result in major liability judgments
• Public / Private Sector formally share infrastructure protection roles
– Certification / licensing for (all?) security professionals
• CSOs assume responsibility for operational risks
• Security is subsumed into ERM and Finance/CROs predominate
Page 24
A Security Professional for All Seasons….
• Grounded in multiple protection disciplines
• Capable project/program manager
• Lifelong passion to learn
• Business acumen
• Diplomatic and adaptable
• Adept at framing issues as risk management
• Professional training / certifications
Page 25
A Security Mantra
• Vision without Action is Imagination
• Action without Vision creates Chaos
• Vision with Right Action is Transformation
See the Future and Plan Backwards