Why Lead with Risk?
Doug Landoll, CEO, Lantego
April 25, 2015
www.lantego.com, (512) [email protected]
NTX ISSA Cyber Security Conference – April 24-25, 2015 (@NTXISSA)
CISO Priorities
Q: How do security organizations lead?
Q: How do you measure and demonstrate success?
Questionable Approaches
• Technology-led strategy
• Audit-led strategy
• Hero-led strategy
Identifying Technology-led Strategies
Technology-driven Strategies:
• No clear security strategy
• Vendors dictate security solution “map”
• Lack of integration with non-IT
• Minimal use of product functions
Symptoms:
• Disorder
• Vendor-based spending (latest, greatest)
• Strategy defined without regard to mission
• Lack of leadership
• Technology heavy (picket fence)
Identifying Audit-led Strategies
Audit-driven Strategies:
• No clear security strategy
• Auditors as justification for security controls
• Thrashing
Symptoms:
• Disorder
• Audit-based spending (priorities, minimum)
• Consistent state of catch-up
• Lack of focus
• Ineffective
Identifying Hero-led Strategies
Hero-based Strategies:
• Unclear roles and responsibilities
• No formal project plans
• Difficulty budgeting
• Move from fire to fire
Symptoms:
• Disorder
• Initiatives = interests
• No repeatable processes
• Fail most non-technical areas of audits
• Extremely reliant on individuals
INFOSEC Purpose
Q: What is the primary function of the Chief Information Security Officer?
• Prevent loss, fraud, breaches
• Demonstrate compliance
• Manage policy
• Ensure continuity
• Plan response
• Prioritize initiatives
• Manage configurations
• Review logs
• Respond to incidents
INFOSEC Purpose
Q: What is the primary function of the Chief Information Security Officer?
Reduce Information Security Risk
That “DAM” Risk
If your primary function is to reduce information security risk, you must ensure that you:
1. Determine: accurately measure risk
2. Address: effectively manage risk
3. Monitor: diligently monitor risk
Determine: Measure Risk
• Importance of measuring accurately
• Data Quality
  • Data Quality Cube / GIGO
  • RIIOT
  • Risk Equation
• Valid analysis
  • When “risk” isn’t Risk
  • Invalid equations
Determine: Importance of Accuracy
Risk is the basis of all security decisions, so it is important to determine it accurately.
Diagram: Risk method (Risk Assessment, Risk Monitoring) → Security Decisions
Common Risk Method Mistakes:
1. Poor Data Quality?
2. Spreadsheets & Pen Tests?
3. Invalid Equations?
Determine: The Data Quality Cube
Figure: the Data Quality Cube. Three axes: Experienced Assessors, Multiple Data Points, Independent Assessors. Corner labels: Quality and GIGO.
Determine: The RIIOT Approach
• Introduced in “Security Risk Assessment Handbook”
• Organizes the task of data gathering on all controls
• Identifies the 5 methods of data gathering:
  • Review Documents
  • Interview Key Staff
  • Inspect Controls
  • Observe Behavior
  • Test Controls
Determine: Risk Equation
Risk = (Assets × Threats × Vulnerabilities) / Countermeasures (controls)
• Assets: Valuation / Business Impact
• Threats: Threat Classes / Capabilities
• Vulnerabilities: Likelihood of Existence / Ease of Exploitation
• Countermeasures: Remediation / Cost Benefit
Not Risk Assessments:
• Vulnerability Scan
• Penetration Test
• Security Audit
• Compliance Audit
Determine: Invalid Equations
4 x = 1 ?
Determine: Invalid Equations (2)
Ordinal Numbers:
• Order but not scale or quantity
• Ex: 1st place, 2nd place, H, M, L
• Conclusion: Mathematical operations are invalid
Cardinal Numbers:
• Order and Scale (size)
• Ex: $3M, 4 times/yr, 1200 employees, 25 breaches
• Conclusion: Mathematical operations are valid
Determine: Invalid Equations (3)
Invalid Approaches:
1) Mathematical operations with ordinal numbers
2) “Kitchen sink” approach
Example 1: System exposure (1-4) + System content (1-4) + System criticality (1-4) + Compromise impact (1-4) = Combined risk score (4-16)
Example 2: Design Flaw (1-5) + Bad Practice (1-5) + No Mitigating controls (1-5) + Sensitive data (1-5) + Risk of Accidental Exploit (1-5) + Risk of Intentional Exploit (1-5) = Risk Level (6-30)
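The claim that summing ordinal scores is invalid can be shown concretely: an order-preserving relabeling of the 1-4 scale (which describes exactly the same ordinal ratings) flips the ranking produced by the "kitchen sink" sum, while a cardinal calculation (expected annual loss) keeps its ranking under a change of units. This is an added example, not from the presentation; the two systems, their ratings, the alternative relabeling and the frequency/loss figures are constructed.

```python
"""Ordinal vs. cardinal risk scores (added example, not from the slides).
The 'kitchen sink' method rates four factors 1-4 and sums them to 4-16.
Ordinal labels carry order only, so any order-preserving relabeling of 1-4
describes the same ratings. If the ranking of systems changes under such a
relabeling, the sum never measured anything real.
"""
from typing import Dict, List

FACTORS = ("exposure", "content", "criticality", "impact")

# Constructed ratings for two hypothetical systems (each factor ordinal 1-4).
ORDINAL: Dict[str, Dict[str, int]] = {
    "sys-A": {"exposure": 4, "content": 1, "criticality": 1, "impact": 1},
    "sys-B": {"exposure": 2, "content": 2, "criticality": 2, "impact": 2},
}

# Two order-preserving relabelings of the same scale (1 < 2 < 3 < 4 in both).
LINEAR = {1: 1, 2: 2, 3: 3, 4: 4}
STRETCHED = {1: 1, 2: 2, 3: 3, 4: 10}


def kitchen_sink_rank(relabel: Dict[int, int]) -> List[str]:
    """Rank systems by summed (relabelled) ordinal scores, highest first."""
    def total(name: str) -> int:
        return sum(relabel[ORDINAL[name][f]] for f in FACTORS)
    return sorted(ORDINAL, key=total, reverse=True)


def ordinal_ranking_is_stable() -> bool:
    """False here: sys-B leads under LINEAR (8 vs 7), sys-A under STRETCHED (13 vs 8)."""
    return kitchen_sink_rank(LINEAR) == kitchen_sink_rank(STRETCHED)


# Constructed cardinal inputs: incidents per year and loss per incident (USD).
CARDINAL = {
    "sys-A": {"freq_per_year": 0.5, "loss_usd": 400_000},
    "sys-B": {"freq_per_year": 6.0, "loss_usd": 5_000},
}


def annual_loss_rank(scale: float = 1.0) -> List[str]:
    """Rank by expected annual loss; `scale` only changes units (0.001 = kUSD)."""
    def ale(name: str) -> float:
        return CARDINAL[name]["freq_per_year"] * CARDINAL[name]["loss_usd"] * scale
    return sorted(CARDINAL, key=ale, reverse=True)


def cardinal_ranking_is_stable() -> bool:
    """True: a unit change rescales every value equally, so the order is kept."""
    return annual_loss_rank(1.0) == annual_loss_rank(0.001)
```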
Address: Managing Risk Effectively
• Security is a business problem: MBA, not CISSP
• Risk Solutions: business drives
• Control interactions: it's complicated
Address: The business of reducing risk
Managing Risk is a Business Problem, not a Security Problem
• Understanding of the business mission
• Business management experience
• Proper role in the organization
Implementing controls:
• Not a technology-only approach
• Requires management
Address: Risk Solutions
Reaction is NOT a Strategy
• Plan based on business drivers, then select controls
  • Drivers: Governance, Operations, Productivity, Security, Flexibility
• Integration of Technology is a Project
  • Not an IT task
  • Not an appointment
Technology is no substitute for understanding your business
Address: Control Interaction
Figure: control interaction for a Data Center, mapping control types (Administrative, Technical, Physical) against control functions (Prevent, Detect, Correct). Controls shown: Access Controls, Video Recording, Access control log, SoD, DLP, Intrusion Detection System, Intrusion Prevention System, Response Team, Policy, Training, Log Review, Incident Response Plan, BCP. Questions on the diagram: Who has physical access? Who has logical access? Who oversees? What training is needed? What policy to enforce? How is it protected? How to spot an attack? Who will respond? What will respond? How will they respond?
Monitor: Diligently Monitor Risk
• Responsibility & Ownership: are these separate?
• Capital “C” CISOs: seat at the table?
• Lasting Changes: process, not heroes
Monitor: Responsibility & Ownership
• Somebody “owns” Risk
  • Not IT or Security Operations
  • LoB owner, Product manager, CFO
• Somebody “owns” security risk management
  • Security's role is to assist the risk owner
  • Not IT or SecOps (part of security risk)
Monitor: “Senior-most Security Position”
• Real CISO
• Management: “C level” means fiduciary responsibility, P&L responsibility, a business mindset.
• Test: To whom does the SSP (senior-most security position) report?
Monitor: Implementing Lasting Changes
Failed Approaches:
• Patch & Proceed / Test & Respond
  1. Incomplete knowledge = incomplete implementation
  2. Dynamic environments require process
• Hire & Forget
  1. Improvement comes through process
  2. Heroes don't work 24x7 and don't stay forever
Monitor: Lasting Changes
• Reward Improvements, Not Saves
• Document process, train to process
• Implement an Information Security Management System (ISMS)
  • Policy-defined
  • Process-driven
  • Independently verified
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you