Value added security services

Post on 03-Aug-2015


Value-added security services

Carsten Maartmann-Moe

May 20, GRC 2015

Powerful external forces require us to re-think information security

• Your business
• Regulations
• IT reliance
• Increased attack surface
• Advanced threats
• New ways of working

© Transcendent Group Norge AS 2015

The greatest risk is strategic

“Only a few CEOs realize that the real cost of cybercrime stems from delayed or lost technological innovation […] we estimate that over the next five to seven years, $9 trillion to $21 trillion of economic-value creation, worldwide, depends on the robustness of the cybersecurity environment.”

McKinsey & Company: The rising strategic risk of cyberattacks


How can the information security function stay relevant?

Realize that:

• Failure to handle cybersecurity effectively will not only incur security breaches
• it will also slow down the business and make us less competitive
• traditionally our strategy for handling cybersecurity focuses on protecting the business
• we need to shift to both protect and enable.


Protect and enable: Principles of value-added security services

Protect

• risk-centric
• easy-to-understand and in-tune policies and requirements
• provide solutions to lower risk
• measure, measure, measure

Enable

• service-oriented
• a trusted advisor to the business
• provide solutions to reduce (security) cost and enable your business
• measure, measure, measure


Protect


Figure out what capabilities we need to protect our modern users

Cloud, mobile and collaboration require these enterprise security capabilities:


• App threat / vuln. Mgmt.
• Trust model / IdAM / RBAC
• Collaboration for mobile
• Mobile Device Mgmt.

From “no, you can’t” to “yes, let’s do it this way”

• Don’t create 110-page policies, requirements and standards
• Create short “do it this way” documents – communicate what’s secure
• Support the documents with actual tools to make it easy to do it right
• Be pragmatic and risk-centric – for instance by infusing small risk assessments into key business processes (project methodology, production processes, yearly reviews, etcetera)
• Pick 2-5 metrics that gauge desired behavior, and start reporting on progress


Enable


People are nice*

• Yes, it’s true!

*) There are some caveats


Idiotic security


• Make it easy to do it right
• Make it hard to do it wrong

Case in point: AD Password policies

Typical policy:

• You have to change your password every 90 days


Illustrative cost (NAV, Norwegian welfare administration)

• 17 000 employees
• In total 9 000 incidents per month
• 17 % of support incidents are password reset related and solved in under an hour
• Over 10 FTEs are wasted each year in NAV due to this single policy

Research shows that expiring passwords do not have the intended effect

“To be economically justifiable, time spent by computer users changing passwords should yield $16 billion in annual savings from averted harm.”

Microsoft: So long, and no thanks for the externalities: The rational rejection of security advice by users (2010)

“[…] our evidence suggests it may be appropriate to do away with password expiration altogether, perhaps as a concession while requiring users to invest the effort to select a significantly stronger password than they would otherwise (e.g., a much longer passphrase).”

Yinqian Zhang: The security of modern password expiration: An algorithmic framework and empirical analysis (ACM CCS 2010)


Making it easier and more secure

1. Measure
   1. Number of password-related support incidents
   2. Current password quality (% of passwords easily cracked)
   3. User satisfaction with having to change passwords every 90 days
2. Remove the “Password Expiration” policy
3. Teach your users how to select a strong password
4. Inform users that if they select a strong password, they will never have to change their password again
5. Crack passwords every 90 days, and reset cracked passwords
6. Repeat step 1
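As an added example that is not part of the talk, the measurable parts of this procedure and of the NAV cost slide in Python: the reset-cost metric (step 1.1) worked through with the NAV figures, and a deny-list audit that flags accounts for reset (step 5) and yields the "% easily cracked" metric (step 1.2). The sample accounts, the deny-list, SHA-256 as a stand-in hash format and the 1 750-hour FTE year are all assumptions.

```python
import hashlib


def h(pw: str) -> str:
    """Stand-in for the directory's stored hash (assumption: SHA-256;
    AD uses its own formats, but the audit logic is the same)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


# Constructed sample directory: account -> stored password hash.
ACCOUNTS = {
    "alice": h("correct-horse-battery-staple-2015"),
    "bob":   h("Summer2015!"),
    "carol": h("Welcome1"),
    "dave":  h("a-long-and-unique-passphrase-nobody-guesses"),
}

# Constructed deny-list of easily guessed passwords (stand-in for a real one).
WEAK_PASSWORDS = ["Summer2015!", "Welcome1", "Password1", "Qwerty123"]


def reset_cost_fte(incidents_per_month: int, password_share: float,
                   hours_per_incident: float,
                   fte_hours_per_year: float = 1750.0) -> float:
    """Metric 1.1: support effort absorbed by password resets, in FTEs/year.
    fte_hours_per_year is an assumed planning figure."""
    resets_per_year = incidents_per_month * 12 * password_share
    return resets_per_year * hours_per_incident / fte_hours_per_year


def audit_weak_passwords(accounts: dict, weak_list: list) -> tuple:
    """Step 5: accounts whose stored hash equals the hash of a deny-listed
    password must be reset. Returns (accounts_to_reset, percent_weak),
    the latter being metric 1.2."""
    weak_hashes = {h(pw) for pw in weak_list}
    to_reset = sorted(u for u, digest in accounts.items() if digest in weak_hashes)
    percent = 100.0 * len(to_reset) / len(accounts) if accounts else 0.0
    return to_reset, percent


if __name__ == "__main__":
    # NAV figures from the slide: 9 000 incidents/month, 17 % password
    # related, solved in under an hour (one hour used as the upper bound).
    print(f"password resets cost ~{reset_cost_fte(9000, 0.17, 1.0):.1f} FTE/year")
    users, pct = audit_weak_passwords(ACCOUNTS, WEAK_PASSWORDS)
    print(f"{pct:.0f}% of passwords are easily cracked; reset: {users}")
```

With the NAV numbers the cost metric comes out at roughly 10.5 FTE per year, matching the slide's "over 10 FTEs"; re-running the audit after each 90-day cycle gives the trend line for step 6.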


Return On Investment


Summary


Summary

• To avoid a security backlash where the greatest risk of security is security itself, we must shift our focus to protect and enable
• Protect and stay relevant:
  – Understand that the new ways of working will require a re-think
  – Create lean protection mechanisms that focus on real risk
• Enable and be a hero:
  – Understand what the user is trying to do, and help him/her do it securely
  – Don’t accept status quo and rip out worthless security
• Deliver real value by measuring and thus showing that you are both protecting and enabling


www.transcendentgroup.com