From No Seat to Multiple Hats: The Evolution of the Information Security Management Function...


Transcript of From No Seat to Multiple Hats: The Evolution of the Information Security Management Function...

Page 1: From No Seat to Multiple Hats: The Evolution of the Information Security Management Function (261565918)

8/9/2019 From No Seat to Multiple Hats: The Evolution of the Information Security Management Function (261565918)

http://slidepdf.com/reader/full/from-no-seat-to-multiple-hats-the-evolution-of-the-information-security-management 1/39

From No Seat to Multiple Hats: The Evolution of the Information Security Function

April 1, 2015 (no fooling!)

David Sherry

CISO

Brown University

Page 2

Today’s Agenda

• A brief history of information security

• How security used to be done

• Addressing security now

• The maturity of security

• Q&A


Page 4

Why are we here?

Page 5

To highlight that information security continues to evolve (just as the attacks and issues continue to evolve) towards what is becoming a mature, risk-based model.

Page 6

About 25 Years of Computer Security (in 5 slides)

Page 7

History, Chapter 1

Source: http://blog.trendmicro.com/threat-morphosis/

Page 8

History, Chapter 2

Page 9

History, Chapter 3

Page 10

History, Chapter 4

Page 11

History, Chapter 5

“The Media Era”

Heartbleed

XP end of life

Shellshock

Poodle

Target, Home Depot, JP Morgan Chase … pick your poison.


Page 13

“Exponential Times”

• Google searches per month:

 – 2006: 12.6 billion

 – 2008: 31.2 billion

 – 2010: 66.3 billion

 – 2011: 116.1 billion

 – 2014: 138.3 billion

• Text messages were introduced in 1994

 – daily amount now exceeds Earth’s population

• Top 25 jobs in demand for 2013

 – 19 didn’t even exist in 2005

• More information was produced and saved in 2014

than in all of human history

Page 14

“Exponential growth”

Years to reach 50 million users:

• Radio = 38 years

• TV = 13 years

• Internet = 4 years

• iPod = 3 years

• Facebook = 2 years

• Twitter = two months (Jan/Feb 2012)

• Cloud adoption for email?????

Page 15

Takeaways to this point

• Information threats have evolved and will continue to.

• Threats are in the public eye, and discussed in the board room.

• The information security model must continue to evolve as well, and mature at a similar rapid pace.

Page 16

Security in the Past

Page 17

The early security model

• Security positions were rare

• Rarer was a security department

• Usually part of the network group

• Put in a firewall, throw in some anti-virus, and hope for the best

• No manager or security spokesperson

• FUD was the model of choice

Page 18

The early security model: results

• Deep reliance on the firewall

• Reactionary posture

• “Good enough” was the benchmark

• Often an afterthought after an event

• Widespread attacks were prevalent

• An attack could impact operations for lengthy periods of time

Page 19

“The troglodytes at the end of the hall….”

Early firewall management


Page 22

Key Skill Sets for New Thinking

• Security pros see things differently

 – cameras, voting machines, boarding passes, computer vulnerabilities

 – engineers like to make things work; security pros like to see how they can be broken

• Soft skills are increasingly important:

 – persuasion, negotiation, business cases, organizational value and legal mindset playing a bigger role than bits and bytes

Page 23

The maturing operational model

• Separate the business / risk aspects from the network / architecture aspects

• At Brown, this means the ISG and the NTG

• Benefits:

 – Separation of duties

 – Engineers can concentrate on networks, not policy

 – Information Security can lead (and deny) from the front

Page 24

So what do you focus on?

Page 25

Where should an organization focus? Part I: Managerial

• Establish a security program

• Ensure a base policy set

• Establish the baseline posture

• Provide security awareness broadly

• Target compliance from the start

• Take privacy seriously

• Use risk assessments strategically

• Train for incident response

Page 26

Where should an organization focus? Part II: Technical

• Build a secure architecture

• Use security solutions strategically

• Be zealous of secure access

• Set baselines (servers, mobile, BYOD, etc)

• Ensure secure use of the Cloud

• Target web apps security and continual scanning

Page 27

How to do this

Page 28

What an organization can do

• Be proactive about security

• Assign executive responsibility

• Make security a business function

• Adopt a framework

• Partner with audit and legal

• Get the message out!

• Ensure that there is a senior security leader

Page 29

The changing role of the CISO

• The proliferation of technology at every level of the business has made Information Security less about technology

• Increasingly, Information Security is more about policy, mitigation, education and process

• Privacy is the current new "thing" in Information Security

• Today CISOs are presented with issues that several years ago would have gone directly to the Office of the General Counsel

• State and Federal regulations require documented and measurable compliance

• Often, the CISO is looked at to be a stakeholder in Risk Management, requiring a different set of skills and thinking

Page 30

Current Job Postings for a CISO

• 12-15 years of experience

• Leadership

• Vision

• Strategy

• Rapid analysis

• Presentation skills

• Articulation

• Business acumen

• Governance

• Compliance

• Risk Management

• Legal mindset

• MBA or Masters in Computer Science

• Certifications (CISSP, CISA, CRISC, CIPP)

Page 31

The Result?

• Information Security is gaining as a contributor to the success of the organization

• Not only attends risk management meetings, but may also be leading them

• Sometimes is speaking for conflicting priorities!

• Models also indicate a subtle shift towards the lead information security person reporting to the Chief Risk Officer

Page 32

From “no seat at the table” to “wearing multiple hats”

Page 33

Does Anyone Want It?

“Pity the poor CISO” – A Tough Corporate Job Asks One Question: Can You Hack It?

• New York Times, 7/20/14


Page 35

Was this a presentation?

Page 36

Summary

• The threats to information security are increasing and evolving

• The role of information security has evolved as well

• The information security function is now a key component in the success and risk management posture of an organization

• Security success is through managerial, technical and awareness methods

• Organizations need a security leader!

Page 37

Pity the poor CISO? At least we are no longer troglodytes

Page 38

David Sherry, CISSP CISM

Chief Information Security Officer

Brown University

Campus Box 1885

Providence, RI 02912

401-863-7266

[email protected]

There is never enough time; thank you for some of yours.
