Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War


Page 1: Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War

Winning a Battle Doesn't Mean We Are Winning the War. Are we doing the best job we can?

Gary Sheehan, CISSP, HISP, CERP, CIS LI

CSO / GRC Services Director

Page 2

©2016 ASMGi CONFIDENTIAL 2

Practical IT Innovation

Page 3

#COISWin

Page 4

Disclaimer: These ideas and concepts you are about to hear are not for the faint of heart and are not your typical solutions. This presentation may force you to make a fundamental change in your approach to implementing security and underlying assumptions about good security practices. After viewing this presentation your thinking about how to build a successful security program may change.

REALITY CHECK HAZARD

Page 5

Agenda

1. State of the Union
2. Ideas and concepts for improvement
3. Tools
4. Q&A

Page 6

State of the Union

Page 7

State of the Union

Ransomware takes Hollywood hospital offline, $3.6M demanded by attackers

Page 8

State of the Union

There were 736 million records exposed in 2015 due to a record-setting 3,930 data breaches. 2016 has only just started, and based on the incidents being reported in the public, data protection is still one of the hardest tasks to master in InfoSec.

Source: CSO Magazine

Page 9

State of the Union

U.S. Internal Revenue Service (IRS) said it will mail out nearly 700,000 letters to taxpayers who may have had their tax records compromised. Since 2014, at least 724,000 U.S. citizens have had personal and tax records stolen by thieves who hacked a “Get Transcript” feature formerly available on the IRS website.

Source: http://247wallst.com/

Page 10

State of the Union

Experian - 2016 Data Breach Industry Forecast

• The EMV Chip and PIN liability shift will not stop payment breaches.
• Big healthcare hacks will make the headlines but small breaches will cause the most damage.
• Cyber conflicts between countries will leave consumers and businesses as collateral damage.
• 2016 U.S. presidential candidates and campaigns will be attractive hacking targets.
• Hacktivism will make a comeback in this election year.

Page 11

Ideas and Concepts For Improvement

Page 12

Ideas and Concepts For Improvement

• Understand and embrace your role

• Build a business-aware security culture

• Be informed

• Set direction

• Bring coherence

• Develop adaptive capacity

• Strengthen the organization

• Validate and review

• Maturity and measurement


Page 13

Ideas and Concepts For Improvement

Understand and Embrace Your Role

• What is your current job description?
• What are your responsibilities?
• What do you need to do to enable:
  • Business success
  • Stakeholder success
  • Boss success
  • Your success
• How is your success measured?
• How do others in the organization view you?
• How do they view your role?

Page 14

Ideas and Concepts For Improvement

Build a Business-Aware Security Culture

• Know your current business culture
• Know your customers
• Know your stakeholders
  • Primary
  • Secondary
• Understanding communication & education
• Current reputation
• Sphere of influence

Page 15

Ideas and Concepts For Improvement

Be Informed

• Understand the overall strategy of the organization
• Know what your organization values
• Know where your data is
• Know who has access to your data
• Identify single points of failure
• Anticipate, identify, monitor and evaluate security trends and potential issues
• Draw upon existing risk management frameworks
• Know your suppliers and vendors
• Identify and learn lessons

Page 16

Ideas and Concepts For Improvement

Set Direction

• Data governance
• Purpose and vision for information security
• Values of the organization should be integrated into your security plans and strategy
• Clear security priorities – aligned within the organization
• Clear security roles and responsibilities

Page 17

Ideas and Concepts For Improvement

Bring Coherence

• Ensure security priorities are aligned with operational activities to achieve coherence across the various business processes
• Risk management should be coordinated across the enterprise
• The organization should manage change
• Communicate and share information
• Collaboration realizes mutual benefit

Page 18

Ideas and Concepts For Improvement

Develop Adaptive Capacity

• Build an ability to identify and respond to change in a timely and effective manner
• Promote innovation
• Enable flexibility and agility
• Disseminate and implement good practice
• Share errors, failures and mistakes openly
• Proactively seek lessons from other organizations
• Train and develop people

Page 19

Ideas and Concepts For Improvement

Strengthen the Organization

• Ensure security is baked into everything
• Ensure Incident Response plans are current and tested
• Take actions to protect all business assets, holistically
• Ensure your BCP is current and has been tested
• Encourage broader participation in security and risk management across all business units

Page 20

Ideas and Concepts For Improvement

Validate and Review

• Audits, assessments, testing and other exercises
• People, Process & Technology
• The organization should verify that it is complying with industry, legal and regulatory obligations

Page 21

Ideas and Concepts For Improvement

Maturity and Measurement

• Identify a security baseline to determine existing levels of security
• Identify appropriate metrics (business focused)
• Review metrics
• Take action

A basic maturity model can assist in determining to what extent an organization is addressing good practice.

Page 22

Which Tools Are Right For You?

Depends on what tools you need

Page 23

Tools

2016 security trends suggested by a study conducted by a large research consulting firm:

1. Processes, procedures and awareness are essential ingredients for risk mitigation, along with the right technologies
2. There will be a much greater emphasis on intelligence-led security
3. A change in the information security industry

Page 24

Tools

• Cloud Broker
• Cloud Access Security Broker
• Key / Certificate Protection
• Policies / Plans / Processes / Procedures
• Data Discovery
• Asset Management
• Access Controls
• Encryption
• Logging / Monitoring
• Assessment
• Forensics
• Training

Page 25

Questions

Questions / Comments

Page 26

October 24-28

Page 27

Download this presentation and extra materials at:

www.asmgi.com/COISWin

#COISWin

Gary Sheehan

CSO / Director of GRC Services

ASMGi

O - 216-255-3056

M - 216-633-8220

[email protected]

www.asmgi.com