Implementing Business Aligned Security Strategy – Dane Warren Li
Posted 19-Oct-2014 (Category: Documents)
Slide transcript
Implementing a Business Aligned InfoSec Strategy
Dane Warren – Head of Information Security and Risk
Overview
• Strategic and business planning
• Aligning a security strategy with the business
• Using organisational change to deliver the strategy
X-Corp
• ~1 Billion in Revenue – fast growth (2X Industry CAGR)
• ~ 5000 employees
• Marketing focus
• Sells widgets to consumers
• Wants to grow market and revenue share through differentiation and customer service – customer intimacy
• Needs to improve EBITDA and ROCE – operational efficiency
• No confidence in the security program – legacy issues
1. LISTENING: You need to engage stakeholders, at all levels, to understand the situation.
• Identify key people
• Take them out for a coffee
• Identify constraints
• Draft your plan based on the outcome of these sessions
2. PLANNING: Your security program will need to have a mission, vision and values that are security related and aligned to the business.
[Diagram: strategic planning, linking Market, Core Values, Vision and Mission]
2. PLANNING: When looking at your security strategy, consider how you can provide business opportunities
How do we add value?
How do we make money?
How do we save money?
Competitors?
3. CONTEXTUALISING: Create a burning platform - a need to change - that will catalyse the paradigm shift.
• Industry requirements (PCI-DSS)
• New legislation (Privacy, SOX)
• Contract requirements (ISO 17799)
• Negative audit results
3. CONTEXTUALISING: Demonstrate to senior leadership that there are risks. Communicate these risks in a consistent manner.
Impact      | Rare | Unlikely | Possible | Likely | Almost Certain
Severe      |  M   |    H     |    H     |   VH   |      VH
Major       |  M   |    M     |    H     |   H    |      VH
Moderate    |  L   |    M     |    H     |   H    |      H
Minor       |  L   |    L     |    M     |   M    |      H
Negligible  |  L   |    L     |    M     |   M    |      H
Impact: business assessment. Likelihood: technical assessment. (L = Low, M = Medium, H = High, VH = Very High)
3. CONTEXTUALISING: Assign ownership of risk to the right people. Manage, track and report.
Business Owner
What are you doing about the risk?
What is the current status?
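The two slides above (the impact/likelihood matrix and the ownership questions) are easy to apply inconsistently once the register has more than a handful of entries. The following is an added example, not code from the talk: it encodes the slide's 5x5 matrix as a lookup, stores each risk with the business owner, treatment and status the slide asks for, and produces an owner-grouped report that flags the two governance failures the slide is trying to prevent: a risk with no owner, and a risk whose status has not been reviewed recently. The risk entries, the 90-day review window and the owner names are constructed for illustration.

```python
"""Risk rating with the slide's matrix plus an owner-tracked risk register.

Added example, not from the original deck. The matrix is copied exactly from
the slide; the Risk entries, owners and the 90-day review window are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Column order of the slide's matrix (least to most likely).
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]

# Rows = impact (business assessment), columns = likelihood (technical assessment),
# exactly as drawn on the slide.
MATRIX = {
    "Severe":     ["M", "H", "H", "VH", "VH"],
    "Major":      ["M", "M", "H", "H", "VH"],
    "Moderate":   ["L", "M", "H", "H", "H"],
    "Minor":      ["L", "L", "M", "M", "H"],
    "Negligible": ["L", "L", "M", "M", "H"],
}
RATING_ORDER = {"L": 0, "M": 1, "H": 2, "VH": 3}


def rate(impact: str, likelihood: str) -> str:
    """Return the matrix cell for a business-assessed impact and a technically
    assessed likelihood. Unknown labels are rejected rather than silently
    defaulting, so every entry in the register uses the same vocabulary."""
    if impact not in MATRIX:
        raise ValueError(f"unknown impact {impact!r}")
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood {likelihood!r}")
    return MATRIX[impact][LIKELIHOOD.index(likelihood)]


@dataclass
class Risk:
    rid: str
    title: str
    impact: str               # business assessment
    likelihood: str           # technical assessment
    owner: Optional[str]      # business owner accountable for treatment
    treatment: str            # "What are you doing about the risk?"
    status: str               # "What is the current status?"
    last_reviewed: date       # when the owner last answered those questions

    @property
    def rating(self) -> str:
        return rate(self.impact, self.likelihood)


def report(risks: List[Risk], today: date, max_age_days: int = 90
           ) -> Tuple[Dict[str, List[Risk]], List[str]]:
    """Group risks by owner, highest rating first, and list governance issues:
    risks with no business owner and risks whose status is stale."""
    issues: List[str] = []
    by_owner: Dict[str, List[Risk]] = {}
    ordered = sorted(risks, key=lambda r: RATING_ORDER[r.rating], reverse=True)
    for r in ordered:
        if r.owner is None:
            issues.append(f"{r.rid}: no business owner assigned")
        if (today - r.last_reviewed).days > max_age_days:
            issues.append(f"{r.rid}: status not reviewed in over {max_age_days} days")
        by_owner.setdefault(r.owner or "UNASSIGNED", []).append(r)
    return by_owner, issues


# Constructed sample register for the hypothetical X-Corp in the deck.
SAMPLE = [
    Risk("R1", "Card data stored unencrypted in legacy order database",
         "Severe", "Likely", "Head of Retail", "Tokenisation project",
         "In progress", date(2014, 9, 1)),
    Risk("R2", "No leaver process for contractor accounts",
         "Major", "Almost Certain", None, "", "Not started", date(2014, 3, 1)),
    Risk("R3", "Marketing site shows outdated privacy notice",
         "Minor", "Possible", "CMO", "Legal review of notice",
         "Scheduled", date(2014, 10, 1)),
]

if __name__ == "__main__":
    grouped, problems = report(SAMPLE, date(2014, 10, 19))
    for owner, items in grouped.items():
        print(f"{owner}:")
        for r in items:
            print(f"  [{r.rating:>2}] {r.rid} {r.title} | {r.treatment or '-'} | {r.status}")
    for p in problems:
        print("ISSUE:", p)
```

The point of the `issues` list is that the board pack should surface "nobody owns this" and "nobody has looked at this" as findings in their own right, rather than leaving them buried in the register.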
4. GOVERNANCE: Create a guiding coalition that will help to drive the change. Identify key decision types and assign ownership of those decisions through this guiding coalition.
5. COMMUNICATE: Leverage the security governance board to deliver a message to the organisation about how important security is.
• Get the CEO to send out an email – leverage the guiding coalition and exploit those relationships
• Hold briefing sessions with senior management
• Use internal communications to publish security memos
5. COMMUNICATE: Build an Information Security education program that is based on best practice, with a focus on key risk areas
• Communicate relevant policies and standards
• Conduct security awareness games
• Be the face of security for all new hires
• Leverage existing organisational training opportunities
6. DELEGATE: Break the program down and assign it to the relevant senior managers and line managers.
• Create a culture of security
• Let the people within the organisation own the risks and treatment strategies
• Look for opportunities in new projects
7. QUICK WIN: Even within a big program there are opportunities to reduce risk quickly
• Identify quick win situations through stakeholder engagement and enterprise risk register
• Identify ‘hot’ audit issues that can be addressed with minimal effort – processes and standards
• Build a reporting framework that tracks progress – use the right metrics
8. DON’T STOP: Never declare the program over before it is.
• Review your program and your metrics to determine the % complete
• Picture the organisation without you – can this progress continue?
• Discuss performance criteria with HR and look to integrate security into the performance appraisal processes
9. RE-FREEZE: Once the change has been implemented, lock it in!
• Education is in place
• Performance appraisals have a security component
• Security / Risk Aware culture is in place
• Succession planning is in place
Questions … ?
… lead the change.