Value added security services

Transcript of Value added security services (18 slides)

Page 1: Value added security services

Value-added security services

Carsten Maartmann-Moe

May 20, GRC 2015

Page 2: Value added security services

Powerful external forces require us to re-think information security

Forces acting on your business:

• Regulations
• IT reliance
• Increased attack surface
• Advanced threats
• New ways of working

© Transcendent Group Norge AS 2015

Page 3: Value added security services

The greatest risk is strategic

“Only a few CEOs realize that the real cost of cybercrime stems from delayed or lost technological innovation […] we estimate that over the next five to seven years, $9 trillion to $21 trillion of economic-value creation, worldwide, depends on the robustness of the cybersecurity environment.”

McKinsey & Company: The rising strategic risk of cyberattacks


Page 4: Value added security services

How can the information security function stay relevant?

Realize that:

• Failure to handle cybersecurity effectively will not only incur security breaches
• it will also slow down the business and make us less competitive
• traditionally our strategy for handling cybersecurity focuses on protecting the business
• we need to shift to both protect and enable.


Page 5: Value added security services

Protect and enable: Principles of value-added security services

Protect

• risk-centric
• easy-to-understand and in-tune policies and requirements
• provide solutions to lower risk
• measure, measure, measure

Enable

• service-oriented
• a trusted advisor to the business
• provide solutions to reduce (security) cost and enable your business
• measure, measure, measure


Page 6: Value added security services

Protect


Page 7: Value added security services

Figure out what capabilities we need to protect our modern users

Cloud, Mobile and Collaboration require these enterprise security capabilities:

• App threat / vuln. Mgmt.
• Trust model / IdAM / RBAC
• Collaboration for mobile
• Mobile Device Mgmt.

Page 8: Value added security services

From “no, you can’t” to “yes, let’s do it this way”

• Don’t create 110-page policies, requirements and standards
• Create short “do it this way” documents – communicate what’s secure
• Support the documents with actual tools to make it easy to do it right
• Be pragmatic and risk-centric – for instance by infusing small risk assessments into key business processes (project methodology, production processes, yearly reviews, etcetera)
• Pick 2-5 metrics that gauge desired behavior, and start reporting on progress


Page 9: Value added security services

Enable


Page 10: Value added security services

People are nice*

• Yes, it’s true!

*) There are some caveats


Page 11: Value added security services

Idiotic security

• Make it easy to do it right
• Make it hard to do it wrong

Page 12: Value added security services

Case in point: AD Password policies

Typical policy:

• You have to change your password every 90 days

Illustrative cost (NAV, Norwegian welfare administration)

• 17 000 employees
• In total 9 000 incidents per month
• 17 % of support incidents are password-reset related and solved in under an hour
• Over 10 FTEs are wasted each year in NAV due to this single policy

Page 13: Value added security services

Research shows that expiring passwords do not have the intended effect

“To be economically justifiable, time spent by computer users changing passwords should yield $16 billion in annual savings from averted harm.”

Microsoft: So long, and no thanks for the externalities: The rational rejection of security advice by users (2010)

“[…] our evidence suggests it may be appropriate to do away with password expiration altogether, perhaps as a concession while requiring users to invest the effort to select a significantly stronger password than they would otherwise (e.g., a much longer passphrase).”

Yinqian Zhang: The security of modern password expiration: An algorithmic framework and empirical analysis (ACM CCS 2010)


Page 14: Value added security services

Making it easier and more secure

1. Measure
   1. Number of password-related support incidents
   2. Current password quality (% of passwords easily cracked)
   3. User satisfaction with having to change passwords every 90 days
2. Remove the “Password Expiration” policy
3. Teach your users how to select a strong password
4. Inform users that if they select a strong password, they will never have to change their password again
5. Crack passwords every 90 days, and reset cracked passwords
6. Repeat step 1
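A worked version of the Measure step, covering both the FTE cost of the expiry policy (reproducing the NAV figures from the previous slide) and the "% of passwords easily cracked" quality metric. This is an example added here, not code from the slides; the 1 750 productive hours per FTE, the unsalted SHA-256 hash format and the sample hashes are assumptions.

```python
"""Worked example (added here, not from the slides) of the 'Measure' step:
the FTE cost of a 90-day expiry policy, reproducing the NAV figures from the
previous slide, and the '% of passwords easily cracked' quality metric.
All values except the NAV ones, and all hashes, are constructed sample data."""
import hashlib

# Productive hours per FTE per year: an assumption, the slides give no figure.
HOURS_PER_FTE = 1750


def fte_wasted(incidents_per_month, reset_share, minutes_per_reset,
               hours_per_fte=HOURS_PER_FTE):
    """FTE-equivalents per year consumed by password-reset incidents.

    incidents_per_month: all support incidents in a typical month
    reset_share:         fraction of those that are password resets
    minutes_per_reset:   average handling time of one reset
    """
    resets_per_year = incidents_per_month * reset_share * 12
    hours_per_year = resets_per_year * minutes_per_reset / 60
    return hours_per_year / hours_per_fte


def weak_password_share(stored_hashes, banned_passwords):
    """Fraction of stored password hashes that match a banned-password list.

    Stands in for the slide's '% of passwords easily cracked' metric.
    Assumes unsalted SHA-256 hex digests (a simplification: a real AD audit
    works on the directory's own hash format).
    """
    banned = {hashlib.sha256(p.encode("utf-8")).hexdigest()
              for p in banned_passwords}
    hits = sum(1 for h in stored_hashes if h in banned)
    return hits / len(stored_hashes)


def _h(pw):
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


# Constructed sample: four stored hashes, two of them on the banned list.
SAMPLE_HASHES = [_h("Summer2015"), _h("correct horse battery staple"),
                 _h("Password1"), _h("x9!Qm#v2Lr7&Tz")]
BANNED = ["Password1", "Summer2015", "123456", "Welcome1"]

if __name__ == "__main__":
    # NAV: 9 000 incidents/month, 17 % resets; "under an hour" taken as 60 min,
    # so this is an upper bound. Prints about 10.5, matching "over 10 FTEs".
    print(f"FTEs wasted per year: {fte_wasted(9000, 0.17, 60):.1f}")
    print(f"Weak passwords: {weak_password_share(SAMPLE_HASHES, BANNED):.0%}")
```

Re-running both functions after step 2 (and again after each 90-day reset round in step 5) gives the before/after numbers that step 6 asks for.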


Page 15: Value added security services

Return On Investment


Page 16: Value added security services

Summary


Page 17: Value added security services

Summary

• To avoid a security backlash where the greatest risk of security is security itself, we must shift our focus to protect and enable
• Protect and stay relevant:
  – Understand that the new ways of working will require a re-think
  – Create lean protection mechanisms that focus on real risk
• Enable and be a hero:
  – Understand what the user is trying to do, and help him/her do it securely
  – Don’t accept status quo and rip out worthless security
• Deliver real value by measuring and thus showing that you are both protecting and enabling


Page 18: Value added security services

www.transcendentgroup.com