Downloaded 10 times
Uploaded byRedZone Technologies
How to Communicate the Actual Readiness of your IT Security Program for PCI 3.0, Omnibus HIPAA, BAAs, New Bank Regs, NCUA
The document discusses the current state of IT security and risk management, highlighting concerns from CIOs and directors regarding the pressure to meet banking compliance and present effective IT security strategies to boards and executives. It emphasizes the need for better tools and innovative approaches to demonstrate value in IT security investments, while also detailing insights from regulators and industry leaders about evolving security challenges and the importance of proactive measures. The narrative underscores a shift from compliance-focused mindsets to a greater emphasis on comprehensive security and the reality of potential breaches.
More Related Content
Similar to How to Communicate the Actual Readiness of your IT Security Program for PCI 3.0, Omnibus HIPAA, BAAs, New Bank Regs, NCUA
How to Communicate the Actual Readiness of your IT Security Program for PCI 3.0, Omnibus HIPAA, BAAs, New Bank Regs, NCUA
- 1. At It’s Hearttoday
- 2. IT Security &Risk Management
- 3. IT Security &Risk Management
- 4. IT Security &Risk Management
- 5. IT Security &Risk Management
- 6. What We AreHearing • From You • From Regulators
- 7. What We AreHearing From You • CIO- “My Board and CEO still doesn’t care about IT security unless I can show them that loss if they don’t do something.” The board and CEO of this public company are concerned about supply chain impact security concerns and what would happen if this were impacted. • Director of IT – “The banks are pressing me for me for more IT Security details now. It used to be relatively easy to fill out but now it is hours and hour of work. I failed one line of the questionnaire. I was certain my answer was not a big deal, but it was. I don’t want to risk my companies business with these banks. Can you help me figure this out?” The pressure is mounting as credit card merchants and banks are going to pass the responsibilities down the food chain. They will be exposing the weakest link in the chain. • CIO – “I really don’t have a problem talking to the CEO and board about justifying our IT Security spending, but I really do need better tools to present the IT Security Vision and Roadmap.” Essentially they trust her, but what if they could trust her plus really understand what IT Security spending is going towards. • CIO – “I am looking for new and innovative approaches to presenting my IT security program to the Board. Sometimes they are so focused on whether they will pass the compliance audit that they lose the fact that we need great IT Technology security for a business of our size.”
- 8. What We AreHearing from You • I would like your opinion so I don’t overspend on my IT Security. • I have so many areas to secure and I have already spent quite a bit on IT Security…. What do you think about it? Should I be concerned about these over lapping functions on systems? • Strategy and architecture – I want to go this way and I am thinking of using these technologies what are your thoughts on my approach? • Help me understand my current IT Security investments to see if they will pass an audit or some deep dive inspection. • I have three main constituents that I need to sell my approach to: Auditors, CEO, and the Board. What is the best presentation approach?
- 9.
- 10. Story An interestingstory- this is not the most creative slide in the world I apologize, but I did mention that it’s a big project so we’re going to get the slides cleaned up at a different time – I was having coffee with the CEO of Unisys just recently, and he was explaining a story that he was at a security event and the ex-Mandiant CEO, or he might still be the CEO but I know that they were purchased and something’s going on with fireye, but he was talking and obviously many of you have listened to, I forget his first name, Mr. Mandiant talk. He asked the CEOs, ‘what do you want from your information security program?’ and they said I want the best. I want the best, best, best, best, just a real male ego type thing; I want to have a killer IT security program. Then when he (Mandiant) explained it, what’s needed, the CEOs dialed back their expectations and said, I just want to make sure I don’t end up on the cover of Wall Street Journal like the Target CEO. It’s an interesting story, the CEOs are sharing information now and it’s interesting to see that even though they want a very powerful program, there’s a reality that many of them are just concerned about their job security. There’s not only the Jamie Diamonds of the world but people that I’m seeing, that I talk to just having coffee and what they’re hearing as well. That’s what we’re hearing from you when we’re listening. What are we learning from regulators?
- 11. What We AreLearning From Regulators • FFIEC • NCUA • HIPAA /Omnibus • BAA (new mandates from Omnibus ruling) • PCI • EMV
- 12. What We AreLearning - Themes • IT Security is a Verb and not an Event • Risk is starting to flow downhill to the weakest link • Don’t just manage Compliance. Must have a great IT Security program • Weak Passwords • Malware - APTs • 3rd party challenges • Manage the basics – Patching is not as easy as it might seem • Authentication challenges • Data Governance
- 13. Proof Needed •CEO and Boards and Auditors and Compliance • Want proof • What is your internal audit and reporting process?
- 14. PCI 3.0 ComplianceValidation BIGGEST PROBLEM IS GRAPH
- 15. FFIEC Webinar •FFIEC members include: (http://www.ffiec.~ov) • Board of Governors of the Federal Reserve • Consumer Financial Protection Bureau -CFPB • Federal Deposit Insurance Corporation -FDIC • National Credit Union Administration -NCUA • Office of the Comptroller of the Currency -OCC • State Liaison Committee
- 16. What Every CEONeeds to Know about the Threats They Don’t See. Executive Leadership of Cyber Security Financial Institutions Examination Council (FFIEC) Cybersecurity and Critical Infrastructure Working Group
- 17. Cyber Risk Management GOVERNANCE
- 18. HIPAA – oldrule • http://www.hhs.gov/ohrp/sachrp/mtgings/2013%20March%20Mtg/hipaa/hitechomnibus_finalrule.pdf • Page 13
- 19. Omnibus HIPAA –New Rule • http://www.hhs.gov/ohrp/sachrp/mtgings/2013%20March%20Mtg/hipaa/hitechomnibus_finalrule.pdf • Page 14
- 20. EMV • NewTech Standard • Oct 2015 deadline • Liability for fraud will flow/shift to whichever party has the lesser technology
- 21. NCUA • Costbreach • http://www.ncuareport.org/ncuareport/augus t_2014#pg4 • Top 10 things credit union auditors look for
- 22. IT Security &Risk Management FLOW Checklists CIO Scoreboard CEO/Board
- 23. IT Security SystemManagement Checklist
- 24. Admin Level toCIO Level 40 Security Items
- 25. IT Security &Risk Management FLOW 40 Security Items Security /Infrastructure/DR By Sector/Category Investment Based on Risk
- 26. Big Picture Whatis Happening “Roughly 170 Quadrillion Computer chips wired into a Mega-scale computing platform The total number of transistors In this global network is now approximately the same # of neurons of the human brain” What Technology Wants – Kevin Kelly
- 27.
- 28. Interesting – TheWord Privacy
- 29. JWT – WorldTrends 2014 and Beyond
- 30. JWT – WorldTrends 2014 and Beyond
- 31. JWT – WorldTrends 2014 and Beyond
- 32. JWT – WorldTrends 2014 and Beyond
- 33. WE SIT INTHE MIDDLE AND MANAGE COMPLEXITY
- 34. So What isa Security Leader Today?
- 35. We Are Supposedto be Afraid Right?
- 36. Changing the story Adult Conversations…. Page 6 Assume the Breach Assuming the breach requires a shift Of mindset from prevention alone to Containment after the breach Assumption of a breach requires a maturing of defenses to meet this reality And shifts the focus from ‘if’ to ‘when’
- 37. What about changingthe story or the way we talk about IT Security? I like words like relentlessly proactive Versus playing back on our heals “IT Pros lack Confidence in protecting themselves” Computer weekly
- 38. Show Me TheMoney • Cuba Gooding • Tom Cruise
- 39. Ponemon • Costof Loss
Editor's Notes
- #3 With that let’s get started. We’re going to be showing today how to manage IT security and risk management.
- #4 What I’m going to focus on is how to do this from the technical weeds level, I call it, all the way up through the managers, up through the CIO, up through the CEO, and up through a happy board.
- #5 For today we’re going to cover how we go about doing this. Just a quick story to begin; RedZone was founded in 2001 and we’ve been really all about assisting, at this level, the CIO, manager, and technical doer level for our 14 years of existence. What has really moved us, and it’s really driven a lot of our products and services and such as we’ve gone along, is listening to those 3 core constituents. What’s happened over the past 2 years is that I was hired by a company out of northern Virginia, and RedZone was hired as a CIO and actually the CTO as well. This was a very interesting organization. This organization had basically a major 3-letter agency on its board that was intense to say the least. This board was an educated board about, as you might imagine, about IT security. They wanted to go find a CIO but they needed a very specific one and they knew it was going to take a long time and we had had an 8 or 10 year relationship with this company so I reluctantly stepped in to do this job mainly because of the relationship, but I just don’t have a business model for supporting a CIO/CTO type function. James and I stepped in, James did the CTO role and I did the CIO role. What was interesting was we were mostly communicating with the COO. She was incredibly intelligent yet I found out really quickly that the old methods of communicating that I was using with the CIO were not going to work in this situation. I ended up having to re-craft, and built a set of applications and processes, and tools not only to communicate with them and keep their security, disaster recovery, and infrastructure programs moving forward at the expectation level of this 3-letter agency, but also to make sure that we could apply that methodology across all our clients, all of our customers. As a managed services provider and managed services security provider it just made a ton of sense as we went along. What I’m going to show you today is how we’re doing this. Essentially the pressure points we’re going to address are both the board’s asking for enterprise risk assessments, the auditor’s internal audit, and having a little person off to the right, who, I don’t necessarily care that the compliance person is an external auditor, internal auditor, or what type of material the board or the CEO needs regarding enterprise risk, but ultimately that’s going to be one of the main objectives. The goal here is to make all 3 constituents happy, at the CIO level, the board level, compliance officers, also not just at the technical doer level, but integrating a set of processes and systems and ways of capturing and extracting information from cloud providers, 3rd party providers, MSP partners, vendors and consultants off to the right.
- #6 Ultimately, no pun intended here, we want this communication to make a lot of cents, on the left, so that we have appropriate funding that can be applied to our information security programs. I find that one of the most critical pieces here is, we want to be able to have a lot of logic around this and get of fear mongering business and into logic. Everybody knows about the fears of our industry right now. Especially the people on the phone or you wouldn’t be here. We want to make sure appropriate funding is coming out and flowing into the programs that need support both internally, and externally to support our information security risk programs.
- #7 One of the parts agenda items today was to talk about what we’re hearing from all of you. One of the values of RedZone is that we’re meeting with a lot of people, from the technical doer level up through the CIO and at the CEO level. What are we hearing? Then I’m going to spend a couple slides on what we’re learning, what are the patterns that are coming out of the regulatory agencies. Then we’re going to move into what we’re doing about it.
- #8 Ok so these are just different samples: ‘My board and CEO still don’t care about IT security unless I can show them loss.’ If they don’t do something, so it’s about demonstrating loss for them or in their supply chain. Even though this company is public and they have HIPAA issues, he needs to able to demonstrate to the board, loss and quantify loss. None of these I’m going to qualify as bad or pressing. I just want to show you what I hear day to day so you can see what your peers are coming up with. Director of IT: ‘The banks are pressing me for more and more IT security details now. I used to be relatively easy to fill out a form, maybe 30 minutes to fill out a questionnaire. Now it takes me hours and hours of work and if I fail a line item it bounces me and I’m concerned because our business has a strong relationship with these banks and I’m concerned about filling it out accurately and correctly.’ We’re going to into that a little more specifically. That’s something we hear across the board now and it’s the result of a couple of very specific issues that are going on with the banking industry as a whole right now. This is an interesting one that came up: ‘I really don’t have a problem talking to the CIO and justifying our IT security spending, but I could use a set of better tools to present my vision of IT security and the road map that I’m planning for.’ That was interesting. She recognized that she needs to do the presentation of her program differently although she’s been there quite a while so there’s a lot of trust. There’s kind of an intuitive understanding that IT security is something she needs to come up with a better set of tools for. This last one: ‘I’m looking for new and innovative approaches to presenting my IT security program to the board. Sometimes they’re so focused on whether they will pass the audit, they lose the fact that we actually need great IT security for a business of our size.’ This is very common and actually the regulators are addressing this as well, moving the board from event-based IT security to one that’s more of a verb instead of a noun.
- #9 Questions about overspending, is a huge area, and overlapping system functionality is quite a concern. There’s a lot of great intention, but there’s a lot of vendors, very good vendors that maybe you want to make an investment in but there’s a lot of overlapping functionality, so how do you map all this functionality together such that you’re spending once instead of spending 2 or 3 times to accomplish the same objective? Strategy and architecture – there’s a lot of concerns about architecting a strategy around the new architecture with cloud, with hybrid cloud, and data governance around the architecture and the strategy. These are more items we’re hearing from you. I think the bottom 2 I’ve just covered: Understanding current investments to see if they’ll pass the audit or a deep dive inspection. That comes from a couple more slides in.
- #10 I wanted to make a point here. I went and started at like the real, real, real big boy level and just show you something that was pretty much stunning for me recently. Jamie Diamond, who is the CEO of JP Morgan Chase, I find this interesting as well coming out of the crash in the 2008-9 and 10 realm and just seeing what’s going on now at the big level, they essentially spent 200 million in 2012 on IT security and employed 600 people. His letter to the shareholders, this is the letter to the shareholders that literally was just released over the past couple months, he’s notifying them of the security update, and that that’s moving from 600 employees, he’s moving the dial to 1,000 employees, moving the spending from 200 million to 250 million. That’s to respond and to be poised for breath and depth attacks he’s having to deal with, and 3rd party breaches of systems, and things that he’s planning for like EMV standards and such. If we’re wondering why we’re getting the questions and concerns from the banks right now, the smaller banks, it’s my opinion that it’s starting at the top. This investment has to bleed out somewhere. Someone’s going to end up paying.
- #11 An interesting story- this is not the most creative slide in the world I apologize, but I did mention that it’s a big project so we’re going to get the slides cleaned up at a different time – I was having coffee with the CEO of Unisys just recently, and he was explaining a story that he was at a security event and the ex-Mandiant CEO, or he might still be the CEO but I know that they were purchased and something’s going on with fireye, but he was talking and obviously many of you have listened to, I forget his first name, Mr. Mandiant talk. He asked the CEOs, ‘what do you want from your information security program?’ and they said I want the best. I want the best, best, best, best, just a real male ego type thing; I want to have a killer IT security program. Then when he (Mandiant) explained it, what’s needed, the CEOs dialed back their expectations and said, I just want to make sure I don’t end up on the cover of Wall Street Journal like the Target CEO. It’s an interesting story, the CEOs are sharing information now and it’s interesting to see that even though they want a very powerful program, there’s a reality that many of them are just concerned about their job security. There’s not only the Jamie Diamonds of the world but people that I’m seeing, that I talk to just having coffee and what they’re hearing as well. That’s what we’re hearing from you when we’re listening. What are we learning from regulators?
- #12 The regulators - FFIEC I’ll cover in a later slide, it covers a lot of finance related organizations one of them being the NCUA. We’re going to talk about HIPAA Omnibus and new changes in BAA as it applies to HIPAA Omnibus, new versions of PCI, and EMV. Again, many of you have spent time, and understand the regulations probably quite deeply in any one of these areas.
- #13 My objective was to, in our experience, apply themes and see themes across these, and patterns that can be applied for you, and how we’re applying them to customers.
- #14 One of the big pieces here is proof. The auditors, the compliance organizations, the CEOs and the boards are asking questions regarding proof and this is relatively new I might add. There’s an auditor for example, she runs around for one of the regulator agencies and it’s kind of comical because, she’s not on the phone now but her name is Ruth, and I call her Ruthless Ruth. Ruthless Ruth is smart. She’s one of the smarter ones that we’ve seen over the past 14 years and she’s asking for proof. The CEOs and boards, I’m going to show you a couple of slides later with some resources you can go to where they’re asking for proof. It’s just an interesting piece. How do we get proof? It begs the question, what is your internal auditing and reporting process?
- #15 Let’s pick on PCI for a moment. This is a great graph. I had the challenge with this project, do I make a point over 7-8 slides for PCI or bubble it into 1. Of course I have supporting PCI slides that you can have later, but this picture speaks a thousand words. What it is, is it shows the project as essentially your internal processes and procedures that you’re governing your information security program. Governing everything from just watching a firewall to a security event information system to IDS systems to whatever it may be. Then all of a sudden there’s this raising of this, as the auditor and as your assessment is getting closer and closer and closer, you’re getting more and more and more compliant; you’re dialing it in, really looking at your processes and procedures and getting better and better and better and then there’s the event. Then all of a sudden there’s the fall off. The reason why we like is PCI is we feel it’s a real standard; not that FFIEC doesn’t have a real standard, or HIPAA doesn’t, or NCUA for that matter, we just find that this is a really nice set. It’s one of the most rigorous that we find. Then there’s the drop off. That’s the challenge. In information security eight now that is the problem. We’re treating IT, information security, as an event basis instead of as a program, instead of as a verb that we do over time. It’s stressful for an organization to go through this boost. We’ve been on the side where we stand in, in some of our audit and security programs, we stand in with the team, as a part of the information security team, providing services, and we have to stand in for these audits and it’s a lot of stress going through event based only programs.
- #16 Ok this is interesting. I’m going to hit now PCI, I’m going to hit FFIEC, and it’s going to be quick. I’m going to go quick, deep dodge each one. I can give you the supporting evidence after the fact, but I just want to make a point of these slides not get into endless machinations about it. Essentially, this is a FFIEC webinar. For the board of governors of the Federal Reserve, CFPB, FDIC, NCUA, OCC, I mean it’s the big kahuna speaking here. It’s the boss of all of these sub-agencies.
- #17 Look at the title: What Every CEO Needs to Know About the Threats They Don’t See. You can find it I google, I have a link here for it. What was really interesting is, again one of the big points I want to make is the proof, because it’s hard to prove, it’s not easy.
- #18 Look at this slide, how is the staff of my institution providing me with accurate and timely information about our risks and our ability to mitigate them, so I can prioritize our resource allocations and inform the board of directors? We’ve worked with credit unions for a long, long time, over 20 years. It’s not our only customer base, but it’s a good chunk. This is a challenge. This is a challenge for institutions now, but guess what, this is a CEO presentation. They need to know, ‘how do we know this information is being managed? I know I’ve bought a firewall, spent $150,000 on maintenance renewals of all my security equipment or 1.5 million, but how do I know that I’m getting what I’m getting, and then timely information about our risk?’ I encourage you to look at the whole webinar. I don’t know where they got the slides from but they’re right on the money about current threats and everything, but I thought this one is of particular interest about governance.
- #19 In terms of HIPAA, what we’re noticing is that the new HIPAA regulations for business associate agreements, that even affect people such as ourselves, are really modelling after what the banks have been doing for some of their downstream vendors; which is people who ordinarily never really had to worry about regulations such law firms, some IT companies, things like that, these regulations are now pushing them to say they have to go honor and produce the same level of auditing that their clients do. For some people, like law firms, we have another one that’s actually a construction equipment vendor, based on their contracts on some of these new rulings, they actually have to pass for example, the HIPAA regulations in terms of security even though they sell heavy equipment. Has absolutely nothing to do with HIPAA, but the regulations are trying to prevent things like the Target by saying ‘hey just because you touch our HBAC doesn’t mean you can’t get us hacked, therefore you now have to pass these audits.
- #20 We’re finding it’s hitting a lot of customers at almost every level; people who have never had to have real audits before, or maybe they just had a little bit of PCI because they took a couple of credit cards that someone was paying attention or looking. Now there’s just a direct liability concern. HIPAA is a great example of it because it’s relatively new in that regard, PCI 3 is even worse, but even without those 2 regulations we’re seeing a lot of people being hit just by their customer base as a whole. Whether it’s you having to do some collections work for SunTrust, or manage a system or application for Exxon, people who don’t expect to be hit by these requirements are getting hit. Not only is the IT not necessarily ready for it, but they don’t have that whole process of how to present all the way up to the CEO and the board that ‘hey, here’s what you really have pay attention to and why,’ and you can’t really be freewheeling anymore because, especially when it comes to things like HIPAA and PCI 3, the fines are a lot more real than they used to be in the past.
- #21 Ok the EMV standard. I don’t want to spend a lot of time on this because I’m not sure it really applies to everyone on the phone. It’s interesting listening, reading, and doing some research on this October 2015 deadline for this new technical standard for card providers. Essentially what it means is the liability for fraud will flow and shift to whichever party has the lesser technology. We were talking about the HIPAA ruling here, HIPAA Omnibus, in regards to one of the pieces here, if you look at this bullet point 2nd from the bottom, liability flows to all subcontractors. It’s interesting, it used to be for example RedZone could participate in managing firewall, or managing a domain controller, managing a security system, but we weren’t responsible, we didn’t have obligation because we weren’t covering the core systems that would be related to their member or customer information. Now that is changing. Now, if you even touch a system you are responsible and with the EMV standard the liability for fraud is going to shift to whichever party has the lesser technology. That’s why you’re all going to be asked, many of you, to provide deeper dive, technical justifications because they want to find out how close you are to the information could potentially put members’, customers’ personal identifiable information at risk.
- #22 The NCUA, I don’t want to get into this a ton, but it’s deeply disappointing to me to have specific announcements, and then to read the credit union expectations of the 10 things a credit union auditor looks for and essentially it’s all compliance based, 50% of it’s compliance based and it completely misses. It doesn’t even get to the heart of a matter that would really help a small financial institution. Just because the bigger regulatory agency has guidance doesn’t mean that it’s flowing downhill to their other institutions.
- #23 I want to spend some time really looking at what you can do about it, and what we’ve done about it for our customers and how we’re helping them deal with this and get better and better. We’ve covered so far what you all are saying to us, what we’re hearing and what the regulators are saying. What have we done about it? You’ve heard a story about what I had to do about it for this one organization. RedZone right now has about 2,000 systems under management. We are a complete managed services security provider as well as a project integrator and assessments organization for security. We had to put this in place for us, and our directly managed customers. We also do this for our customers that we don’t directly manage, but we just consult with. We just provide these services. It’s a combination of staff based applications, processes, and work flows that we’ve built. It’s supported by right now 25 different systems. It starts at the bottom here with checklists. Ok so let’s start at the bottom left. At the technical doer level, remember I had that slide which is there’s a strong push to prove what you’re doing. I can’t emphasize that enough. RedZone is faced with the same thing. We have our helpdesk folks who are providing services. We have our project engineers of varying skill levels from level 1 to 3 up through our CIO/CTO level support. We are largely structured the same way as our customers in many respects. I was getting tired of reading resumes about how smart people were. What I did was, James and I went on a sabbatical for 3 months and we literally went into every, single, system that we manage for everybody and we looked for patterns. I tasked James with saying, literally we down into the systems saying, ‘what makes this system a system that actually works, that I would absolutely guarantee that it works. Is it because it has a blinking green light? Is it because the firewall is turned on, that means the firewall is working? What if the firewall has layer 7 services? What if those layer 7 services got turned off because the CEO was trying to do something funny during the day and asked for it to be turned off so that he could get his work done, or someone else asked for it to be turned off? What happens if the firewall has SSL cracking capability and the CIO had authorized that to be purchased on the firewall, but somehow it got turned off because someone’s excel sessions were getting junked up and that service was turned off? The CIO wasn’t brought into the loop on it, he doesn’t know that it was turned off, so they think they’re on a certain security platform doing a certain amount of things, and now it’s drifted.
- #24 Starting with the checklists, one of the big questions that we get asked when we’re helping people defend audits, and I’m just going to say the vague word audits because it doesn’t really matter whether it’s NCUA or PCI or a QSA auditor or enterprise risk, it all boils down to pretty much the same standard, so in that regard one of the questions we got was how do you actually measure whether something is good? There were a lot of people looking at like the old SASS 70 audits and the SSAE 16 new version of it. One of the interesting things we found is that they don’t actually qualify whether what you have is good, just if you have it. What we’ve found lately is that the new enterprise risk auditor and the supplier audits that we’ve seen, all of them want you to validate that it’s actually good not just that you have it. The checklist came up from that point of view of validating how can we define what good is in a replicate-able manner so that not only internally ourselves, but externally customers can look at it and say, ‘Oh ok, I can define this as good because I have these 10 points, or 11 points, or 20 points’. When it comes back to the auditors they can say ‘I’m not saying it’s good because I like it, I’m saying it’s good because I did these 15 oil change check points and I did some math and my math says 13 out of 15; that’s pretty darn good.’ That’s what a lot of them are looking for. What we define for checklists is really a process more than anything else. It’s the process of how to define that a system is healthy, good; how to define that - especially when it comes to security devices, it’s not enough that they’re up they also have to be doing something useful, and how do you measure if they’re doing something useful or not? We designed these checklists to prove, either prove through downloads, prove through screenshots, prove through looking. For example applying a patch to a Microsoft system; unless you have a 3rd party patch management system that can prove that a patch has been applied, many folks don’t have that, or if they have it they don’t even know if that functionality exists for them. Some things we can prove with a process, some we can prove with a screenshot, some we can prove with a download or a file, but ultimately the checklists are meant to prove. We break the checklists into pass/fail. Not give me your opinion based on your resume, or based on your education/training background, but did it pass this checklist or did it not. That’s it. Now, if it fails, it goes into a WIP which flows into a work in process which essentially it goes into a process in which you’re managed. Managing this in month 1, no big deal; managing WIPs overtime is where the challenge comes into play. What if your team who has to manage the technical doer, now has to call AT&T, now has to call the wonderful cloud service provider, now has to call the outsourced SPAM filtering firm, so you can see all of a sudden WIPs can build pretty quickly. What we did is we built a checklist management system. Then it funnels into a reporting tool. The reporting tool is meant for the technical manager, technical security manager, to manage on a red yellow green basis. If it passed, it gets a green. If it didn’t pass and it’s in a middle state, not a dangerous state a middle state, it gets a yellow. If it’s in a red state we’ve got a problem. This is meant for the technical manager to once a month to be able to flow these system state checklists into a management consolidated report which then flows into a technical scoreboard.
- #26 Now, what are some options as we go upstream to the CEO and the board level? This is interesting. You have a couple different – I’m going to show you how to read this here. At the top right, as I mentioned there are approximately 40, for this particular client they had 38 different categories they had scored. As you can see they scored pretty well on approximately 13 at the 8 level then it starts to dip into the 1s area here. Now, it’s a balance. Now they’re having an adult conversation internally about ‘well let’s talk about these 1s and do we care,’ having a conversation about that because obviously 40% of their portfolio is doing pretty well. That’s one way; it’s an interesting way to visualize the data. The data once it’s loaded, most of the data is loaded in SQL and SharePoint so it’s very easily pulled out and manipulated. This is an interesting one here, it’s actually an idea that I received from one of the CIOs that I work with, but it’s in the bottom left, I can’t move my cursor at the moment because my system’s a bit overloaded with the webinar, but if you look at that grid you can take the investment and look at the grid in a couple different ways. You can plot where your risk points are on a grid, on a risk matrix grid and can see which items are 0 to 3, concerning areas 0-3 months, 39- 3to 12 months, and you can look at the investment and map the risk categories with investments. You can show very easily to high level decision makers your plan and again how you’re extracting the data so you can actually look at this as an investment based risk approach; very, very easy to do this. On the bottom right area this shows the 3 major categories, of course I’m only talking about security for this conversation, but we’ve actually developed this for infrastructure and disaster recovery as well. Those 3 different buckets you see there are actually looking at the risk in the 3 major areas security, infrastructure and DR; blue, orange and grey, so different ways to pull the data and manipulate it and work with it.
- #27 The next piece I’m going to get into is what’s really happening here, what is causing this to happen from my point of view. This is an interesting quote here: ‘Roughly 170 quadrillion computer chips are wired in a mega scale computing platform right now. The total number of transistors in this global network is now approximately the same number of neurons in the human brain.’ I love this author, Kevin Kelley, he wrote the book What Technology Wants.
- #28 That’s an interesting proposition; roughly the complexity of one human brain is what we’ve created so far for the world, for the internet and the computing structure that we all use every day. This complexity is obviously not static it’s growing. We don’t even have words, we call it big data, but we don’t even have words, I think we might want to out big ‘blank’ data, we don’t even have words for how much data we’re going to need over the next 5, 10 15, 20 years. They’re pondering that right now. It’s created a complexity. This is what’s forced our hand into developing the ability to get into the weeds and abstract data up. Get into the weeds with checklists. I know it doesn’t sound very elegant, but checklists is how we’ve been able to do it. By extrapolating into the specific systems, the checklists that are needed and then having a process of funneling that up partially by human beings but mostly by automated spreadsheets and using SQL.
- #29 JWT is an organization that covers a lot of different areas for looking at the word privacy. The interesting thing is this word ‘privacy’ is popping up as we go. This is top mobile trends. Obviously mobility is impacting everyone on the phone from a security point of view and how we govern data with essentially our castles crumbling and having to essentially firewall every device in the organization.
- #30 This organization, which wasn’t a security organization, just started talking about privacy number 7, privacy and security spheres are changing the game, largely pushed by mobile.
- #31 2014 trends and beyond we again see mobile, number 4.
- #32 We see the end of anonymity which is privacy
- #33 I find it funny that they have the last slide being mindfulness; I guess people are stressed and adopting mindfulness and meditation to deal with all of this explosiveness; but essentially Mobile, end of anonymity, and being mindful of the fact that this is quite a bit.
- #34 Where does RedZone fit? Essentially, I’ve made a case for complexity. We all hear about the complexity, but I don’t think we heard about it from the analogy of the human brain. Obviously the human brain does get infections, it does get compromised with different diseases and such, so the human body just takes care of that and manages that complexity. I don’t really look at the challenge we face as being any more than we have to identify a way to manage the complexity within our own systems. RedZone sits in the middle. Again, not a very pretty graph, but if you look at this from the right, we sit in the middle of this complexity with customers both from the CEO/board level, from the CIO tools level, from the IT audit checklist level, at the grassroots level, from making sure and ensuring that the data is governed from this complexity and that we’re not abdicating through complexity but actually managing it. I think that the world of big data security analytics is absolutely a must to be able to understand that right now. RedZone made some decisions about what we were going to handle ourselves versus areas that we are going to leverage partners. Big data security analytics is absolutely, because of the nature of the security world we’re in, is absolutely a must to understand and we partner with organizations to help do that, security systems integration, security system products, and managing our cloud. Sitting in the middle means we’re sitting in the middle of a hybrid cloud, sitting in the middle of a cloud, sitting in the middle of the relationship between customers have between the board all the way down into the weeds. That’s what we’re helping people with right now.
- #35 As a security leader today, as you might see I have not put up a bunch of slides of what to be afraid of.
- #36 I don’t believe in that.
- #37 I think right now we need adult conversations. This is a great article, I love this document, it’s called Trustworthy Computing, put out by Microsoft- actually not by Microsoft, Microsoft sponsors this organization, but this organization rocks. I love it. This is a passing the hash document that was just released, new and updated 2014, it’s about 70 pages. There were well over 50 authors, 50 people created this document. Someone had to put a lot of time and thought into it. It is a narrative of where to be with security today. An adult conversation for us is some of you want to come up with new and different ways of communicating with the board, people around you. It’s interesting. What about assuming the breach? This document talks about ‘assume the breach, assume you have been breached,’ I mean, if Jamie Diamond is having problems, I mean I go to the conferences where these big organizations, we all read about it, they completely don’t know what they’re doing; completely. Nobody on the phone is of that size, so we have to assume there has been a breach. This requires a shift of mindset from prevention alone to containment. With that assumption in mind, it means we look at those details, we look at those check sheets, we look at the domain controller, because we’re looking for patterns. If we assume we’ve been breached now we’re just in pattern recognition. We can move from ‘if something happens’, to ‘when.’ I know some of you are like, ‘You’ve got to be kidding me, I would never assume’, but again it’s a mentality shift and how you communicate to your board and to your CEO is for you to decide, but it is a mental shift internally.
- #38 What does this mean? How do we change the story: relentless proactivity versus playing back on our heels. I’ve coached a lot of soccer teams, but my current U-10 girls’ soccer team, there’s a very big difference between them with a proactive attitude going on the field playing against high level teams versus playing against a high level team on their heels. They come off frustrated, and one the attendants on the phone sent me a link: ‘IT pros lack confidence in protecting themselves’, from computer weekly this week. I would say we need to change that. We need to have confidence, but have it be based on reality. The checklists and our methods of scoring put the adults in control of their security and scoring.
- #39 We have a reality based approach. Then we can be confident because if we’re weak we can sit there and just go ‘you know what, we’re just weak and we’re not going to move the dial, we don’t have the money,’ or ‘we are going to the board for this and get the funding’
- #40 If I had a little more time to put this together I was going to – one of the big themes is showing the CEO and the board at a grassroots level all the way up, showing them the proof chain from bottom to top, is a critical part of this. I haven’t gone into how you prove loss, and show loss, and some of the dollars and cents around that. Again, I didn’t base this presentation on that, but there is some great material that if you google ‘Ponemon’, that you can build your case for what it costs the organization if it does have a breach.