Building an effective Information Security Roadmap

Creating an Effective
Security Roadmap
Elliott Franklin, CISSP, CISM

Who Am I?
•  15 Yrs in IT
•  9 Yrs in Info Sec
•  7 Yrs in Mgmt
•  Alamo ISSA
•  San Antonio Security Leaders Forum
•  Texas CISO Council
•  @elliottfranklin

Standard Disclaimer
These are my own thoughts

Mission Impossible
•  Info Sec roles continue to expand
•  The CISO faces a new test of leadership
–  Planning and Communication are essential
•  Manage the crucial links between
–  information security
–  operational performance
–  brand protection
–  shareholder value

What is Changing?
•  53% of CISOs now report to C-level execs
•  74% of CISOs struggled to balance strategy and
operations in 2012
–  “If I need to do strategic planning, I need to come in
during the weekends because ops takes 100% of my
time”

To
be
an
informa,on
security
leader,

companies
need:
1.  An
informa,on
security
strategy

2.  A
chief
security
oﬃcer
who
reports
directly
to

organiza,onal
leadership

3.  An
annual
measurement
and
review
process

4.  An
understanding
of
past
security
events

Types of Security Organizations
•  Operations-focused
•  Governance, Risk and Strategy-focused

Ops Focused
•  Limited business interaction
•  Deploying, managing and monitoring security
tools
•  Vulnerability and Threat Management
•  Anti-malware
•  Encryption
•  Firewalls
•  Blocking and tackling

Risk, Governance and Strategy
•  Supports business objectives
•  Relationship management
•  Manages security priorities
•  Forward looking
•  Anticipates threats and business needs

What Works?
•  A Flexible Organization with a Centralized Core
–  Security Oversight
–  Information Risk
–  Security Architecture and Engineering
–  Security Operations

Corporate Culture
•  What do your executives expect from security?
•  If not strategy, then focus on operations
•  Build trust and demonstrate value
•  Reporting Inside or Outside IT?
•  Centralized or Decentralized?

Start with the ABC’s
•  Assess your assets, risks, resources
•  Build your policy
•  Choose your controls
•  Deploy the controls
•  Educate employees, execs, vendors
•  Further assess, audit, test
*From welivesecurity.com

Assess, Risks and Resources
•  What are you protecting?
–  What is important to the business?
•  What are the main threats to these
systems/data?
•  Who can help you?
–  Never enough resources
–  Leverage Others

Assess, Risks and Resources
•  Fraud
–  How could business processes, manual or automated
be exploited?
•  Physical Security
–  32% of CISOs cover both
•  Now is the time to pick a framework
–  One that covers all regulations

Build your Policy
•  Policies
–  AUP
–  BYOD
–  Passwords
–  Vendors/Cloud Providers
•  Procedures
–  Patching
–  Anti-Virus
–  Group Policies
•  Screensaver Timeout

Controls to enforce policies
•  “Log all access to data by unique identifier”
–  Requires log management or SIEM
•  “Limit access to specific data to specific
individuals”
–  Require unique system username and password
•  “Sensitive data shall not be emailed outside the
organization”
–  DLP or email encryption system

Deploy and test controls
•  A phased approach
–  DLP
–  Email Encryption
•  Test not only if the solution works technically but
also that it does not impose too great a burden
on employees or processes

Educate employees, vendors, etc
•  What are our policies?
•  How to comply?
•  Consequences of failure to comply

Further assess, audit, test…
•  Once policies, controls and education are under
way, it’s time to re-assess
•  Audit
•  Monitor change control
•  New vendor relationships
•  Marketing initiatives
•  Employee terminations

Common Approach
•  A top 10 list based on Gartner and
Trustwave
•  Death by PowerPoint, Of course
•  One per slide
•  No business input
•  Present to executive leadership multiple
times
–  Review and revise quarterly

Strategic Planning
•  Determine the direction of the business
•  Understand security's current position
–  What do we do?
–  For whom do we do it?
–  How do we excel?

Definitions
•  Vision
–  A descriptive picture of a desired future state
–  “Where do we want to be?”
•  Objectives
–  High-level achievement
•  “Improve customer loyalty”
•  “Grow market share”
•  Goals
–  Anything that is measured to help fulfill an
objective

Definitions
•  Strategies
–  Those actions we implement on a day-to-day
basis to achieve our objectives
•  Projects
–  The concrete actions a business takes to
execute its strategic plan
•  Capabilities
–  An organization’s ability, by virtue of its IT
assets, to create business value

Start with Vision
To provide advanced information security
services and expert security guidance to all
members of the Harvard community and to
ensure confidentiality, integrity, and
availability of the information assets and
resources according to University
Enterprise Security Policy, State and
Federal laws.

Objectives
•  Maintain Information Security Policy
•  Build and Maintain a Secure Network
•  Protect Customer and Corporate Data
•  Implement Strong Access Control
Measures

Goals
•  Reduced time to investigate security incidents
•  Maintain 90% compliance for all systems
•  Audit 25% of information security policies
•  Reduce number of security incidents caused
by employees
•  Reduce time required to create new user
accounts
•  Maintain 80% coverage of critical security
patch installation within 30 days of release

Strategy
•  Multiple projects can point to a single
strategy
–  Actively monitor and audit logs, threats and
incidents
–  Make security easy to use and understand
–  Implement strong identity and access
management
–  Create a layered security architecture

Projects
•  SIEM
•  Vulnerability & Threat Mgmt
•  Policy & Procedures Review
•  Security Awareness
•  Identity & Access Mgmt
•  Incident Management

Capabilities
•  Log Monitoring
•  Intrusion Detection
•  Access Management
•  Identity Management
•  Remote Access
•  Architecture Review
•  Data Loss Prevention

Meaningful Metrics
•  Security metrics need to demonstrate business
alignment
•  Are we more secure today than yesterday?
–  Number of machines reimaged
–  Number of phishing attempts blocked
•  How do we compare to our peers?
•  Not limited to what your tools provide
•  Ask the business

Effective Metrics
•  Consistently measured
–  Benchmarks and opportunities for continuous
improvement
•  Cheap to gather
–  If metrics are expensive to gather, they will not be
gathered
•  Use numbers that show relationships
–  Are these numbers relevant to decision makers?
•  Show trends
•  Pretty graphs!

Any Good News?
•  80% of attacks rely on exploits that we can
readily defend against
–  Focus on security awareness
–  Properly maintained IT Infrastructure
–  Effective monitoring
•  15% of the attacks can be mitigated with a solid
security strategy
•  5% are Sophisticated/Nation State
* Key Findings from the 2013 US State of Cybercrime Survey - PWC

Critical for a Competitive Posture
•  Information security now plays a critical role in
enabling the exchange of sensitive information
•  What are your competitors doing in this space?
•  “If you can’t talk ROI, the boardroom isn’t
listening”
•  Transforming from asset guardian to strategic
business enabler

Call to Action
Stay Flexible
Assess Risk
Begin with the business’s plan

Resources
•  Forrester
–  Building A Strategic Security Program And Organization – April
2013
–  Information Security Metrics – Present Information that Matters
to the Business – July 2011
•  PWC
–  Key findings from the 2013 US State of Cybercrime Survey –
June 2013
–  How to align security with your strategic business objectives
•  ESET
–  Cyber security road map for businesses – May 2013

Elliott Franklin, CISSP,CISM
elliott@elliottfranklin.com
@elliottfranklin
http://www.linkedin.com/in/elliottfranklin/

Building an effective Information Security Roadmap

More Related Content

What's hot (20)

Similar to Building an effective Information Security Roadmap (20)

Recently uploaded (20)

Building an effective Information Security Roadmap