SlideShare a Scribd company logo

Convergence innovative integration of security

Download as PPT, PDF
C
ciso_insights

The document discusses the trends of technology, security risks, and the importance of having a clear security strategy and framework. It recommends converging security resources across an organization in a collaborative way to improve risk mitigation, operational effectiveness, and reduce costs. Key aspects include having a preventative security approach, leveraging security technologies, and ensuring security spending aligns with the most important business risks.

TechnologyBusiness
1 of 16
Downloaded 16 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Convergence – Innovative Integration of Security Dave Tyson CISO Pacific Gas & Electric
Imagine!
Technology Trends Cloud Computing Virtualization Social media IT Transformation Device Ubiquity Industry specific Medical devices on the network Smart Grid Nanotechnology
Security Trends Organized Crime Advanced Persistent Threats Zero day attacks Cyber extortion Internal threats are back on the rise Security staff scarcity and competition
Why are Security trends important Because one person’s reactive event is another person pro-active indicator
Enterprise Security Risk Management Options Security Investment Analysis Utilize a security Mgt. framework Have a clear security strategy Level your risk structure Evaluate all security resources at your disposal for the best mitigation path
Understand your security Investment Are we spending our resources against the most important business challenges? Do we map investment to General, Sector, and Targeted threats appropriately? Do we understand the best strategy to resource against a threat portfolio in a manner that generates the highest ROI? Do we manage risks by relevant BU?
Linkages to other enterprise risk framework and processes 3 Vision and principles Security operations Organization & governance Change management and BU integration Business case (i.e., investments and ROI) Linkages to partners & suppliers Business environment (i.e., commercial and regulatory) Corporate and BU strategies Geopolitical trends and forces Input to framework Counter measure portfolio Design Evaluate risk – investment trade off Implement Compliance, metrics and reporting Risk exposure and prioritization Standards legislation and regulation Security practices and technologies 1 Utilize a Strategic Management Framework
Have a clear security strategy… Security Foundation Preventive Security Three Security Layers Secure Innovation Policies & Standards, Awareness & Training, Laptop Encryption; Secure Desktops; Compliance, Investigations, Incident Response, Security Monitoring, Vendor Security, Mobile Device Security, Security Tools Management, Security Testing & Monitoring Program, Security Architecture, Security Metrics, Security Risk Management, Business Continuity Planning, Crisis Management, Disaster Recovery Planning, Establish Security Technology Layer, Custom Security Solutions, Security Seeds (Partnerships) Cloud Computing, SOA Security Architecture, Fraud algorithms, secure coding 65% 10% 25%
Risk leveling Matrix May result in the costly loss of tangible assets or resources. May violate, harm, or impede an organization’s mission, reputation, or interest. Resulting or may result in human injury. May result in the highly costly loss of major tangible assets or resources. May significantly violate, harm, or impede an organization’s mission, reputation, or interest. Resulting or may result in human injury or death. Resulting or may result in major legal actions. Almost certain to result in the highly costly loss of major tangible assets or resources. Almost certain to significantly violate, harm, or impede an organization’s mission, reputation, or interest. Immediate Qualifying Factors (occurrences that would immediately qualify for this level) Information Resources may only be mildly affected. Non-critical information is vulnerable to exploit that is relatively easy to execute and there are no controls or weak controls currently to prevent or detect such an attack.. Important system has no disaster recovery environment or capacity does not meet operation requirement. Information Resources are vulnerable to exploit that is relatively easy to execute and there are no controls currently to prevent or detect such an attack. Systemic weakness that applies to the enterprise that may put a majority of Information Resources at risk. Some PII information is exposed. Critical system disaster recovery plan is not documented and or exercised. Active network attack Compromised system Breach of Personally Identifiable Information (PII) such as sensitive customer data or employee data. Other Regulatory violations (e.g., Environmental, FCC, etc.) as determined by an authoritative group. Qualifiers / Examples (events that would equate to this risk rating) May be or is happening now. Medium that a particular event will happen. May be or is happening now. High that a particular event will happen. Is happening now or incident has occurred. Very high that a particular event will happen soon. Likelihood (probability that a given event will occur) Information Resource has vulnerability, however, no publically known exploit exists, and our environment may be mildly affected Information Resource has vulnerability and a publicly known exploit exists. Company is non-compliant with regulatory or policy requirements and subject to fines or penalties. Exploitable attack in the wild Evidence that a breach has occurred Company is non-compliant with Regulation Impact Level Description (the level of affect on the organization) Severity Level 3 Severity Level 4 Severity Level 5
Drivers for change in security convergence Rapid expansion of enterprise ecosystem Value Migration from Physical to information based & intangible assets New protective technologies blurring functional boundaries New compliance and regulatory regimes Continuing pressure to reduce cost
Convergence Defined the integration, in a formal, collaborative and strategic manner, of the cumulative security resources of an organization in order to deliver enterprise wide benefits through enhanced risk mitigation, increased operational effectiveness and efficiency, and cost savings.
Security Intelligence Enterprise security intelligence is emerging as a comprehensive, holistic alternative to traditional disjointed security approaches –Gartner 2010
Thoughts If your going into the cloud be sure you have a clear security plan to manage the security issues Ensure your security spend is mitigating your most important risks Retain your best security talent
Associations ASIS International www.asisonline.org Information Systems Audit & Control Association http://www.isaca.org/ Alliance for Enterprise Security Risk Management www.aesrm.org Cloud Security Alliance www.cloudsecurityalliance.org
Dave Tyson CISO PG&E 415 973-5455 [email_address]

More Related Content

PPTX
Security Policies and Standards
primeteacher32
 
PDF
Business case for enterprise continuity planning
William Godwin
 
PDF
How to write an IT security policy guide - Tareq Hanaysha
Hanaysha
 
PPT
Implementing Business Aligned Security Strategy Dane Warren Li
DaneWarren
 
PDF
Business case for information security program
William Godwin
 
PPTX
Business information security requirements
gurneyhal
 
DOCX
Information Systems Security & Strategy
Tony Hauxwell
 
PDF
Building an effective Information Security Roadmap
Elliott Franklin
 
Security Policies and Standards
primeteacher32
 
Business case for enterprise continuity planning
William Godwin
 
How to write an IT security policy guide - Tareq Hanaysha
Hanaysha
 
Implementing Business Aligned Security Strategy Dane Warren Li
DaneWarren
 
Business case for information security program
William Godwin
 
Business information security requirements
gurneyhal
 
Information Systems Security & Strategy
Tony Hauxwell
 
Building an effective Information Security Roadmap
Elliott Franklin
 

What's hot (20)

PPTX
Risk Management Approach to Cyber Security
Ernest Staats
 
PPTX
Its time to rethink everything a governance risk compliance primer
EnclaveSecurity
 
PPTX
CISSPills #3.02
Pierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
PPT
Security Policies
phanleson
 
PDF
Security-Brochure
Tyler Carlson
 
PDF
Security-Brochure
Prahlad Reddy
 
PPT
Risk Assessment And Management
vikasraina
 
PDF
Connection can help keep your business secure!
Heather Salmons Newswanger
 
PPT
2. Improving an Existing Sec Sys
Micheal Isreal
 
PPT
Chapter003
Jeanie Delos Arcos
 
PDF
Safety & Asset Integrity Excellence - A Study of Three Mile Island
Kienbaum Consultants
 
DOCX
The Significance of IT Security Management & Risk Assessment
Bradley Susser
 
PDF
Information Security Risk Management Overview
Wesley Moore
 
PDF
Cybersecurity Preparedness Trends and Best Practices
Tony Moroney
 
PPT
Network security and policies
wardjo
 
PPTX
Understanding the security_organization
Dan Morrill
 
PPT
Information security policy_2011
codka
 
PDF
Strategy Insights - How to Quantify IT Risks
Hernan Huwyler, MBA CPA
 
PPT
Supplement To Student Guide Seminar 03 A 3 Nov09
Tammy Clark
 
PPTX
Information Security Risk Management
Nikhil Soni
 
Risk Management Approach to Cyber Security
Ernest Staats
 
Its time to rethink everything a governance risk compliance primer
EnclaveSecurity
 
CISSPills #3.02
Pierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
Security Policies
phanleson
 
Security-Brochure
Tyler Carlson
 
Security-Brochure
Prahlad Reddy
 
Risk Assessment And Management
vikasraina
 
Connection can help keep your business secure!
Heather Salmons Newswanger
 
2. Improving an Existing Sec Sys
Micheal Isreal
 
Chapter003
Jeanie Delos Arcos
 
Safety & Asset Integrity Excellence - A Study of Three Mile Island
Kienbaum Consultants
 
The Significance of IT Security Management & Risk Assessment
Bradley Susser
 
Information Security Risk Management Overview
Wesley Moore
 
Cybersecurity Preparedness Trends and Best Practices
Tony Moroney
 
Network security and policies
wardjo
 
Understanding the security_organization
Dan Morrill
 
Information security policy_2011
codka
 
Strategy Insights - How to Quantify IT Risks
Hernan Huwyler, MBA CPA
 
Supplement To Student Guide Seminar 03 A 3 Nov09
Tammy Clark
 
Information Security Risk Management
Nikhil Soni
 
Ad

Similar to Convergence innovative integration of security (20)

PDF
Protecting the Portals - Strengthening Data Security.pdf
kelyn Technology
 
PPTX
defensible_security-executive_support-sample.pptx
margueritemcleod1
 
PDF
Cybersecurity risk assessments help organizations identify.pdf
TheWalkerGroup1
 
PPSX
Meraj Ahmad - Information security in a borderless world
nooralmousa
 
PDF
Vskills Certified Network Security Professional Sample Material
Vskills
 
PDF
What is the role of risk management in cybersecurity
APAC Entrepreneur
 
PPTX
Selling security to the C-level
Donald Tabone
 
PPT
Testing
lorenceman
 
PDF
Cyber-Security-Whitepaper.pdf
Anil
 
PDF
Cyber-Security-Whitepaper.pdf
Anil
 
PPTX
Security architecture frameworks
John Arnold
 
PPTX
Best Open Threat Management Platform in USA
CompanySeceon
 
PPT
Risk Management: A Holistic Organizational Approach
Graydon McKee
 
PPT
Information security background
Nicholas Davis
 
PPT
Information Security Background
Nicholas Davis
 
PPT
Prevention Is Better Than Prosecution: Deepening the defence against cyber c...
Jacqueline Fick
 
PDF
Cyber Security Risk Mitigation Checklist
timsnp
 
PPTX
Draft_ppt_dmss[1][2] (1) FINAL123455667.pptx
mazumderdevangshu
 
PPTX
Enterprise incident response 2017
zapp0
 
PDF
2010 Sc World Congress Nyc
Bob Maley
 
Protecting the Portals - Strengthening Data Security.pdf
kelyn Technology
 
defensible_security-executive_support-sample.pptx
margueritemcleod1
 
Cybersecurity risk assessments help organizations identify.pdf
TheWalkerGroup1
 
Meraj Ahmad - Information security in a borderless world
nooralmousa
 
Vskills Certified Network Security Professional Sample Material
Vskills
 
What is the role of risk management in cybersecurity
APAC Entrepreneur
 
Selling security to the C-level
Donald Tabone
 
Testing
lorenceman
 
Cyber-Security-Whitepaper.pdf
Anil
 
Cyber-Security-Whitepaper.pdf
Anil
 
Security architecture frameworks
John Arnold
 
Best Open Threat Management Platform in USA
CompanySeceon
 
Risk Management: A Holistic Organizational Approach
Graydon McKee
 
Information security background
Nicholas Davis
 
Information Security Background
Nicholas Davis
 
Prevention Is Better Than Prosecution: Deepening the defence against cyber c...
Jacqueline Fick
 
Cyber Security Risk Mitigation Checklist
timsnp
 
Draft_ppt_dmss[1][2] (1) FINAL123455667.pptx
mazumderdevangshu
 
Enterprise incident response 2017
zapp0
 
2010 Sc World Congress Nyc
Bob Maley
 
Ad

Recently uploaded (20)

PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Cloud computing and distributed systems.
kkkkkhan
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 

Convergence innovative integration of security

  • 1. Convergence – Innovative Integration of Security Dave Tyson CISO Pacific Gas & Electric
  • 3. Technology Trends Cloud Computing Virtualization Social media IT Transformation Device Ubiquity Industry specific Medical devices on the network Smart Grid Nanotechnology
  • 4. Security Trends Organized Crime Advanced Persistent Threats Zero day attacks Cyber extortion Internal threats are back on the rise Security staff scarcity and competition
  • 5. Why are Security trends important Because one person’s reactive event is another person pro-active indicator
  • 6. Enterprise Security Risk Management Options Security Investment Analysis Utilize a security Mgt. framework Have a clear security strategy Level your risk structure Evaluate all security resources at your disposal for the best mitigation path
  • 7. Understand your security Investment Are we spending our resources against the most important business challenges? Do we map investment to General, Sector, and Targeted threats appropriately? Do we understand the best strategy to resource against a threat portfolio in a manner that generates the highest ROI? Do we manage risks by relevant BU?
  • 8. Linkages to other enterprise risk framework and processes 3 Vision and principles Security operations Organization & governance Change management and BU integration Business case (i.e., investments and ROI) Linkages to partners & suppliers Business environment (i.e., commercial and regulatory) Corporate and BU strategies Geopolitical trends and forces Input to framework Counter measure portfolio Design Evaluate risk – investment trade off Implement Compliance, metrics and reporting Risk exposure and prioritization Standards legislation and regulation Security practices and technologies 1 Utilize a Strategic Management Framework
  • 9. Have a clear security strategy… Security Foundation Preventive Security Three Security Layers Secure Innovation Policies & Standards, Awareness & Training, Laptop Encryption; Secure Desktops; Compliance, Investigations, Incident Response, Security Monitoring, Vendor Security, Mobile Device Security, Security Tools Management, Security Testing & Monitoring Program, Security Architecture, Security Metrics, Security Risk Management, Business Continuity Planning, Crisis Management, Disaster Recovery Planning, Establish Security Technology Layer, Custom Security Solutions, Security Seeds (Partnerships) Cloud Computing, SOA Security Architecture, Fraud algorithms, secure coding 65% 10% 25%
  • 10. Risk leveling Matrix May result in the costly loss of tangible assets or resources. May violate, harm, or impede an organization’s mission, reputation, or interest. Resulting or may result in human injury. May result in the highly costly loss of major tangible assets or resources. May significantly violate, harm, or impede an organization’s mission, reputation, or interest. Resulting or may result in human injury or death. Resulting or may result in major legal actions. Almost certain to result in the highly costly loss of major tangible assets or resources. Almost certain to significantly violate, harm, or impede an organization’s mission, reputation, or interest. Immediate Qualifying Factors (occurrences that would immediately qualify for this level) Information Resources may only be mildly affected. Non-critical information is vulnerable to exploit that is relatively easy to execute and there are no controls or weak controls currently to prevent or detect such an attack.. Important system has no disaster recovery environment or capacity does not meet operation requirement. Information Resources are vulnerable to exploit that is relatively easy to execute and there are no controls currently to prevent or detect such an attack. Systemic weakness that applies to the enterprise that may put a majority of Information Resources at risk. Some PII information is exposed. Critical system disaster recovery plan is not documented and or exercised. Active network attack Compromised system Breach of Personally Identifiable Information (PII) such as sensitive customer data or employee data. Other Regulatory violations (e.g., Environmental, FCC, etc.) as determined by an authoritative group. Qualifiers / Examples (events that would equate to this risk rating) May be or is happening now. Medium that a particular event will happen. May be or is happening now. High that a particular event will happen. Is happening now or incident has occurred. Very high that a particular event will happen soon. Likelihood (probability that a given event will occur) Information Resource has vulnerability, however, no publically known exploit exists, and our environment may be mildly affected Information Resource has vulnerability and a publicly known exploit exists. Company is non-compliant with regulatory or policy requirements and subject to fines or penalties. Exploitable attack in the wild Evidence that a breach has occurred Company is non-compliant with Regulation Impact Level Description (the level of affect on the organization) Severity Level 3 Severity Level 4 Severity Level 5
  • 11. Drivers for change in security convergence Rapid expansion of enterprise ecosystem Value Migration from Physical to information based & intangible assets New protective technologies blurring functional boundaries New compliance and regulatory regimes Continuing pressure to reduce cost
  • 12. Convergence Defined the integration, in a formal, collaborative and strategic manner, of the cumulative security resources of an organization in order to deliver enterprise wide benefits through enhanced risk mitigation, increased operational effectiveness and efficiency, and cost savings.
  • 13. Security Intelligence Enterprise security intelligence is emerging as a comprehensive, holistic alternative to traditional disjointed security approaches –Gartner 2010
  • 14. Thoughts If your going into the cloud be sure you have a clear security plan to manage the security issues Ensure your security spend is mitigating your most important risks Retain your best security talent
  • 15. Associations ASIS International www.asisonline.org Information Systems Audit & Control Association http://www.isaca.org/ Alliance for Enterprise Security Risk Management www.aesrm.org Cloud Security Alliance www.cloudsecurityalliance.org
  • 16. Dave Tyson CISO PG&E 415 973-5455 [email_address]

Editor's Notes

  • #3: Eastern Europe Discussion on OC Business