Driving Change and Resilience: Aligning Cybersecurity with Organizational Strategy
- 1. Driving Change and Resilience: Aligning Cybersecurity with Organizational Strategy CDIC BANGKOK 2024 DAN HOUSER 27-NOV-2024 PRESENTATION LINK: TINY.CC/CDIC2024 Copyright © 2024 Trogdor Heavy Industries, LLC, all rights reserved
- 2. Security Strategy 2002 to present Some things I’ve learned: It’s not about architecture diagrams and infrastructure Product roadmaps define budget expectations Capability roadmaps define strategic direction Business units want to know what problems you can solve Bad actors don’t care about your budgets or timelines
- 3. Alignment of 3 things Organizational Strategic Direction IT Strategy Information Security Strategy
- 4. Strategy as Celestial Navigation Determine your destination Determine where you are now Decide the steps you are going to take to get there
- 5. Where do we want to go? Where are we? How will we get there?
- 6. Alignment with Organizational Strategy Is there a clear strategy? How do you align security strategy with an unknown? Time to play detective…
- 7. Understanding of Mission Purpose Values Corporate Culture
- 8. Purpose What is the purpose of the organization? What problem of humanity do we seek to solve? What is it that drives the company?
- 9. Great Mission Statements Drive Direction Starbucks: Inspire and nurture the human spirit – one person, one cup and one neighborhood at a time. Honest Company: Meaningful transparency and thoughtful design. Patagonia: We’re in business to save our home planet. Microsoft: To empower every person and every organization on the planet to achieve more. Adobe: To change the world through digital experiences.
- 10. A successful strategy must be aligned with organizational values
- 11. How does the Organization Approach Value Creation? Customer Delight Satisfaction Peace of mind Psychological Safety Fulfilling a human need Solving an annoyance
- 12. What values are important in the organization? Work hard, play hard Succeeding as a Team Competitive - Top Dog Wins Serving community PRESENTATION LINK: TINY.CC/CDIC2024
- 13. Market Opportunity Competition Unmet needs in the marketplace New products & services Opening of new markets Restructuring Merger, Acquisition, Divestiture New ways to engage the market
- 14. Determine Corporate Strategic Needs Capabilities required in 3- 5 years? Dream big, what will that future look like? Key: get business partners engaged in that envisioning
- 15. Internal and External Changes SWOT Analysis: Strengths, Weaknesses, Opportunities, Threats Examples of External Changes to account for in the strategy: Upcoming regulation Geopolitical upheaval Supply Chain disruption Adversary AI capabilities Phishing & BEC vectors New markets opening Changes in tax code Case law Competitive Disruptors Changes in labor environment Pandemic Work from home vs. Return to Office War Privacy law Consumer changes Etc.
- 16. Map the To-Be needs of the Organization Strategic direction of the organization creates needs that must be met by the security program. Most critical new security capabilities? Existing capabilities needing improved? What practices will no longer be required? What are the changes outside security? Key time to identify partnerships! Marketing, Legal/Privacy, Innovation/R&D, Business units, Finance, etc.
- 17. Some of the To-Be Needs I’ve Identified MFA to achieve Compliance Cloud Recovery Capabilities Multi-region Cloud Resiliency Rapid and assured Joiner-Leaver Frictionless Authentication Secure Procurement Secure Supply Chain Supply Chain Resiliency Federated Identity Secure BYOD / VDI models In-country datacenter, $country Mobile Device Management Identity Verification / Proofing Directory Optimization Privileged Access Management (PAM) Acquisition DMZ Supply Chain Resiliency Machine Identity Management Acquisition DMZ Cloud Access Governance API Gateway
- 18. Case Study: $100 Billion Healthcare Adding B2C From Private VPN to Public Internet From Bank Transfers to Payment Cards From EDI to eCommerce
- 19. Case Study: $100 Billion Healthcare Situation: Moving from B2B to B2C eCommerce model Challenge: New customer connection model, legacy Customer IAM, DMZ services model not built for untrusted connections Opportunity: Shift towards ambulatory & in-home recovery Capabilities most needed: Greenfield DMZ Zero-Trust Services model Standards & policies Testing capabilities Incident detection & response Governance Customer IAM GDPR & US privacy law Anti-fraud Orchestration & Automation
- 20. Case Study: Breach Recovery, International Hospital Network Major incursion of nation- supported hackers Reducing, not eliminating compromised access, C2 Shutting down life systems not an option
- 21. Case Study: Major Hospital Network Situation: Continued penetration by nation-state Challenge: Legacy flat network, ungoverned servers & services, lack of visibility, low staffing, broken recruiting & HR, 5x12 NOC, SOC Opportunity: Regaining resiliency and keeping control Capabilities most needed: Network Visibility Staffing & Training Hardware & Software Inventory Change Control Governance Automated SEIM response (SOAR) Active Threat Monitoring Organizational HR change Remote Site Security Crown Jewels Enclave Privileged Access Mgmt (PAM) Cloud Access Governance Third-Party Connection Model Isolation of life systems 7x24 SecOps Secure Procurement
- 22. Where do we want to go? Where are we? How will we get there?
- 23. Knowledge of Self “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” ― Sun Tzu, The Art of War
- 24. Archaeology required Metrics Key Performance Indicators (KPI) Key Risk Inidicators (KRI) Audit Findings Portfolio of Security Capabilities Note: this is not a portfolio of security PRODUCTS Prior Security Strategy Where is it in the journey Frank analysis of challenges & successes
- 25. Assessment of Current State Capabilities: NIST CSF 1.1 /2.0, ISO-27001/27002 Controls: NIST SP 800-53, COBIT, SOC-2, CIS Critical Security Controls (Top-20), Strategy should be about creating business capabilities Great resource: https://www.nist.gov/cyberframework/profiles or: https://tinyurl.com/CSF2compare Also this by Brian Ventura, fantastic for strategic planning; GitHub - brianwifaneye
- 26. Outcome & Evidence Based Assessment Look for evidence of outcomes KPIs are your friends Examples: Completeness of software and hardware inventory All systems are accessed via MFA Stale accounts are audited and purged on a weekly basis Data at rest is known to be encrypted based on information classification
- 28. Where do we need the most work? Most Critical Future Capabilites Current State (0-5) Desired State (0-5) Priority (1-5) Cost Time Customer IAM 2 4 5 ₿ ₿ 2025 PCI-DSS Achieved 0 4 4 ₿ ₿ ₿ ₿ 2025 GDPR Compliance 2 4 5 ₿ ₿ 2025 Cloud Recovery 2 3 2 ₿ ₿ 2025 Cloud Multi-region Resiliency 0 3 3 ₿ ₿ ₿ ₿ 2026 Machine Identity PKI 3 3 1 - - Brand & Social Media Monitoring 0 2 2 ₿ 2025 Secure Procurement Governance 1 3 3 ₿ 2026 Normative Compensation Plan 2 3 2 ₿ ₿ 2026 Contract Management 3 4 3 ₿ 2026 Data Privacy Officer 0 3 5 ₿ 2025
- 29. Power BI Visualization Creative Commons: https://tinyurl.com/CDIC2024a
- 31. Where do we want to go? Where are we? How will we get there?
- 32. Sequence the plan Project Management basics to map dependencies Consider Culture Policy, Process, and Ability to Absorb Change Stepping stones towards future state via transition states
- 33. Roadmaps help sell and tell 4Q24 2Q25 4Q25 2Q26 4Q26 Open LDAP Enterprise Directory Meta-Directory Virtual Directory ForgeRock DS Product DIRECTORY SERVICES Technology Entra ID Active Directory Oracle OID
- 34. Example: Strategic IAM Program Roadmap 34 Infrastructure Application Integration Provisioning Automation Access Reporting Paperless Provisioning Provisioning Planning • Current/Future • Role Analysis • Provisioning Roadmap • Audit Trail • Audit Review • Access Review Process • Process Automation • IAM Orchestration Provisioning Upgrade Performance Tuning Core Infrastructure • Hardware Build • Prototype • Base Product Installation/ Configuration • Performance Updates Base Provisioning • Employee Joiners/Leavers • Temp Workers • PW Synch Infrastructure Implementation Project • Self Service Request Process • HR Integration B2B B2B Pilot Extend B2E B2E Pilot • HR System • Employee File • AD Passwords • LDAPs • Mail system • Asset management • Financial/accounting • Pilot App • SSO Audit Integrations Provisioning Process Pilot • B2E Apps • Associate Onboarding • Majority of Apps • Pilot App • SSO Federate Federated Identity API Support PKI • API Gateway B2C B2B Pilot • SAML 2 • ADFS
- 35. Maslow’s Hierarchy: How to Sell Strategy We act as incentivized Do you know how execs are compensated? We all seek belonging Team & Roles We desire recognition Paint the future picture
- 36. To Sell Outside IT: Describe the business experience Avoid security jargon and describe outcomes New customers serviced with expanded capabilities Provisioning new employees within 10 minutes Reducing login intrusion from an hour a week to 10 seconds a day Enabling touchless surgical technology use Supply chain loss reductions Interdiction of organized crime & reduction in shrinkage Protection of investments 10x reduction in customer fraud
- 37. To Sell Inside IT: Describe the achievement of KPIs Avoid security jargon and describe outcomes Moving uptime from 99.7% to 99.9% Trimming dead ¥ $ from the portfolio – Reducing IT spend ₿ Better management of licensing Increased employee satisfaction with login experience Reducing impact of patching by 40%
- 38. Source: HP Identity Mgmt Architectures, http://devresource.hp.com/drc/resources/idmgt_arch /index.jsp To Sell Inside IT: Create Architectural Future State
- 39. Next Steps Remember the navigation: Where must we go? Where are we? How will we get there? Dig into the business Focus on organizational execution and business benefits Key partnerships with organizational leaders Include challengers on your team Strategy is a living thing, ensure it is fed and nurtured
- 40. Q&A Contact Information: Dan Houser Dan.houser@gmail.com @SecWonk Linkedin.com/in/dan-houser PRESENTATION LINK: https://TINY.cc/CDIC2024
Editor's Notes
- #3: I think of stepping stones across a stream. The organization wants to get across the stream, and the job of Information Security is to keep from getting wet… as each foot comes down, IT will have a rock ready to step on, and security strategy will ensure stability & resiliency in that stepping stone.
- #6: In my experience, most organizations do not have a clear strategy that is documented and shared. In many organizations, it is a dark secret, while in others it is “more of same” aligned with values and purpose of the organization.
- #7: Hopefully, there is a corporate mission, as a well-crafted mission statement provides that rudder to the organization to steer it well in a coordinated fashion. I remember at BMW Financial the corporate mission defined the priorities so well we could point to it for the prioritization of IT projects and service management, and it was immediately understood. You may even find that there is no solid corporate mission. If there is not, then you have to derive a level deeper to get to success.
- #8: The mission of the organization should describe the purpose of the organization, Why are we here? The existential question.
- #10: Values and Corporate Culture are paramount. As Demming said, “Culture eats strategy for breakfast”. Since we are talking strategy, it is essential that we discuss culture. What will work in this environment? How are people rewarded? How is bad behavior identified, and stopped? I had a recent engagement with a very large technology manufacturer, and they were having troubles with their User Experience. Users were complaining about slow workstations, substantive problems in productivity. This was a difficult situation to handle since it reflected on their core values as how they saw themselves and the value they bring to the world. You have to recognize culture impacts in your plans if you want to be successful with them.
- #17: In my journeys I’ve encountered a number of needs based on the directions that the organization is headed.
- #26: Seek to determine capabilities based on behaviors and outcomes/ This is where we are particularly focused on capabilities, and not tools. It doesn’t matter if you have a great VM tool if your systems have broad vulnerabilities. Don’t tell me about the great SEIM you have, tell me about how complete and effective your monitoring is. How do you know?
- #27: NIST CSF is a measure of capability, not control strength, and is designed for maturity scoring. The previous page listing of Brian Wif an Eye also includes process, documentation, and policy maturity as well, which I think is very useful… but use your own reference for how to score. Just make sure if you deviate from a published standard that you can back it up with documentation as to how the scoring was achieved.
- #28: Note that these are still capabilities, not solutions. If you see product names or projects here then you’re solutioning.
- #35: We act as incentivized Do you know how execs are compensated? What will drive the company forward without sacrificing bonus? What maximizes both? We all seek belonging Emphasize team Importance of stakeholders We desire recognition Paint the future picture Celebrate Success