James Beeson SOURCE Boston 2011
1 like1,250 views
This document discusses bridging gaps in information security and preparing for the future. It notes that the CIO and CISO roles are similar, as both require an understanding of technology and business, branding, and leadership. It emphasizes that information security and IT do not own risk, and that a "just say yes" approach works better than fear, uncertainty, and doubt messaging. It also stresses the importance of measurement, education, and leveraging existing frameworks to improve security and reduce risks like data loss.
James Beeson SOURCE Boston 2011
- 1. BRIDGING THE GAPS AND PREPARING FOR THE FUTURE! James Beeson Chief Informa0on Security Officer April 20, 2011
- 2. We Are Figh0ng The Same BaCle! Same Risks • Business Disrup0on • Unauthorized Access Don’t Reinvent the Wheel • Data Leakage/Loss Collaborate Use Exis0ng Frameworks • Data Integrity Issues ISO 27001 • Regulatory Non-‐Compliance COBIT NIST Standards Similar Threats • Mistakes/Accidents • Organized Crime (APT) • Vulnerabili0es (SW/HW/NW) • Unauthorized SoVware • Social Engineering (Phishing)
- 3. CIO & CISO Roles Similar • Need to understand what the business does • How does technology enable the business processes • Branding and marke0ng for the cause • Evangelist for the profession and importance • Salesperson to get things accomplished • Leader to mo0vate people to do the right thing Aren’t We All Just Used Car Salespeople?
- 4. Mix of Technical Exper0se and Leadership Informa0on Security Technical Exper0se • CISSP (Cer0fied Informa0on Systems Security Professional) • CISA (Cer0fied Informa0on Systems Auditor) • CRISC (Cer0fied in Risk and Informa0on Systems Control) • CISM (Cer0fied Informa0on Security Manager) Leadership • Team Building and Mo0va0on • Effec0ve Speaking and Presenta0on Skills • Hiring and Management Skills • Style Flex – Understanding Mo0va0on • CAP (Change Accelera0on Process Training) • ITIL (Informa0on Technology Infrastructure Library) Skills • Six Sigma or similar Quality Training
- 5. Just Say “Yes” Approach • Works BeCer than Chicken LiCle or FUD • ShiVs the Ownership/Burden of Risk • As They Say “It’s All In The Spin” • Push for Data Driven Decisions IT and CISO DO NOT Own the Risk!
- 6. KNOW THE 2 MINUTE ELEVATOR SPEECH Key OperaAng Elements Top Risks InformaAon Security Risk Management Data Leakage/Loss IdenAty Management (Access Control) Unauthorized Access Monitoring & Incident Response Business Disrup0on Data Integrity Issues Strategic Approach Regulatory Non-‐Compliance Strong, Simple, Risk Based Policies Top Threats Phishing (Social Engineering) Layered, Measurable Approach Unauthorized SoVware Ongoing Risk Assessment & Quick IR Organized Crime (APT) SW/HW/NW Vulnerabili0es Con0nuous Educa0on and Awareness Mistakes/Accidents Tarnished Brand Name DRIVES Revenue Loss Added Costs (regulatory fines)
- 7. Security is an Enabler to Compliance and Reducing Risk • Leverage Compliance and Legal • Take Advantage of Opera0onal and Business Risk Knowledge • Mix Training, Educa0on, and Communica0ons • Embed Security in Technology and Business Processes • ShiV from Slowing-‐Down to Enabling
- 8. Measurement Drives Behavior As Lord Kelvin once said “If You Can’t Measure It, You Can’t Improve It” Typically Improvement is Measured by: <Reduced Cycle-‐Time <Reduced Cost <Reduced Defects Key Takeaways • Schedule Recurring Reviews • Know Your Audience • Tie Improvement Metrics to Performance • Don’t Reinvent the Wheel • Automate and Define Clear Ownership Threat x Opportunity = Risk
- 9. Trends • I Don’t Buy Your Shoes, Why Would I Buy Your PC • Cloud is the Preferred Way to Manage Data • Conundrum -‐ Digital Na0ves vs Baby Boomers • Power Portability/Mobility with No Perimeter • Organized Crime (APT) is “Big Business” • Focus on Compliance Not Security Posture • Social Engineering Rules – An Educa0on Issue
- 10. Things That Make You Go Hmm • 2 Billion People Internet Connected • YouTube >2B Views/Day • Over 22 Billion Tweets in 2010 • Facebook – Worlds 3rd Largest Country • Over 100 Million Users on LinkedIn • Internet Background Check Common • Tex0ng & Apps Overtake Voice • PC’s/Laptop’s Dropping in Sales • 1/5 Marriages from Internet Da0ng
- 11. Summary • Figh0ng the Same BaCle – Leverage Everyone! – Risks are basically the same • Know Your Business – Become an Enabler – Reduces the “Hindrance” factor • CIO and CISO Roles are Similar – Aren’t we all just Salespeople • Measurement Drives Behavior – “If you can’t measure it, you can’t improve it” • Digital Na0ves versus Digital Immigrant – Helping to “Bridge The Gap”
- 12. QUESTIONS? Contract Informa0on: Email: James.Beeson@GE.com Telephone: 01 203 205 5450