To summit (surmount?) the Matterhorn

Building an Effective Security Awareness and Training Program
SHAMBLIN | HOFFMAN

Quinn Shamblin
Executive Director & Information Security Officer
Boston University
[email protected]
@BUInfoSec
www.linkedin.com/in/quinnshamblin/

Harry Hoffman
Security Operations Lead
MIT
[email protected]

Agenda – The Expurgated Version

▪ Security is a mountain [9 - 10*]
  Awareness programs: the what, why and overview of how
▪ Topic [10 - 10:30]
▪ Topic [10:45 - 11:15]
▪ Topic [11:15 - 12]
▪ Topic [1 - 2:15]
▪ The route setters [2:30 - 3ish]
  Considerations in managing an awareness program

(We will show the full agenda once we have talked through a few things…)
*Times are very general. Today will be filled with discussion.

What is Security?

Security is a Mountain

Today’s metaphor

▪ Security is a mountain that we are trying to surmount
  ▪ Huge, many-faceted, challenging, ever-changing, treacherous
▪ Formed by the tectonic plates of regulation and practicality
  ▪ Regulatory requirements
  ▪ Limits of practicality
▪ The classic view of security
  ▪ Getting in the way of end users getting things done
  ▪ Department of Business Prevention

What do we mean by Security Awareness?


Training v. Awareness

▪ Training = how, practical skills
▪ Awareness = why, emotional and intellectual motivation
▪ “Security training provides users with a finite set of knowledge and usually tests for short-term comprehension….
▪ Security Awareness programs strive to change behaviors of individuals, which in turn strengthens the security culture. Awareness is a continual process. It is not a program to tell people to be afraid to check their e-mail. The discipline requires a distinct set of knowledge, skills, and abilities.”
▪ “SETA” – Security Education Training and Awareness

Why should we have an awareness program?


The Debate

▪ Disagreement by some big names
  ▪ Against (Bruce Schneier)
    • “I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere. Moreover, I believe that our industry’s focus on training serves to obscure greater failings in security design.”
    • $
    • Difficult to prove value
    • Breaches happen anyway
  ▪ For (Ira Winkler)

Why should we bother doing this when some experts say it has no value?

HIPAA
SOX
FISMA
PCI
Safety of Personal Information
Safety of Organizational Information
Network Hygiene
Reputation
Trade or Research Secrets
Personal Security

Perhaps a more satisfying answer

▪ (Aside from being required by several regulations)
▪ Focusing on technology misses the whole point
  ▪ Understand and avoid fraudulent or malicious behavior
▪ These scams have been around for years, sometimes hundreds of years

What is the goal of Information Security Awareness?

The Goal: To Change Behavior

▪ In order for a person to change their behavior, they must want to change their behavior
▪ This is an emotional issue not an intellectual one
  ▪ We don’t need to make them an expert
  ▪ (Feeds into recommendations on approach)
  ▪ A little bit of knowledge goes a long way if they understand and believe
  ▪ However, to Bruce’s point, we need to make it easier for them

When you think of security training, what do you think of?

What are you doing for Awareness?

Some Awareness Activities

▪ Orientation/on-boarding
▪ Regulatory Training
▪ NCSAM
▪ Email campaigns
▪ Phishing campaigns
▪ Movie nights
▪ Posters
▪ Hacking demos
▪ Flyers/pamphlets
▪ Local celebrity endorsements
▪ Video campaigns
▪ Contests
▪ Teaching courses (zeitgeist)
▪ Off-boarding
▪ Shredding events
▪ Sharing news articles

The Awareness and Training Framework

▪ There is no all-encompassing true path to the goal
▪ Success requires a multi-tiered approach:
  1. Getting buy-in and support from the highest level
  2. Middle management support, both IT and business line
  3. Building a security culture into your IT practitioners: Developers, Admins, Desktop Support
  4. Giving the end users the tools and knowledge they need
  + Having a plan to successfully develop and manage an enterprise awareness program

Agenda

▪ Q] The mountain is security [9 - 10]
  Awareness programs: the what, why and overview of how
▪ Q] Shouting from (to?) the peaks [10 - 10:30]
  Tone from the top. Buy in and support from the highest level
▪ H] Tone from the middle… [10:45 - 11:15]
  The importance of support by middle management, both IT and line
▪ H] Those that help us climb [11:15 - 12]
  The real front line. Building a security culture into your IT practitioners: Developers, Admins, Desktop Support
▪ H] The climbers [1 - 2:15]
  Those we are trying to help, the end users
▪ Q] The route setters [2:30 - 3ish]
  Considerations in managing an awareness program

Shouting From (To?) the Peaks
The voice from the top is heard the farthest

Do we really need Senior Management support?

Things we can only get through Mgmt

▪ Visible support
▪ Exposure to the Board
▪ Policies
▪ Setting responsibility
▪ Money
▪ Beware the arête

Visible Support

▪ High level organizational Priorities
▪ Exposure to the Board
  ▪ Reporting of status
  ▪ Positive as well as negative
▪ Example to next layer of management and down (the start of the support line)
▪ Delegated authority
  ▪ “The president has asked that we…”

If you can’t get visible support

▪ Doesn’t mean you have no program
▪ Changes how your program will need to be run:
  ▪ Middle tier management
  ▪ Core IT
  ▪ End users
▪ Aligning security with core business objectives:
  ▪ The argument: “security as an enabler”
  ▪ Could Amazon exist without security?

Wait… Policies?

Are policies necessary for a good awareness program?

What policies might be helpful?

What if I can’t make or pass policy?

P. v. p.

▪ [P] Data Classification
  ▪ Training and sensitivity by context of sensitivity of the data
  ▪ Signs in hospitals reminding nurses and doctors to be careful where and how they talk about patient information
▪ [p] Onboarding training policy (or at least procedure)
  ▪ Periodic refresh
▪ [p] Mandatory refresher training
  ▪ Those that fall for phishing…

Who is responsible for security?

Really?

Setting Responsibility

▪ Changes to the actual organizational chart
▪ Tie upper management incentives to security goals
  ▪ Senior management bonuses – Goal for training
  ▪ Creating dotted lines across the organization to InfoSec
  ▪ Input to performance evaluations
▪ SMART goals
  • Increase in average performance on a security evaluation
  • Requirement to measure against peers
  • Application updates per quarter
  • Passes OWASP Top 10/Security code audit

How do I drive buy-in from Senior Management?

Have a Breach

Seriously, I can never get money for security. What can I do about that?

Is FUD bad?

For management, yes FUD = bad

▪ Talk risk not fear
▪ Risk evaluation, based on REAL risk probabilities or estimates where known.
  ▪ Quantified risk analysis
    • Be realistic with your probabilities
▪ Regulation, monetizing the risk using standard risk assessment techniques
  ▪ COSO
  ▪ Binary risk analysis

Talk reputation and then talk numbers

▪ Reputation
  ▪ Peer institutions, ISACs, IVY+
  ▪ Best practices
▪ Remember the bottom line. Control proposed cost.
  ▪ What can you do on a shoestring?
  ▪ Choose the biggest impact for lowest dollar
  ▪ Value proposition – Cost/Benefit

I have had high level buy-in in the past and my program still failed. Why!?

This is not a guarantee of success

▪ Sabotage by other senior managers or others
  ▪ Don’t care
  ▪ Not fond of change
  ▪ Thinks it doesn’t apply to them
  ▪ Stragglers
▪ Impact of a single negative person
  ▪ Crowd mentality
▪ Don’t let it discourage you
  ▪ Attempts before first successful attempt

Summary: Managing Senior Leadership

▪ You are the lead climber
  ▪ Forges ahead, gets support, establishes anchor, sets the line so the next group can be hooked in
▪ Speak the language of business risk and value
  ▪ Total cost, risk avoidance, protection of reputation
  ▪ Monetize the impact of bad security choices
    • Compromised machines and accounts
    • Time and effort costs, time to fix/reimage, time to investigate and recover.
    • Breaches
▪ Regulation, monetizing the risk using standard risk assessment techniques (COSO)

Tone From the Middle…
My boss doesn’t care, why should I?

What do we need from business line management?

Business Line Management

▪ Security is the responsibility of the business, not IT
▪ IT is a service organization, there to support the business
  ▪ They are responsible for nothing but delivering what the business requires, but can be very helpful in doing so
    • They are acutely aware of this, sometimes to the detriment
▪ Recall the responsibility setting discussion from senior management…

What do we need from business line mgmt?

▪ Balance Risk - Fully understand the risk
  ▪ Include security in the conversation
  ▪ Introducing risk because they don’t understand the security implications of their decisions
▪ Support
  ▪ Understanding that there are needs that they sometimes don’t understand or care about
  ▪ …but they are still needs (compliance, etc.)

How do we get it?

▪ Can we change that relationship premise?
  ▪ Partner, not just provider
    • IT not just a service organization, but responsible for making the business better—another line
  ▪ Having an equal voice in decisions
  ▪ Establish dotted line ownership to IT
▪ Align process—both business and IT—with overall business objectives and include security considerations along the way

How do we get it?

▪ IT and Cyber Security must be business analysts
  ▪ “It is not my job to say no. It is my job to find a safe way to say yes.”
  ▪ Suggest ways to meet the business goals, not just veto
▪ Build and maintain credibility
  ▪ Back suggestions with data, not just anecdotes
  ▪ Be realistic about risk and what is really a “requirement” vs. just a nice-to-have or a “best practice”.

The problem with autonomy ☺

▪ Procurement – Consumerization and the cloud
  ▪ Going and buying their own stuff
    • Provide guidelines, recommendations and considerations on safely using consumer products and cloud services
  ▪ End run around procurement, general counsel, security
    • Relationship building and communication are important
    • Regularly meet/lunch with folks to find out what’s going on
▪ Solution: relationship building
  • Give good, easy-to-use, trustworthy advice that people will want
  • Be the go-to person/group
  • Requires an openness to do more work

Tone From the Middle…
My IT boss doesn’t care, why should I?

IT Middle Management

▪ Interfaces directly with the different business units
▪ Sets team and IT unit priorities based on business input
▪ Relationship building
▪ Directly controls the priorities, tools and processes used by the Developers and Admins

What do we need from IT mgmt?

▪ Getting things out the door can't be the ultimate decider
▪ Need to help the business understand when they are pushing for things with risk implications
  ▪ Include security in the conversation
  ▪ Introducing risk because they don’t understand the security implications of their decisions

What else do we need from IT mgmt?

▪ Care for and support of IT staff
▪ Tools
  • Automated code testing
  • Vulnerability scanning
  • Privileged account management
  • Automated data/behavioral analytics
▪ Processes / frameworks / standards
▪ LISTENING and taking action
  • Security issues that were not understood until there was greater analysis
  • Being willing to go back to the business

How do we get it?

▪ Build risk and security evaluation and approval into IT processes
  ▪ Help communicate risk
  ▪ Involve other groups when needed
▪ Support IT budget requests for security functions/tools
  ▪ Make suggestions, get their buy-in
  ▪ But they propose it in the budget process

A word about integration with processes

▪ Enterprise Architecture
▪ Project Management
  ▪ Security evaluation framework for project requirement analysis and associated training
▪ SDLC
  ▪ Software (and Security) Development Life Cycle
    • Coding frameworks, best practices, code audits
    • QA Testing/Approval
  ▪ Post-production
▪ Institutional Processes – IRB

Summary: Managing the Middle

▪ Management performance evaluation should include security goals
▪ Make security the responsibility of Business and IT management… in actuality, not just theory
▪ Help them understand risk
▪ Build evaluation and approval into processes
▪ Make it easy by providing tools and templates
▪ Propose solutions
▪ Provide visible support for good proposals

Awareness Break
PWNage

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.

Those That Help Us Climb
Building a security culture into your IT practitioners: Developers, Admins, Support

Security Sherpas – IT making security easier

▪ Security is hard enough. Let’s have those designing systems do so to make it as easy as possible
▪ I reject the common thought that “Security and convenience are mutually exclusive”
▪ What we need from IT >>

Make it easy to be secure

▪ Provide tools to make things easier
  ▪ Password managers
  ▪ Modern Multi-factor authentication
  ▪ Adaptive authentication
  ▪ iPhone 5s – fingerprint technology
  ▪ Next Gen AV
  ▪ New device and other notifications

At the moment of truth

▪ Provide information at the moment they are making a security decision.
  ▪ Clicking a link is a security decision, but no one thinks of it as such. {ClickProtect}
  ▪ Extended Validation Certificates
  ▪ DLP (Data Loss Prevention) Information Tools
▪ Information at the ready
  ▪ Regulations that affect your org
  ▪ List of resources easy to find
    • Internal/External links ... regularly updated

The only ones that could know …usually

▪ Practitioners best know the systems and are often the only ones that can understand anomalies
  ▪ Logs - oh, look... we're being scanned quite a bit for SQL injection...
▪ Know the normal (or the expected) so that abnormal behaviors become apparent
  ▪ Are you really logging in from Texas at 10am when you just logged in from Boston at 9:15?
▪ …Don’t discount user reports of odd behavior
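The Boston-at-9:15, Texas-at-10 question on this slide is the classic "impossible travel" check. The script below is an added example, not code from the deck or its authors: it runs that check over a few constructed authentication log lines. The log format, user names, IP addresses (documentation ranges) and the small city-coordinate table are all constructed; Austin stands in for "Texas", and a real deployment would resolve source IPs through a GeoIP database instead of a hard-coded table.

```python
"""Flag "impossible travel" between consecutive successful logins by the same user."""
import math
import re
from datetime import datetime

# Constructed: city -> (latitude, longitude). Stands in for a GeoIP lookup.
CITY_COORDS = {
    "Boston": (42.36, -71.06),
    "Austin": (30.27, -97.74),
    "Cambridge": (42.37, -71.11),
}

# Fastest plausible sustained speed for a person, km/h (roughly commercial air travel).
MAX_SPEED_KMH = 900.0

# Constructed log format: "<ISO timestamp> user=<name> src=<ip> geo=<City> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log. Line 3 is the slide's scenario: Boston 9:15, then 45 minutes later Austin.
SAMPLE_LOG = """\
2024-03-04T09:15:00Z user=alice src=192.0.2.10 geo=Boston result=ok
2024-03-04T09:40:00Z user=bob src=198.51.100.5 geo=Boston result=ok
2024-03-04T10:00:00Z user=alice src=203.0.113.77 geo=Austin result=ok
2024-03-04T10:05:00Z user=bob src=198.51.100.9 geo=Cambridge result=ok
2024-03-04T10:20:00Z user=alice src=203.0.113.77 geo=Austin result=fail
"""


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "user": m["user"], "src": m["src"],
                       "geo": m["geo"], "result": m["result"]})
    return events


def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """One alert per consecutive pair of successful logins whose implied speed exceeds the limit."""
    alerts = []
    last_ok = {}  # user -> most recent successful login
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "ok":
            continue  # only a successful login establishes a location
        prev = last_ok.get(ev["user"])
        if prev is not None and prev["geo"] != ev["geo"]:
            here, there = CITY_COORDS.get(prev["geo"]), CITY_COORDS.get(ev["geo"])
            if here and there:  # unknown locations cannot be compared
                km = haversine_km(here, there)
                hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
                # Two places within the same instant is trivially impossible.
                speed = float("inf") if hours <= 0 else km / hours
                if speed > max_speed_kmh:
                    alerts.append({"user": ev["user"], "from": prev["geo"], "to": ev["geo"],
                                   "minutes": round(hours * 60), "km": round(km),
                                   "speed_kmh": round(speed)})
        last_ok[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for a in find_impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"{a['user']}: {a['from']} -> {a['to']} in {a['minutes']} min "
              f"({a['km']} km, ~{a['speed_kmh']} km/h)")
```

Only successful logins update a user's last known location, so the failed attempt at 10:20 neither raises nor suppresses an alert, and bob's Boston-to-Cambridge hop (a few kilometres in 25 minutes) stays below the threshold. The speed limit is the tuning knob; VPN egress points and mobile carrier NAT are the usual sources of false positives, which is why the slide's advice to know what "normal" looks like for your own population matters before turning this on.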

Architecting for use, for ease and security

▪ Be a business analyst
  ▪ Turnkey business solutions with built-in security
  ▪ Research solution w/ pre-approved grant supporting documentation (System Security Plans and Data Management Plans)
▪ Web access and security
▪ Some IAM considerations
  ▪ Multi-factor authentication considerations
  ▪ Group/role-based authorization

Architecting for ease and security – IAM

▪ Account management lifecycle
  ▪ Account creation and delivery
  ▪ Security and support through its life
  ▪ Automated authorization changes based on role changes
  ▪ Automated account/authorization removal/deprovisioning
▪ Align procedures with processes
  ▪ Tie to ERP system, HR takes an action, account is automatically updated with preapproved changes
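The lifecycle bullets above describe HR-driven provisioning without naming any system. The following is an added example (not the authors' code, and not any directory or IdP product's API) of the reconciliation step at the centre of that pattern: derive what each person should hold from their HR roles and a pre-approved role-to-entitlement map, diff it against what the directory currently holds, and emit grants, revokes and disables, including full deprovisioning for terminated and orphaned accounts. ROLE_ENTITLEMENTS, HR_FEED, CURRENT_ENTITLEMENTS and the action names are constructed placeholders.

```python
"""Reconcile directory entitlements against an HR/ERP feed using pre-approved role mappings."""
from dataclasses import dataclass

# Constructed: the only grants that may be issued automatically. Anything outside
# this map still needs a human approval path.
ROLE_ENTITLEMENTS = {
    "developer": {"vpn", "git", "ci"},
    "dba": {"vpn", "db-admin"},
    "desktop-support": {"vpn", "helpdesk-console"},
}

# Constructed HR feed: one record per person as of today.
HR_FEED = [
    {"id": "u1001", "roles": ["developer"], "status": "active"},
    {"id": "u1002", "roles": ["developer", "dba"], "status": "active"},
    {"id": "u1003", "roles": ["desktop-support"], "status": "terminated"},
    {"id": "u1004", "roles": ["dba"], "status": "active"},
]

# Constructed snapshot of what the directory currently holds.
CURRENT_ENTITLEMENTS = {
    "u1001": {"vpn", "git", "ci", "db-admin"},  # stale grant left over from an old role
    "u1002": {"vpn", "git"},                     # missing ci and db-admin for the new role
    "u1003": {"vpn", "helpdesk-console"},        # left the organization, still provisioned
    # u1004 has no account yet (new hire)
}


@dataclass(frozen=True)
class Action:
    kind: str            # "grant", "revoke" or "disable" (hypothetical action names)
    user: str
    entitlement: str = ""  # empty for "disable"


def desired_entitlements(record):
    """Entitlements an HR record should hold; anyone not active gets none."""
    if record["status"] != "active":
        return set()
    wanted = set()
    for role in record["roles"]:
        # An unknown role grants nothing rather than failing open.
        wanted |= ROLE_ENTITLEMENTS.get(role, set())
    return wanted


def reconcile(hr_feed, current):
    """Actions that bring `current` (user -> entitlements) in line with `hr_feed`."""
    actions = []
    seen = set()
    for rec in hr_feed:
        uid = rec["id"]
        seen.add(uid)
        have = current.get(uid, set())
        want = desired_entitlements(rec)
        for ent in sorted(want - have):
            actions.append(Action("grant", uid, ent))
        for ent in sorted(have - want):
            actions.append(Action("revoke", uid, ent))
        if rec["status"] != "active" and uid in current:
            actions.append(Action("disable", uid))
    # Accounts with no HR record at all are orphans: strip everything and disable.
    for uid in sorted(set(current) - seen):
        for ent in sorted(current[uid]):
            actions.append(Action("revoke", uid, ent))
        actions.append(Action("disable", uid))
    return actions


if __name__ == "__main__":
    for act in reconcile(HR_FEED, CURRENT_ENTITLEMENTS):
        print(act.kind, act.user, act.entitlement)
```

Running it on the constructed data revokes u1001's stale db-admin grant, adds the two entitlements u1002's new role calls for, strips and disables the terminated u1003, and provisions the new hire u1004 from nothing. Because the map is the only source of automatic grants, the "preapproved changes" of the slide are enforced by construction: a role the map does not know about yields no access.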

Technologists: Ask for what you need

▪ Speak up, ask:
  ▪ For security training
  ▪ For frameworks and templates
  ▪ For reviews
  ▪ For support

Third-party considerations

▪ Solutions that automatically wrap security around cloud solutions
▪ Guidelines and considerations/recommendations where this is not possible
▪ Compatibility/support of SAML and federated authentication
  ▪ EDUROAM, OAUTH
▪ Get risk support involved: Security, Purchasing and General Counsel

Considerations after Production

▪ Security throughout the SDLC is not the end
▪ The higher-ed approach – Pay for once, up front, never pay for again, run into the ground
  • Put up applications but don’t plan for resources to maintain them
▪ Vulnerability scanning and management
  ▪ What is secure today is not secure tomorrow
  ▪ Efficiency of operations and prioritization of patching
▪ Secure retirement at end of life
  ▪ Data destruction, cleaning the backups, hard drives

Summary: Security Sherpas

▪ IT can design to make things easier for the end users
  ▪ Deploy tools to make security transparent or to give users security information at the moment of the decision (where possible)
▪ When someone reports an issue, take it seriously
  ▪ Listen to what people are trying to accomplish vs. trying to fix the problem as you think it is
  ▪ But often only you can know when something isn’t right. Take that seriously too
▪ Ask management for what you need

The Climbers
Helping your people make good security decisions

We are in this together

▪ We are all responsible, but we rely on each other
▪ Those on the ground rely on the support of management and IT

Traditional Training

▪ Estimated > 50% of data breaches are due directly or indirectly to poor IS security compliance [1]
▪ Per Gartner most SETA programs are developed based on “tradition, personal judgment and whim” [2]
▪ Most SETA programs lack an underlying theory [3]
▪ These programs are not working well:
  ▪ < 12% believe awareness programs are effective [4]
  ▪ 24% didn’t know if their university had a security policy [5]
  ▪ 18% had read it [5]

Training Pedagogies

Columns: Transmission | Transaction | Transformation (personal) | Transformation (communal)

Learning paradigm:      Behaviorism | Cognitivism | Constructivism | Social Constructivism
General aims:           Mastery of knowledge | Cognitive abilities | Change beliefs and actions, personal change | Change beliefs and actions, communal change
Content:                Subject centered | Problem centered | Learner centered | Community centered
Teaching methods:       Instructor led | Cognitive problem solving | Personal knowledge through collaboration | Communal knowledge through collaboration
Evaluation of learning: Tests | Acquired intellectual skills | Conversational forms of evaluation for individuals | Conversational forms of evaluation for groups

We are normally here (Transmission). We want to be here (Transformation, Social Constructivism).

Learning theory for SETA

▪ The pedagogy for SETA should be “social constructivism”
  ▪ “persuasive and non-cognitive”
  ▪ Cognitive arguments and pedagogies are not successful at changing behaviors.
▪ Social constructivism: groups construct knowledge for one another, collaboratively creating a culture

Advertising has been figured out

▪ Include concepts from the human behavioral and organizational sciences field, which has already been largely explored and figured out…
▪ Leverage those who know in creating the program
  ▪ Marketing and advertising professors in your Business or Communications Schools

Approach for General Training

▪ Symbols are more important than words
▪ Bullet points and stories make lasting impressions
▪ Persuasion not fear
  ▪ Positive FUD
▪ Fun, engaging – not stodgy
▪ Provide clear ways to act
▪ Teach common sense (build common sense)
▪ Leverage social media for distribution and creation
  ▪ Crowd Source

Approach for General Training

▪ Don’t overwhelm – Pick 2-3 priorities each year
▪ Instill a sense of ownership
▪ Reward actions
▪ Don’t ignore or forget anyone – everyone has a role
  ▪ Don’t forget third parties and contractors

Leverage enlightened self-interest

▪ Security benefits the individual & company
▪ With great ownership, comes great responsibility
  ▪ More and more, devices are owned by our clients
    • Personal convenience, fewer devices
  ▪ Their device, our data, our risk
    • Loss, theft, destruction
▪ Help them understand and support the goal of safety for both

Vary format and approach

▪ Change things up like you would an exercise program
  ▪ Intro/baseline/foundational
  ▪ Bricks of learning
  ▪ People will not remember long
▪ The gamification movement
▪ Ensure your program addresses different learning modes
  • Audio, visual, and repetitive methods
▪ The buddy system
  • Do you know anyone that needs to know this?
  • Train the trainer (turn an end user into a trainer)

Target your training and awareness

▪ Audience - Specify employee, student, and contractor responsibilities
  ▪ Information necessary and appropriate to that role
  ▪ (picture with cliff ready to avalanche)
▪ Modular
  ▪ Target to meet just the specific needs
    • HIPAA: Overview > Hospital Visitation > Patient record handling > Research
▪ No shotgun approaches

Flash messages as part of a program

▪ Breaking news
  ▪ Live, action-oriented, present
  ▪ Balanced with realism and a sense of proportion
  ▪ Pragmatic
▪ Keep your company’s strategic capabilities in mind
  ▪ Avoiding knee jerk responses
    • Our systems will not run without Java or Flash
▪ Balance “the possible” with “the probable”

Summary tips for effective security training

▪ Serve small bites
▪ Reinforce lessons
▪ Train in context
▪ Vary the message
▪ Involve your audience
▪ Give immediate feedback
▪ Tell a story
▪ Make them think
▪ Let them set the pace
▪ Offer conceptual and procedural knowledge

Process of creating the training

▪ Leverage those who know
  ▪ Marketing and advertising professors in your Business or Communications Schools or your PR department
  ▪ Crowdsourcing / Special Interest Group meetings
▪ Have end users design and suggest content themselves (not IT, not sec)
  • This is in and of itself an awareness activity
▪ They can help figure out what they and the groups they represent don’t know and what they need to know (What risks they realistically face)
  • Tailor the program to that

Consider Outsourcing Options

▪ Popular outsource platforms
▪ http://www.securingthehuman.org/
▪ http://www.wombatsecurity.com/
▪ http://www.wecomply.com/
▪ http://www.inspiredelearning.com/sat/default.htm

▪ Things to look for


Page 85: To summit (surmount?)  the Matterhorn

Summary: Managing the Climbers

▪ Use the correct pedagogy for your program
▪ Don’t overwhelm; pick 2-3 core messages each year
▪ Target your audience and use members of that audience to design and build the training
▪ Use people that know marketing and advertising


Page 86: To summit (surmount?)  the Matterhorn

Implementation Ideas and Examples

Sources of Material


Page 87: To summit (surmount?)  the Matterhorn

Sources of Free Material - EDUCAUSE

▪ http://www.educause.edu/library/security-awareness
▪ Information Security Resources for Presidents and Senior Executives
▪ http://www.educause.edu/library/resources/resources-presidents-and-senior-executives-information-security
▪ Annual Information Security Awareness Video & Poster Contest
▪ https://www.youtube.com/user/SecurityVideoContest


Page 88: To summit (surmount?)  the Matterhorn

Sources of Free Material – Industry News

▪ nakedsecurity.sophos.com
▪ www.cisecurity.org
▪ isc.sans.edu
▪ www.secunia.com/community/advisories/historic/
▪ www.zerodayinitiative.com/advisories/upcoming/
▪ Multi-State Information Sharing and Analysis Center (MS-ISAC)
– msisac.cisecurity.org/advisories/
▪ Research and Education Networking ISAC (REN-ISAC)
– www.ren-isac.net
▪ Microsoft Security Slate (arrange through your MS contact)
▪ www.privacyandsecuritymatters.com


Page 89: To summit (surmount?)  the Matterhorn

Sources of Free Material – Professional Orgs

▪ National Cyber Security Alliance: National Cyber Security Awareness Month
www.staysafeonline.org/ncsam/

▪ ISACA: Information Systems Audit and Control Association
www.isaca.org

▪ HTCIA: High Technology Crime Investigation Association
www.htcia.org

▪ InfraGard: FBI partnership / outreach to the private sector
www.infragard.org


Page 90: To summit (surmount?)  the Matterhorn

Sources of Free Material – Security Vendors

▪ Trustwave Global Security Report
www.trustwave.com/gsr

▪ Verizon Data Breach Investigations Report
www.verizonenterprise.com/DBIR/

▪ Mandiant Intelligence Center Report
intelreport.mandiant.com

▪ Sophos Security Threat Report
www.sophos.com/en-us/threat-center/security-threat-report.aspx
nakedsecurity.sophos.com

▪ McAfee
http://www.mcafee.com/us/business-home.aspx


Page 91: To summit (surmount?)  the Matterhorn

Sources of Free Material – Presentations

▪ Material created by Quinn and Harry that you may freely rebrand
▪ Deter. Detect. Defend. AvoID Theft
▪ Mad Hacker (gleeful “scare tactics” presentation)
▪ Securing Your Digital Life
▪ IM Social Engineering
▪ Monty Python-style script on password disclosure
▪ Shop Safe this Holiday Season

▪ Some are older and need to be updated, but are still a place to start


Page 92: To summit (surmount?)  the Matterhorn

▪ Ah, the IRS outsourced their Tax Return function to ‘Exentric Gamers’ again this year

…Looks legit

http://www.exentric-gamers.com/templates/index.html

Page 93: To summit (surmount?)  the Matterhorn

Ideas for easy Live Hacking Demos

▪ Sniffer, hash capture, password cracker
▪ Run a password cracking program against your users’ password hashes and share aggregate data with them, so they understand what would happen if someone managed to get hold of their hashed passwords. Get written authorization before you do this, and report only aggregates, never which account fell.

▪ SSID tampering
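The password-cracking demo above, worked through as an added example (this is illustrative code written for this page, not a tool from the presentation). It runs a small dictionary-plus-rules attack against unsalted SHA-1 hashes and produces only the aggregate summary you would show an audience. The user list, the wordlist and the mangling rules are constructed here; a real demo would use exported hashes (with written authorization) and a real wordlist, and `mangle()` is a tiny stand-in for the rule engines of John the Ripper or hashcat.

```python
"""Added example: dictionary attack with simple mangling rules against
unsalted SHA-1 password hashes, reporting aggregate results only.

Illustrative code written for this page, not from the presentation.
Sample users, wordlist and rules are constructed for the example.
"""
import hashlib
from collections import Counter

# Constructed sample accounts. Unsalted, fast hashes are used because they
# make the point in seconds; a real directory should salt and stretch.
SAMPLE_USERS = {
    "alice": "password1",
    "bob": "Winter2014!",
    "carol": "Xk9#vLp2qR7!m",   # random; survives the attack
    "dave": "letmein",
    "erin": "Matterhorn",
    "frank": "summer2014",
}
SAMPLE_HASHES = {u: hashlib.sha1(p.encode()).hexdigest()
                 for u, p in SAMPLE_USERS.items()}

# Constructed mini wordlist, standing in for a multi-million-word list.
WORDLIST = ["password", "letmein", "winter", "summer",
            "matterhorn", "welcome", "qwerty"]


def mangle(word):
    """Yield common variants of a base word (a tiny subset of real rules):
    case variants, appended digit, appended year, year plus '!'."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for digit in range(10):
            yield f"{base}{digit}"
        for year in range(2010, 2016):
            yield f"{base}{year}"
            yield f"{base}{year}!"


def crack(hashes, wordlist, algo="sha1"):
    """Return {user: plaintext} for every hash the wordlist + rules match.

    Each candidate is hashed once and looked up against every target, so
    one guess tests all accounts at the same time. That is exactly what
    a missing salt buys the attacker.
    """
    targets = {}
    for user, digest in hashes.items():
        targets.setdefault(digest, []).append(user)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = hashlib.new(algo, candidate.encode()).hexdigest()
            for user in targets.pop(digest, []):
                found[user] = candidate
            if not targets:
                return found
    return found


def aggregate_report(hashes, cracked):
    """Summarise without naming accounts: the only output shown to users."""
    total, n = len(hashes), len(cracked)
    patterns = Counter()
    for pw in cracked.values():
        if pw.isalpha():
            patterns["dictionary word (case variant)"] += 1
        elif pw.rstrip("!")[-4:].isdigit():
            patterns["word + year"] += 1
        elif pw[-1].isdigit():
            patterns["word + digit"] += 1
        else:
            patterns["other rule"] += 1
    return {
        "accounts": total,
        "cracked": n,
        "cracked_pct": round(100.0 * n / total, 1) if total else 0.0,
        "patterns": dict(patterns),
    }


if __name__ == "__main__":
    cracked = crack(SAMPLE_HASHES, WORDLIST)
    print(aggregate_report(SAMPLE_HASHES, cracked))
```

Against the constructed sample, five of six accounts fall to a seven-word list with a handful of rules; the one that survives is the only password that is not a dictionary word with predictable decoration. That ratio, not the individual passwords, is the slide for the audience.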


Page 94: To summit (surmount?)  the Matterhorn

Top 5 excuses for doing nothing about computer security!

EXCUSE 1. No-one's interested in little old me!

EXCUSE 2. My printer won't work with the latest updates.

EXCUSE 3. I've got a Mac.

EXCUSE 4. Security slows your computer to a crawl.

EXCUSE 5. I only browse to safe sites.


Breaking News | Awareness Break

Page 95: To summit (surmount?)  the Matterhorn

The Route Setters
Considerations and tips in managing an effective awareness program

Page 96: To summit (surmount?)  the Matterhorn

You need a program.
You need to make a plan.

How?


Page 97: To summit (surmount?)  the Matterhorn

General planning

▪ What are you trying to achieve and why?
▪ What is the goal?

▪ Who is your audience?
▪ What do they need?
▪ How are they best approached?

▪ What are common factors that lead to success?
▪ What constraints should you build in to the plan?
▪ What resistance are you likely to meet?
▪ How will you deal with it?
▪ How will you measure or prove value and success?

▪ How will you build a sustainable program?


Page 98: To summit (surmount?)  the Matterhorn

Why are we doing this in the first place?


Page 99: To summit (surmount?)  the Matterhorn

Reasons to have an awareness program

▪ It is a regulatory requirement
▪ HIPAA, PCI, FERPA, GLBA, FISMA (NIST 800-53), SOX (for publicly traded companies)

▪ It helps protect
▪ The organization
▪ The individuals themselves

▪ It can educate people on the policy
▪ (I’m sure they read them all when hired.)


Page 100: To summit (surmount?)  the Matterhorn

You don’t know what you don’t know.

How do you fix that?


Page 101: To summit (surmount?)  the Matterhorn

Collect Other Requirements

▪ Find out what is required, and what various interests and constituencies in your organization (let’s call them stakeholders) may want from such a program
▪ Faculty, students, staff
▪ HR, communication, PR, physical security
▪ Regulatory officers, risk officers, general counsel, internal audit
▪ Gauge your efforts against your peers and those the next level up
▪ Recognize and embrace resistance

▪ Talk to your detractors – opposing views are best at teaching you where your plan is weak


Page 102: To summit (surmount?)  the Matterhorn

Reminder: Considerations for each level

▪ Go back to the end of each of our sections and review considerations for managing:
▪ Senior leaders
▪ Business line management
▪ IT management
▪ IT practitioners
▪ Clients on the ground

▪ Particularly important: if you can, ensure that all management have responsibility via goals set from the top


Page 103: To summit (surmount?)  the Matterhorn

Factors of a successful plan

▪ Don’t forget this is Marketing.
▪ Creativity and enthusiasm are a must
▪ Don’t just say what not to do, tell them what to do
▪ Multimodal – what form factors can you think of?
• Generational and self-identity factors

▪ Security Culture …to an appropriate level

▪ Motivation for all levels
▪ Enterprise v distributed (enterprise experts working with local champions)


Page 104: To summit (surmount?)  the Matterhorn

Understand and plan around constraints

▪ Constraints
▪ Timing constraints (fiscal or semester beginning or end)
▪ Effective timing cycle
• Training has a 27-day shelf life
• 90 days, three main topics at a time
• Connects to metrics as well

▪ Funding
▪ Ways around the constraints
▪ Things you can do


Page 105: To summit (surmount?)  the Matterhorn

Create a plan

▪ Split into manageable chunks
▪ How do you climb the Matterhorn?
▪ One section at a time…
▪ Timing
• Monthly, quarterly, semesterly (?), annually

▪ Narrow the requirements
▪ Scope
▪ What will your program cover
▪ Start with the least common denominator and build from there


Page 106: To summit (surmount?)  the Matterhorn

Plan to prove value and success

▪ Plan at the beginning how to measure success
▪ Metrics
▪ Don’t forget to get a baseline!
▪ Training records
▪ Compliance tracking and progress reporting metrics
▪ Plan to report regularly


Page 107: To summit (surmount?)  the Matterhorn

Possible Metrics

▪ Success Metrics
▪ How many phishing messages get delivered
▪ Number of phishing reports
▪ Code analysis
▪ Update compliance
• Endpoint Operating System and Anti-Malware
• Server patches

▪ Value Metrics
▪ Frequency and number of compromised accounts
▪ Reduction in related tickets (staff hours)
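The phishing metrics from this slide, worked through as an added example (illustrative code written for this page, not from the presentation). It turns per-recipient results of a phishing simulation into delivered count, click rate, report rate and time to first report, and expresses each later campaign as a change against the baseline the previous slide asks you to collect. The records, their field names and the decision to use delivered (not sent) messages as the denominator are this example’s own assumptions; in practice the rows come from your phishing platform export, the mail gateway and the abuse mailbox.

```python
"""Added example: phishing-simulation metrics with baseline comparison.

Illustrative code written for this page, not from the presentation.
The RESULTS rows are constructed; field layout is this example's choice.
"""
from collections import defaultdict

# Constructed results: minutes after send at which each recipient clicked
# or reported (None = never). "baseline" is the pre-training measurement.
RESULTS = [
    # (campaign, user, dept, delivered, clicked_min, reported_min)
    ("baseline", "u1", "finance", True, 4, None),
    ("baseline", "u2", "finance", True, 12, 30),
    ("baseline", "u3", "finance", True, None, None),
    ("baseline", "u4", "research", True, 7, None),
    ("baseline", "u5", "research", True, None, 45),
    ("baseline", "u6", "research", False, None, None),  # gateway blocked it
    ("q1", "u1", "finance", True, None, 9),
    ("q1", "u2", "finance", True, None, 15),
    ("q1", "u3", "finance", True, 20, None),
    ("q1", "u4", "research", True, None, None),
    ("q1", "u5", "research", True, None, 6),
    ("q1", "u6", "research", True, 3, 5),   # clicked, then reported
]


def campaign_metrics(results, group_by=None):
    """Return {(campaign,) or (campaign, dept): metrics} from per-recipient rows.

    delivered:        messages that reached an inbox (denominator for rates);
                      "sent" minus "delivered" is what the gateway stopped
    click_rate:       clicked / delivered
    report_rate:      reported / delivered
    first_report_min: minutes until the first report, i.e. how long the SOC
                      would have waited for a heads-up in a real campaign
    """
    def empty():
        return {"sent": 0, "delivered": 0, "clicked": 0, "reported": 0,
                "first_report_min": None}

    buckets = defaultdict(empty)
    for campaign, _user, dept, delivered, clicked, reported in results:
        key = (campaign, dept) if group_by == "dept" else (campaign,)
        b = buckets[key]
        b["sent"] += 1
        if not delivered:
            continue
        b["delivered"] += 1
        if clicked is not None:
            b["clicked"] += 1
        if reported is not None:
            b["reported"] += 1
            if b["first_report_min"] is None or reported < b["first_report_min"]:
                b["first_report_min"] = reported
    for b in buckets.values():
        d = b["delivered"]
        b["click_rate"] = round(b["clicked"] / d, 3) if d else None
        b["report_rate"] = round(b["reported"] / d, 3) if d else None
    return dict(buckets)


def compare_to_baseline(metrics, baseline="baseline"):
    """Percentage-point change in click and report rate against the baseline
    campaign, matched on the same grouping (overall, or per department)."""
    deltas = {}
    for key, m in metrics.items():
        if key[0] == baseline:
            continue
        base = metrics.get((baseline,) + key[1:])
        if base is None or base["click_rate"] is None or m["click_rate"] is None:
            continue   # nothing delivered on one side; no rate to compare
        deltas[key] = {
            "click_rate_pp": round(100 * (m["click_rate"] - base["click_rate"]), 1),
            "report_rate_pp": round(100 * (m["report_rate"] - base["report_rate"]), 1),
        }
    return deltas


if __name__ == "__main__":
    overall = campaign_metrics(RESULTS)
    for key, m in sorted(overall.items()):
        print(key[0], m)
    print(compare_to_baseline(overall))
    print(compare_to_baseline(campaign_metrics(RESULTS, group_by="dept")))
```

Two points the numbers make that the bullet list does not: a message the gateway blocked is not a recipient who resisted, so it stays out of the denominator, and a click followed by a report (u6 in q1) counts in both columns, because the report is what shortens the incident even when the click already happened.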


Page 108: To summit (surmount?)  the Matterhorn

Plan for Reporting

▪ Release findings on a regular basis and at all levels of the organization
▪ Talk about what’s working
▪ Talk about what’s not working
▪ Talk about what you’re going to do to fix what is not working
▪ Gauge yourself among your peers (ISACs, Ivy+, etc.)

▪ Report to each group down through the levels
▪ Not just to senior management
▪ Don’t create acrimony; change is hard enough!


Page 109: To summit (surmount?)  the Matterhorn

Vet the plan, get support

▪ Get people on board before you begin: buy-in
▪ Give others ownership, get them invested
▪ A personal reason to actively help the program succeed
▪ Remember to embrace resistance as an opportunity to improve
▪ Talk to your detractors
▪ They can teach you where your plan is weak


Page 110: To summit (surmount?)  the Matterhorn

Common points of resistance

▪ Slippery slope
▪ Adding security controls in an unmanaged environment
▪ Privacy (in higher ed)
▪ Big brother
▪ Not having well-thought-out programs
▪ Why people don’t want security
▪ The fallacy of “academic freedom”


Page 111: To summit (surmount?)  the Matterhorn

Addressing Resistance

▪ Listen.
▪ Work to understand the real concern
▪ Rephrasing

▪ Build selfish considerations and personal benefits into the program

▪ Help people understand the “A” (Availability) in the “C.I.A.” triad: security is also what keeps their systems and data usable


Page 112: To summit (surmount?)  the Matterhorn

Execute the plan


Page 113: To summit (surmount?)  the Matterhorn

Program Sustainability


Page 114: To summit (surmount?)  the Matterhorn

Keep things fresh


Page 115: To summit (surmount?)  the Matterhorn

ENJOY THE CLIMB!

Quinn ShamblinExecutive Director & Information Security OfficerBoston [email protected] @BUInfoSecwww.linkedin.com/in/quinnshamblin/

Harry HoffmanSecurity Operations [email protected]

Page 116: To summit (surmount?)  the Matterhorn

References used as source material for this presentation are collected in the notes section of this slide…