
How Information Security Won Hearts and Minds


Baxter Thompson Associates


We are specialists in business relationship management. We provide Reconnaissance for IT.


HOW INFORMATION SECURITY WON THE HEARTS AND MINDS OF ITS PARTNERS

Jon Baxter, Founder and Managing Associate www.baxterthompson.com

• We are passionate about enabling the BRM role to achieve its true strategic, value adding potential.

• Formed in 2009, Baxter Thompson Associates has always specialised in Information Technology Services. We bring together a blend of experienced Interim Managers and Consultants who have delivered tangible results while working as Business Relationship Managers.

• Our aim is to be an industry innovator, respected as a thought leader by our peers and seen as a strategic partner by our clients. We help clients gain competitive advantage by enabling IT Business Relationship Management. We do this through a framework we call "Reconnaissance for IT"™, which helps us identify the opportunities, then plan and deliver with clients the deliverables required to improve the shared value of information technology with business strategy.

• We typically help corporate companies on a European basis but are equally at home with smaller growing companies.

15/12/15 © All rights reserved, Baxter Thompson Ltd

Structure of the talk:

Case study approach on the application of BRM to InfoSec:

• The client view – 35 mins: Enable; Engage; Talk "Risk"
• The BRM view – 15 mins: Defining clarity of the BRM role; Improving Demand Shaping; Improving Servicing
• Questions – 10 mins

• A lot of information
• Fast pace
• Questions at the end
• Happy to take questions off line via email or separate phone call

Key Themes: Key aspects of successful Business Relationship Management (House of BRM courtesy of BRMI)

Client company (this presentation scope):

• Defining Clarity of the BRM role
• Improving Demand Shaping Discipline
• Improving Servicing Discipline


Client View

Client View: three shifts

1) From a Protect Focus to a Protect AND Enable Focus (Enable Focus)
2) From Awareness to Engagement Focus
3) From Technology to Risk Focus

For each: the company, the symptom, the problem to solve, the strategic intent.

June 2014: IPO and Separation

• 2000: Merger of 3 exchanges.
• 2001/2002: 2 more exchanges added.
• 2006: Buyout.
• 2012: Further buyout.
• 2014: IPO and separation for the company.

Over a decade of IT change, much of it extremely complex integration and separation work, across 6 different cultures.

Business Mix of Client Company (Business Mix %, values in the order the chart segments are listed):

Listing – 14
Trading - Cash and Derivatives – 46
Market Data and Indices – 20
Post Trade - Clearing, Settlement and Custody – 13
Market Solutions – 7

Organisational Context (organisation chart)

IT: ITS; Markets; Business Design; Solutions; InfoSec; I&O
Other Service functions, e.g. HR, Finance; Admin; EU Prog. Man.

Key Relationships With InfoSec And Sources Of Demand

Strategic Governance: Markets; Solutions; Executive level; Head of Department (HoD).

Key Influencers: Product owners; Business Development managers; Project Managers and Business Analysts. They generate demand – new solutions, new markets, new clients, improved services etc. – that manifests eventually as projects.

Users: All employees of client company. Engagement activities around controls, risk, best practices, policies, comms. and training.

Organisational Context: InfoSec Capabilities

Capabilities: Training; IT Asset Management; Security Control Management; Incident & Change Management; Security Architecture Management; Threat Management; Communication; Demand Management; Governance (Tech. change control and business decision making); Risk Management; Data Classification; Project Management (Security Inspired).

Legend: Proposed New Capabilities; Impacted Capabilities (this presentation scope); Consultant Identified; Client Identified.

Features of a 'Protect' Focused Firm

1. Technology focused – prevent breach and avoid publicity.
2. Default message is 'NO', or at best 'Maybe, but, no, er, No'.

'Protect' Focused Security Team: Cultural Challenges Limit Enablement

Herman's Iceberg Model – Issues in 'Informal' Areas

InfoSec Industry Awareness Approach

• Risk: Security risk vector identified through business users, e.g. phishing
• Control: Technical and procedural controls put in place
• Communicate: Business users informed and trained where necessary

Expected outcome: Reduced risk.
Other outcomes: Antagonism; Perception; Avoidance.

To Enable Business AND Protect Poses A Problem

How to reduce business user risk long term whilst at the same time reducing antagonism, negative perception and avoidance of controls and procedures?

Enable AND Protect: Problems And Solutions

Problems (other outcomes): Antagonism; Perception; Avoidance.

InfoSec Solutions:

1. Improve credibility by Strategy definition and Programme Planning.
2. Improve trust, relationships and communication skills by delivery on principles through an Engagement Manager and deployment of processes.
3. Improve way of working by reviewing security architect capacity and processes.

InfoSec Strategy: 'To Enable and Protect Client Company to efficiently execute its business strategy'

50% Enablement Focus, 50% Protect Focus. Which means:

• Enable by working with our partners, identifying security options and informing risk based decisions.
• Protect by monitoring information flows, assessing potential and existing threats and managing security incidents.

Through: Defensive Strategy (DS); Projects and Continuous Improvement (PCI); InfoSec Engagement Project (IEP); New Organisation Structure (NOS); Technical Risk Management (TRM).

Principles: One PROACTIVE team – security responsibility of all; Engage Earlier; Security Options instead of 'No' where possible; Partner focused; Solutions profiled by risk.

Engagement Focus

1. From a Protect Focus to a Protect AND Enable Focus
2. From Awareness to Engagement: Engagement Principles; Engagement Process; Engagement Plan
3. From Technology to Risk Focus

Engagement Principles

Change in business & IT culture from helpdesk to executive. Engagement with HR and business partners to identify desired business values, desired attitudes and desired behaviours.

Principles (Impact): One PROACTIVE team – security responsibility of all; Engage Earlier; Security Options instead of 'No' where possible; Partner focused; Solutions profiled by risk.

Examples: Shared Business and IT Goals; Show an interest in how the business makes money; Take time to understand the business requirement; Empathy – walk a mile in their shoes; Joint business decision on benefits vs risk.

Engagement Approach – It's not just security awareness! (Flow of Information Between Stakeholders)

Existing Activities: Using and Updating Policy and Procedures; Developing Training; Providing Communication; Discussing with InfoSec Liaisons and Employees; Enforcing Policies.

New Activities: Understanding business opportunities and threats; Applying InfoSec Principles; Identifying Controls and mitigating Actions.

Engagement Plan 2015 – How?

Objective: Reduce risk posed by threats to client company by proactively working with InfoSec business partners, through setting up and running engagement activities on an ongoing basis.

Activities: HoD Meetings; Engagement Manager; Training; InfoSec Liaisons; Site Visits; Policy Enforcement; Communications; Continuous Improvement; Surveys.

Enablers: Learning Management System; "Version 2" Policies and Procedures.

How to get there

This project has been split into 2 phases: Phase 1 Initiation up to end Jan 2015; Phase 2 Delivery of activities until end 2015.

• End Jan: Phase 1 Setup complete; Engagement Manager ready
• End Feb: Survey / intranet deployed; Inductions started; Policies approved
• End May: Policies v2 approved; Training in dev.; Site visits in progress; Liaisons ready; Newsletter out
• End Aug: LMS available; HoD meetings in progress; Liaisons meeting
• End Oct: UK and Holland rolled out LMS; Policies enforced; Engagement activities steady-state
• End Dec: Training fully deployed to all parts of the company

InfoSec Roles: Engagement Manager

Role of Engagement Manager:

• Deploy and manage InfoSec Liaisons
• Supervise Demand Coordinator role
• Proactively harvest user issues that impact security and work with peers to identify solutions
• Identify controls and update policy
• Develop communication and training material that responds to needs
• Deploy and administer learning management system
• Work with users to identify ways that risks can be reduced and controlled

Skills and behaviours required: Excellent people focus – collaborative, friendly, empathetic, communicator; Analytical and results oriented.

Capabilities Impacted: Communication; Training; Demand Management.

Target Audience: Business Users (majority %); Key influencers (minority %).

Risk Focus

1. From a Protect Focus to a Protect AND Enable Focus
2. From Awareness to Engagement
3. From Technology to Risk Focus: Risk language; InfoSec Demand; Project Lifecycle; Demand Management Processes

Information Security Key Engagement Message – Talk "Risk"

Risk is the common language between InfoSec and Business Partners.

Threats: Reputation; Data loss; Exchange & market stability.

Risk Management: Governance; Business engagement; Business controls; Regulation; Business continuity; Legal Requirements.

Creativity; Competitive advantage; Productivity.

Understanding the security risk helps:

• Strike a balance between creativity and control
• Prioritise activity

Sources Of InfoSec Demand

• Operational requirements
• Market requirements
• Regulatory requirements
• Demand generated by "Key Influencers"

(Organisation chart as before: IT – ITS, Markets, Business Design, Solutions, InfoSec, I&O; Other Service functions, e.g. HR, Finance, Admin, EU Prog. Man.)

Sources Of Demand – Problem Statement

• 5 sources of Demand and internal projects.
• All competing for the same resource.
• All requests "top priority".
• Currently Demand hitting InfoSec Architects at all stages of the project lifecycle.
• Symptom: Architects swamped with work and "unable to prioritise work".
• Root cause: Engagement approach, Lack of Governance, Demand Planning processes, Project Management, Capacity Planning and overall capacity.

(Diagram: demand from ITS, Solutions, Operational, Other Functions, Markets and Internal Projects arrives at InfoSec I&O through IT's PM, BA and A roles. Legend: A = Architect; PM = Project Management; BA = Business Analysis.)

Security Architect Capacity Planning (Feb)

• Significant unfulfilled demand

(Chart of FTE over time. Black line = current capacity; Yellow = Ideas, Initiatives, Unprioritised projects (no start date); Other colours = operational commitments and planned projects.)

Typical Project Lifecycle

(Chart: Man-days Effort against Time. "Initiative" (Feasibility, High Level Assessment, Supplier Assessment) → Business Case → "Project" (Detail Design, Service Design, Develop, Install; Sprint 0,1,2,3…n) → Project Handover (Training, Handover) → "Service" ("BAU").)

A Common Industry Project Lifecycle

(Chart: Man-days Effort against Time. "Initiative" → Business Case, if done → "Project" → Project Handover, if done → "Service" ("BAU").)

Lack of planning, conception, scope creep, poor governance, poor alignment to benefits / outcomes and loose risk controls leads to cost and time over-runs.

Past examples: 100%+ variance from initial budget forecast.

InfoSec Demand Management Vision

• To move from a "protect" to a "protect and enable" vision, InfoSec would like to work more upstream in the project lifecycle and effectively engage with Key Influencers through Architecture and Engagement Manager roles.

• The Benefits are:
  1. Identify those initiatives which present a real security risk to the organisation
  2. Build into the project sufficient resource (budget, man-days) to mitigate project risk and therefore business risk
  3. Prioritise effort on those projects with the highest risk

• The Requirement is: Extra Architects working at the initiative stage of the project lifecycle

(Chart: Man-days effort against Time across "Initiative" → Business Case → "Project" → Project Handover → "Service"; Current vs Future effort profile; Enable vs Protect.)

High Level Assessment – Initiative Stage

The outcome required is information that helps build the business case for the idea – do we proceed or not?

(Flow between IT and InfoSec. Inputs: HLA Document – Proposal / idea, Asset value, Attributes of idea. Outputs: High Level Risk assessment document, InfoSec man-days effort, Decision to continue / next project step.)

InfoSec Demand Management Process

(Flowchart: Record request in Register → Is it a standard service? → Service Management. Is it a Change request? → Change Request Management. Is it to participate in a project? → Project Planning. Is it something else? → High Level Assessment → Risk / Issue or further action? → Close request. Implementation Status tracked as R / Y / G.)

Demand Management Roles – Tactical Process Considerations

Demand Coordinator (under the auspices of the Engagement Manager):

• Receives requests and determines type.
• Tracks request and associated activity in Register.
• Allocates resource to request.
• Sets expectations on delivery of request.

Security Architect:

• Delivers project planning, High Level Risk Assessments and Go-Live Risk Assessments.
• Conducts activities – identifies Risks, Issues, Solution Design etc.
• Reports progress and escalates Risks.

InfoSec Roles: Security Architect

Role of Security Architect:

• Research threats and opportunities that impact security infrastructure
• Proactively assess solutions that protect AND enable the company
• Contribute to the architecture design and planning of systems
• Consult with key influencers and assess security risk of proposed activities
• Collaboratively consider options that reduce security risk

Skills and behaviours required: Architecture design and planning; Strategic oriented, consulting skills; Security knowledge; Strong, non-technical communication skills; Proactive and forward thinking; Open minded.

Capabilities Impacted: Demand Management; Security Architecture.

Target Audience: Key Influencers.

InfoSec Enablement In Summary

• From Protect to Enable AND Protect
• From Awareness to Engagement
• From Technology focus to Risk focus

The Business Relationship Management View

Key Themes: Key aspects of successful Business Relationship Management (House of BRM courtesy of BRMI)

• Defining Clarity of the BRM role
• Improving Demand Shaping Discipline
• Improving Servicing Discipline

A note about Competencies and Capabilities…

• The disciplines on the previous slide show, at a high level, how the BRM competencies interact with the provider capabilities.
• Capabilities relate to the provider organisation – People, Process & Tools.
• Competencies relate to the person.
• Some capabilities of the provider can be the responsibility of the BRM, e.g. Demand management.
• The competency of the person to fulfil the BRM role is a function of personal skills and aptitude. These can be trained and coached.

(Diagram: BRM Competency = Personal Skills and Aptitude; Provider Capability = Processes, Tools, Roles & Resp.)

Generic Provider Capability Maturity Model (Maturity Levels; evidence: Tools, Process, People)

Level 1 Initial: People working at an administrative level, unclear of role. Processes unpredictable, poorly controlled and reactive. Tools consist of email and phone. No formal management techniques.

Level 2 Managed: People operationally focused and silo'd. Processes often reactive. Tools basic and not integrated. Some management techniques applied.

Level 3 Defined: People work in teams. Processes characterised for the organisation and proactive. Some cross functional tools integrated. Best practice techniques applied occasionally with some success.

Level 4 Quantitatively Managed: People work collaboratively across functions. Processes measured and controlled. Integrated platforms. Best practice techniques generally applied and successful.

Level 5 Optimising: People work together towards shared goals. Change part of culture. Focus on process improvement. Innovative techniques applied. Technology responsive and agile.

Defining Clarity of the BRM Role (House of BRM courtesy of BRMI)

• Organisational context within which the provider works
• Defining the Provider Strategy
• Understanding the Provider Operating Model
• Clarifying the BRM Role

Improving Demand Shaping Discipline (House of BRM courtesy of BRMI)

Demand Shaping – The Demand Shaping Discipline stimulates, surfaces and shapes business demand for Provider services, capabilities, and products… Demand Shaping is focused on optimizing the business value realized through Provider services, capabilities, and products – that low-value demand is suppressed while higher-value demand is stimulated. It ensures that business strategies fully leverage Provider capabilities, and that the Provider service portfolio and capabilities enable business strategies.

Improving Servicing Discipline (House of BRM courtesy of BRMI)

Servicing – The Servicing Discipline coordinates resources, manages Business Partner expectations, and integrates activities in accordance with the Business Partner-Provider partnership. It ensures that Business Partner-Provider engagement translates demand into effective supply requirements.

Steps Taken

Strategic Analysis:
• Focus front and centre on strategy and business value, not the technology solutions nor the operational issues.
• Subsequent outcomes driven to key focus areas or problem statements.

Functional Analysis:
• Answer what competencies and capabilities are required to resolve the problem.
• Identify the gap between current and future level of competence and capability.

Define and deploy to achieve outcomes:
• Allocate competencies and responsibilities to roles.
• Document roles, processes, training and procedures.
• Fund, recruit and deploy roles.
• Train and coach.

Observations

Enlightened client identified problem to solve:
• The business case had already been made for the client project.
• Strategic intent of the project drove custom, context specific outcomes.

Build not Buy:
• Client company's case wasn't to implement BRM per se – more to implement the capabilities and competencies derived from BRM.
• A lot of effort was spent defining the approach, tools, techniques and roles.

A "lite" & "undercover" BRM:
• Only some of the disciplines and competencies were focused on.
• The role was effectively split between Architect and Engagement Manager – security architecture expertise complementing training / liaison. Both are "relationship" roles but manifest in different contexts.

This starts the journey on BRM:
• The benefits have started: clear strategic intent, communication approach, demand management.

Application of BRM to Provider Functions

1. This specific implementation requires:
• A framework – cross referencing the problem statement to potential solutions. Not copy / pasting.
• Significant understanding of the organisational context – in the first month of work this was organic and achieved only after relationships were established.
• Tailoring solutions and making them "theirs".

2. Benefits of the above approach:
• Addresses business needs / concerns and therefore adds most value at the given point in the client journey.
• Demonstrates the flexibility of Business Relationship Management in any context…
• …but requires significant effort to tailor.

3. Benefits of Business Relationship Management in general:
• Strategic Alignment.
• Focus activity on the right priorities – reduces risk and maximises value.
• Increases collaboration across the company – maximises value.

4. Strategic BRM requires stability and competence in the delivery of core services.


TIME FOR QUESTIONS

To find out more…

Phone: + 44 20 33 84 94 63
Email: [email protected]
www.baxterthompson.com

Baxter Thompson Ltd, Dalton House, 60 Windsor Avenue, London SW19 2RR, United Kingdom

Legal Notice

The content of this slide deck is for information purposes only and does not constitute any advice. The information and materials contained in this presentation are provided 'as is' and Baxter Thompson Associates does not warrant the accuracy, adequacy or completeness of the information and materials and expressly disclaims liability for any errors, omissions or for any consequential loss or damage of any nature. This presentation is not intended to be, and shall not constitute in any way, a binding or legal agreement, or impose any legal obligation on Baxter Thompson Associates. Except as described, all proprietary rights and interest in or connected with this publication shall vest in Baxter Thompson Ltd. No part of it may be redistributed or reproduced without the prior written permission of Baxter Thompson Associates. Portions of this presentation contain materials or information copyrighted, trademarked or otherwise owned by a third party. No permission to use these third party materials should be inferred from this presentation. Baxter Thompson Associates refers to Baxter Thompson Ltd.