Security Vision - Inspiring People to Embrace Security

Page 1: Security Vision - Inspiring People to Embrace Security

SECURITY VISION

ANITIAN

INSPIRING A CULTURE OF SECURITY

Page 2

ANITIAN: intelligent information security

OUR VISION

WE BELIEVE SECURITY IS ESSENTIAL FOR GROWTH, INNOVATION, AND PROSPERITY

Page 3

OUR MISSION

Build great security… programs, controls, practices, policies, in the cloud, leaders

Page 4

OUR SERVICES

• Enterprise risk assessments

• HIPAA risk assessment

• Third party risk assessment

• PCI-DSS

• HIPAA / HITRUST

• ISO 27001:2013

• SOC2

• FFIEC / GLBA

• FISMA / NIST

• NERC-CIP

• EI3PA

• Cloud compliance

• Penetration testing

• Application security

• Code review

• Configuration analysis

• Firewall policy review

• Cloud architecture

• Social engineering

• Red team testing

• Managed security (MSSP)

• NGFW

• SIEM

• Endpoint

• Vulnerability Management

• Web Gateway

• DLP

• Behavior Analytics

• Managed detection & response (MDR)

• Digital forensics & incident response (DFIR)

• Leadership as a Service

• On-Demand advisory

• Industry & market research

• Staff augmentation

Page 5

OUR SPEAKER

• President / CEO of Anitian

• Principal at TrueBit CyberPartners

• 20+ years of experience in security

• Discovered SQL injection in 1995

• Helped develop first in-line IPS engine (BlackICE)

Page 6

OVERVIEW

Intent

• Help you build a more effective security program

• Discuss the value of creating Security Vision

• Demonstrate Anitian’s value

Outline

1. The Challenge

2. Defining Security Vision

3. Implementing Security Vision

4. Qualities of Great Security Leaders

Page 7

"Logic clearly dictates that the needs of the many outweigh the needs of the few… or the one."

- Spock, Star Trek II: The Wrath of Khan

Page 8

THE CHALLENGE

Page 9

DO WE HAVE A SECURITY PROGRAM EFFECTIVENESS PROBLEM?

YES

Page 10

PEOPLE ARE THE MOST IMPORTANT: RESOURCE, THREAT, CHALLENGE

Page 11

I just want to do the right things

Page 12

…but I can’t

Page 13

Security is a top priority…

…that does not apply to me

SCHIZOID SECURITY

Page 14

Page 15

CHECKBOX SECURITY

DESTROYS TRUST

Page 16

GOOD ENOUGH

ISN’T GOOD ENOUGH

Page 17

Weakness is endemic...

…exploitation is epidemic

Page 18

Alerts are a hacker’s way of saying goodbye

PASSIVE SECURITY

Page 19

Apps, cloud, access…

…the back door is wide open.

Page 20

Page 21

Page 22

Page 23

IS THERE ANY HOPE?

Page 24

YES, WITH SECURITY VISION

Page 25

MEANING

Page 26

FOCUS

Page 27

RELEVANCE

Page 28

ACTION

Page 29

DEFINING SECURITY VISION

Page 30

WHY / HOW / WHAT / WHERE / WHO / ACTION

SECURITY OPERATIONS / PROJECTS / METRICS

SECURITY PROGRAM

Page 31

BUSINESS RISK VISION COMPONENTS

• WHY: Vision and Mission Statements

• HOW: Core Values

• WHAT: Risk Management

• WHERE: Projects

• WHO: Roles and responsibilities

• ACTION: Simplicity

Page 32

START WITH WHY

Simon Sinek: www.startwithwhy.com

Page 33

VISION & MISSION STATEMENTS

• Vision

  • Make the world a better place

  • Improve quality of life for everybody

  • Preserve our heritage

  • A world free of evil (pain, misery, loss, disease, etc.)

• Mission

  • Care for the sick

  • Defend (Enable, Cultivate) prosperity and innovation

  • Bring (service) to everybody

  • Build great security leaders

  • Manage risk to promote prosperity

Page 34

INWARD VS OUTWARD VISION

• FedEx

  "FedEx will produce superior financial returns for shareowners by providing high value-added supply chain, transportation, business and related information services through focused operating companies."

• Raytheon

  "One global team creating trusted, innovative solutions to make the world a safer place. Customer success is our mission."

Page 35

HOW: SAMPLE CORE VALUES - RAYTHEON

• Trust

• Respect

• Collaboration

• Innovation

• Accountability

Page 36

WHY/HOW: ANSWER THE BIG QUESTIONS

Communicate:

1. Why are we here? <- Vision

2. Why do we do what we do? <- Mission

3. How do we do it? <- Core Values

4. What do we do? <- Security Program

Execute:

• Encourage care

• Bring people to the table

• Focus people on the right things

• Inspire decision making

Page 37

IMPLEMENTING SECURITY VISION

Page 38

WHAT: IS THE THREAT?

• Your program must be based in risk management

• Communicate

  • What can damage the business?

  • How could it happen?

  • What would be the outcome?

  • What weaknesses?

• Execute

  • Conduct a comprehensive, organizational risk assessment

  • Share the top 10 threats with the organization

  • Define projects based on those top 10

  • Focus staff on those threats

Page 39

SAMPLE THREAT INTELLIGENCE BRIEFING

Columns: # | Threat | Vulnerabilities | Recommendations | Impact | Probability | Risk

1. Threat: Attacker successfully tricks user to perform unsafe action
   Vulnerabilities: No formal security awareness training program for employees. Insufficient personnel for execution of security awareness training. Users have been the target of multiple sophisticated spear-phishing email fraud campaigns.
   Recommendations: Implement a formal security awareness training program for all employees. Conduct regular internal phishing campaigns to help raise awareness of potential security issues.
   Impact: H | Probability: E | Risk: H

Page 40

SAMPLE RISK INTELLIGENCE BRIEFING

Page 41

WHERE: IS THE ANSWER?

• Establish projects that target threats and support the business

• Communicate

  • Focus on the strategic goals of the company

  • Align projects to those goals, and the vision, mission, and core values

  • Have clearly defined business, security, and cost requirements

• Execute

  • Select projects to improve:

    1. People

    2. Technologies

    3. Procedures/Policies

    In that order

Page 42

WHO: REALLY MATTERS?

• People are not assets

• Communicate

  • Each team member’s value

  • Trust, collaboration, and togetherness

  • Read Speed of Trust

  • Be a Servant Leader

• Execute

  • Follow the 13 Behaviors of Trust

  • Hire on cultural fit, not technical skill

  • Fire toxic employees quickly

  • Spend every day engaged, working with your team

  • Serve the needs of the many AND the few

Page 43

ACTION: EFFECT CHANGE

Communicate

• Favor action over reaction

• Push people to learn, grow, and become more

• What is the total cost of ownership (time, money, effort)?

Execute

• Control vendor engagement closely

• Ask people to commit to deadlines and milestones; hold them accountable

• Reward action that protects the business

• Establish metrics that measure results, not effort

Page 44

ACTION PLAN EXAMPLE

• Define exactly what must be done to reduce/eliminate risk

• Be specific; no vague hopes

• Define the effort to implement the fix

Columns: # | Action | Description | Estimate | Effort

A1. Action: Integrate all critical devices with SIEM
    Description: Complete the SIEM deployment, aggregating system- and application-level logs for all critical application and security monitoring devices. Tune event correlation, incident thresholds and alerting. Integrate alerting with incident response plan. This work is critical because currently little to no automated review or alerting for unauthorized access to PHI occurs.
    Estimate: 200-280 hours, $100,000
    Effort: High

Page 45

KEY GOVERNANCE METRICS

Metric: Definition

Dwell time: How long can an intruder linger before being detected?

Patch latency: How long does it take you to distribute a security patch?

Velocity of change: How quickly are changes implemented, averaged over time?

Control strength: Aggressively test controls

Regulatory coverage: Compliance state, progress toward completion

Risk trend: Year over year, how is your total risk trending?

Page 46

SECURITY VISION ENABLES

AGILE, AUTHENTIC, ALIGNED, ACTIONABLE

SECURITY PROGRAM

Page 47

QUALITIES OF GREAT SECURITY LEADERS

Page 48

TRUSTWORTHY

ABRAHAM LINCOLN

Page 49

ANALYTICAL

NIKOLA TESLA

Page 50

VISIONARY

STEVE JOBS

Page 51

INSPIRATIONAL

VINCE LOMBARDI

Page 52

INCLUSIVE

DR. MARTIN LUTHER KING JR.

Page 53

HUMBLE

MAHATMA GANDHI

Page 54

FEARLESS

AUNG SAN SUU KYI

Page 55

THANK YOU

EMAIL: [email protected]

TWITTER: @andrewplato

@AnitianSecurity

WEB: www.anitian.com

BLOG: blog.anitian.com

SLIDES: bit.ly/anitian

CALL: 888-ANITIAN