How to Communicate the Actual Readiness of your IT Security Program for PCI 3.0, Omnibus HIPAA,...
Uploaded by thunderdg
Transcript of How to Communicate the Actual Readiness of your IT Security Program for PCI 3.0, Omnibus HIPAA,...
At Its Heart Today
[Diagram, built up over four slides: IT Security & Risk Management at the centre, surrounded by the CEO, CIO, Happy Board, Managers and Technical Do’ers; Enterprise Risk Assessments; Auditors / Internal Audit; and MSP Partners, Vendors, Consultants, Third Parties and Cloud Providers]
What We Are Hearing
• From You
• From Regulators
What We Are Hearing From You
• CIO – “My Board and CEO still don’t care about IT security unless I can show them that loss if they don’t do something.” The board and CEO of this public company are concerned about security risks in their supply chain and what would happen if it were impacted.
• Director of IT – “The banks are pressing me for more IT Security details now. It used to be relatively easy to fill out, but now it is hours and hours of work. I failed one line of the questionnaire. I was certain my answer was not a big deal, but it was. I don’t want to risk my company’s business with these banks. Can you help me figure this out?” The pressure is mounting as credit card merchants and banks pass the responsibilities down the food chain, exposing the weakest link in the chain.
• CIO – “I really don’t have a problem talking to the CEO and board about justifying our IT Security spending, but I really do need better tools to present the IT Security Vision and Roadmap.” Essentially they trust her, but what if they could trust her and also really understand what the IT Security spending is going towards?
• CIO – “I am looking for new and innovative approaches to presenting my IT security program to the Board. Sometimes they are so focused on whether they will pass the compliance audit that they lose the fact that we need great IT Technology security for a business of our size.”
What We Are Hearing from You
• I would like your opinion so I don’t overspend on my IT Security.
• I have so many areas to secure and I have already spent quite a bit on IT Security…. What do you think about it? Should I be concerned about these overlapping functions on systems?
• Strategy and architecture – I want to go this way and I am thinking of using these technologies; what are your thoughts on my approach?
• Help me understand my current IT Security investments to see if they will pass an audit or some deep dive inspection.
• I have three main constituents that I need to sell my approach to: Auditors, CEO, and the Board. What is the best presentation approach?
JP Morgan Chase Story
An interesting story – this is not the most creative slide in the world, I apologize, but I did mention that it’s a big project so we’re going to get the slides cleaned up at a different time. I was having coffee with the CEO of Unisys just recently, and he was explaining a story that he was at a security event and the ex-Mandiant CEO, or he might still be the CEO but I know that they were purchased and something’s going on with FireEye, was talking, and obviously many of you have listened to, I forget his first name, Mr. Mandiant talk. He asked the CEOs, ‘What do you want from your information security program?’ and they said, I want the best. I want the best, best, best, best, just a real male ego type thing; I want to have a killer IT security program. Then when he (Mandiant) explained what’s needed, the CEOs dialed back their expectations and said, I just want to make sure I don’t end up on the cover of the Wall Street Journal like the Target CEO. It’s an interesting story; the CEOs are sharing information now and it’s interesting to see that even though they want a very powerful program, there’s a reality that many of them are just concerned about their job security. There’s not only the Jamie Dimons of the world but people that I’m seeing, that I talk to just having coffee, and what they’re hearing as well. That’s what we’re hearing from you when we’re listening. What are we learning from regulators?
What We Are Learning From Regulators
• FFIEC
• NCUA
• HIPAA / Omnibus
• BAA (new mandates from Omnibus ruling)
• PCI
• EMV
What We Are Learning - Themes
• IT Security is a Verb and not an Event
• Risk is starting to flow downhill to the weakest link
• Don’t just manage Compliance. Must have a great IT Security program
• Weak Passwords
• Malware - APTs
• 3rd party challenges
• Manage the basics – Patching is not as easy as it might seem
• Authentication challenges
• Data Governance
Proof Needed
• CEO and Boards and Auditors and Compliance
• Want proof
• What is your internal audit and reporting process?
PCI 3.0 Compliance Validation
[Chart: BIGGEST PROBLEM IS GRAPH]
FFIEC Webinar
• FFIEC members include (http://www.ffiec.gov):
• Board of Governors of the Federal Reserve
• Consumer Financial Protection Bureau - CFPB
• Federal Deposit Insurance Corporation - FDIC
• National Credit Union Administration - NCUA
• Office of the Comptroller of the Currency - OCC
• State Liaison Committee
What Every CEO Needs to Know about the Threats They Don’t See
Executive Leadership of Cyber Security
Federal Financial Institutions Examination Council (FFIEC) Cybersecurity and Critical Infrastructure Working Group
Cyber Risk Management GOVERNANCE
HIPAA – old rule
• http://www.hhs.gov/ohrp/sachrp/mtgings/2013%20March%20Mtg/hipaa/hitechomnibus_finalrule.pdf
• Page 13
Omnibus HIPAA – New Rule
• http://www.hhs.gov/ohrp/sachrp/mtgings/2013%20March%20Mtg/hipaa/hitechomnibus_finalrule.pdf
• Page 14
EMV
• New Tech Standard
• Oct 2015 deadline
• Liability for fraud will flow/shift to whichever party has the lesser technology
NCUA
• Cost of a breach
• http://www.ncuareport.org/ncuareport/august_2014#pg4
• Top 10 things credit union auditors look for
IT Security & Risk Management FLOW
[Flow diagram: CEO, CIO, Happy Board, Managers, Technical Do’ers]
• Checklists
• CIO Scoreboard
• CEO/Board
IT Security System Management Checklist
• Admin Level to CIO Level
• 40 Security Items
IT Security & Risk Management FLOW (second slide)
[Flow diagram: CEO, Happy Board]
• Security / Infrastructure / DR, by Sector/Category
• 40 Security Items
• Investment Based on Risk
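As an added illustration of the checklist-to-scoreboard flow on these slides (example code written for this page, not the presenter’s tool or the deck’s actual 40 items), the following Python rolls admin-level checklist results up into the per-category readiness percentage a CEO/Board view needs, and treats any failed critical item as a blocker regardless of the average score, which is the lesson behind the Director of IT’s single failed questionnaire line. The item ids, controls, weights and the 80% threshold are constructed assumptions.

```python
from dataclasses import dataclass
from collections import defaultdict

# Hypothetical readiness threshold for the CEO/Board view (an assumption, not a
# figure from the deck): weighted pass rate needed before a category is "green".
READY_THRESHOLD = 80


@dataclass(frozen=True)
class ChecklistItem:
    """One admin-level line of the security checklist."""
    item_id: str
    category: str      # e.g. "Security", "Infrastructure", "DR"
    description: str
    weight: int        # relative importance, 1 (minor) to 3 (major)
    critical: bool     # a failure here blocks readiness regardless of the score
    passed: bool       # admin-level evidence says the control is in place


# Constructed sample results (not the deck's 40 items); ids and controls are
# illustrative only.
SAMPLE_CHECKLIST = [
    ChecklistItem("SEC-01", "Security", "Critical patches applied within 30 days", 3, True, True),
    ChecklistItem("SEC-02", "Security", "MFA enforced for remote admin access", 3, True, False),
    ChecklistItem("SEC-03", "Security", "Password policy enforced on all domains", 2, False, True),
    ChecklistItem("SEC-04", "Security", "Anti-malware deployed on all endpoints", 2, False, True),
    ChecklistItem("INF-01", "Infrastructure", "Firewall rules reviewed quarterly", 2, False, True),
    ChecklistItem("INF-02", "Infrastructure", "Third-party remote access reviewed", 2, False, False),
    ChecklistItem("INF-03", "Infrastructure", "Cardholder environment segmented", 3, True, True),
    ChecklistItem("DR-01", "DR", "Backup restore tested in the last quarter", 3, True, True),
    ChecklistItem("DR-02", "DR", "DR plan exercised in the last year", 2, False, False),
]


def category_scores(items):
    """Weighted pass rate per category: {category: (earned, possible, percent)}."""
    earned, possible = defaultdict(int), defaultdict(int)
    for item in items:
        possible[item.category] += item.weight
        if item.passed:
            earned[item.category] += item.weight
    return {
        cat: (earned[cat], possible[cat], round(100 * earned[cat] / possible[cat]))
        for cat in possible
    }


def critical_failures(items):
    """Critical items that failed: each one is a blocker on its own."""
    return [item for item in items if item.critical and not item.passed]


def readiness_summary(items):
    """Roll admin-level results up into the CIO-level numbers the Board asks for."""
    scores = category_scores(items)
    blockers = [item.item_id for item in critical_failures(items)]
    total_earned = sum(e for e, _, _ in scores.values())
    total_possible = sum(p for _, p, _ in scores.values())
    overall = round(100 * total_earned / total_possible)
    return {
        "overall_percent": overall,
        "categories": scores,
        "blockers": blockers,
        # A high average never hides a failed critical control.
        "ready": not blockers and overall >= READY_THRESHOLD,
    }


def with_result(items, item_id, passed):
    """Return a copy of the checklist with one item's result changed (what-if)."""
    return [
        ChecklistItem(i.item_id, i.category, i.description, i.weight, i.critical, passed)
        if i.item_id == item_id else i
        for i in items
    ]


def render_scoreboard(items):
    """Plain-text CIO scoreboard suitable for pasting into a Board slide."""
    summary = readiness_summary(items)
    lines = [f"Overall readiness: {summary['overall_percent']}%"]
    for cat, (earned, possible, pct) in sorted(summary["categories"].items()):
        status = "GREEN" if pct >= READY_THRESHOLD else "AMBER"
        lines.append(f"  {cat:<15} {earned:>2}/{possible:<2} weighted points  {pct:>3}%  {status}")
    if summary["blockers"]:
        lines.append("Blockers (failed critical items): " + ", ".join(summary["blockers"]))
    lines.append("Ready: " + ("yes" if summary["ready"] else "no"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_scoreboard(SAMPLE_CHECKLIST))
    # What-if view: the same checklist once the one failed critical item is fixed.
    print(render_scoreboard(with_result(SAMPLE_CHECKLIST, "SEC-02", True)))
```

The what-if helper is the part that answers the “Should I be concerned?” question from earlier in the deck: it shows the Board that closing one critical item moves the program from “not ready” to “ready”, while the category percentages show where the remaining investment based on risk should go.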
Big Picture – What is Happening
“Roughly 170 quadrillion computer chips wired into a mega-scale computing platform. The total number of transistors in this global network is now approximately the same as the number of neurons in the human brain.” – What Technology Wants, Kevin Kelly
Complexity
Interesting – The Word Privacy
JWT – World Trends 2014 and Beyond
WE SIT IN THE MIDDLE AND MANAGE COMPLEXITY
So What is a Security Leader Today?
We Are Supposed to be Afraid Right?
Changing the story – Adult Conversations….
Assume the Breach
Assuming the breach requires a shift of mindset from prevention alone to containment after the breach.
Assumption of a breach requires a maturing of defenses to meet this reality and shifts the focus from ‘if’ to ‘when’.
What about changing the story or the way we talk about IT Security?
I like words like “relentlessly proactive” versus playing back on our heels.
“IT Pros lack Confidence in protecting themselves” – Computer Weekly
Show Me The Money
• Cuba Gooding• Tom Cruise
Ponemon
• Cost of Loss