Rsac2015 burns-fighting the right battle
#RSAC
Bill Burns
VP, CISO, Informatica Corp.
@x509v3 | [email protected]

Increasing your Effectiveness: Don’t Fight The Wrong Battle
My Background
- Current: VP, CISO @ Informatica
  - New ISO27k security/compliance program, new security product line, culture of security
- My previous lives:
  - Investing in InfoSec – Building VC Security Investment Thesis
  - Democratizing Trusted Cloud Security – AWS CloudHSM
  - Architecting, Building and Operating Security @ Scale
Why Are We Here?
- Who are you fighting for?
  - Shareholders, Owners
  - Employees, Teammates
  - Customers, Constituents
- Why do you do this job?!?
  - The Challenge, A Puzzle
  - Protecting Others
  - Sense of Duty, What’s Right
As A Security Leader, You Are Fighting for … Relevance
- Corporate Budget
- Skilled Resources
- Employees’ Attention
- Raising The Security Bar On Your Watch
- Improving The Security State Of The Art
Frames of Reference — Being Relevant
1. Risk vs. Threats
2. Data vs. Opinion
3. Relationships vs. Transactions
4. Business Impact vs. Business Disruption
5. Systems vs. Tasks
6. Security vs. Compliance
7. Value vs. Cost
8. Efficiency vs. Effort
9. Results vs. Effort
10. Being Heard vs. Talking
11. Feedback loops
Risk vs. Threats
- Risk ~= Vulnerabilities * Threats * Impact
- You do not control threats
  - What the attackers could do
- You do have (some) control over impact, vulnerabilities:
  - Patching effectively
  - Incident response capability
  - Regular response plan testing
- Focus on what you can control, being prepared
  - Helps your program be seen as Being Proactive vs. Reactive
Data vs. Opinion
- Ask yourself: “Who has better data about this situation?”
- Have fact-based conversations
  1. Establish hypotheses
  2. Run experiments to gather data (“A/B Tests”)
  3. Measure results
  4. Prove / Disprove your theories
  5. Make decisions to improve security
  6. Rinse, repeat
Relationships vs. Transactions
- Move beyond transaction-based personal interactions
- Industry and Peer benchmarks are powerful leverage
  - Establishes a neutral or trusted third-party, external expertise
  - Removes emotion, subjectivity
  - Ponemon, Gartner, Forrester, WiseGate, peers, etc.
- Build & Maintain Relationships … With Your Security Peers
  - Salaries, Budgets, Product Reviews, Training, Feedback, Sanity :)
- … With Your Company’s Peers
  - Pre-wiring meetings, Your Program’s Support, Their Program’s Support
Business Impact vs. Business Disruption
- Business Disruption:
  - Applying OS patches typically requires reboots
  - Critical infrastructure patches lower availability
  - Paying down technical debt means we can’t ship the new features
- Business Impact:
  - Compare security posture, features to your peers, industry benchmarks
  - Security can be a competitive differentiator, or a “must do”, not a tax
  - Use events like “What if we had the same thing happen to us…?”
  - Speak to the business impact, not the technical details
  - Get this on record, have this conversation, build your case
Systems & Programs vs. Tasks
- We know security is an ongoing process, not a task or one-time checklist
- Task-focused security appears never-ending
  - Hard to show return on investment, results for effort
  - Minutiae obscure the value of security from project-level work
- Focus on higher-level metrics, regular cadence, objectives, accountability
- Build repeatable processes, automation, Programs
- Focus on what you can control
- Follow program management guidelines, best practices
  - Charter, Goals, Sponsorship, Metrics, Review, Cadence, RACI
Systems & Programs vs. Tasks (II)
- Example: Patching, Vulnerability Management is hard work. Never “done”.
  - Filing individual vulnerabilities & issues is not sustainable
  - Pre-wire conversations ahead of review meetings to re-affirm expectations, address concerns
  - Establish regular cadence with stakeholders to build accountability, credibility, measure progress
  - Prioritize the risk of what’s discovered, enabled
- Measure efficacy and efficiency, not effort
  - Move beyond “numbers of criticals”
  - Report “time to close” critical vulnerabilities
  - Not “100% patched”, but “close critical vulns within 2 days of release”
- Goal: Sustainable Security Programs
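As an added example (not part of the talk), this computes the “time to close” metric the slide recommends alongside the “number of criticals” count it argues against, over constructed vulnerability records; the 2-day critical target is the slide’s, the 14-day “high” target is an assumption for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class Vuln:
    host: str
    severity: str
    disclosed: date             # day the fix / advisory was released
    closed: Optional[date]      # None = still open

# Remediation targets in days: "close critical vulns within 2 days of release"
# (the 14-day target for "high" is an assumed value, not from the slide)
SLA_DAYS = {"critical": 2, "high": 14}

def time_to_close(v: Vuln, as_of: date) -> int:
    """Days from release to closure; open items keep accruing until as_of."""
    return ((v.closed or as_of) - v.disclosed).days

def effort_metric(vulns: list) -> int:
    """The 'number of criticals' view: counts work, says nothing about outcome."""
    return sum(1 for v in vulns if v.severity == "critical")

def efficacy_metrics(vulns: list, as_of: date, severity: str = "critical") -> dict:
    """Time-to-close distribution and SLA attainment for one severity tier."""
    sample = [v for v in vulns if v.severity == severity]
    sla = SLA_DAYS[severity]
    ttc = [time_to_close(v, as_of) for v in sample]
    within = [v for v in sample if v.closed and time_to_close(v, as_of) <= sla]
    return {
        "count": len(sample),
        "median_ttc_days": median(ttc) if ttc else None,
        "pct_within_sla": round(100 * len(within) / len(sample), 1) if sample else None,
        # open items already past target: the list to bring to the review meeting
        "open_past_sla": [v.host for v in sample
                          if not v.closed and time_to_close(v, as_of) > sla],
    }

# Constructed sample findings for one subnet over a month (not real data)
AS_OF = date(2015, 4, 30)
VULNS = [
    Vuln("web-01", "critical", date(2015, 4, 1), date(2015, 4, 2)),
    Vuln("web-02", "critical", date(2015, 4, 1), date(2015, 4, 3)),
    Vuln("db-01", "critical", date(2015, 4, 10), date(2015, 4, 15)),
    Vuln("db-02", "critical", date(2015, 4, 20), None),
    Vuln("app-01", "high", date(2015, 4, 5), date(2015, 4, 12)),
]

if __name__ == "__main__":
    print("criticals found:", effort_metric(VULNS))   # 4
    print("critical efficacy:", efficacy_metrics(VULNS, AS_OF))
```

The same four criticals read as “4 open issues this month” under the effort metric, but as “50% closed within 2 days, median 3.5 days, db-02 still open past target” under the efficacy metric.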
Security vs. Compliance
- Focus on solid security foundations
- Compliance will come along for the ride
  - “Say It” – Policies
  - “Do It” – Procedures & Guidelines
  - “Prove It” – Generate evidence to review
- Many standards, pick the best match for your company
- Already started with Compliance? Expand into Good Security
Assess once, comply many

Control areas (ISO 27000 domains) mapped against five regimes: ISO 27000, SOX, GLBA, HIPAA, US-EU Data Privacy. Each ✓ marks one regime the control area satisfies.

Security Policy                ✓ ✓ ✓ ✓ ✓
Organization of InfoSec        ✓ ✓ ✓ ✓ ✓
Human Resource Security        ✓ ✓ ✓
Asset Management               ✓
Access Control                 ✓ ✓ ✓ ✓ ✓
Cryptography                   ✓ ✓ ✓
Physical & Environmental       ✓ ✓ ✓ ✓
Operations Security            ✓ ✓ ✓ ✓
Communications Security        ✓ ✓ ✓ ✓ ✓
System Acq, Dev & Maint        ✓ ✓ ✓ ✓ ✓
Supplier Relationships         ✓ ✓ ✓ ✓ ✓
InfoSec Incident Management    ✓ ✓ ✓ ✓
Business Continuity            ✓ ✓ ✓ ✓
Compliance                     ✓ ✓ ✓ ✓ ✓
Efficiency vs. Effort

[2x2 matrix: horizontal axis “Operational / ‘Must Do’” vs. “Strategic To Company”; vertical axis “Low Impact / Sustain” vs. “High Impact / Growth”. Quadrants: Operational Excellence, Competitive Advantage, Undifferentiated Heavy Lifting, Competitive Disadvantage / Not to Do.]
Results vs. Effort

[Same 2x2 matrix (“Operational / ‘Must Do’” vs. “Strategic To Company”; “Low Impact / Sustain” vs. “High Impact / Growth”), now with the recommended response per quadrant: Automate, SecDevOps; Focus / Invest; Outsource, Self-Service, Operations; Automate, SecDevOps.]
Communicating vs. Talking
- Security is about influencing, selling, advising
- Communication is what The Receiver Does
  - To be heard, use their vocabulary
  - To be effective, use their communications vehicle
- Avoid “Impedance Mismatches”
  - Operations: Change Requests & Tickets
  - Engineering: Bug Reports, Feature Requests
  - Automate filing audit tasks via your ticketing system
  - Create User Stories for desired security features
Feedback Loops
- Putting it all together …
- Create tight feedback loops with your stakeholders
  - Builds relationships, trust
- Require metrics, measuring the Right Things
- Establish data-based decision making
  - Reinforce / disprove your hypotheses
- Increase your security velocity
  - This encourages Results, incremental improvements
It’s All About Results. Do The Following:
- By Next Week
  - Time map: Evaluate where [you | your team] is spending its energy
  - Take your [CIO | Operations Peer | Engineer Peer] to lunch
- Within Next Quarter
  - Assess what metrics are truly impactful. Eliminate the rest.
  - For a month, measure your time-to-remediate vulns on one critical system or subnet
  - Identify 3 repeatable tasks you can automate
- By the End of This Year
  - Take your [General Counsel | Chief Product Officer | etc.] to lunch. Share top metrics.
  - Automate at least 2 repeatable audit or security tasks
  - Create 1+ feedback loop on a task with your Operations or Engineer peer