Transform The Security Conversation

David Lynas Consulting Limited 2017

Transform the Security ConversationEnablement : Excellence : Value

eCrime Singapore, 4 May 2017

David Lynas

CEO David Lynas Consulting Ltd

CEO The SABSA Institute CIC

COSAC Chairman

David Lynas Consulting Limited 2017 1

Your Presenter – David Lynas

36th year in Information Security

Co-author of SABSA

CEO SABSA Institute

SABSA Accredited Education Provider

Co-author “Enterprise Security Architecture”

ISBN 1-57820-318-X

Architecture & strategy clients on every continent

Fellow BCS & CSI Lifetime Achievement Award

Founder and chair of COSAC

http://www.cmpbooks.com/product/1461

http://www.cmpbooks.com/product/1461

Agenda – Use SABSA to Transform

the Security Conversation



The World’s Leading ESA Method & Framework

Free-use Methodology & Framework

Certified Architects in 60+ Countries

Formal regulated Professional Institute

Official & de facto Standard

Government, Finance & Industry

Change the Landscape of Security & Risk

Management, Enable Business and Bring

Demonstrable Value to Your Security Program

4

SABSA Top Ten Applications

Security Architecture

Enterprise Architecture

Traceability & Alignment of Solutions to Business Requirements

Enterprise Risk & Opportunity Management

Assurance, Compliance & Audit

Governance & Policy Architecture

Technical Solutions Design

Integration & Alignment of approaches, framework & standards

Security Service Management Framework

Critical National Infrastructure Strategy


The Security Language Barrier




What are your

security

requirements?

I don’t know

– that’s what

I pay you for!



I can give you

Confidentiality!

But I didn’t go

into Business

to achieve

confidentiality



Do you lose

sleep worrying

about scary

threats?

I lose sleep

worrying about

opportunities

I can’t grasp!



What about

DDOS, ZeroDay,

Bots, Phishing,

Malware and

RootKits?

¿Qué?

Huh?

Say what?


Requirements are lost in

translation

We ask the wrong question

We offer a non-business solution

to a business problem

We talk the wrong language

We sell negatives to

stakeholders who desire……


enablement, excellence & value

What Really Matters


Seraph to Neo – The Matrix Reloaded

“I protect that which matters most”

Transform Language of Requirements


SABSA Attributes Profiling Technique

Engineering technique for modelling Business

Requirements into normalised, measureable,

demonstrable, re-usable, reportable form

The “Things that matter most”

Instinctive to stakeholders at all levels

Measureable to define performance targets and risk

appetite

Populates the missing link between Business and Security

Delegates Risk Appetite & Performance Targets

Example: Values of an NHS Trust


Patient

Focussed

Respectful

Trusted

Clear

Example: Values of an NHS Trust


Prioritised

ResponsibleProfessional

Communicative

Innovative

Example: NHS Trust Strategic Plan


Quality

Effective

Error-Free

Financially

Sustainable

Available

Accessible

Mobile

Scaleable

Timely

Safe

Reliable

A Hierarchy of Systemic Understanding


Systemic Interactions

Vertically

Peer-to-peer

Delegation of risk appetite

Governance, Ownership & delegation of responsibility

Every subdomain contributes performance to

superdomain

Subdomains exist to serve the risk & performance

appetite of the superdomain

Transform the Language of Security


Patient

FocussedPrioritised

Financially

SustainableTrusted Responsible Error Free

Culture

SensitiveAvailable

Cost

EffectiveAccountable Compliant Protected

Identified

Authenticated

Authorised

Access

Controlled

Reliable

Resilient

Recoverable

Standards

Compliant

Integrity

Assured

Educated &

Aware

Confidential

Auditable

Re-usable Monitored

Affordable

Accessible

Attributes for Two-Way Traceability

The Language of Horseshoe Nails


Risk Appetite Distribution, Policy Delegation & Systemic Risk

But HOW does the King check the horseshoe nails?

“For want of a nail the shoe was lost.

For want of a shoe the horse was lost.

For want of a horse the rider was lost.

For want of a rider the message was lost.

For want of a message the battle was lost.

For want of a battle the kingdom was lost.

And all for the want of a nail.”

— George Herbert, Jacula Prudentum, 1651

Transform the Language of Governance


Accountable

Responsible

Performance Target /

Risk Appetite

Distributed

Downwards

Contributing

Risk

Performance

Aggregated

Upwards

The Secret to Measures & Metrics: “What Have you Done for me Lately?”

Transform the Language of Governance


Customer

FocussedUser Centric Profitable Reputable Trusted Crime Free

Culture

SensitiveAvailable

Cost


Identified

Authenticated

Authorised

Access

Controlled

Reliable

Resilient

Recoverable

Standards

Compliant

Integrity

Assured

Educated &

Aware

Confidential

Auditable

Re-usable Monitored

Affordable

Accessible

Attributes for Reporting: Governance & Compliance

Balanced Risk Theory


Two Sides of the Same (Attribute) Coin

Measurable

Performance target

Risk Appetite

Risk v Reward

The Language of Risk Balance


Protect Enhance

Control Enablement

Maintain

Prevent Damage

Stop

Etc

Increase

Enable

Go

Etc

The Language of Risk Balance


Protect life Prevent Crash Go Faster Increase Trust

Control

Objective

Enablement

Objective

Control Enabler

SABSA Risk Balance Model


Transform the Language of Risk


Patient

FocussedPrioritised

Financially


Culture

SensitiveAvailable

Cost


Identified

Authenticated

Authorised

Access

Controlled

Reliable

Resilient

Recoverable

Standards

Compliant

Integrity

Assured

Educated &

Aware

Confidential

Auditable

Re-usable Monitored

Affordable

Accessible

Attributes for Risk & Opportunity Management

The Language of “The Boss”


“Either you demonstrate support for my business objectives or

you are a business prevention department getting in my way!”

Transform the Language of Strategy


Patient

FocussedPrioritised

Financially


Culture

SensitiveAvailable

Cost


Identified

Authenticated

Authorised

Access

Controlled

Reliable

Resilient

Recoverable

Standards

Compliant

Integrity

Assured

Educated &

Aware

Confidential

Auditable

Re-usable Monitored

Affordable

Accessible

Attribute for Strategic Road Mapping

Current-state Target-state

More Information


The World’s most experienced

SABSA Delivery Team

Contact [email protected]

mailto:[email protected]

More Information

Visit David Lynas Consulting / SABSAcourses in the Exhibition

Hall and enter draw for a free place on our next Singapore course


Singapore Official Training

12 – 16 June 2017

Sabsacourses.com


THANK YOUDavid Lynas

[email protected]

www.sabsacourses.com

Transform The Security Conversation

Technology

Transcript of Transform The Security Conversation