2. Who am I?
Joel Cardella
Over 20 years in IT in various capacities – infrastructure operations & data centers, sales support, network ops, security
Email: jscardella@gmail.com
Twitter: @JoelConverses
3. Fear, Uncertainty and Doubt (FUD) can no longer be the fait accompli of the security world to try and drive good security decisions.
fait accompli
noun
a thing that has already happened or been decided before those affected hear about it, leaving them with no option but to accept.
"the results were presented to shareholders as a fait accompli"
4. http://securityintelligence.com/cost-of-a-data-breach-2015/#.ValJ7vlVhBc
• The average cost paid for each lost or stolen record containing sensitive and confidential information increased 6 percent, jumping from $145 in 2014 to $154 in 2015.
• The lowest cost per lost or stolen record is in the transportation industry, at $121, and the public sector, at $68.
• On the other hand, the retail industry’s average cost increased dramatically, from $105 last year to $165.
13. Michael Lynton, CEO of Sony Entertainment Inc
In a December [2014] interview with National Public Radio, Lynton insisted his company was “extremely well prepared for conventional cybersecurity,” but faced “the worst cyberattack in U.S. history.” He has repeatedly described it as a “highly sophisticated attack.” Sony Pictures provided written responses to questions through Robert Lawson, its chief spokesman. He says Lynton has no plans to fire or discipline anyone. The CEO’s reasoning rests on the belief that because Sony’s assailant was a foreign government, with far more resources than a renegade band of hackers, what happened was unstoppable. The studio simply faced an unfair fight.
http://fortune.com/sony-hack-part-1/
14. If the data represents you, you are the owner.
The company hosting it, or collecting it, or buying it from a clearinghouse is merely the custodian. And as a custodian they have fiduciary responsibilities to that data, but they also have financial obligations to their investors and shareholders.
So, in that equation, Mr and Mrs Data Owner suffer the downside of risk.
16. These are all things I tried and did not succeed with
Don’t refer to security as an insurance model
Don’t use standards that don’t map to your industry, or use apples & oranges comparisons
Don’t confuse compliance with security, and don’t discuss them in the same context – separate the words and define them differently
18. What do we do?
Pivot
This can be (sometimes should be) very obvious
Understand what your ROI is
E.g. If the penalty for non-compliance is $X, then we spend $Y to offset it
X < Y = Positive ROI
X > Y = Negative ROI
X = Y = ROI needs to be evaluated
Other ROI calculations can be more complex, and need their own models
19. What to do?
Treat Cybersecurity as a Business Risk
And start referring to it as business risk
○ Example: SGRC
Ask how your business assesses risk and pattern a model that follows it – show execs what they are used to seeing
Engage your peers and superiors on risk topics – use what is in the media as a conversation starter
This is where ROI begins
20. What to do?
Build the path to awareness by your leadership
Prepare reports on what’s going on in the industry around you – execs love to know how they are doing compared to those around them
Start with the next level manager, or managers in other departments – sometimes it’s a journey not a ladder
This is where ROI is discussed
21. What to do?
Learn from the past mistakes of others
This is where ROI is proven
Example of Sony:
Sony’s email-retention policy left up to seven years of old messages on servers, unencrypted
The company was essentially using email for long-term storage of business records, contracts, and documents saved in case of litigation.
An array of sensitive information—including user names and passwords for IT administrators—was kept in unprotected spreadsheets and Word files with names like “Computer Passwords.”
22. What to do?
Be prepared! Know your data and know what it takes to protect it – but let someone else make the risk decision on it
This requires emotional detachment!
This is where ROI is defended
23. What to do?
Network! Network! Network!
Come to community meetups and cons
Come to local group meetings (#misec)
Engage on Twitter, or other social mediums
Forum discussions
Ask questions, share info
SWIPE
This is where ROI can be enhanced
24. Functional Area / Key functions / How we achieve it / Business value

Security
Key functions:
• Ensure proper controls for systems and data access
• Ensure Confidentiality of business data
• Ensure business data is resistant to unauthorized change
How we achieve it:
• Investment in security technologies
• Multi-layer defensive strategy
• Segregation of duties controls in SAP and other business critical systems and applications
• Ensure logical separation of critical data
Business value:
• Business can operate within acceptable tolerance of risk
• Enterprise “crown jewels” are protected from malicious threats
• Confidence in data is increased, business decisions have greater value

Governance
Key functions:
• Ensure global and regional directives and standards are in place for all NASC and relevant business processes
How we achieve it:
• Global ISMS participation
• Policy creation and documentation
• Reviewing and approving standards and practices
Business value:
• Ensures the effective and efficient use of IT Security in enabling the business to achieve its goals
• Ensures alignment with global governance

Risk
Key functions:
• Reduce enterprise risk
• Stay abreast of new risks and threats
• Business continuity planning and system availability planning
How we achieve it:
• Ongoing risk assessments for both IT and business
• Continually manage threats in constantly changing threat landscape
• Proactively test systems for vulnerabilities
• Investment in risk technologies
• Business continuity planning for recovery of data and continuation of business in disaster situations
Business value:
• Business can run with reduced risk, allowing more innovation and growth
• Newly emerging threats can be dealt with more quickly
• Recovery capabilities for outage situations can be dealt with quickly, allowing for minimal business interruption

Compliance
Key functions:
• Ensure compliance activities for regional and global directives are met
• Ensure Legal mandates are met
How we achieve it:
• ICS activities
• Interfacing with IT, global and business auditors on all audits
• Interfacing with Legal
• Ensure follow up on audit findings
Business value:
• Internal Controls Systems mandates are met
• Legal mandates are met
• Understanding of audit risks and findings, help with mitigation
25. Critical Success Factors
• Confidentiality, Integrity and Availability of data is managed to business expectation
• Providing cost effective security controls and risk mitigation
• Proactively addressing security improvements and mitigations where required
• Improve recovery capability
Key Activities
• Managing audit findings as a tool for improving security posture and maturity
• Execute control activities for governance and compliance
• Continually assess risk and validate mitigations and controls
• Disaster/continuity planning and recovery planning
• Assess vulnerabilities, mitigate and manage emerging threats
Key interfaces
• Global IT security
• Project management
• Regional and global auditors
• External auditors (E&Y, PwC)
• Legal, both regional and global
• Corporate Communications
• Business units, all LOBs and process areas
• Executive management
• IT Security community
Guiding Principles
1. Focus on the Business
2. Comply with Relevant Legal and Regulatory Requirements
3. Evaluate Current and Future Information Threats
4. Adopt a Risk-based Approach
5. Protect Classified Information & Ensure Proper Use
26. Layered security model
[Diagram: concentric layers around critical business data; each layer and what it does]
• Perimeter defense (hardware firewall, intrusion detection): hardware, restricts network access from the internet
• Managed security services, security threat detection: services partner watches all network activity, looks for suspicious activity
• Windows Firewall, patching (software): software to restrict access, patching to deal with known vulnerabilities
• Anti-Virus Measures: anti-virus blocks known threats
• End User: end user awareness training, strong passwords, dual factor authentication
• Access Controls: access controls restrict access to the critical systems, manage SOD conflicts
• Critical business data: the asset at the centre of the layers
27. Final thoughts
Remember, your job is to LOWER the risks of doing business. Do so using positive ROI.
Emotionally detach yourself from the things that drive you nuts as an infosec admin or manager.
Understand you are there as an advisor, a counselor. When you make decisions in this capacity, you become trusted. You are no longer a gatekeeper. Gatekeeper = compliance.
But keep in mind: your business can do business without security. It’s high risk, but if the benefits outweigh the risks…