1

2

Index

1. Problem Statement2. Solutions: Portfolio

3

Index

1. Problem Statement2. Solutions: Portfolio

4

Complexity

5

P Solutions

Cost

Risk

Imp

act

Probability

I - So

lutions

Usability

Man

agea

bili

ty

Complexity

6

Organizationand

Environment

7

Changes (Organization)

and moreChanges

(Environment)

8

Incomplete Information

9

Levels of detail

10

Limited Resources

11

Limited Influence

12

“Negative” Results

13

Trust

14

Activity and Results are

Weakly Linked

15

Misunderstanding

16

It can be difficult to tell the Good…

17

…from the Lucky

18

From Doorman Mentality…

19

…To Manager Mentality

20

From Invulnerability...

21

...To Return on Investment

22

FromIncidents = Failure…

23

…ToIncidents =

Opportunity for Improvement

24

From Protect the asset...

25

...To Protect business bjectives

26

FromThreats…

27

…To Results

28

FromPreventing policy violations...

29

...To Providing value

30

Level of Commitment

Goals Obligations

Success What we want to What we have to

Quality As well as we want to

As well as we have to

Security As reliably as we want to

As reliably as we have to

Providing value: Governance Playground

31

Providing value: Security PlayGround

Level of Commitment

Goals Obligations

Success What we have to

Quality

Security As reliably as we want to

32

From Contrarian view of business and security....

33

...To Security seen as part of the

business.

34

Continuous Improvement

35

“We want to prevent attacks from succeeding”. With this approach, to be secure means to be invulnerable.

An incident is any loss of confidentiality, integrity or availability.

You look at a piece of data and think: Is it confidential, has it got integrity, is it available?

Traditional approach to security:

36

“We want to guarantee that our business objectives are met”. With this approach, to be secure means to be reliable, despite attacks, accidents and errors.

An incident is a failure to meet a security objective resulting from accidents, errors or attacks.

You look at a piece of data and think: What properties of this data must be protected for it to have business value?

Inovement style Approach:

37

Use case – Malware Management

Use case – Traditional management Motivation: Clean viruses or your business will sink. Objective: No system should get a virus ever Activity: Install antivirus on personal computers, servers, mail

servers, add antivirus functionality to firewalls, add antispyware, antitrojan, antirookit to the mix.

Policy: Prevent any USB, DVD, to touch any company system without being searched for viruses.

Success criterion: When no system gets ever a virus. Continuous improvement: Add more antimalware controls

(Tripwire, CORE, etc)

38

Use Case – Inovement-style management Motivation: Unfortunately systems, specially Windows and malware prone.

We should invest proportionally to the damage they can make. Goal: Systems should accomplish their business role with or without

malware. Activity: Install antimalware in vulnerable systems. Measure activity, scope,

update and availability of antimalware. Consider other measures, like using less malware prone systems.

Policy: Use in every system the antimalware protection that will detect malware and prevent the system from failing to play its business role.

Success criterion: When protected system play their business role without interruption or degradation.

Continuous improvement: Use metrics to improve the antimalware protection and use those with better effectively and ROI.

Use case – Malware Management

39

Index

1. Problem Statement2. Solutions: Portfolio

40

Portfolio

Communication ServicesKnowledge Management ServicesProcess Orientation

Education ServicesConsulting

41

Communication Services - Problem

Both users and IT find it difficult to explain what they need in terms of security (Symptom: They never ask for anything)

Security finds it difficult to understand what the business needs (Symptom: Users and IT avoid meetings with security, difficulties getting budget for projects, lack of collaboration or even conflicts with other departments)

Security feels they don’t have enough power in the organization to get things done.

42

Communication Services - Solution

Learn a new language, “O-ISM3”, including:Security Objectives, which remove ambiguity

and streamline communication.Security Targets, which simplify risk

assessment, and make it easy to relate investment and results.

Processes, which make obvious what is the value provided to the organization.

43

Communication Services - Benefits

Streamline Communication.Improve the alignment of efforts and business

needs.Enable Benefits Realization.Make cristal clear who is responsible for what.Gain influence in the organization.

44

Knowledge Management - Problem

Every task is performed differently depending on who performs it.

When an improvement is identified it is slow to spread among the team, or even lost.

High dependency on the supplier, making the cost of switching very high.

Replacing resources of the team is difficult, requires a high level of effort or it is even risky.

Holidays, attending events and courses, sick leave, become stressing events for the team to be avoided.

Audits are highly disruptive, as there nothing is documented or archived.

45

Knowledge Management - Solution

Identification and archival of all outputs of the activities of the team.

Formal structure and framework for documentation.

Switch from Word documents to Wiki.Clear distribution of knowledge management

responsibilities.Knowledge management integrates seamlessly

with day to day operations.

46

Knowledge Management - Benefits

Every task is performed consistently.Improvement are identified and implemented

quickly and uniformly across the team.No depedency on suppliers.Replacing resources becomes a non-event.More freedom for the work team, improving

motivation and performance, lowering rotation.Audits become painless.

47

Process Management - Problem

There are literally hundreds of activities.Activities are assigned depending on skills.The main driver for activities are compliance with

standards, rather than business needs.Priorities change too frequently.When new activities are created, older activities

become abandoned rather than cancelled.There are activities that don’t show up on the

Follow-up Reports.There are few metrics that infrequently drive

decisions.There is no schedule for activities, or the deadlines

are failed with few exceptions.

48

Process Management - Solution

Switch from activities to processes.Switch from “doing things” to “making deliverables”Group activities with common goals in processes.Prioritize activities depending on business value.Report everything the process performs.Distribute supervisory, audit, operation

responsibilities.Use Activity, Scope, Availability, Load, Quality,

Effectiveness and Efficiency Metrics.

49

Process Management - Benefits

Improve the value for the business.Make better use of resources.Reach higher levels of capability and maturity.Continuous improvement becomes possible.Interface better with other process based methods,

like ITIL.Maintain compliance with standards painlessly.

50

Portfolio

Communication ServicesKnowledge ManagementProcess Orientation

Education ServicesConsulting

51

668862242

learn@inovement.es

Calle Loeches, 1, 28008, Madrid, Spain