1 © Copyright 2014 EMC Corporation. All rights reserved.
Transforming Information Security: Insights from the Security for Business Innovation Council
Dr. Michael Teschner, RSA Deutschland, May 2014
The Security for Business Innovation Council
A group of highly successful security executives from Global 1000 enterprises
Driving industry conversation about how to better align security with business strategy
Ideas published in a series of reports, combined with independent research
Convened and sponsored by RSA
Who is in the SBIC?
ABN Amro: Dr. Martijn Dekker, Senior Vice President, Chief Information Security Officer
AstraZeneca: Simon Strickland, Global Head of Security
Automatic Data Processing, Inc.: Roland Cloutier, Vice President, Chief Security Officer
The Coca-Cola Company: Renee Guttmann, Chief Information Security Officer
eBay: Leanne Toliver, Office of the Chief Information Security Officer
EMC Corporation: Dave Martin, Vice President and Chief Security Officer
FedEx Corporation: Denise Wood, Corporate Vice President, Information Security, Chief Information Security Officer, Chief IT Risk Officer
Fidelity Investments: Timothy McKnight, Executive Vice President, Enterprise Information Security & Risk
HDFC Bank Limited: Vishal Salvi, Chief Information Security Officer and Senior Vice President
HSBC Holdings plc.: Bob Rodger, Group Head of Infrastructure Security
Intel: Malcolm Harkins, Vice President, Chief Security and Privacy Officer
Johnson & Johnson: Marene Allison, Worldwide Vice President of Information Security
JPMorgan Chase: Anish Bhimani, Chief Information Risk Officer
Nokia: Petri Kuivala, Chief Information Security Officer
SAP AG: Ralph Salomon, Vice President Security, Processes & Compliance Office, SAP Cloud and SAP IT
TELUS: Kenneth Haertling, Vice President and Chief Security Officer
T-Mobile USA: Bill Boni, Corporate Information Security Officer (CISO) and Vice President, Enterprise Information Security
Walmart: Jerry Geisler, Office of the Chief Information Security Officer
Transforming Information Security
A three-part series created across 2013-2014
Vision of what an effective and forward-leaning information security program looks like
– Actionable advice for how to get there
Recommendations for:
– Designing a state-of-the-art extended team
– Future-proofing information security processes
– Evaluating and adopting essential new technologies
Today’s security teams are in transition
TEAMS IN THE PAST … → TEAMS TODAY …
Implemented and operated security controls → Performs business- and risk-driven security functions
Siloed, “we do it all” approach → Collaborative approach with shared responsibility for securing info assets
Focused on reactive, technical security controls → Focuses on proactive, strategic risk priorities
Security teams in transition (cont’d.)
TEAMS IN THE PAST … → TEAMS TODAY …
Technically-oriented security personnel → Multidisciplinary teams with diverse technical and business leadership skills
Traditional IT or security backgrounds → Wide range of backgrounds, from data science to military intel
1. Redefine and strengthen core competencies
Increase proficiencies in four main areas:
– Cyber risk intelligence and security data analytics
– Security data management
– Risk consultancy
– Controls design and assurance
2. Delegate routine operations
Identify suitable processes: repeatable and well-established
Allocate to internal groups or external service providers
Ensure adequate command and control
– Implement requirements, standards, and SLAs
– Retain sufficient domain expertise
Continually evaluate what functions could be done by others more efficiently and/or cost-effectively
3. Borrow or “rent” experts
Augment the expertise of the core team, particularly when:
– The core team lacks expertise in specialized areas
– It is infeasible or too costly to keep specialized experts on staff
– Work overflows due to special projects or staff shortages
Leverage personnel from other departments or external consultants
4. Lead risk owners in risk management
Partner with the business to manage cyber risks
– Establish risk appetite and acceptance levels
– Gauge cyber risks versus business rewards
Develop a consistent approach to risk identification, assessment, remediation, and reporting
Incorporate information risk into the overall ERM program
Make it easy for the business and hold them accountable
– Self-service tools, integrated processes, and automation
5. Hire process optimization specialists
Meet the requirement for a formalized system to consistently measure and improve processes
Integrate team members with experience in quality, project management, or service delivery
– E.g. Six Sigma, ITIL’s IT Service Management (ITSM), COBIT IT Governance, and/or TOGAF’s Enterprise Architecture
Leverage professionals from other areas of the organization
– E.g. Quality Department or Enterprise Program Office
6. Build key relationships
Engage at all levels of the organization
– Managers controlling technology investments
– Executives overseeing strategic business programs
Have influence with key players
– Owners of the organization’s “crown jewels”
▪ E.g., business processes involving IP or valuable proprietary data
– Middle management
– Business process outsourcing providers
7. Think out-of-the-box for future talent
Work with business units and HR on recruitment strategy
– Consider a wide range of sources, including unconventional ones
▪ E.g., database admins, software developers, military intel, journalists, historians, mathematicians, economists, DNA scientists
Lack of readily available expertise means developing talent
– Create an internal “cyber security academy”
– Support employees who pursue external training/certifications
– Partner with universities
▪ E.g., shape curricula and create internship opportunities
Processes That Need Improving
Risk Measurement
Business Engagement
Control Assessments
Third-Party Risk Assessments
Threat Detection
1. Shift Focus from Technical Assets to Critical Business Processes
2. Institute Business Estimates of Cybersecurity Risks
3. Establish Business-Centric Risk Assessments
4. Set a Course for Evidence-Based Controls Assurance
5. Develop Informed Data Collection Techniques
Thinking About Security Tech Investments
Major innovations underway in security technology can address emerging challenges
– Changes in the threat landscape
– Use of cloud technologies
– Transition to mobile devices
Technologies are not being developed or implemented quickly enough to keep up with emerging threats
Shift in Mindset, Shift in Technology
More organizations acknowledge the inevitability of breaches and have turned their attention to minimizing their impact
– Leading security teams are making investments in technologies to detect versus prevent intrusions
Need for security technologies that can provide better anticipatory defenses as well as improve business productivity
Focus Areas For Increased Investment
1. Cyber-threat Resilience
– Detection and response to minimize damage or loss
2. End-user Experience Optimization
– Improved UX of security features / functions
3. Cloud Security
– Enhanced visibility and control
Specific Technologies To Consider
Security Analytics
– A foundational technology to help achieve a stronger cyber defense
Next-Generation Anti-Malware
– Add new techniques to this baseline capability
Specific Technologies To Consider (cont’d.)
Flexible Authentication Methods
– Implement new analytics-driven/risk-based models
– Optimize end-user convenience and level of assurance
Identity & Access Management
– Increased granularity, providing deeper, vital insight into user privileges
Specific Technologies To Consider (cont’d.)
New Cloud Services
– Services to help with visibility and control in the Cloud
1. Look At Least 3 Years Ahead
Determine what security capabilities will be needed and what security technologies will be available
– Think about maturity vs. value
Advanced planning can help the organization maintain a competitive advantage
– Report offers 5 ideas to stay ahead of the curve
2. Achieve a Bigger Picture Through Integration
Technologies are now available to more easily integrate systems for a greater overall benefit
– More comprehensive visibility
– Data enrichment
– Correlation
– Operator efficiency
3. Maximize Value through Formalized Technology Deployments
Predict and Track Total Costs and Total Value
Scale Deployments for Quick Wins
Approach Maintenance Strategically
The Security Transformation Journey
[Diagram: People, Process and Technology leading to Intelligence Driven Security]
For More Information
http://www.emc.com/microsites/rsa/security-for-business-innovation-council.htm
Download full reports, infographics, videos
Sign up to get new reports delivered