8/2/2019 ISSA WebConf Educating Sr Bus Mgt Sept 27 2011
1/37
Educating Senior Business Management
Generously sponsored by: [sponsor logo]
ISSA Web Conference
Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London
Welcome
Conference Moderator - Kevin D. Spease, CISSP-ISSEP, Treasurer/Chief Financial Officer, ISSA International Board
Agenda
- The Art of Selling Security to the Business - Ron Hardy, Vice President, Product Management and Marketing, NetIQ
- What Senior Management Needs to Know About Your Security Business Case - James Anderson, Professional Assurance, LLC, Pinehurst
- The Emperor's New Clothes: Be Skeptical or Be Exposed - Michael Waters, Manager of Enterprise Information Security, Booz Allen Hamilton
- Closing Remarks
The Art of Selling
Ron Hardy
Vice President, Product Management and Product Marketing, NetIQ
The State of Information Protection
- Spending on IT security moderately increasing
- Breach costs continue to exceed investments in security
- Six years, 900 million records, $180 billion (2010 Verizon Business Risk Report)
Pressure Has Increased on IT Departments
(graphic only)
Effective Communications are Critical
(diagram: Compliance mandates, Corporate risk management, Security and Operations, Emerging technologies, SOX)
Security 101: The Language of Leadership
"Every day CEOs must assume the role of risk-takers. This is one component that defines a good CEO. What risks [...] it? The CISO must be able to contribute to the wider risk discussion and help the company take the right risks." - Claudia Natanson, Chief Information Security Officer, Diageo
Evaluating the Risk
You cannot counter threat, but you can mitigate the potential for loss.
CEOs expect investment to be justified by:
- Risk assessment
- Reasonable reduction in risk
It's All about Balance
(diagram: Cost, Control, Effective and Operational, Risk)
Achieving Business Alignment
- Understand the business.
- Make risk mitigation a part of all new [...].
- Information protection should not be an afterthought.
- Information protection [...], not impede, innovation.
Making Information Protection Strategic
- Communicate need for security investments in terms [...].
- Security is not the goal but a means to manage risk of business innovation.
- Proactively work with the business to mitigate risk as part of new initiatives.
- Avoid layering security on after the fact.
- Ensure compliance investments improve security.
- Minimize compliance for compliance's sake.
Learn More at NetIQ.com
Access analyst reports; gain insight.
- Market Overview: Privileged Identity Management, by Andras Cser, Forrester Research (tinyurl.com/PIMwhitepaper)
- No More Chewy Centers: Introducing The Zero Trust Model Of Information Security, by John [...] (tinyurl.com/ZeroTrust)
Continue the conversation!
- Twitter.com/NetIQ
- Facebook.com/NetIQ
- Community.Netiq.com
NetIQ Worldwide Headquarters
[...] West Loop South, Suite [...]
Houston, Texas 77027 USA
Worldwide: 713.548.1700
N. America Toll Free: [...]
[email protected]
Follow NetIQ: (social media icons)
Question and Answer
Ron Hardy, Vice President, Product Management and Product Marketing, NetIQ
What Senior Management Needs to Know about Your Security Business Case
James Anderson
Professional Assurance
[email protected] (profassure.com)
Senior Management Needs to Know
- The scope and cost of your plan
- How it fits with the current security situation
- What are the risks being addressed
- How will implementation success be measured
Substantive concerns that Sr. Mgmt is responsible for
What Senior Management Expects to Hear
- A frightening story
- We have no alternative but to do this project
These are negative messages that can create problems for you later
Reverse Engineering a Successful Security Business Case
- Draft the business case so it fits with this approach
- Outline and plan the pre-work
  - Components and costs in or out, timeline, etc.
  - Availability of metrics before or after
  - Issues and obstacles
- Preparing the ground phase may take months
  - Identify company bus case templates, procedures
- Complete and pitch the business case
- Follow-ups and after action analysis
Preparation and Process
- The single most important phase of the overall business case process.
- Develops the relationships in facts, plans and organizational functions
  - find out friends and enemies
- Understand the key obstacles and challenges
  - Deals and log rolling necessary
- Business Case Process: forms, schedules, NPV or IRR? Cost thresholds?
Sr. Mgmt. Perspective -- Costs
- Out of pocket vs. soft
- Headcount is special
- How to handle the benefit of productivity gains
- How to deal with the benefit of reduced risk
  - Hint: it's not a savings
Sr. Mgmt. Perspective -- Bus & Tech Fit
- Do you use existing technology?
  - [...] platforms?
  - [...] needed?
- Does your proposal disrupt existing functional boundaries?
- Does it enable the business?
- Do you meet a need demanded by customers or businesses? Or that will be demanded shortly?
Sr. Mgmt. Perspective -- Security and Risk Situation
- Where does your proposal fit in the overall security and risk picture?
  - Address well-known gap?
  - Deal with a recently discovered problem?
  - [...] business? Or across multiple parts?
- How does this proposal fit with other initiatives past, present or planned?
Sr. Mgmt. Perspective -- Risks, cont'd
- Do you have a way to see that the risk reduction promises are being fulfilled?
- Have you researched the risk retention profile?
- [...] threats
  - Your assumptions change
  - External threats escalate
  - Internal vulnerabilities change
- ...do you have a way to get on the senior management radar screen when warranted?
Sr. Mgmt. Perspective -- Metrics
- Are there good before and after metrics around the proposed new facility?
  - Risk
  - Input
  - Outcome
- [...] be) hooked into?
- How close are your metrics to the revenue-producing side of the business?
Conclusion: Your Security Business Case
- Is not only well researched but well socialized
- Makes sense in the context of the business
- Can be measured through non-controversial metrics
- Succeeds on multiple levels
- ...for others for later use!
Question and Answer
James Anderson, Professional Assurance
The Emperor's New Clothes: Be Skeptical or Be Exposed
Michael Waters, Manager of Enterprise Information Security, Booz Allen Hamilton
Three types of firms
- Those that have been compromised
- Those that have been compromised but don't know it
- [...]
Recognizing and defending against noisy threats like viruses, spam, and script kiddies is basic. Most firms do this and consider themselves safe.
Advanced attackers (the adversary) are stealthy, persistent and almost certainly in your environment right now.
Potential impact of compromise is huge
For compromises that are made public:
- Loss of reputation / client confidence -> lost future revenue
- Loss of shareholder confidence -> decreased market cap
- Contractual remedies -> loss of revenue + loss of clients
- [...]-generating activities
- Regulatory penalties: state privacy legislation, HIPAA, etc.
For compromises by stealthy adversaries, not public:
- Loss of Intellectual Capital -> loss of competitive edge
- Plus all the impacts of public compromises if it becomes public
Steps you need to take to defend yourself
Many firms still don't get the basics right:
- Patch user systems and servers
- Challenge and validate security at each step in system development / acquisition lifecycle.
- Web proxy to prevent access to dangerous sites
Stepping it up:
- Two factor authentication to replace passwords
- Internet isolation [...] desktops
- Network Access Control (NAC)
What you need to check and protect
- Systems you build or buy for internal use
- Systems you build or buy to sell to your clients
- Outsourced services you resell to your clients
- Systems you had no idea were associated with your firm but were bought by John in Accounting five years ago from a cousin of his, that now sit unprotected on the Internet serving up your sensitive information to any script kiddie with an Internet connection
Trust, but verify
- Establish internal standards, then check to ensure they are being followed
- Outsourced service providers that do not provide validation of the security status of their offerings should be subject to additional scrutiny
- An unverified promise that a third party will protect your information is cold comfort in the event of a breach
Question and Answer
Michael Waters, Manager of Enterprise Information Security, Booz Allen Hamilton
Open Discussion
- Kevin D. Spease, CISSP-ISSEP - Treasurer/Chief Financial Officer, ISSA International Board
- Ron Hardy - Vice President, Product Management and Marketing, NetIQ
- Michael Waters - Manager of Enterprise Information Security, Booz Allen Hamilton
- James Anderson - Professional Assurance, LLC, Pinehurst
CPE Credit
Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.
http://www.surveygizmo.com/s3/649201/ISSA-Web-Conference-Educating-Senior-Business-Management
After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
Closing Remarks
Thank you to our Sponsor
Thank you to Citrix for donating this Webcast service
Online Meetings Made Easy