
Rsac2015 burns-fighting the right battle

Date post: 16-Jul-2015
Upload: bill-burns
Transcript

SESSION ID: #RSAC

Bill Burns
VP, CISO, Informatica Corp.
@x509v3 | [email protected]

Increasing your Effectiveness: Don’t Fight The Wrong Battle

My Background

- Current: VP, CISO @ Informatica
  - New ISO27k security/compliance program, new security product line, culture of security
- My previous lives:
  - Investing in InfoSec – Building VC Security Investment Thesis
  - Democratizing Trusted Cloud Security – AWS CloudHSM
  - Architecting, Building and Operating Security @ Scale

Why Are We Here?

- Who are you fighting for?
  - Shareholders, Owners
  - Employees, Teammates
  - Customers, Constituents
- Why do you do this job?!?
  - The Challenge, A Puzzle
  - Protecting Others
  - Sense of Duty, What’s Right

As A Security Leader, You Are Fighting for

- Corporate Budget
- Skilled Resources
- Employees’ Attention
- Raising The Security Bar On Your Watch
- Improving The Security State Of The Art

… Relevance

Frames of Reference — Being Relevant

1. Risk vs. Threats
2. Data vs. Opinion
3. Relationships vs. Transactions
4. Business Impact vs. Business Disruption
5. Systems vs. Tasks
6. Security vs. Compliance
7. Value vs. Cost
8. Efficiency vs. Effort
9. Results vs. Effort
10. Being Heard vs. Talking
11. Feedback loops

Risk vs. Threats

- Risk ~= Vulnerabilities * Threats * Impact
- You do not control threats
  - What the attackers could do
- You do have (some) control over impact, vulnerabilities:
  - Patching effectively
  - Incident response capability
  - Regular response plan testing
- Focus on what you can control, being prepared
- Helps your program be seen as Being Proactive vs. Reactive

Data vs. Opinion

- Ask yourself: “Who has better data about this situation?”
- Have fact-based conversations:
  1. Establish hypotheses
  2. Run experiments to gather data (“A/B Tests”)
  3. Measure results
  4. Prove / Disprove your theories
  5. Make decisions to improve security
  6. Rinse, repeat

Relationships vs. Transactions

- Move beyond transaction-based personal interactions
- Industry and Peer benchmarks are powerful leverage
  - Establishes a neutral or trusted third party, external expertise
  - Removes emotion, subjectivity
  - Ponemon, Gartner, Forrester, WiseGate, peers, etc.
- Build & Maintain Relationships … With Your Security Peers
  - Salaries, Budgets, Product Reviews, Training, Feedback, Sanity :)
- … With Your Company’s Peers
  - Pre-wiring meetings, Your Program’s Support, Their Program’s Support

Business Impact vs. Business Disruption

- Business Disruption:
  - Applying OS patches typically requires reboots
  - Critical infrastructure patches lower availability
  - Paying down technical debt means we can’t ship the new features
- Business Impact:
  - Compare security posture, features to your peers, industry benchmarks
  - Security can be a competitive differentiator, or a “must do”, not a tax
  - Use events like “What if we had the same thing happen to us…?”
  - Speak to the business impact, not the technical details
  - Get this on record, have this conversation, build your case

Systems & Programs vs. Tasks

- We know security is an ongoing process, not a task or one-time checklist
- Task-focused security appears never-ending
  - Hard to show return on investment, results for effort
  - Minutiae obscure the value of security behind project-level work
- Focus on higher-level metrics, regular cadence, objectives, accountability
- Build repeatable processes, automation, Programs
- Focus on what you can control
- Follow program management guidelines, best practices
  - Charter, Goals, Sponsorship, Metrics, Review, Cadence, RACI

Systems & Programs vs. Tasks (II)

- Example: Patching, Vulnerability Management is hard work. Never “done”.
  - Filing individual vulnerabilities & issues is not sustainable
  - Pre-wire conversations ahead of review meetings to re-affirm expectations, address concerns
  - Establish regular cadence with stakeholders to build accountability, credibility, measure progress
  - Prioritize the risk of what’s discovered, enabled
- Measure efficacy and efficiency, not effort
  - Move beyond “numbers of criticals”
  - Report “time to close” critical vulnerabilities
  - Not “100% patched”, but “close critical vulns within 2 days of release”
- Goal: Sustainable Security Programs
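The “time to close” metric from this slide (and the recap’s “measure your time-to-remediate vulns on one critical system” item), worked as an added Python example that is not part of the talk: it runs over constructed vulnerability records, treats still-open criticals as aged up to the report date so they cannot hide from the 2-day target, and reports median, max, percent within SLA and the overdue ids.

```python
"""Time-to-close metric for critical vulnerabilities (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

SLA_DAYS = 2  # the talk's target: close critical vulns within 2 days of release
REPORT_DATE = date(2015, 6, 30)  # end of the one-month measurement window


@dataclass
class Vuln:
    vuln_id: str            # constructed placeholder ids, not real advisories
    severity: str           # "critical", "high", ...
    released: date          # date the fix/advisory was released
    closed: Optional[date]  # None while still open


# Constructed sample records for one critical system over a month (not real data).
SAMPLE = [
    Vuln("VULN-001", "critical", date(2015, 6, 1), date(2015, 6, 2)),
    Vuln("VULN-002", "critical", date(2015, 6, 3), date(2015, 6, 3)),
    Vuln("VULN-003", "critical", date(2015, 6, 10), date(2015, 6, 17)),
    Vuln("VULN-004", "critical", date(2015, 6, 25), None),          # still open
    Vuln("VULN-005", "high", date(2015, 6, 5), date(2015, 6, 30)),  # not critical, excluded
]


def days_open(v, as_of):
    """Days from release to closure, or to the report date if still open."""
    end = v.closed if v.closed is not None else as_of
    return (end - v.released).days


def time_to_close_report(vulns, as_of, sla_days=SLA_DAYS, severity="critical"):
    """Efficacy metrics for one severity class: how fast, not how many were filed."""
    crit = [v for v in vulns if v.severity == severity]
    if not crit:
        return {"count": 0}
    ages = [days_open(v, as_of) for v in crit]
    # Only a closed vuln can count as "within SLA"; an open one younger than the
    # target is neither within nor overdue yet.
    within = [v for v in crit if v.closed is not None and days_open(v, as_of) <= sla_days]
    return {
        "count": len(crit),
        "median_days": median(ages),
        "max_days": max(ages),
        "pct_within_sla": round(100 * len(within) / len(crit), 1),
        "open": sum(1 for v in crit if v.closed is None),
        "overdue": [v.vuln_id for v in crit if days_open(v, as_of) > sla_days],
    }


if __name__ == "__main__":
    print(time_to_close_report(SAMPLE, as_of=REPORT_DATE))
```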

Security vs. Compliance

- Focus on solid security foundations
- Compliance will come along for the ride
  - “Say It” – Policies
  - “Do It” – Procedures & Guidelines
  - “Prove It” – Generate evidence to review
- Many standards, pick the best match for your company
- Already started with Compliance? Expand into Good Security

Assess once, comply many

Controls matrix (columns: ISO 27000, SOX, GLBA, HIPAA, US-EU Data Privacy; each ✓ marks a framework the control area maps to):

- Security Policy: ✓ ✓ ✓ ✓ ✓
- Organization of InfoSec: ✓ ✓ ✓ ✓ ✓
- Human Resource Security: ✓ ✓ ✓
- Asset Management: ✓
- Access Control: ✓ ✓ ✓ ✓ ✓
- Cryptography: ✓ ✓ ✓
- Physical & Environmental: ✓ ✓ ✓ ✓
- Operations Security: ✓ ✓ ✓ ✓
- Communications Security: ✓ ✓ ✓ ✓ ✓
- System Acq, Dev & Maint: ✓ ✓ ✓ ✓ ✓
- Supplier Relationships: ✓ ✓ ✓ ✓ ✓
- InfoSec Incident Management: ✓ ✓ ✓ ✓
- Business Continuity: ✓ ✓ ✓ ✓
- Compliance: ✓ ✓ ✓ ✓ ✓

Efficiency vs. Effort

[2x2 matrix. Axes: “Strategic To Company” vs. “Operational / ‘Must Do’”, and “High Impact / Growth” vs. “Low Impact / Sustain”. Quadrants: Operational Excellence; Competitive Advantage; Undifferentiated Heavy Lifting; Competitive Disadvantage / Not to Do.]

Results vs. Effort

[2x2 matrix with the same axes as the previous slide (“Strategic To Company” vs. “Operational / ‘Must Do’”; “High Impact / Growth” vs. “Low Impact / Sustain”). Quadrant actions: Automate, SecDevOps; Focus / Invest; Outsource, Self-Service, Operations; Automate, SecDevOps.]

Communicating vs. Talking

- Security is about influencing, selling, advising
- Communications is what The Receiver Does
  - To be heard, use their vocabulary
  - To be effective, use their communications vehicle
- Avoid “Impedance Mismatches”
  - Operations: Change Requests & Tickets
  - Engineering: Bug Reports, Feature Requests
  - Automate filing audit tasks via your ticketing system
  - Create User Stories for desired security features

Feedback Loops

- Putting it all together …
- Create tight feedback loops with your stakeholders
  - Builds relationships, trust
  - Require metrics, measuring the Right Things
  - Establish data-based decision making
  - Reinforce / disprove your hypotheses
  - Increase your security velocity
  - This encourages Results, incremental improvements

Recap

It’s All About Results. Do The Following:

- By Next Week
  - Time map: Evaluate where [you | your team] is spending its energy
  - Take your [CIO | Operations Peer | Engineer Peer] to lunch
- Within Next Quarter
  - Assess what metrics are truly impactful. Eliminate the rest.
  - For a month, measure your time-to-remediate vulns on one critical system or subnet
  - Identify 3 repeatable tasks you can automate
- By the End of This Year
  - Take your [General Counsel | Chief Product Officer | etc.] to lunch. Share top metrics.
  - Automate at least 2 repeatable audit or security tasks
  - Create 1+ feedback loop on a task with your Operations or Engineer peer