Connect Security to the Business/Mission

Sans 20 CSC: Connecting Security to the Business Mission


DESCRIPTION

You know the old break-up line, “it’s not you, it’s me….”? As a CISO, what if, when you get your few minutes to discuss security with the C-suite, board of directors or mission leadership, it really turns out to be you, not them, who failed in the communication? Lack of success in communicating with your C-suite could lead to a breakup sooner or later. I’ve had hundreds of conversations with and about CISOs communicating with their executive leadership, on topics ranging from security breach information, status, performance metrics, risk, visualizations, or overall security posture. And, largely, it turns out to be no surprise that communicating security information is incredibly difficult, especially with non-technical, disinterested, or time-constrained C-suite executives.

Success with SANS

The initial UMASS Security Program was based on the ISO/IEC 27002 controls framework; then, starting in 2011, the SANS 20 CSC were added. Today’s program includes both. The ISO controls focus on program management, compliance and process from an IT auditor’s perspective, while the SANS controls focus on technical means, so they are better aligned with IT operations. Prior to 2011, Wilson was having difficulty communicating with executive management (CIOs and others): it was difficult to translate the purchase and implementation issues surrounding firewalls, anti-virus, and vulnerability scanning into familiar business terms and concepts relevant to management and process. However, when he stopped trying to explain the ISO/IEC 27002 security controls framework and used the SANS 20 CSC instead, he was able to communicate with his C-suite effectively for the first time, in a way they could absorb and support. In addition, he and his team have been able to map out a measurable and actionable security program based on SANS that he regularly succeeds in communicating to his executive team.


Page 1: Sans 20 CSC: Connecting Security to the Business Mission

Connect Security to the Business/Mission

KATHERINE BROCKLEHURST, SANS CSC SUMMIT AUG 11-12, 2013

Page 2

Connect Security to the Business/Mission

Katherine Brocklehurst, Senior Product Marketing Manager

SANS CSC Summit Aug 11-12, 2013

Page 3

AGENDA

• CONNECTING SECURITY TO THE BUSINESS/MISSION

• COMMITMENT TO THE SANS CSC FRAMEWORK

• AND COMING TECHNOLOGY…

Page 4

The CISO Challenge

GARTNER PREDICTS THAT BY 2014, 80% OF GLOBAL 2000 ORGANIZATIONS WILL REPORT ON RISK AND SECURITY TO THEIR BOARDS OF DIRECTORS AT LEAST ANNUALLY.

-GARTNER, INC., “BUILDING AN EFFECTIVE IT RISK AND INFORMATION SECURITY PRESENTATION FOR YOUR BOARD OF DIRECTORS”, JUNE 2012

Page 5

The CISO Challenge

“IN THIS RESTRICTIVE ECONOMIC ENVIRONMENT, CISOS HAVE AN OPPORTUNITY TO REFRAME THE RISK DISCUSSION [WITH MISSION OWNERS] AND BUILD A STRATEGY… …THIS MAY SEPARATE THE SUCCESSFUL SECURITY AND RISK PROFESSIONALS, WHO CAN ADAPT STRATEGICALLY TO THE CURRENT CLIMATE, FROM THE UNSUCCESSFUL ONES, WHO STAY MIRED IN DAY-TO-DAY SECURITY FIREFIGHTING.”

-FORRESTER RESEARCH, “UNDERSTANDING SECURITY AND RISK BUDGETING FOR 2013”, JANUARY 2013

Page 6

The Enterprise v. The Borg

“Understanding (IT Security) is Futile”

Page 7

“Connect Security To the Business” (CSTB) Work-in-Progress: Two Years of Conversations

Over 1500 CISOs/CSOs, execs and IT management over nearly 2 years of research. Volunteer, light touch, feedback loop: “How well are you doing at connecting security to the business or mission?” Consistent set of questions:

Security Control Framework? Start/status/progress

Reporting Structure & Staff/Resources

Challenges & Successes

Budget (Overall + ITSec)

Company size, Industry, Annual Revenues

Job Tenure (and Staff Tenure)

What is working, what do you need?

Page 8

IT SECURITY & COMPLIANCE AUTOMATION

I need to…

• Effectively govern the privacy and security of our digital assets

• Communicate the value of security to my business/mission

• Connect security to our mission

• Establish relevance with my Board, executives and colleagues

• Gain insights into our information security cyber-risks

• Measure, compare and contrast our risk posture

• Get more visibility [I don’t know what I don’t know]

• Provide timely reports for many different constituents

Page 9

What’s the impact? “It’s not me, it’s you….”

• Two-year CISO lifespan on the job (50%/CIO, 50%/CEO)

• 5-10% of IT budget on average

• Executive level needs increased visibility, but doesn’t understand

• Ineffective communication with executive levels. Why?

No understanding. Only meet when there’s a crisis. Silos – organizational and technical. Inability to demonstrate value to management. Difficult to communicate and drive positive change across the organization. Time and money wasted manually pulling in data and generating reports. CISO doesn’t have what the CFO has in GAAP, EBITDA, P/E etc.

Page 10

The CISO’s Journey

Page 11

The Three Types of CISOs (chart: Technical Experience vs. Business Experience, Operational to Strategic)

“Technical” CISO

• Focuses on audit, security tools, ops & monitoring

• Little roll-up of raw data, which doesn’t translate well to the business

“Business” CISO

• Focuses on a security program that provides/guides compliance

• Has some manual, business-relevant security reporting

• Thinks about metrics, starting small and establishing roadmaps

“Strategic” CISO

• Partners with the business to manage risk

• Understands how security meshes with the value chain

• Aligned with all business priorities + calibrated suite of thematic metrics, some rolling up multiple security controls

Page 12

The CISO needs what the CFO has….

Financial Reporting

• Objective facts

• Consistent definitions

• Trending

• Performance against goals

• Performance against peers

• Consistent rhythm of communication (regardless of market conditions)

• Clear communication to diverse audiences internally and externally

A way to describe security performance like the CFO describes financial performance

Earnings Per Share

Revenues

Gross Margins

EBITDA

Operating Income

Net Income

Current Assets

Accounts Receivable

Cash Flow

Current Liabilities

Page 13

Common Strengths

• Verbally strong

• Trusted

• More directionality than technical precision

• Translates business priorities into security controls and technical initiatives

• Works with executive team in non-crisis mode

• Predictable information – schedule + visualizations

• Articulates risk in terms of business consequences

• Forecasts/predicts outcomes

• Demonstrates business value to other organizations

• Proactive, not reactive

• Knowledgeable but not hands-on

• When presenting – knows the target outcome

Page 14

What’s Been Working & Suggestions: Every Organization Is Different

#1 – Exec buy-in, agreement, support (MBOs?)

#2 – Know your business/mission initiatives

#3 – Have the ‘risk’ discussion – especially re ‘consequences/impact’

#4 – Figure out what you can summarize in 2 slides and 5 minutes

#5 – Commit to helping the exec team understand – give business context

• Who’s your audience?

• Skip the jargon, avoid technical ratholes and belly-bumping

• Who can help – coaches/mentors, other CISOs

• Meet frequently with peers and other orgs to give valuable information

• Socialize your ideas, visuals, progress points, ask for input

• Check out both finance team & marketing/communications

#6 – Improve your public speaking

Page 15

Great Milestone: Bringing Together the Best

Security configuration management

Best-of-breed file integrity monitoring

Log and security event management

IT Security and compliance platform

Security trending and visualization

Reporting for all audiences

Vulnerability management

Cloud based security services

Peer benchmarks

Asset management

WebApp scanning

Analytics and reporting

Agentless configuration auditing & file integrity monitoring

Best research – VERT

Wide Solution Span. Integrated. Partner to our customers: “Connecting Security to the Business/Mission”

Page 16

Security Business Intelligence, Analytics, Visualizations, & Reporting

Tripwire Delivers Foundational Security Controls (diagram; vertical axis: Depth of Control; horizontal axis: Number of Devices, Low to High)

Elements shown: Agent-based; Agentless; Security Configuration Management; Deep FIM; Vulnerability Management & Log Management; Asset Discovery & Reconciliation; Critical Data; Risk & Business Criticality Partners

Page 17

$150M+ Annual Sales

400+ Employees

Profitable

7000+ Customers in 96 countries

Remain small enough to be nimble, innovative; Large enough to be the long-term leader in our market

Page 18

New Tripwire: Worth a Roadmap Discussion

Vulnerability Management

Security Configuration Management

Log/Event Intelligence

Integrations: ArcSight, Remedy, NetApp, Core Security, Skybox, RSA Envision, etc.

Page 19

SANS 20 CSC – “Foundational Controls” 1-4

1, 2, 3, 4, 5, 6, 10, 11, 12, 14, 15, 16

Page 20

Page 21

FY 2013 FISMA Metrics – J. Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator. Cross-Agency Priority (CAP) Goal: Cybersecurity – FY2013 Q1 Update

http://my-goals.performance.gov/sites/default/files/images/Cybersecurity%20CAP%20Goal%20%20FY2013%20Quarter%201%20Update.pdf

Page 22

Page 23

You’ve got 2 slides and 5 minutes…Go!

Page 24

Page 25

Benchmarks, Metrics, and KPIs: VM, CA, PM, AV, IAM, CIS

Page 26

Benchmarks, Metrics, and KPIs: VM, CA, PM, AV, IAM, CIS

Page 27

Know Your Assets

“To know that I’ve got a device out there that’s not being monitored is even closer to my heart.”

-T/CISO, Telecom

SANS 1&2 Security Control Coverage

Page 28

CSTB/M

“Once our remediation process is in place, we will roll in Vulnerability metrics.”

-ISSM, State/Local/Fed

“We aren’t good at vulnerability assessment right now. We will add the VA factor later.”

-VP IT Operations & Security, Industrials

Security Control Coverage

Page 29

Set Goals, Track, Trend

“It doesn’t matter where you set the initial benchmark. Set it and run the data for 6 months, see how your Business Units behave.”

-CISO, Financial Services

“The math is irrelevant. Whether it goes up or down has the meaning.”

-VP, Big Oil

Page 30

The Value of Comparison

“This is trending on steroids.”

-B/CISO, Banking

“I need flexible access to my organization’s deep hierarchy.”

-S/CISO, Big Oil

“I need to subdivide my categories.”

-Senior Security Architect, Healthcare

Page 31

Multi-dimensional Views

“That was a great chart if that was consistently what I could show senior leadership.”

-B/CISO, Retail

SANS 3 Performance for Business-Critical Assets

“Don't use Red/Amber/Green. Establish your risk tolerance and either you're compliant or you're not.”

-VP, Compliance

“I see a lot of benefits… it’s giving my execs access to see this data real time for themselves.”

-T/CISO, Tech

Page 32

Measure, Communicate and Drive Action Across the Security and IT Ecosystem

(diagram) Security Business Intelligence Summary – Aggregated/Weighted Across Business Context

SANS Controls: SANS 1&2: Asset Inventory; SANS 3: SCM/CA; SANS 4: VA; SANS 5: Malware

Operational Reports

• Objective

• Factual

• Trustworthy

• Consistent

• Understandable

• Actionable (or demonstrated actions taken)

• Business Context

Page 33

Observations: It’s Time We Figure Out Security Collaboration – Seriously….

• Security Technology Community

• Information velocity

• Volunteering at SANS / help the Council on CyberSecurity

• Recruit youth/new talent into security

• Vendors – work and play well with others!

• Human Factor – People as Assets (SANS 1, 2, & ?)

• Metrics => KPIs => Benchmarks Mapping

Page 34

tripwire.com | @TripwireInc

THANK YOU

[email protected]

WWW.TRIPWIRE.COM/STATE-OF-SECURITY

@KAT_BROCK