Security Leadership Enabling Business Transformation

Post on 18-Nov-2014


Very few organizations have developed a mature, consistent, risk-based security model and strategic vision, yet this is what is necessary to stay ahead of evolving threats and to effectively and efficiently manage the risk associated with current IT trends (social, mobile, analytics and cloud). If security leaders are able to communicate effectively and demonstrate business value, they will become change agents that enable business transformation and growth.


Security Leadership: Enabling Business Transformation

John D. Johnson, Ph.D., CISSP, John Deere

Agenda

Our organizations desire to leverage IT to:
• Gain deep customer knowledge
• Gain competitive advantage
• Move into new markets
• Build and maintain brand
• Collaborate with business partners

How do we protect IT systems and data in a world where change is accelerating?
• New technologies (SMAC) mean new threats
• New business needs and processes
• Erosion of the perimeter
• The adversaries have gotten serious

Defending The Castle

The Castle Model of Defense

What is the advantage of a castle?
• The castle is built on high ground
• The castle has visibility to see enemies approaching far away
• The castle has thick, impervious walls
• Guards watch everyone coming and going
• It is very difficult and expensive for enemies to breach a castle

Why is our enterprise not a castle?
• The Internet has no high ground
• We don’t have good visibility to threats
• We have lots of holes in our walls
• We don’t inspect all the traffic coming and going
• The asymmetric problem: it is expensive to defend, but the adversary only needs to find one hole to breach the enterprise

Extended Enterprise

IT Trends: Nexus of Forces (diagram: CoIT, Data, Mobile, Social, Cloud, Internet of Things, Threats, Regulations and Security Architecture, framed as Risk versus Opportunity)

The “Wave” of CoIT

The Situation Today
• The boundaries are moving, the perimeter is evolving
• Threats are more sophisticated and coming at us faster; internal and external
• The way we are doing business requires new processes/technologies to spur innovation, support agility, find competitive advantage
• Customers are demanding services
• Employees are demanding mobile devices, anytime/anywhere access, flexible work/life balance
• Business partners/suppliers/vendors need access to resources and data

We cannot enable business transformation if we are still trying to defend a castle: we need a new risk-based security model of governance, and we need to be recognized as key change agents.

Risk-Based Security Governance
• There are various risk-management models to choose from (ISO, NIST, hybrid, etc.)
• Risk is a meaningful way to express what we do to business leaders
• Standard frameworks allow us to compare against other organizations, and we should express IT security risk in a way that fits into the enterprise risk model

Our job is not to own risk; our job is to clearly explain risk and offer solutions. Executives make risk-based decisions every day.

ISO 31000 Risk Management Process

EISA Framework

Existence of formal RBSM function

Commitment to RBSM

Example RBSM Roadmap

Understand Current State
• Environment (assets (value/vulns/comp…), networks, data, applications)
• Business knowledge (requirements, processes…)
• Regulatory environment
• Threats (standard process for threat modeling/assessment)
• Capability maturity

Determine Risk

Prioritize Security Portfolio
• Business alignment
• Reduce risk
• Build capabilities

Develop Metrics (tactical, strategic)
• Measure effectiveness at risk reduction
• Measure efficiency

Communicate Business Value

Cyber Risk Analysis: Threat Modeling

Target
• Data (DAR, DIM, DIU: data at rest, in motion, in use)
• Code/Software
• Services
• Databases
• Operating Systems
• Networks/Infrastructure
• Platforms/Hardware/Firmware

Threat Vector
• Copy, Exfiltrate
• Modify, Corrupt
• Destroy, Denial of Service

Threat Source
• Insider
• Hacktivists
• Motivated Hobbyist
• Corporate Espionage
• Cybercriminals
• Nation State

Requirements
• Level of knowledge required
• Ability, Expertise
• Proximity required
• Access required
• Resources required
• Time required

Motivations
• Money
• Ideology
• Coercion
• Ego

Risk
• Impact: Magnitude, Scope
• Likelihood: Event Probability
• Risk Score

Risk can be mitigated; the threat landscape remains unchanged.

Risk Scoring

Impact
• Magnitude: Cost, Reputation, Injury
• Scope: Localized, Widespread

Likelihood
• Sophistication of Attack
• Access / Mitigating Controls
• Motivation of Attacker

Risk Heat (Bubble) Map (chart: numbered risk scenarios plotted as bubbles with Likelihood on one axis and Impact on the other)

Legend
• Size = Effort
• Color = Status (R/Y/G)
• Arrow = Trend, Velocity (direction, length)

Risk Scenario Prioritization
► Risk Scenario Prioritization allows us to compare the level of loss exposure from multiple scenarios, which improves our ability to prioritize effectively.
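The Risk Scoring slide and the prioritization slide above name the inputs (magnitude and scope for impact; attack sophistication, mitigating controls and attacker motivation for likelihood) but no formula. The Python below is an added worked example, not code from the presentation or from John Deere: it turns those factors into an Impact × Likelihood score, derives the heat-map legend (effort as bubble size, R/Y/G status, a trend arrow from last period's score) and ranks scenarios by loss exposure. The 1..5 scales, the weighting of scope, the R/Y/G thresholds and the four sample scenarios are all assumptions constructed for this illustration.

```python
"""Worked illustration of risk scoring and scenario prioritization.

Added example, not from the presentation.  The deck lists the factors
(Impact = Magnitude + Scope; Likelihood = attack sophistication,
mitigating controls, attacker motivation) but gives no formula.  The
1..5 scales, the weights, the R/Y/G thresholds and the sample scenarios
below are all assumptions constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Scenario:
    name: str
    # Impact: magnitude dimensions, each on an assumed 1 (negligible) .. 5 (severe) scale
    cost: int
    reputation: int
    injury: int
    widespread: bool          # scope: True = widespread, False = localized
    # Likelihood factors, each on an assumed 1..5 scale
    sophistication: int       # sophistication the attack requires (higher = harder to pull off)
    mitigating_controls: int  # strength of access/mitigating controls in place (higher = stronger)
    motivation: int           # motivation of the attacker (higher = more motivated)
    effort: int               # remediation effort, 1..5 (bubble size on the heat map)
    previous_score: Optional[int] = None  # last period's score, for the trend arrow


def impact(s: Scenario) -> int:
    """Impact 1..10: worst magnitude dimension, doubled when scope is widespread (assumed weighting)."""
    magnitude = max(s.cost, s.reputation, s.injury)
    return magnitude * (2 if s.widespread else 1)


def likelihood(s: Scenario) -> int:
    """Likelihood 3..15: motivation raises it; required sophistication and strong controls lower it."""
    return s.motivation + (6 - s.sophistication) + (6 - s.mitigating_controls)


def risk_score(s: Scenario) -> int:
    """Risk score 3..150 = Impact x Likelihood."""
    return impact(s) * likelihood(s)


def status(score: int) -> str:
    """R/Y/G colour for the heat map; the thresholds are assumptions."""
    if score >= 60:
        return "R"
    if score >= 25:
        return "Y"
    return "G"


def trend(s: Scenario) -> int:
    """Arrow on the heat map: signed change since last period (0 when there is no history)."""
    if s.previous_score is None:
        return 0
    return risk_score(s) - s.previous_score


def prioritize(scenarios: List[Scenario]) -> List[Scenario]:
    """Rank by loss exposure (score) descending; on ties, cheaper remediation first."""
    return sorted(scenarios, key=lambda s: (-risk_score(s), s.effort))


def heat_map_rows(scenarios: List[Scenario]) -> List[dict]:
    """One row per bubble: position, size, colour and arrow, ready for plotting."""
    return [
        {"name": s.name, "x": likelihood(s), "y": impact(s), "size": s.effort,
         "color": status(risk_score(s)), "arrow": trend(s)}
        for s in prioritize(scenarios)
    ]


# Constructed sample scenarios (not from the presentation).
SCENARIOS = [
    Scenario("Customer data exfiltrated from cloud file share", 4, 5, 1, True, 2, 2, 5, 3, previous_score=110),
    Scenario("Ransomware on one plant network", 3, 2, 2, False, 2, 3, 4, 4, previous_score=45),
    Scenario("Nation-state firmware implant in fielded hardware", 5, 4, 4, True, 5, 4, 3, 5),
    Scenario("Hobbyist defaces isolated marketing site", 1, 2, 1, False, 1, 2, 2, 1, previous_score=22),
]

if __name__ == "__main__":
    for row in heat_map_rows(SCENARIOS):
        print(f"{row['color']} {row['x'] * row['y']:>4}  L={row['x']:>2} I={row['y']:>2} "
              f"effort={row['size']} trend={row['arrow']:+d}  {row['name']}")
```

Running it ranks the cloud exfiltration scenario first (high impact and high likelihood), then the firmware implant (maximum impact despite low likelihood), which is the kind of comparison the bubble map makes visible: two red bubbles in different corners of the chart, one of them large because remediation is expensive. The deliberately coarse ordinal scales reflect the metrics slide's advice to start even with large error bars.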

Choose Effective Security Controls

As the security program matures, more fundamental pieces will be in place to support the advanced toolsets and capabilities necessary to protect against more advanced threats and respond faster to attacks.

Security Capability Maturity Model
1. Informal
2. Planned & Tracked
3. Well Defined
4. Quantitatively Controlled
5. Continuously Improving

Improved ability to anticipate, execute & respond

Capability Maturity: assess capabilities and develop a roadmap to mature (e.g. BSIMM)

IT Security Metrics

A consistent risk-based approach allows you to prioritize the security portfolio and express security value to your executives.
• You can manage things you can’t measure
• Quantitative metrics are great when you can get them (automated, reliable)
• Don’t let large error bars and uncertainty keep you from getting started
• Find consistent ways to express KRIs and KPIs that are meaningful to business
• (Scott Borg) There are things you didn’t know you could quantify: reputation harm, customer trust & loyalty, etc.

Use of metrics to determine RBSM effectiveness

Wrap Up
• There are no magic buttons for security
• Doing something is better than doing nothing

Questions:
• How many of you use RBSM? Why? What are the results?
• How have you gained “business knowledge”?
• Do you use a CMM? Are you maturing capabilities? Are you comparing to others?
• Do you have an IT security metrics program? Successful?
• Can you share examples of how you communicate the value of IT Security to your executives?
• Are you seen as a change agent?