1 / 28

Des Ward MSc MBCS CITP A.Inst.ISP Director of Security Awareness

“ Beyond technology: Five ways to change your v alue perception as a security professional” ClaraNet, London, 19 th June 2007. Des Ward MSc MBCS CITP A.Inst.ISP Director of Security Awareness UK Chapter – Information Systems Security Association. Who am I?.

gelsey
Télécharger la présentation

Des Ward MSc MBCS CITP A.Inst.ISP Director of Security Awareness

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. “Beyond technology: Five ways to change your value perception as a security professional”ClaraNet, London, 19th June 2007 Des Ward MSc MBCS CITP A.Inst.ISP Director of Security Awareness UK Chapter – Information Systems Security Association

  2. Who am I? Over 13 years Information/IT security experience within government and financial organisations. • Professional member of the BCS • Profiled within the 2006-2007 ‘International Who’s Who of Professionals’ • Chartered IT Professional (CITP) • Associate Member of the IISP • Distinction pass in the MSc in IT Security, specialising in Forensics and business-aligned security Five ways to change your value perception

  3. Five ways to change your value perception • Be an effective communicator • Educate don’t dictate! • Think about risk • Be useful • Provide secure solutions – not secure systems! Five ways to change your value perception

  4. 1 – Be an effective communicator • Greatest threat to business? – Security professionals who can’t communicate risks • Misinformed knee-jerk reactions abound – “The Nationwide effect” • Security seen as an IT issue • Misunderstanding of laws and regulations • The “good enough security” trap? • Technical performance or security excellence? Five ways to change your value perception

  5. Speaking the language of the board • ‘the organisation can do new things or do things in new ways’ • ‘the organisation can do things better’ • ‘the organisation can stop doing things that are no longer needed’ • Business value occurs where: • ROI comes from tangible emergent benefits to the business, not the ‘ROSI’ of controlling risk Five ways to change your value perception

  6. Better communication of issues • Root causes provide better security metrics • Translate technical risks into laws and regulations • Liaise with compliance depts to ensure correct level of risk signoff • Use marketing depts to communicate security policies, events etc Five ways to change your value perception

  7. Time for a change? • ‘IT Security’ = technical-focussed • Lack of common reporting structure (Deloitte, 2006) • Corporate governance undermined • Consider changing department name • Talk to other related functions Five ways to change your value perception

  8. 2 – Educate, don’t dictate! • Most incidents are internal • New, intuitive hacking tools mean more attackers • People feel safer opening suspicious links at work • Ineffective AV controls • Critical Windows client vulnerabilities are on the increase • Targeted attacks on the rise “Most organisations using computers are vulnerable to fraud perpetrated by employees preparing data for entry into a computer.” (Bainbridge, 2004) "Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs, and that was, I believe, over $105bn“ (Valerie McNiven, 2005) Five ways to change your value perception

  9. Tackling the sociological threats? • Security awareness during induction or via the staff handbook is most common (dti, 2006) • Systems abuse due to a failure to communicate responsibilities to staff (Audit Commission, 2005) • Technical controls = security is not the concern of the end user Five ways to change your value perception

  10. Educating the end user • The ‘witchdoctor’ maintains mystique surrounding security awareness! • Work-related awareness training • Flexible working/BCP • Security awareness training should be home-related • Devolve responsibility to end users • You can change attitudes! Five ways to change your value perception

  11. 3 – Think about risk • Lack of communication of security risks in business terms – would a child understand the risk? • Risk perception rarely understood • Many security policies do not equate to understanding • Complex risk assessment methodologies • Lack of risk/legal training within industry • Security breaches often relate to a regulation or law – use that to your advantage Five ways to change your value perception

  12. The traditional view of the corporate network… Five ways to change your value perception

  13. M&Ms are dead – enter the limpet! • Outsourced IT operations • Mobile working • Business Intelligence – CIA in action! • External websites • Web applications • VoIP • Corporate mergers • iPods and Smartphones 75% of all attacks occur at application layer (Gartner, 2005) Five ways to change your value perception

  14. Getting the security spend right The control – a Doberman called Barney The asset to be protected - $75,000 Mabel, formerly owned by Elvis Pressley Hmm, were all risks considered in the risk assessment? ‘…If the risk assessment is not carried out effectively, then the organisation will either waste money or be exposed to an unacceptable risk’ (Jones and Ashenden, 2005) Five ways to change your value perception

  15. 4 – Be useful • Operational IT ‘useful’ to the business • Security initiatives seen as a cost, overhead or ‘tax’ – is security useful? • Is security about one-dimensional controls? • Business cases about risk protection or business benefits? • Is security a benefit to operational IT or profitability? Five ways to change your value perception

  16. Beware the end user! Don’t use/circumvent! It this useful? No? No? Disbenefit! Am I happy? (Derived from DeLone and McLean, 2003) • Emergent benefits can be achieved • However, dismiss ‘disbenefits’ at your peril! Five ways to change your value perception

  17. Involving the business • Make organisations aware of emergent benefits • Benefits often dependant on user experience and perception • Understand balance between control and functionality • Interaction at business level means more benefits from security investment Five ways to change your value perception

  18. Talking the right language The benefits dependency framework (Derived from Ward et al, 2006) Five ways to change your value perception

  19. 5 – Provide secure solutions – not secure systems! • No innovation in security controls • Reactive technical security controls • Controls typically inhibit rather than enable (UHU instead of USB?) • Convergent security functionality without converging usefulness! • No interaction with operational teams • Technology rather than due diligence • More security technicians than consultants Five ways to change your value perception

  20. Maximising benefit • Provide a balance between the control and performance of key business systems • Trust is a commodity (eg Google, Amazon, eBay) • Security can benefit business operations • ‘Risky’ technologies need security controls • Engage with the business to present strategic solutions Five ways to change your value perception

  21. Architecture needs business drivers! • Without a business driver the most beautiful and complex architecture can fail to achieve fruition. Five ways to change your value perception

  22. Mapping out the business... • Logical security domains afford better understanding of the operating environment: Five ways to change your value perception

  23. ...maximises business performance • Which, when translated into the physical architecture becomes even clearer: Five ways to change your value perception

  24. Shared application environments cause issues! DB apps Telephony apps Financial apps FTP, Telnet, RDP, TFTP etc HR apps BI apps Facilities apps Customer apps eComm apps Internal network Five ways to change your value perception

  25. Internal network Facilities apps Users DB apps BI apps eComm apps Telephony apps Availability high domain Mixed risk domain Move to CIA-risk based placement! S/FTP, SSH, hardened configs, encryption etc HR apps Financial apps Customer apps Confidentiality high domain Fault tolerance High speed links Monitoring, HIPS, encryption, f/t links etc Five ways to change your value perception

  26. Summary • Beware of corporate culture • Understand business drivers • Security value in non-financial terms can be shown • Think small first, hone your skills! • Involve stakeholders • Promote understanding of business benefits • Focus on home security awareness • See things from the end user perspective • Understand relevant laws and regulations Five ways to change your value perception

  27. So what are the ISSA doing to help? • Strategic alliances with other organisations • Provision of security days • Expansion into other areas of UK • Linking into University of Westminster and RHUL Five ways to change your value perception

  28. Questions?des.ward@issa-uk.org Five ways to change your value perception

More Related