
Security from the C-Suite

Silhouettes of several people in business attire

Top-Down Risk Management

Presented as part of The Lost Summer Project

Presented by Donald Edwards, CISSP

linkedin.com/in/dmedwards

Non-specific organisational chart emphasising that security is a small piece of the overall priority set

At the executive level, security is a high (and increasing) priority, but it remains a supporting function for the core business.
 
One way or another, security priorities must be balanced with priorities from other parts of the business.

Agenda

Overview of typical C-Suite roles and their priorities
 
Silhouettes of several people in business attire

Walk through of the risk management process
 
Sign showing various risks, including transport accidents, work accidents, and electric shock

How to make it easy to prioritise your needs
(and make your bosses look good)
 
Magnifying glass over finger prints


Typical roles in the C-Suite

Every company is different, but someone usually holds each of these responsibilities.

Cartoon of six people around a table

  • Chief Executive Officer (CEO) -
    Accomplish the company's mission
  • Chief Operating Officer (COO) -
    Manage operations for services provided by the company
  • Chief Information Officer (CIO) -
    Direct internal tech operations
  • Chief Technical Officer (CTO) -
    Direct tech investments into the company's products
  • Chief Financial Officer (CFO) -
    Manage financial risk to the company
  • Chief Information Security Officer (CISO) -
    Manage information security risk to the company


CISO and CFO are largely advisory roles

In most companies, "the business" (COO, CIO, CTO) makes decisions about:

Your success as a security professional depends on your ability to communicate in terms "the business" understands.

Two network nodes showing that direct access from one to another is blocked, but access is allowed through a control point.

Risk evaluation

Everything starts with responsibility

Tying a specific risk to one or more responsibilities the company has undertaken establishes its importance in real terms.

  • First-party responsibilities
    • Company's mission, officers, employees, shareholders
  • Second-party responsibilities
    • Purchasers or users of the company's products and services
  • Third-party responsibilities
    • Partners, contractors, service providers, insurance companies, banks, regulatory bodies

Risk evaluation

Describe the threat in unjargoned terms

The people you need to convince, "the business", probably will not understand technical or security-specific terms. Don't make them work to understand you!

  • Describe possible actors - people or entities that want to do a bad thing
  • Explain their possible motives - e.g. money, secrets, revenge, thrills
  • Give your opinion on how likely it is that the actor will make an attempt
  • Give your opinion on how likely it is that an attempt will succeed
  • Explain the impact of a successful attempt (e.g. money lost, recovery cost, reputational damage)
    • Be sure to explain who is impacted! Which internal org? Which external parties?
  • Avoid jargon like "*ware" and "*crypt*"

Options to deal with risks

Ways of dealing with risk

  • Remove the responsibility
  • Accept risks as they are
  • Reduce the threat likelihood
  • Reduce the threat impact
  • Transfer the risk
  • Share the risk

Mitigating (reducing) risks

Reduce the likelihood of attempt or success

  • Administrative controls
    • e.g. Separation of duties, approval processes, minimum technical standards
  • Technical controls
    • e.g. Firewalls, source control software, backups
  • Physical controls
    • e.g. Locked doors, security cameras, bollards, security guards

Mitigating (reducing) risks

Reduce the impact

  • Administrative controls
    • e.g. Separation of duties, approval processes
  • Technical controls
    • e.g. Data and network segmentation, egress proxies
  • Physical controls
    • e.g. Physical segmentation of security areas

Evaluating the cost of controls

All controls come at a cost in terms of:

  • People
    • Number of people (one-off or ongoing?), geographic distribution
  • Process
    • Approvals introduce delay; processes need to be re-evaluated and documented regularly (by whom?)
  • Technology
    • Process enforcement often requires technology and tools - buy vs. build (by whom? What additional processes are required?)
