Security from the C-Suite
Top-Down Risk Management
Presented by Donald Edwards, CISSP
linkedin.com/in/dmedwards
At the executive level, security is a high (and increasing) priority, but it remains a supporting function for the core business.
One way or another, security priorities must be balanced with priorities from other parts of the business.
Copyright © 2020 Donald Edwards
Agenda
- Overview of typical C-Suite roles and their priorities
- Walk-through of the risk management process
- How to make it easy to prioritise your needs (and make your bosses look good)
We will start by talking about some of the problems that lend themselves to being solved with technical security controls on the network.
Typical roles in the C-Suite
Every company is different, but someone usually has these responsibilities:
- Chief Executive Officer (CEO) - Accomplish the company's mission
- Chief Operating Officer (COO) - Manage operations for services provided by the company
- Chief Information Officer (CIO) - Direct internal tech operations
- Chief Technical Officer (CTO) - Direct tech investments into the company's products
- Chief Financial Officer (CFO) - Manage financial risk to the company
- Chief Information Security Officer (CISO) - Manage information security risk to the company
Deterrence is almost entirely focused on explaining to insiders why they should not do bad things.
Very few protective and detective controls work specifically against insider threat. Those that are focused on insider threat are very intrusive and seldom used in normal work settings.
Responding to an insider threat incident may require more or better documentation. HR and Legal departments will be engaged.
Recovery from insider incidents likely will result in process changes. In cases where data is held hostage, legal proceedings may be involved.
CISO and CFO are largely advisory roles
In most companies, "the business" (COO, CIO, CTO) makes decisions about:
- Acceptable risks
- Balance between improving existing vs creating new products, features, and services
- Acceptable Return on Investment (ROI) related to:
- People
- Process
- Technology
Success as a security professional depends on your ability to communicate in terms "the business" understands
Risk evaluation
Everything starts with responsibility
Tying a specific risk to one or more responsibilities a company has undertaken helps to establish its importance in real terms
- First party responsibilities
- Company's mission, officers, employees, shareholders
- Second party responsibilities
- Purchasers or users of the company's products and services
- Third-party responsibilities
- Partners, contractors, service providers, insurance companies, banks, regulatory bodies
In an ideal world, you would know every network path and activity that should be allowed in detail for a person and the infrastructure itself would be configured only to allow those people and activities. In the real world, you need to make compromises. Often, a mix of the two strategies applied at different levels is prudent.
Risk evaluation
Describe the threat in unjargoned terms
The people you need to convince, "the business", probably will not understand technical or security-specific terms. Don't make them work to understand you!
- Describe possible actors - people or entities that want to do a bad thing
- Explain their possible motives - e.g. money, secrets, revenge, thrills
- Give your opinion on how likely it is that the actor will make an attempt
- Give your opinion on how likely it is that an attempt will succeed
- Explain the impact of a successful attempt (e.g. money lost, recovery cost, reputational damage)
- Be sure to explain who is impacted! Which internal org? External parties?
- Avoid jargon like "*ware" and "*crypt*"
As the number of nodes grows, networking equipment usually reaches a limit of how much rule complexity it can handle, so we need another principle to help in those situations.
Options to deal with risks
Ways of dealing with risk
- Remove the responsibility
- Accept risks as they are
- Reduce the threat likelihood
- Reduce the threat impact
- Transfer the risk
- Share the risk
Mitigating (reducing) risks
Reduce the likelihood of attempt or success
- Administrative controls
- e.g. Separation of duties, approval processes, minimum technical standards
- Technical controls
- e.g. Firewalls, source control software, backups
- Physical controls
- e.g. Locked doors, security cameras, bollards, security guards
Mitigating (reducing) risks
Reduce the impact
- Administrative controls
- e.g. Separation of duties, approval processes
- Technical controls
- e.g. Data and network segmentation, egress proxies
- Physical controls
- e.g. Physical segmentation of security areas
Evaluating the cost of controls
All controls come at a cost in terms of:
- People
- Number of people (Once? Ongoing?), geographic distribution
- Process
- Approvals introduce delay; processes need to be re-evaluated and documented regularly (by whom?)
- Technology
- Process enforcement often requires technology and tools - buy vs. build (by whom? What additional processes are required?)
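To show how the risk evaluation, treatment options and control-cost slides fit together as one calculation, here is an added worked example (not from the talk or its author): a risk is scored from likelihood of attempt, likelihood of success and impact, and each treatment option is compared by the loss it leaves the company and what it costs in people, process and technology. The risk, the three options and all figures are constructed sample values.

```python
# Added example, not from the talk: score a risk as the slides describe it and
# rank treatment options by residual expected loss and annual control cost.
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    responsibility: str  # first/second/third-party responsibility it ties to
    actor: str           # who wants to do the bad thing
    motive: str          # e.g. money, secrets, revenge, thrills
    p_attempt: float     # likelihood the actor tries, per year
    p_success: float     # likelihood an attempt succeeds
    impact: float        # cost of one successful attempt (currency units)
    impacted: tuple      # who bears the impact (internal orgs, external parties)

    def expected_loss(self) -> float:
        return self.p_attempt * self.p_success * self.impact

@dataclass
class Control:
    name: str
    kind: str                    # administrative, technical, physical or transfer
    people: float                # annual cost, split the way the slides do
    process: float
    technology: float
    attempt_factor: float = 1.0  # multiplies p_attempt (deterrence)
    success_factor: float = 1.0  # multiplies p_success (protection)
    impact_factor: float = 1.0   # multiplies impact (containment)
    transferred: float = 0.0     # share of residual loss carried by another party

    def annual_cost(self) -> float:
        return self.people + self.process + self.technology

def residual_loss(risk: Risk, c: Control) -> float:  # loss still retained with control
    loss = (risk.p_attempt * c.attempt_factor) * (risk.p_success * c.success_factor)
    return loss * (risk.impact * c.impact_factor) * (1.0 - c.transferred)

def net_benefit(risk: Risk, c: Control) -> float:  # loss avoided minus running cost
    return risk.expected_loss() - residual_loss(risk, c) - c.annual_cost()

def rank_options(risk: Risk, controls: list) -> list:  # (name, residual, cost, net)
    rows = [(c.name, residual_loss(risk, c), c.annual_cost(), net_benefit(risk, c)) for c in controls]
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample: one risk and three treatment options named on the slides.
CUSTOMER_DATA = Risk("Unauthorised access to customer records", "second party: customers",
                     "external criminal", "money", 0.8, 0.25, 400_000, ("customers", "Legal"))
OPTIONS = [
    Control("Access approval process", "administrative", 20_000, 10_000, 0, success_factor=0.6),
    Control("Network segmentation", "technical", 15_000, 5_000, 40_000, impact_factor=0.4),
    Control("Cyber insurance", "transfer", 0, 25_000, 0, transferred=0.7),
]
```

Net benefit is one input to the conversation with "the business", not the answer: transfer options leave reputational and second-party impact untouched, which the `impacted` field is there to keep visible.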