CISO Institute: Creating a World Class Security Organization
DESCRIPTION
As dependency on and integration of technology increases, information security leaders are inheriting the responsibility of serving as change ambassadors. Whether it is managing through risk-based governance, maturing security capabilities or determining how security can be communicated effectively, CISOs are vital in creating continued business value. John Johnson defines areas of impact and accountability for security leaders and introduces specific action steps to establish the role of the security organization in transforming companies from mediocre to world class.
TRANSCRIPT
Creating a World Class Security Organization
John D. Johnson, Global Security Strategist, John Deere
CISO Institute: The University of Chicago, Booth School of Business
August 19, 2014
What it takes and why it matters…
About Me
John Deere
Deere & Company (NYSE: DE) is a world leader in providing advanced products and services and is committed to the success of customers whose work is linked to the land - those who cultivate, harvest, transform, enrich and build upon the land to meet the world's dramatically increasing need for food, fuel, shelter and infrastructure.
Since 1837, John Deere has delivered innovative products of superior quality built on a tradition of integrity. John Deere has 130 business units operating in 30 countries, with 5,000 independent dealers operating in 160 countries. Deere has 67,000 employees and an annual revenue of $38B. For more information, visit John Deere at its worldwide website at www.JohnDeere.com.
From Big Iron to Big Data
Leveraging Technology to Lead the Way
Data-Driven Precision Farming
Big Data & Analytics
Mobility & Remote Management
Vehicle to Vehicle Communications
Back in 1999…
Defending The Castle
The Castle Model of Defense
What is the advantage of a castle?
The castle is built on high ground
The castle has visibility to see enemies approaching far away
The castle has thick, impervious walls
Guards watch everyone coming and going
It is very difficult and expensive for enemies to breach a castle
Why is our enterprise not a castle?
The Internet has no high ground
We don't have good visibility to threats
We have lots of holes in our walls
We don't inspect all the traffic coming and going
The Asymmetric Problem: it is expensive to defend, but the adversary only needs to find one hole to breach the enterprise
The Situation
Organizational Structure Challenges
Budget Challenges
Rapidly Evolving Threat Landscape: the volume and sophistication of attacks is up
Our future relies on our ability to take advantage of opportunities related to social, mobile, big data/analytics & cloud – faster, cheaper & securely
Security can be the enabler
Security Spend
(figure: nested view of Your Company's Revenue, the IT Budget within it, and the Infosec Budget within that)
80% of spend is only 30% effective at securing the business
Infosec Budget
(figure: the "Important Stuff" slice of the infosec budget: Firewalls, IDS, AV)
Aligned Risk-Based Strategy
Risk Management Framework
Threat Intelligence
Regulatory Knowledge
Environmental Knowledge
Business Knowledge
What do we want to really protect? Focus!!!
Meaningful Security Metrics
Communication
Capability Maturity
As the security program matures, more fundamental pieces will be in place to support advanced toolsets and capabilities necessary to protect against more advanced threats and respond faster to attacks
(figure: maturity levels) 1 Informal; 2 Planned & Tracked; 3 Well Defined; 4 Quantitatively Controlled; 5 Continuously Improving
Improved ability to anticipate, execute & respond
N.B. – Ponemon Self-Assessment ranges from -2 to +2
Exercise
Identify Top 5 Threats to Your Organization
Estimate Risk (Impact, Likelihood)
Plot on Graph (how do they trend?)
Identify Top 2-3 Business Initiatives at Your Organization
Identify Top 2-3 Security Capabilities to Improve
Prioritize Top 3-5 Security Initiatives to Mitigate Risk
Spend 10 Minutes Discussing with Neighbor
Example: Endpoint Risk
(figure: scatter plot with axes Likelihood and Impact, each on a 0 to 4 scale, plotting Data Loss, Advanced Threats, Event Logging, Web Threats, System Attacks, Endpoint Mgmt and Basic Malware)
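The exercise above (estimate risk, plot it, then prioritize initiatives against capability maturity) can be worked through in a small script. The following is an added example, not material from the talk or from John Deere. Its scoring scheme is an assumption: likelihood and impact use the 0 to 4 scale of the Endpoint Risk slide, risk is their product, an initiative's value is the risk it removes divided by its relative cost, and an initiative that needs more than one maturity level above the program's current level is deferred, reflecting the capability-maturity slide's point that foundations must precede advanced tooling. All threat scores, initiatives, fractions and costs are constructed sample data.

```python
"""Risk-register exercise: score threats, rank them, pick initiatives.

Added example with assumed scoring; all numbers below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # 0-4, as on the Endpoint Risk slide
    impact: float      # 0-4

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 0 <= v <= 4:
                raise ValueError(f"{self.name}: scores must be on a 0-4 scale")

    def risk(self) -> float:
        # Assumption: multiplicative score, so the maximum is 16.
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Initiative:
    name: str
    capability: str          # capability this initiative matures
    requires_maturity: int   # level (1-5) the program needs to run it well
    mitigates: tuple         # ((threat name, fraction of its risk removed), ...)
    cost: float              # relative effort, > 0


def rank_threats(threats):
    """Threats by risk score, highest first; ties broken by impact."""
    return sorted(threats, key=lambda t: (t.risk(), t.impact), reverse=True)


def risk_reduction(initiative, threats):
    """Total risk score removed by one initiative across the register."""
    by_name = {t.name: t for t in threats}
    total = 0.0
    for name, fraction in initiative.mitigates:
        if name not in by_name:
            raise KeyError(f"{initiative.name}: unknown threat {name!r}")
        if not 0 <= fraction <= 1:
            raise ValueError(f"{initiative.name}: fraction must be 0..1")
        total += by_name[name].risk() * fraction
    return total


def prioritize(initiatives, threats, maturity, top_n=3):
    """Return (name, risk removed per unit cost) for the top_n initiatives the
    program can execute now, plus the names of those deferred.

    Assumption: anything needing more than one level above current maturity
    is deferred until the foundational capabilities are in place."""
    ready, deferred = [], []
    for i in initiatives:
        if i.requires_maturity > maturity + 1:
            deferred.append(i.name)
            continue
        ready.append((i.name, round(risk_reduction(i, threats) / i.cost, 2)))
    ready.sort(key=lambda x: x[1], reverse=True)
    return ready[:top_n], deferred


# Constructed sample register; names follow the Endpoint Risk slide.
THREATS = (
    Threat("Data Loss", 2.5, 3.5),
    Threat("Advanced Threats", 1.5, 4.0),
    Threat("Web Threats", 3.0, 2.0),
    Threat("System Attacks", 2.0, 2.5),
    Threat("Basic Malware", 3.5, 1.0),
)

INITIATIVES = (
    Initiative("Central event logging", "Event Logging", 2,
               (("Advanced Threats", 0.3), ("System Attacks", 0.3)), cost=3.0),
    Initiative("Endpoint management", "Endpoint Mgmt", 2,
               (("Basic Malware", 0.6), ("System Attacks", 0.4),
                ("Web Threats", 0.3)), cost=2.0),
    Initiative("Data loss prevention", "Data Protection", 3,
               (("Data Loss", 0.5),), cost=4.0),
    Initiative("Threat hunting team", "Threat Intelligence", 4,
               (("Advanced Threats", 0.5),), cost=5.0),
)

CURRENT_MATURITY = 2  # "Planned & Tracked" on the 1-5 scale


if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.name:18} L={t.likelihood} I={t.impact} risk={t.risk():.2f}")
    top, deferred = prioritize(INITIATIVES, THREATS, CURRENT_MATURITY)
    print("Do now:", top)
    print("Deferred until more mature:", deferred)
```

The interesting result is that the highest-risk threat (Data Loss) does not produce the top initiative: endpoint management removes more total risk per unit of effort because it touches three threats at once, and the threat-hunting team, which would address the second-ranked threat directly, is deferred because the program is two maturity levels short of running it well. That is the shift in priorities the debrief asks about.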
Exercise Debrief
How difficult was it for you to: identify threats, estimate risk, identify business objectives, identify weak security capabilities?
Did your priorities change when you considered business objectives and capability maturity?
Are you aligned with organization’s risk appetite?
Will these initiatives help you answer difficult questions your executives ask?
Key Leadership Qualities
Honesty, Integrity & Trust
Seal the gap between words and action to build trust
Vision
Listener
Empathy
Humility
Communicator
Passion
Ref: Leadership: A 360 Degree View, ISSA CISO Forum (Aug. 2014), Jeff Snyder (SecurityRecruiter.com); see also Servant Leadership
Conclusion
Understanding and effectively conveying IT security risk to executives is critical to business success when utilizing technology
The CISO must understand the business and align security strategy (risk-based)
Make security a partner & change agent! Running security like a business means showing how security adds value, instead of being seen as a cost center
Build foundational capabilities to create a proactive security program
Develop the leadership skills necessary to effectively lead this change
Contact Info
Email: [email protected]
Website: http://www.johndjohnson.com
LinkedIn: http://www.linkedin.com/in/nullsession/
Twitter: @johndjohnson