Braking Bad: positioning information security to drive innovation and transformation in the digital age
Richard Addiscott | Director IT Planning, Governance & Security | SUMMIT 2016 | Perth
agenda
• Context
• The business digital ecosystem and information security
• Legacy perceptions about security, and some thoughts on how we can try to break them…
• Positioning information security to drive innovation and transformation in the digital age
3 caveats before we start…
• I don’t have all the answers – but what I do have, I give to you today…
• The below is a work in progress for me – still plenty of work to do at Curtin
• My first principle for information security is that… CONTEXT IS KING!
my context
• Notable research initiatives
• WA’s largest university – ~60,000 enrolled students
• Australia’s 7th largest university by student number
• >4,000 staff
• Revenue >$0.9B in 2015, in a national sector generating $30B annually
• 38 schools across 5 teaching areas
• >60 different research bodies across 4 faculties
environment characteristics (not unique to Curtin)
• Varying degrees of security wherewithal (but it’s improving)
• Centralised IT, but shadow/grey IT and ghost-ware persist
• Presently, no Uni-wide mandate for security visibility or oversight
• Limited understanding of information asset value
• Security previously seen as tactical, reactive, and compliance-driven
• Information risks seen as an IT or records management problem
• Sound, but intuitive, IT security practices
• Pervasive [academic] cultural paradigm is to share information
the digital context and information security
information security leaders need to recognise…
Digitisation is not going away any time soon…
• 87% report that digitisation is a priority for their company
• 67% believe their company must become significantly more digitised to remain competitive
• 80% believe digitisation is a long-term transformation, not a fad
• 66% believe that a recession won’t slow the pace of digitisation
• 78% actively promote digitisation in their companies
Source: CEB 2016 Digitization Enterprise Survey
information security and change?
• The pace of change will vary… as will reactions to that change…
• Today, the information security team’s effectiveness (and therefore its VALUE) depends on its ability to demonstrably deal with and adapt to pervasive, ongoing digital change…
information security and change?
• Information security leaders need to ask themselves:
  o What type of information security service do I want to build and deliver?
  o What’s the perception my information security team has of its role today?
  o How do my stakeholders perceive us as an information security function?
  o Again, context matters…
(Slide graphic: CHANGE AGENT)
breaking perceptions
some legacy perceptions…
• “Security is too hard to engage with… they talk techie…”
• “Meh… that’s IT’s problem… they’ll figure it out… someday”
• “They just don’t understand my business”
• “Yeah… nah, they’re just the compliance police”
breaking perceptions – recognise two critical things…
• That you can’t do it all – identifying internal and external opportunities for symbiotic collaboration is key…
• It won’t happen overnight – it will require sustained effort and leadership
positioning information security
• Build alignment between the business and security
• Build & embed bi-directional security awareness
• Build and maintain a baseline level of information security capability maturity
• Adopt a risk-driven, rather than compliance-focused, approach to information security decision making…
building alignment
• Defining and documenting a strategic vision, mission and strategic roadmap aligned to business objectives is vital to breaking down legacy perceptions and gaining buy-in with the Executive…
• Must be written in business-centric language that clearly demonstrates an understanding of the enterprise’s strategic objectives;
• Identifies critical gaps and security challenges that must be met in a risk-informed manner to generate and deliver maximum business value;
• Details how security will enhance the business’ ability to exploit known and emerging opportunities in the digital ecosystem to drive innovation and transformation.
(Slide graphic: ENTERPRISE STRATEGY / INFORMATION SECURITY STRATEGY)
building awareness
• Security awareness training is typically done to meet compliance requirements and focuses on basic security principles for system users
• SALE vs SAT…
• Combined push and pull approach
• Security and risk wherewithal and culture must be built across multiple groups:
  o Users (staff, students and researchers);
  o Technical staff; and
  o Enterprise services leaders
(Diagram courtesy of SANS Institute – security awareness maturity stages: Non-existent; Compliance-focused; Promoting Awareness & Behaviour Change; Long-Term Sustainment & Culture Change; Metrics Framework)
building awareness
• Awareness is bi-directional – not just about the ‘user’!
• The information security team needs to be ‘aware’ of:
  o the business’ strategic drivers and objectives;
  o how achieving those objectives creates business value; and
  o then focus on identifying and managing critical risks to that value.
• Critical to develop a “coalition of the willing” across the organisation:
  o those who understand and see the business benefits of your mission; and
  o have the ability (and proactively seek) to influence other key stakeholders.
building ‘awareness’ @curtin
• Dedicated internal Information Security Advisory Services established (softly) in Q3 2015, delivering pragmatic, risk-appropriate, and business-enabling information security and risk advice…
• Full launch scheduled for June 2016; the intent is to become a highly visible and available ‘pull’ awareness mechanism to help embed security into IT capability acquisition from the ground up
• However, capability and capacity are currently limited to providing GRC advisory services (threat and risk assessments, PIAs, threat modelling etc.)
• Information Security Services Panel established March 2016 to supplement and augment internal Security Advisory capabilities
build capability maturity
• Achieving a ‘defined’ capability maturity rating is the baseline level required to gain traction and build trust in the information security function;
• If not “defined”, then it’s likely information security hygiene practices are not standardised or applied consistently;
• Capability maturity gaps = increased vulnerability to security threats
• Likely expectation from the Executive is to prioritise plugging gaps before investing time surfacing enabling initiatives!
(Figure: CAPABILITY MATURITY LEVELS over TIME – 1 Initial; 2 Repeatable/Managed; 3 Defined; 4 Managed; 5 Optimised)
curtin’s information security roadmap 2016-2018
GOVERNANCE
• information security management system
• policies, procedures, standards & guidelines
• security governance framework
• classification and handling guidance
• information security risk management framework
• annual assurance program
AWARENESS & CULTURE
• strategy & roadmap
• security advisory service
• information security services panel
• SALE (users, technical staff, service owners)
• student & researcher security awareness campaigns
• embedding secure systems development skills
• ongoing communications framework
• roles and responsibilities
CYBER RESILIENCE
• strengthening security monitoring & log management
• email advanced persistent threat protection
• security architecture framework
• incident response enhancements
• privilege management & application control
• annual assurance program
risk over compliance…
• Every business is different – remember, CONTEXT IS KING!
• Achieving and maintaining compliance with some legislation and regulations (e.g. Privacy, CCA) is non-negotiable for most organisations;
• However, focusing on compliance and check-list driven security will not increase perceptions of value for the information security team…
• The level and pace at which compliance is achieved across the organisation’s legislative and regulatory ecosystem should be just another risk-informed decision based on risk appetite and risk tolerance…
“You don’t make friends with salad” – Homer Simpson, 1995
(Slide graphic: RISK vs COMPLIANCE)
risk over compliance…
• Security tends to get a lot of traction immediately after major breaches occur;
• However, using FUD to ‘sell security’ to the Executive also has limited value over time… especially when your organisation is focused on building competitive advantage and its risk appetite and tolerance levels are very high!
• So, wherever possible, talk in the language of risk rather than compliance
• Even better, talk in terms of ‘opportunity’ rather than risk…
Which sounds better to you?
“We must put strong & visible security in the new app to reduce the likelihood of a breach of a user’s personal information or their credentials being harvested. We’ll be in breach of the Privacy Act if we don’t...”
vs.
“I reckon we can give users a more positive digital experience if we embed strong & visible security into the app. If they see we’re serious about protecting their personal information they may be willing to share even more with us, further increasing customer data volumes & insight…”
risk over compliance…
• Information security leaders will provide most value during an organisation’s innovation-driven digital transformation by:
  o helping ‘aware’ business stakeholders recognise early any new threats and vulnerabilities that could impact their ability to leverage maximum benefit and value from their initiatives;
  o providing risk-informed, pragmatic recommendations to reduce risk exposures in the system design phase; and
  o providing ongoing risk-informed advice across the system’s entire lifecycle to ensure digital capabilities are deployed, operated, maintained, and decommissioned in accordance with their agreed risk posture.
(Slide graphic: RISK vs COMPLIANCE, with BUSINESS VALUE as the balance point)
key takeaways to support digital transformation
• Talk in terms of opportunity, not FUD
• Establish a good security hygiene platform to build trust
• Bi-directional security awareness is critical
• Build change management skills and leadership through the security team
• Add “customer-obsessed” to the information security team’s ethos
• Articulate a clear, business-aligned Strategy, Vision and Mission for Security
• Focus on risk over compliance
• Knowing what business value looks like is critical
• Look to build a security “coalition of the willing” to gain business traction
• Innovation-driven digital transformation is not going away
• Make information security advice easy to access and business-centric
• Defined security maturity = more time to invest on enabling initiatives
• CONTEXT IS KING!
+ some other elements and tips we haven’t covered today…
• Live by the principle of “No Surprises”
• Organisation structure is also key to gaining traction and buy-in
• The extant IT operating model will influence security’s operating model
• Ensure governance enables rapid security decision making
questions?
contact details
Richard Addiscott
Director IT Planning, Governance & Security, Curtin University
Phone: 0410 566 548
LinkedIn: https://www.linkedin.com/in/richardaddiscott
Twitter: @raddisco
reference material & further reading
Material referenced directly or that has informed the development of this presentation is listed below (* = subscription-based content):
• Digitization Enterprise 2020: Navigating Risks in the Digitization Journey, Corporate Executive Board, January 2016*
• Scholtz T., Managing Risk and Security at the Speed of Digital Business, Gartner, 24 February 2016
• Whitworth M., McClean C., & O’Malley C., Security Leaders, Earn Your Seat At The Table, Forrester, 29 April 2015
• Whitworth M., McClean C., O’Malley C., & Dostie P., Six Steps to a Better Security Strategy, Forrester, 22 January 2016