CONFIDENTIAL AND PROPRIETARYThis presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other intended recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2016 Gartner, Inc. and/or its affiliates. All rights reserved.
Security Governance Trends and Leading Practices in the Public Sector
Bob Smock
Gartner Security & Risk Management
California Cyber Security Symposium 2016
29 September 2016 | Sacramento, CA
Security Governance Key Takeaways
I’ll Tell You What to Build and Run
(Privacy)
Am I comfortable with our current approach?
Is it meeting my needs (or my boss’s)?
Are we doing the necessary things?
Are we inadvertently limiting our success?
What Is Governance?
"A theoretical concept of actions and processes by which stable practices and organizations arise and persist." (Wikipedia)
"The exercise of authority and control." (Dictionary.com)
"Practices to provide strategic direction; achieve objectives; manage risk; use resources responsibly." (IT Governance Institute)
"The processes that ensure that requisite actions are taken to manage the organization's resources, in the most appropriate and efficient manner, in pursuit of its business goals." (Gartner)
Security governance exists to ensure that the security program adequately meets the strategic needs of the mission of the organization.
Security management implements that program.
Security operations execute the processes defined by that program.
Strategic Planning Assumptions
Objectives of Security Governance
Traditional Security Risk Management: coordinate and control protection; provide consistent and cohesive policies, processes and rights; establish balanced and effective control.
Business Risk Management via Security: facilitate internal business conditions; transform approaches that simply meet security objectives into those that achieve business objectives.
Immutable Truths of Security Governance
Traditional Approach: most security governance failures are not technology-related; security programs tend to be viewed as controllers, not facilitators.
Facilitation Approach: ensure processes that are consistent, repeatable and comprehensive; ensure processes are commensurate with organizational culture and risk tolerance.
Security governance does not have to be excessively painful, strict, formal or burdensome.
4 Key Public Sector Security Governance Issues (Observation / Cause / Result)
Observation: Limited knowledge of how much is spent on security.
Cause: Security-specific costs are not broken out and reported separately from general IT.
Result: Limited perspective for prioritizing funding across departments and initiatives.
Observation: Limited perspective on overall security posture and level of risk exposure.
Cause: Lack of periodic health checks and of a central authority with accountability or empowerment to enforce.
Result: Inconsistent security strategy, or strategy not commensurate with enterprise objectives.
Observation: Limited strategic vision and planning horizons for the security program.
Cause: Consumed with tactical vulnerability and compliance management.
Result: Lack of a defense-in-depth security architecture and improvement roadmap.
Observation: Limited visibility into weaknesses that are process-related, not technology-related.
Cause: Focus on short-term vulnerability assessments and technical mitigations.
Result: Limited confidence that users, applications, devices and infrastructure can maintain security protection objectives.
Improving Security Governance Maturity: How to turn a vicious cycle into a virtuous one
Gartner research has shown clearly that enterprises that are more mature from an overall governance perspective are also more effective at discussing and dealing with risk-related issues, which will, in turn, result in improved risk management.
[Figure: radar chart of security governance maturity, scale 0 to 5, showing the Due Diligence Standard across eleven domains: Vulnerability Management, Risk Assessment, Process Management, Planning & Budgeting, Organization, Policy & Procedure, Monitoring & Response, Program Management & Framework, Communication & Awareness, Architecture Management, Protection Management.]
Maturity Continuum (1 to 5): Weak/Ad Hoc, Reactive, Proactive, Managed, Optimized
Improving Security Governance Maturity (continued)
[Figure: the same maturity radar chart (scale 0 to 5, same eleven domains), with the State Government and Public Sector profiles plotted against the Due Diligence Standard.]
Maturity Continuum (1 to 5): Weak/Ad Hoc, Reactive, Proactive, Managed, Optimized
Domain descriptors shown on the chart:
Regular & periodic measurement & communication
Integration of security with business execution
Level of authority & separation from operations
Expected behavior standards & guidelines
Environmental feedback & adjustment
Life cycle planning & operations
Establishing a culture of security
People, process & technology
Identification & mitigation tracking & reporting
Direction setting & prioritization
Residual risk & posture management
Vulnerability Management: Table Stakes — Patching, anti-malware, scanning, testing, contingency planning, incident response.
Risk Assessment: Measurement and Enforcement — Intended as a measure of effective risk management & continuous improvement, not simply compliance.
Process Management: Goals — Governance domains are necessary to categorize and guide interactions between security management & business reporting.
Monitoring & Response: Metrics — Report meaningful security metrics showing the value of security tied to achievement of business objectives. Look for leading KRI that impact business KPI.
Program Management & Framework: Objectives vs. Controls — Control frameworks are great for developing minimum standards, but do not translate well to program management & reporting.
Communication & Awareness: Power & Influence — Security is most effective when it collaborates with, educates & influences business units and leadership.
Architecture Management: Basic Blocking & Tackling — Fundamental defense in depth before pursuit of "bright & shiny" via a multiyear roadmap.
Protection Management: Supporting Functions & Groups — Understand the "hidden" business risk driven by change and associated with suppliers, the SDLC & culture.
Planning & Budgeting: Funding — Security organizations continue to be reduced and cost-constrained due to lack of ability to prioritize, with corresponding limitations on maturity versus a business enablement mentality.
Policy & Procedure: The Information Security Officer — A role to "influence & inform" business decision makers & build relationships with people that can influence change.
Organization: Structure — Focus on governance process effectiveness, rather than on the organizational position of the role.
Security Architecture Maturity Impact: Key Weakness Trend Areas
[Figure: radar chart of security architecture maturity, scale 0 to 5, plotting the Public Sector profile against Minimum Due Diligence across twelve domains; trend markers on the chart flag the key weakness areas.]
Domains and what each covers:
Application Security: Software built to protect transactions
Service Continuity: IT disaster recovery and business continuity support
Change-Config Management: Service impact analysis of modifications/infusion
Data Security: Authorized use of fit-for-purpose data
Governance-Risk-Compliance: Security policy, planning, monitoring & enforcement
Endpoint Security: Configuring & protecting devices
ID-Access Management: Managing who accesses what data and systems and why
Mobile Security: Secure use of tablets and mobile phones
Security Analytics: Intrusion & exposure detection
Network Security: Layered connection defense
Physical Security: IT gear & hardcopy data protection
Vulnerability Management: Incident response & weakness mitigation
Recommendations
Invest — When budgets are tight or cut, focus available investments on security awareness and building the business case for projects when funding improves.
Communicate — Establish a program that identifies, measures and communicates the dangers and reasons for security initiatives and employee vigilance.
Allow for exceptions and acceptance of business risk under specific conditions.
Coordinate and Lead — Regular forums for coordination between security and other department and business unit stakeholders to cultivate credibility and influence.
Establish target objectives that can be achieved by selecting controls driven by need and risk, not compliance.
Culture — Use accepted standards and frameworks, then modify to suit the needs of the organization & business culture.
Security leadership needs participation in the enterprise risk management process with senior management.
Value — Report metrics as indicators of the effectiveness and value of protections, not simply vulnerabilities mitigated.
Influence — Collaboration, communication, and credibility are a must. Influence, not edict, is the key tool. Report at highest level through consistent, understandable taxonomy.
Closing Thoughts
Effective Security Governance:
Is critical to management's responsibility to maintain and protect the business.
Occurs when security has a seat at the table with business management.
Occurs when governance councils appreciate the value of security.
Partners with the business to protect assets, manage risk, enable business and support compliance.
Scope of "security" in this context: Cybersecurity, Information Security, IT Security, OT Security, Physical Security, IoT Security, Digital Security.
Recommended Gartner Research
"Achieve Level 3 Maturity in Gartner's ITScore for Information Security", Rob McMillan and Tom Scholtz (G00238504)
"Introducing the Gartner Information Security Governance Model", Tom Scholtz (G00201410)
"Security Governance, Management and Operations Are Not the Same", Rob McMillan and Tom Scholtz (G00235293)
Q&A: What are the pros and cons of your security governance?