Page 1

CONFIDENTIAL AND PROPRIETARY. This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other intended recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2016 Gartner, Inc. and/or its affiliates. All rights reserved.

Security Governance Trends and Leading Practices in the Public Sector

Bob Smock

Gartner Security & Risk Management

California Cyber Security Symposium 2016

29 September 2016 | Sacramento, CA

Page 2

Security Governance Key Takeaways

I’ll Tell You What to Build and Run

(Privacy)

Am I comfortable with our current approach?

Is it meeting my needs (or my boss’s)?

Are we doing the necessary things?

Are we inadvertently limiting our success?

Page 3

What Is Governance?

"A theoretical concept of actions and processes by which stable practices and organizations arise and persist." (Wikipedia)

"The exercise of authority and control." (Dictionary.com)

"Practices to provide strategic direction; achieve objectives; manage risk; use resources responsibly." (IT Governance Institute)

"The processes that ensure that requisite actions are taken to manage the organization's resources, in the most appropriate and efficient manner, in pursuit of its business goals." (Gartner)

Security governance exists to ensure that the security program adequately meets the strategic needs of the mission of the organization.

Security management implements that program.

Security operations execute the processes defined by that program.

Page 4

Strategic Planning Assumptions

Objectives of Security Governance

Traditional Security Risk Management:

Coordinate and control protection

Provide consistent and cohesive policies, processes and rights

Establish balanced and effective control

Business Risk Management via Security:

Facilitate internal business conditions

Transform approaches that simply meet security objectives into those that achieve business objectives

Immutable Truths of Security Governance

Traditional Approach:

Most security governance failures are not technology-related

Security programs tend to be viewed as controllers, not facilitators

Facilitation Approach:

Ensure processes that are consistent, repeatable and comprehensive

Ensure processes are commensurate with organizational culture and risk tolerance

Security governance does not have to be excessively painful, strict, formal or burdensome.

Page 5

4 Key Public Sector Security Governance Issues

(Table columns: Observation, Cause, Result)

1. Observation: Limited knowledge of how much is spent on security
   Cause: Security-specific costs are not broken out and reported separately from general IT
   Result: Limited perspective for prioritizing funding across departments and initiatives

2. Observation: Limited perspective on overall security posture and level of risk exposure
   Cause: Lack of periodic health checks and of a central authority with accountability or empowerment to enforce
   Result: Inconsistent security strategy, or strategy not commensurate with enterprise objectives

3. Observation: Limited strategic vision and planning horizons for the security program
   Cause: Consumed with tactical vulnerability and compliance management
   Result: Lack of defense-in-depth security architecture and improvement roadmap

4. Observation: Limited visibility into weaknesses that are process-related, not technology-related
   Cause: Focus on short-term vulnerability assessments and technical mitigations
   Result: Limited confidence that users, applications, devices and infrastructure can maintain security protection objectives

Page 6

Improving Security Governance Maturity: How to turn a vicious cycle into a virtuous one

Gartner research has shown clearly that enterprises that are more mature from an overall governance perspective are also more effective at discussing and dealing with risk-related issues, which will, in turn, result in improved risk management.

[Chart: security governance maturity by domain, scored 0 to 5, plotted against the Due Diligence Standard]

Domains: Vulnerability Management; Risk Assessment; Process Management; Planning & Budgeting; Organization; Policy & Procedure; Monitoring & Response; Program Management & Framework; Communication & Awareness; Architecture Management; Protection Management

Maturity Continuum (1 to 5): Weak/Ad Hoc, Reactive, Proactive, Managed, Optimized

Page 7

Improving Security Governance Maturity

[Chart: the same governance maturity domains, scored 0 to 5, with series for State Government, Public Sector and the Due Diligence Standard]

Domains: Vulnerability Management; Risk Assessment; Process Management; Planning & Budgeting; Organization; Policy & Procedure; Monitoring & Response; Program Management & Framework; Communication & Awareness; Architecture Management; Protection Management

Maturity Continuum (1 to 5): Weak/Ad Hoc, Reactive, Proactive, Managed, Optimized

Chart annotations: Regular & periodic measurement & communication; Integration of security with business execution; Level of authority & separation from operations; Expected behavior standards & guidelines; Environmental feedback & adjustment; Life cycle planning & operations; Establishing a culture of security; People, process & technology; Identification & mitigation tracking & reporting; Direction setting & prioritization; Residual risk & posture management

Vulnerability Management: Table Stakes — Patching, anti-malware, scanning, testing, contingency planning, incident response.

Risk Assessment: Measurement and Enforcement — Intended as a measure of effective risk management & continuous improvement, not simply compliance.

Process Management: Goals — Governance domains are necessary to categorize and guide interactions between security management & business reporting.

Monitoring & Response: Metrics — Report meaningful security metrics showing the value of security tied to achievement of business objectives. Look for leading KRI that impact business KPI.

Program Management & Framework: Objectives vs. Controls — Control frameworks are great for developing minimum standards, but do not translate well to program management & reporting.

Communication & Awareness: Power & Influence — Security is most effective when it collaborates with, educates & influences business units and leadership.

Architecture Management: Basic Blocking & Tackling — Fundamental defense in depth before pursuit of "bright & shiny" via multiyear roadmap.

Protection Management: Supporting Function & Groups — Understand the "hidden" business risk driven by change and associated with suppliers, the SDLC & culture.

Planning & Budgeting: Funding — Security organizations continue to be reduced and cost-constrained due to lack of ability to prioritize, with corresponding limitations on maturity vs. business enablement mentality.

Policy & Procedure: The Information Security Officer — A role to "influence & inform" business decision makers & build relationships with people that can influence change.

Organization: Structure — Focus on governance process effectiveness, rather than on the organizational position of the role.

Page 8

[Chart: security architecture maturity by domain, scored 0 to 5, with series for Public Sector and Minimum Due Diligence]

Domains and their chart descriptors:

Application Security: Software Built to Protect Transactions

Service Continuity: IT Disaster Recovery and Business Continuity Support

Change-Config Management: Service Impact Analysis of Modifications/Infusion

Data Security: Authorized Use of Fit-for-Purpose Data

Governance-Risk-Compliance: Security Policy, Planning, Monitoring & Enforcement

Endpoint Security: Configuring & Protecting Devices

ID-Access Management: Managing Who Accesses What Data and Systems and Why

Mobile Security: Secure Use of Tablets and Mobile Phones

Security Analytics: Intrusion & Exposure Detection

Network Security: Layered Connection Defense

Physical Security: IT Gear & Hardcopy Data Protection

Vulnerability Management: Incident Response & Weakness Mitigation

Chart annotations: Security Architecture Maturity Impact; Key Weakness Trend Areas (the per-domain trend markers are not recoverable from the transcript)

Page 9

Recommendations

Invest — When budgets are tight or cut, focus available investments on security awareness and building the business case for projects when funding improves.

Communicate — Establish a program that identifies, measures and communicates the dangers and reasons for security initiatives and employee vigilance.

Allow for exceptions and acceptance of business risk under specific conditions.

Coordinate and Lead — Regular forums for coordination between security and other department and business unit stakeholders to cultivate credibility and influence.

Establish target objectives that can be achieved by selecting controls driven by need and risk, not compliance.

Culture — Use accepted standards and frameworks, then modify to suit the needs of the organization & business culture.

Security leadership needs participation in the enterprise risk management process with senior management.

Value — Report metrics as indicators of the effectiveness and value of protections, not simply vulnerabilities mitigated.

Influence — Collaboration, communication, and credibility are a must. Influence, not edict, is the key tool. Report at highest level through consistent, understandable taxonomy.

Page 10

Closing Thoughts

Effective Security Governance:

Is critical to management's responsibility to maintain and protect the business.

Occurs when security has a seat at the table with business management.

Occurs when governance councils appreciate the value of security.

Partners with the business to protect assets, manage risk, enable business, support compliance.

Security domains shown on the slide: Cybersecurity, Information Security, IT Security, OT Security, Physical Security, IoT Security, Digital Security

Page 11

Recommended Gartner Research

Achieve Level 3 Maturity in Gartner's ITScore for Information Security. Rob McMillan and Tom Scholtz (G00238504)

Introducing the Gartner Information Security Governance Model. Tom Scholtz (G00201410)

Security Governance, Management and Operations Are Not the Same. Rob McMillan and Tom Scholtz (G00235293)

Page 12

Q&A: What are the pros and cons of your security governance?