
Upload: kory-sanders

Post on 11-Jan-2016


Page 1

© Koen Maris, 2015

Who am I ….

• Alumnus of MITGA class of 2014

• Information security consultant with + 15 years experience

• Emphasis on the human aspect in technology / information security

• Strong technical background

• Married, father of 2 and I live in one of Europe's smallest countries

Page 2

The demise of information security

Koen Maris

Page 3

On the road to nowhere…


One billion bank heist: The gang – dubbed “Carbanak” by Russian security company Kaspersky – has been stealing directly from banks rather than posing as customers to withdraw money in the biggest cyber heist to date.

Regin spyware: An "extremely complex" and "stealthy" spying program has been stealing data from ISPs, energy companies, airlines and research-and-development labs, a security company has said.

Heartbleed SSL vulnerability: The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content

Page 4

How did we get there?

You have to know the past to understand the present

Dr. Carl Sagan

Page 5

Information security evolution

In the beginning…

• Emphasis on technical aspects

• Security perceived as a solely IT related issue

• Building a strong fortress and keeping the enemy out

• The outside = evil and dangerous

Some time later… Attention from the management

• Creation of information security policies

• Procedures integrated

• Some new organizational structures appear to house information security

Standardization: information security was recognised as having more dimensions than the purely technical, which led to the creation of best practices such as ISO 27001. Companies measure compliance levels and gain more awareness on the matter.

Understanding that security is part of corporate governance: information security governance, leading to transversal functions omnipresent in the organisation, aligned with business and focused on risk.

Today… Cyber security

Organisations know its importance BUT the landscape of attack changed drastically. Organization ≠ stronghold or fortress. Attacks shifted to the end-user. Agility and flexibility are demanded by the end-user from you and the organisation.

Page 6

Today in information security / cyber security

We used to build these…

However, we are interconnected…

And we need security for…

Page 7

We fail to assess risk

Page 8

Failure to identify risk

Dangerous or not?

• Kristina Svechinskaya: creator of ZeusBot, stole 9 million $

• David L. Smith: released the Melissa worm in 1999

• Dries Buytaert: founder of Drupal

Page 9

Problem statement: some research…

Page 10

Problem statement


• Information security is associated with technology

• Interest of decision makers not proportional to the dependence on information technology and the related information security issues*

• Information security seen by senior management and the board as too complex and technology oriented

• Information security considered a discretionary budget line item*

• Difficult to align information security with business requirements, taking into account the defined risk appetite

* Julia H. Allen, Governing for enterprise security Carnegie Mellon Cylab

Page 11

Research questions

[Diagram: awareness level of the Board of Directors and executive management regarding information security governance, examined along four axes: identified practices, effectiveness, adopted today, drivers for integration]

Which level of information security governance “awareness”* is present at the level of Board of Directors and executive management in a contemporary enterprise?

* knowledge or perception of a situation or fact (Oxford dictionary)

Page 12

Methodology

Literature research

• Academic papers

• Books

• Papers from commercial companies

Public surveys

• Surveys from large consultancy firms

• Various industries

• Different levels of hierarchy

• Respondent volume ranging from +100 to +9000

Custom made survey

• Focus on board and executive management

• Peer review on which practices are deemed most important

• Small number of respondents

Identification of common practices, with focus on the Board of Directors and Executive Management

Frameworks, methodologies, standards

• ISO 2700x

• COBIT 5

• ISACA, Business model for information security

• ISC2, common body of knowledge

• NIST 800-53

Page 13

What is information security governance?


Information security governance framework (ISACA)

• A comprehensive security strategy explicitly linked with business and IT objectives

• An effective security organisational structure

• A security strategy that talks about the value of information protected and delivered

• Security policies that address each aspect of strategy, control and regulation

• A complete set of security standards for each policy to ensure that procedures and guidelines comply with policy

• Institutionalised monitoring processes to ensure compliance and provide feedback on effectiveness and mitigation of risk

• A process to ensure continued evaluation and update of security policies, standards, procedures and risks

Definition (NIST)

Information security governance can be defined as the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.

Page 14

Information Security Governance at the Board: identified practices

• Risk Management, setting the tone by defining the risk appetite

• Identify information security leaders, provide resources and support

• Direction, strategy and leadership, put information security on the board's agenda

• Ensure effectiveness of the information security policy

• Integrate a strategic committee

• Staff awareness and training

• Measurement, monitoring and audit

Page 15

Information Security Governance at the Board: effectiveness

• 23% see lack of leadership as an important obstacle in the overall strategic effectiveness of their organisation’s security strategy (PWC, 2012)

• 68% assume their information security strategy is aligned with the business needs (E&Y, 2012)

• Little or no involvement when aligning risk-based security with business objectives (Tripwire-Ponemon, 2013)

• Lack of strict segregation between risk and audit committee: only 8% have it, and only half of those oversee privacy and security (Jody R. Westby, 2012)

• 16% of board members are prepared to deviate from the risk appetite (Koen Maris, 2013)

• 68% of the CRO functions have a direct reporting line to the board


Page 16

Information Security Governance at the Board: adopted

• 27% indicate that their board has an outside director with cyber security experience, though 64% think it is important to have one (Jody R. Westby, 2012)

• 42% have their information security strategy aligned with business objectives (E&Y, 2012)

• 50% think information security is too technical to be understood by non-technical management (Tripwire-Ponemon, 2013)

• 33% of the boards address computer and information security (Jody R. Westby, 2012)

• 67% of boards approve a risk appetite statement (E&Y, 2013)

• 2/3 of Forbes Global 2000 companies have full-time personnel in key roles responsible for security and privacy


Page 17

Information Security Governance at the Board: drivers for integration

• Severe incidents

• Legal/compliance

• Regulations

• Accountability


Page 18

Information Security Governance at the Executive Committee: identified practices

• Information Security Framework

• Chief Security Officer / Chief Information Security Officer

• Implementation of information security

• Monitoring and assessment

• Awareness and communication


Page 19

Information Security Governance at the Executive Committee: effectiveness

• A large majority of staff knows the security policy, or at least knows of its existence (Koen Maris, 2013)

• Only 26% of respondents with a security policy believe their employees have a good understanding of it (PWC, 2012)

• Almost 40% of the CISOs/CSOs report to the CIO, almost 30% to someone other than the CFO, CEO or COO (Jody R. Westby, 2012)

• 80% claim not to evaluate the ROI of security investments (PWC, 2012)

• Adapting to new risks is done by blocking for approx. 50% of the companies (E&Y, 2012)

• Only 8% of CSOs/CISOs measure the value and effectiveness of their enterprise cyber security organisation (Deloitte, 2012)

• Reporting only occurs in case of a severe incident and happens at too low a level (Tripwire-Ponemon, 2013)


Page 20

Information Security Governance at the Executive Committee: adopted

• 95% of large companies have a security policy in place (PWC, 2012)

• The majority of executives agree that they should have someone responsible for information security (Koen Maris, 2013)

• 47% of the companies have an information security strategy committee in place (PWC, 2012)

• 56% claim security budgets are in a federated model, making it hard to measure and determine the real available budget (Deloitte, 2012)

• About 50% monitor and measure trends in security/incident costs; approx. 20% do not evaluate at all (PWC, 2012)

• Only 32% of staff claim to have received awareness training (ESET, 2012)


Page 21

Information Security Governance at the Executive Committee: drivers for integration

• In response during an incident, or after an incident

• Legal and compliance

• Not done because it is too technical & complex

• Reduce risk


Page 22

Conclusion: Board

• Unclear whether a company with thoughtful leadership and enterprise risk management in place had also identified a security leader

• Audit and monitoring parts are well in place, but measuring effectiveness remains doubtful, and there is not always a strict separation between the risk and audit committee

• Leadership, alignment and value are the least adopted

• Severe incidents and legal, regulatory and compliance remain the main drivers for integration

Page 23

Conclusion: Executive committee

• An ISMS is often in place, but the level of understanding and knowledge across the company remains low

• A CSO/CISO is in place in the majority of larger companies. Measuring the effectiveness remains difficult.

• Reporting line is not always clear, and reporting bottom-up shows some clear shortcomings

• Awareness and steering committee have a low degree of adoption, though the majority recognises the importance of awareness

• Severe incidents and legal, regulatory and compliance remain the main drivers for integration

Page 24

The real conclusion

Page 25

• Would good ERM and correct bottom-up reporting provide better awareness and increase the alignment for information security?

• The effectiveness of, and the links between, structures and procedures are not well addressed. How do they influence each other?

• Would good bottom-up reporting provide a better strategy?

• More questions than answers…

Page 26

Some fixes in layman's language

Page 27

Information security throughout the organisation

[Diagram: organisational levels IT & System Engineering, Mid management and C-Level, contrasting "What we see today" with an "Enterprise wide approach"; labelled "Consultancy" and "Integration"]

Page 28

Patch your staff


• Raise awareness on information security

• Learn to trust your instincts or gut feeling

• Provide secure tools and guidance on their usage

• Learn about the information security policy

Page 29

Thank You!


Any questions?

[email protected]