Turning Adversaries to Allies

Robert Keefer
CISSP, C|EH, Security+, MCSE
16+ years experience in IT and InfoSec
Healthcare, Automotive, Manufacturing, Software Development, and other verticals
Sound Familiar?
• You’re told about a new project—as it’s being put in place.
• Security assessments are recycled more often than read
• Security initiatives go nowhere, slow
• Every issue you bring up becomes an argument
Scenario One: Higher Ed
• Each Department ran their own IT; only vaguely reported to CIO
• “Shadow IT” was the norm
• Hard to get buy-in, Directors didn’t oversee IT well
• Communication problems
• Security awareness, but each group does their own thing
Scenario Two: Development house
• ISO was in Detroit, but development team in Seattle
• Remote location makes communication difficult (West Coast)
• Previous experience with InfoSec poor, setting up for resistance
• Need to develop quickly—Agile development
• Customer heavily invested in security
Scenario Three: Healthcare
• Highly changeable
• IT very resistant due to bad experience
• Network team took over much of InfoSec duties
• HIPAA sole guideline for InfoSec
• Compliance-focused instead of security-focused
Common Issues
• Information Security seen as additional cost or work
• Previous bad experiences causing “bad blood”
• Resistance to adopting InfoSec requirements/initiatives
• InfoSec not always related well to business goals
• Little buy-in or support from management
• Compliance focus instead of/priority over security focus
Scenario One: Approach
• Treat each department separately: what are their needs/fears?
• Keep programs small and flexible, customize as needed
• Work with each team as experts in their fields, do not dictate solutions
• Management buy-in is hard, but means greater ability to act
• Create opportunities for collaboration
Scenario Two: Approach
• Leverage the customer need
• Work with devs as experts; provide requirements and let them solve
• Many face-to-face meetings, don't be a voice on the phone
• Work towards a "yes" instead of from a "no"
Scenario Three: Approach
• Be approachable
• Keep communication lines open
• Adjust technical content to the audience
• Transparent with methods as well as results
• Prioritize on risk—Journey, not destination
Common Solutions
• Clear requirements, goals, and reasons
• Tie InfoSec requirements to business goals (Business Enabled Security)
• Stay reasonable; know when to say “yes”
• Focus on good risk management
• Gratitude!
Common Pitfalls: Watch Your Step
Dictating Solutions
• Demanding specific solutions, “My way or the highway”
• Supply requests and requirements
• Ask for solutions, let the SMEs supply them
• Multiple solutions exist for any problem
• Prepare to be flexible
The Bogeyman
• Hackers, HIPAA, Government Audits
• Fear as a motivator
• Government standards are seen as a ceiling instead of a floor
• Remember that compliance != secure, but secure is usually compliant
• Focus on business-enabled security, not fear-based security
Gatekeeping
• Similar to Dictating Solutions
• Insisting that all risks must be resolved or project will be blocked
• Risk Management is key
• Some risks are mitigated, some are accepted
• Business must keep doing business!
Thank You!
• Questions?

Robert Keefer
[email protected]
@robbkeefer
http://www.businessenabledsecurity.com