Page 1
Value-added security services
Carsten Maartmann-Moe
May 20, GRC 2015
Page 2
Powerful external forces require us to re-think information security
Your business
Regulations
IT reliance
Increased attack surface
Advanced threats
New ways of working
© Transcendent Group Norge AS 2015
Page 3
The greatest risk is strategic
“Only a few CEOs realize that the real cost of cybercrime stems from delayed or lost technological innovation […] we estimate that over the next five to seven years, $9 trillion to $21 trillion of economic-value creation, worldwide, depends on the robustness of the cybersecurity environment.”
McKinsey & Company: The rising strategic risk of cyberattacks
Page 4
How can the information security function stay relevant?
Realize that:
• Failure to handle cybersecurity effectively will not only incur security breaches
• it will also slow down the business and make us less competitive
• traditionally our strategy for handling cybersecurity focuses on protecting the business
• we need to shift to both protect and enable.
Page 5
Protect and enable: principles of value-added security services
Protect
• risk-centric
• easy-to-understand and in-tune policies and requirements
• provide solutions to lower risk
• measure, measure, measure
Enable
• service-oriented
• a trusted advisor to the business
• provide solutions to reduce (security) cost and enable your business
• measure, measure, measure
Page 6
Protect
Page 7
Figure out what capabilities we need to protect our modern users
Cloud, Mobile and Collaboration require these enterprise security capabilities:
• App threat / vuln. mgmt.
• Trust model / IdAM / RBAC
• Collaboration for mobile
• Mobile Device Mgmt.
Page 8
From “no, you can’t” to “yes, let’s do it this way”
• Don’t create 110-page policies, requirements and standards
• Create short “do it this way” documents – communicate what’s secure
• Support the documents with actual tools to make it easy to do it right
• Be pragmatic and risk-centric – for instance by infusing small risk assessments into key business processes (project methodology, production processes, yearly reviews, etcetera)
• Pick 2-5 metrics that gauge desired behavior, and start reporting on progress
Page 9
Enable
Page 10
People are nice*
• Yes, it’s true!
*) There are some caveats
Page 11
Idiotic security
• Make it easy to do it right
• Make it hard to do it wrong
Page 12
Case in point: AD password policies
Typical policy:
• You have to change your password every 90 days
Illustrative cost (NAV, Norwegian welfare administration)
• 17 000 employees
• In total 9 000 incidents per month
• 17 % of support incidents are password reset related and solved in under an hour
• Over 10 FTEs are wasted each year in NAV due to this single policy
Page 13
Research shows that expiring passwords do not have the intended effect
“To be economically justifiable, time spent by computer users changing passwords should yield $16 billion in annual savings from averted harm.”
Microsoft: So long, and no thanks for the externalities: The rational rejection of security advice by users (2010)
“[…] our evidence suggests it may be appropriate to do away with password expiration altogether, perhaps as a concession while requiring users to invest the effort to select a significantly stronger password than they would otherwise (e.g., a much longer passphrase).”
Yinqian Zhang: The security of modern password expiration: An algorithmic framework and empirical analysis (ACM CCS 2010)
Page 14
Making it easier and more secure
1. Measure
   1. Number of password-related support incidents
   2. Current password quality (% of passwords easily cracked)
   3. User satisfaction with having to change passwords every 90 days
2. Remove the “Password Expiration” policy
3. Teach your users how to select a strong password
4. Inform users that if they select a strong password, they will never have to change their password again
5. Crack passwords every 90 days, and reset cracked passwords
6. Repeat step 1
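The two measurable items in step 1 (password-related support incidents, and the share of passwords that are easily cracked), together with the FTE figure from the NAV slide, can be reproduced on constructed data. The Python below is an added example, not code from the deck or from Transcendent Group: the help-desk export, the four accounts, the salted SHA-256 stand-in for the directory's hash format and the short weak-password list are all constructed here, and 1 700 working hours per FTE and one hour per reset ticket are assumptions used to show how the deck's "over 10 FTEs" follows from its own numbers.

```python
"""Added example: compute the "Measure" metrics from the deck's password-policy
steps on constructed data. Not code from the deck or from Transcendent Group."""
import hashlib

HOURS_PER_FTE = 1700.0  # assumption: working hours per full-time equivalent per year


def fte_from_aggregates(incidents_per_month, reset_share, hours_per_ticket=1.0,
                        hours_per_fte=HOURS_PER_FTE):
    """Annual FTEs consumed by password resets, from help-desk aggregates.

    hours_per_ticket=1.0 is an assumed upper bound matching the deck's
    "solved in under an hour"; with the deck's 9 000 incidents/month and 17 %
    reset share this gives 10.8 FTE, i.e. the slide's "over 10 FTEs".
    """
    resets_per_year = incidents_per_month * reset_share * 12
    return resets_per_year * hours_per_ticket / hours_per_fte


# Constructed help-desk export (one week, not real NAV data):
# date;ticket id;category;hours the help desk spent
TICKET_LOG = """\
2015-03-02;INC001;password reset;0.50
2015-03-02;INC002;printer;1.50
2015-03-03;INC003;password reset;0.75
2015-03-03;INC004;vpn;2.00
2015-03-04;INC005;password reset;0.50
2015-03-05;INC006;email;1.00
2015-03-05;INC007;password reset;0.25
2015-03-06;INC008;laptop;3.00
2015-03-06;INC009;password reset;0.50
2015-03-09;INC010;password reset;0.50
"""


def parse_tickets(log):
    """Parse the semicolon-separated export into dicts; blank lines are skipped."""
    tickets = []
    for line in log.splitlines():
        if not line.strip():
            continue
        date, ticket_id, category, hours = line.split(";")
        tickets.append({"date": date, "id": ticket_id,
                        "category": category, "hours": float(hours)})
    return tickets


def password_reset_metrics(tickets, weeks_of_data, hours_per_fte=HOURS_PER_FTE):
    """Metric 1.1: password-reset incidents, their share of all tickets, and the
    annualised FTE cost of handling them."""
    resets = [t for t in tickets if t["category"] == "password reset"]
    hours_per_year = sum(t["hours"] for t in resets) * 52.0 / weeks_of_data
    return {
        "reset_incidents": len(resets),
        "reset_share": len(resets) / len(tickets),
        "fte_per_year": hours_per_year / hours_per_fte,
    }


# Constructed stand-in for a known-weak-password list; a real audit would use a
# large breach-derived wordlist. Checking the directory against such a list is
# the "% of passwords easily cracked" metric from step 1.2.
WEAK_PASSWORDS = ["Password1", "Summer2015", "Welcome1", "Qwerty123"]


def hash_password(password, salt):
    """Constructed salted SHA-256 stand-in for the directory's own hash format."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


# Constructed directory export: user -> (salt, stored hash)
ACCOUNTS = {
    "alice": ("salt-a", hash_password("Summer2015", "salt-a")),
    "bob": ("salt-b", hash_password("correct horse battery staple", "salt-b")),
    "carol": ("salt-c", hash_password("Password1", "salt-c")),
    "dave": ("salt-d", hash_password("long passphrase with four random words", "salt-d")),
}


def weak_password_audit(accounts, weak_list):
    """Metric 1.2: which accounts use a known-weak password (these get the
    forced reset from step 5) and what share of the directory that is."""
    flagged = []
    for user, (salt, stored) in accounts.items():
        if any(hash_password(candidate, salt) == stored for candidate in weak_list):
            flagged.append(user)
    return sorted(flagged), 100.0 * len(flagged) / len(accounts)


if __name__ == "__main__":
    print("deck figure, FTE/year:", round(fte_from_aggregates(9000, 0.17), 1))
    print(password_reset_metrics(parse_tickets(TICKET_LOG), weeks_of_data=1))
    print(weak_password_audit(ACCOUNTS, WEAK_PASSWORDS))
```

Two design points matter when this is turned into a real audit. Active Directory stores unsalted NT hashes rather than the salted SHA-256 used here, so the comparison function must match the directory's actual format, and the weak-password list should be the same denylist the help desk enforces at password-change time, so that the metric measures exactly the behaviour steps 3 and 4 try to change. The audit only reports which accounts fall into the denylist; resetting them is the separate, visible action of step 5, which is what makes the metric trend downward over repeated runs.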
Page 15
Return On Investment
Page 16
Summary
Page 17
Summary
• To avoid a security backlash where the greatest risk of security is security itself, we must shift our focus to protect and enable
• Protect and stay relevant:
  – Understand that the new ways of working will require a re-think
  – Create lean protection mechanisms that focus on real risk
• Enable and be a hero:
  – Understand what the user is trying to do, and help him/her do it securely
  – Don’t accept the status quo, and rip out worthless security
• Deliver real value by measuring and thus showing that you are both protecting and enabling
Page 18
www.transcendentgroup.com