IC B10 - Vision Panel Discussion: Scaling the Information Security Program Maturity Model: 3 Practitioners Perspectives

Transcription

1 Page 1 of 12 IC B10 - Vision Panel Discussion: Scaling the Information Security Program Maturity Model: 3 Practitioners Perspectives Panel Date: Thursday, April 18, 2013 Panel Time: 9-10am PST (60 minutes total, 15 minutes Q&A) Room: 112 Abstract: The Information Security Program Maturity Curve can provide an objective framework for defining, measuring and improving an organization s information security program. Listen to a panel of Symantec Managed Security Services (MSS) customers, each representing different stages of information security program development, discuss how they approached challenges inherent to each stage, as well as share key lessons learned. In addition, fifteen minutes will be provided for questions and answers. Panelists: Joseph Lee Director, IT Risk Management and Security, AARP Preston Jennings Chief Information Security Officer, PricewaterhouseCoopers Arno VanderWalt VP Information Security Operations at Wyndham Worldwide Moderator: Danny Dawes, Director, Managed Security Services Service Delivery

2 Page 2 of 12 Introduction (9:00 9:05) Danny: Thank you all for joining us for today s panel discussion on Approaching the Information Security Program Maturity Model: 3 Practitioners Perspectives. My name is Danny Dawes and I am the Director of Symantec s Managed Security Services, Service Delivery group. Let s start by level setting the concept of using a maturity curve to assess Information Security Program development. Several models exist in the industry; for example Gartner s Security Program Maturity Timeline and Forrester's Information Security Maturity Model Assessment Framework. When we talk with customers about their security programs, we find they align into three basic segments based on their awareness of their threat profile, risk adversity and overall security program maturity. Therefore, to simplify today s discussion, we ll refer to these three groups as: Adhoc Companies who are just starting to develop their Information Security Programs but no formalized security activities exist Best efforts security programs Companies who are doing their best to secure the Enterprise and hoping to mitigate most threats before they impact the business. Mature, proactive programs Companies whose goals, practices and performance metrics are fully defined.

3 Page 3 of 12 Introduction (con t) Interestingly, when we contacted customers regarding participating in this panel, most felt they fell in the middle category which makes sense. Because they are MSS customers, they have moved past the Adhoc stage, but few were hesitant to label their program as being proactive and mature. Perhaps they were afraid their CFO s were in the audience and they would lose funding if they implied their program development was complete. Therefore, we re asking our panel participants to comment on the various maturity segments based on past experience and observations of the industry. With that, I d like to ask our panelists to each take a minute or so to briefly introduce themselves: Introduction (9:05 9:10) [Brief introduction from all panelists please limit this to 90 seconds Name, title, year with company Background how did you get where you are today? Brief description of the network you manage What is your biggest concern/challenge regarding your environment, for example: o PwC employees spend considerable time on other companies networks? o AARP comprised of many different businesses (insurance, etc)? o Wyndham properties are very geographically dispersed?

4 Page 4 of 12 Please note: For each of the questions below, the panelist in the first position will take the lead for answering the question and therefore get the majority of the time. The second two panelists are welcome (and encouraged!) to contribute but need to keep it brief so we can ensure time for Q&A.

5 Page 5 of 12 The Usefulness of the Maturity Curve as an Evaluation Tool (9:10-9:15) Danny: What are your thoughts on this Maturity Curve? Is it a good summary of how different organizations might approach their information security program? Joe: understanding why security is important for your business and explaining to management why not everyone needs to be a 5 Versus highly risk adverse business that must be a 5 Preston: Arno:

6 Page 6 of 12 Assessing Your Program (9:15-9:20) Danny: A critical first step for any security professional walking into a new role is assessing where the new organization resides on this curve and where the gaps may lie. Thinking back to your most recent transition, what techniques did you use to make this assessment? Preston: team strengths, understanding what a mature program looks like, what the strengths are where the gaps are, figure out where you re going to make investments. Acknowledging that you just can t do it all. Joe: built AARP from non- existent program Arno:

7 Page 7 of 12 Top Challenges Faced While Evolving Security Programs (9:20-9:25) Danny: Once you ve come in and made the initial assessment, the next step becomes taking the program to the next level. What were the top one or two challenge you faced in trying to evolve your information security program and how did you address those challenges in your environment?. Preston: reporting structure, ability to influence change, reports to CIO, now reports in to board of senior business leaders, decisions that would have been made by IT, now being driven by the business. Cyber warfare, business impact. Takes discuss around impact to business if we don t anything used to be a line item discussion. Joe Arno

8 Page 8 of 12 Transforming less mature programs (9:25-9:30) Danny: Have you ever worked for an organization that had a less mature security program? What kinds of challenges did you face trying to move them forward? Does anyone have anything to share here? If not, I m going to cut. Joe: Preston: Arno:

9 Page 9 of 12 Is it realistic to reach for a 5? (9:30-9:35) Danny: Do you think it s realistic for most organizations to strive to reach the upper level of the maturity curve? What challenges will they face in doing so? Joe: Preston: Arno:

10 Page 10 of 12 Demonstrating Program Performance (9:35-9:40) Danny: After protecting the enterprise, the ability to demonstrate program performance in order to justify funding is Holy Grail for most information security professionals. What techniques have you found most effective for proving the value and efficacy of your security program? Joe: Preston: Arno

11 Page 11 of 12 Program Evolution (9:40-9:45) Danny: The last question for our panelists is a bit open- ended but hopefully one the audience will appreciate. When you thinking about taking your information security program to the next level, what is the most important advice you can share with members of our audience today? Preston: language change, speaking the language of the business not the language of IT, you need to be bi- lingual understand what s important to each audience. What will resonant. Joe: you need to be relevant. It s not about information security, it s about supporting the business in an appropriate manner. Arno

12 Page 12 of 12 Wrap Up and Q&A (9:45-10am) Danny: We have some time for Q&A and I d like to make sure everyone has the opportunity to interact with our guests. So, would you please use the microphone, and we ll start the Q&A section at this time. (Questions from the audience) Danny: Thank you to all of you who joined us today, this discussion would not have been possible without you. And, thank you to our distinguished panelists: Joseph Lee Director, IT Risk Management and Security, AARP Preston Jennings Chief Information Security Officer, PricewaterhouseCoopers Arno.VanderWalt VP Information Security Operations at Wyndham Worldwide Can we please have a round of applause for our panelists?