Think like an MBA, not a CISSP
Embracing University Culture to Achieve Security Initiatives
Matt Malone, Security Services Director
512-650-0179
Matt.Malone@SLAITconsulting.com
Goals
- Security is a business problem, not an IT support issue.
- Utilize business tools
- Provide metrics / track progress
- Provide analysis, not argument
- Act like an MBA, not a CISSP
Pop Quiz
When asked "Who is in charge of security?", who do people think of?
Security is about
- Communication
- Policy
- Awareness
- Training / Education
- Roles and Responsibilities
- Reports / Risk
- GAP Assessments
Speaking the Language
Speaking the same language
- SWOT
- Top Down Approach
- Security Process Framework
- Change the culture by proving your value
The Business of Security
- Fund security initiatives
- Better serve your customers
- Provide metrics / track progress
- Act like an MBA, not a CISSP
- Provide analysis, not argument
SWOT
SWOT
Strengths:
- Resources: great access to researchers, interns, information, resources, students
- Conferences, sharing information, external organizations, etc.
Weaknesses:
- Decentralized authority
- Difficult to create governance
- Amount of resources
Opportunities:
- Government funding
- Professors who want to get published
- Highly regulated: use the regulation as a driver
- Classify the most important system: pick the most important regulation and use it to set the format across all of the schools in the university, but first classify the data
Threats:
- Unique: backbone of the internet and everyone's target
- Very little filtering of internet traffic
- Volume of traffic and attacks
How does SWOT impact you?
- Short on resources, but big on brain power and connections
- Leverage and share with other universities and get government funding
- Lead by example and success: pick an example department and implement your security program, doing it by the book. Start with policy, assess controls, perform a risk assessment, and then write a case study on it.
Top Down vs. Bottom Up
Strategic - Executive Sponsorship (Highly Effective)

Strategic: Risk and Compliance Services
- Risk / GAP assessments
- Addresses deficiencies and organizational risk
- Demonstrates compliance
- Justification of spend via risk
- Driven by business

Tactical: Assessment Services
- Vulnerability scans
- Social engineering
- Web app testing
- Testing for adherence
- Technical controls testing
- Does not calculate risk
- Implementation and vulnerability mgmt.

Tactical / Operational: Technology Solutions
- Security software and products implementing technical and some non-technical controls in accordance with organizational policy

Layers, top to bottom:
- Regulations governing the industry or organization (PCI, HIPAA, FISMA, FERPA, etc.)
- Security framework (COBIT, NIST, ISO 17799, ISO 27001, NIST 800-53, etc.)
- Security policy (standards, guidelines, policies, procedures)
- Technical controls: Network Perimeter Security; Strong Authentication; Wireless and Network Data Encryption and Loss Prevention; End Point Security; SIEM and Log Mgmt.; Network Infrastructure
Balanced Scorecard
Balanced Scorecard
Finance:
- Security spending vs. fines paid?
- Damage to brand
Internal Process:
- How efficient are you? Use metrics: if I ask you to find an IP address, how long would it take to find it? How long would it take to harden a server?
Balanced Scorecard
Customer:
- Who is the customer you serve? Students, alumni, government
- How satisfied are they? FISMA, FERPA, records
Learning and Growth:
- What kind of information security knowledge does the security staff have?
- What is their ability to innovate new tools and methods?
Project Oriented
Conclusions
CISO / ISO roles:
- Management vs. technical
- Educational focused
Utilize business tools to better serve your customers:
- Achieve your security goals
- Track your progress
- Report progress to management
- Better serve your customer
- Initiatives / goals
Questions?