La Vision de Bull

Who am I…
• Alumnus of MITGA class of 2014
• Information security consultant with 15+ years of experience
• Emphasis on the human aspect in technology / information security
• Strong technical background
• Married, father of 2, living in one of Europe's smallest countries
© Koen Maris, 2015
The demise of information security
Koen Maris
On the road to nowhere…
One billion bank heist:
The gang – dubbed “Carbanak” by Russian security company Kaspersky – has been stealing directly from banks rather than posing as customers to withdraw money in the biggest cyber heist to date.

Regin spyware:
An "extremely complex" and "stealthy" spying program has been stealing data from ISPs, energy companies, airlines and research-and-development labs, a security company has said.

Heartbleed SSL vulnerability:
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.
How did we get there?
“You have to know the past to understand the present.” – Dr. Carl Sagan
Information security evolution
(Timeline slide, reconstructed from the diagram text)

In the beginning…
• Emphasis on the technical aspects
• Information security perceived as a solely IT-related issue
• Building a strong fortress: the outside = evil and dangerous

Some time later…
• Understanding that security had more dimensions, not only technical
• Organisations know its importance, BUT security ≠ integrated
• Some new organizational structures appear to house information security
• Attacks shifted to the end-user

Standardization
• Management attention led to the creation of best practices (ISO 27001)
• Creation of information security policies and procedures
• Building a stronghold or fortress, keeping the enemy out
• Companies measuring compliance levels and gaining awareness on the matter

Today…
• Cyber security is part of corporate governance
• The landscape of attack changed drastically
• Information security governance, leading to transversal functions omnipresent in the organisation, aligned with business and focused on risk
• Agility and flexibility demanded by the end-user and the organisation
Today in information security / cyber security
• We used to build these…
• However, we are interconnected…
• And we need security for…
We fail to assess risk
Failure to identify risk
Dangerous or not?
• Kristina Svechinskaya – ZeusBot, stole 9 million $
• David L. Smith – creator of the Melissa worm, released in 1999
• Dries Buytaert – founder of Drupal
Some research…
Problem statement
Problem statement
• Information security is associated with technology
• Interest of decision makers not proportional to the dependence on information technology and the related information security issues*
• Information security seen by senior management and the board as too complex and technology oriented
• Information security considered a discretionary budget line item*
• Difficult to align information security with business requirements while taking into account the defined risk appetite
* Julia H. Allen, Governing for Enterprise Security, Carnegie Mellon CyLab
Research questions
Which level of information security governance “awareness”* is present at the level of the Board of Directors and executive management in a contemporary enterprise?

(Diagram: Board of Directors and executive management – information security governance – awareness level, examined along four dimensions: identified practices, effectiveness, adopted today, drivers for integration)

* knowledge or perception of a situation or fact (Oxford dictionary)
Methodology
(Three-column diagram, reconstructed from the slide text)

Literature research
• Frameworks, methodologies, standards: ISO 2700x, COBIT, ISACA, ISC2 common body of knowledge, NIST 800-53
• Academic papers
• Books
• Papers from commercial information security companies
• Identification of common practices with focus on Board of Directors and Executive Management

Public surveys
• Surveys from large consultancy firms
• Various industries (5)
• Different business model
• Respondent volume ranging from +100 to +9000

Custom made survey
• Focus on board and executive management
• Peer review on which practices are deemed most important
• Different levels of hierarchy
• Small number of respondents
• Identification of common practices

* Julia H. Allen, Governing for Enterprise Security, Carnegie Mellon CyLab
What is information security governance?
Definition (NIST)
Information security governance can be defined as the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.

Information security governance framework (ISACA)
• A comprehensive security strategy explicitly linked with business and IT objectives
• An effective security organisational structure
• A security strategy that talks about the value of information protected and delivered
• Security policies that address each aspect of strategy, control and regulation
• A complete set of security standards for each policy to ensure that procedures and guidelines comply with policy
• Institutionalised monitoring processes to ensure compliance and provide feedback on effectiveness and mitigation of risk
• A process to ensure continued evaluation and update of security policies, standards, procedures and risks

* Julia H. Allen, Governing for Enterprise Security, Carnegie Mellon CyLab
Information Security Governance at the Board – Identified practices
• Risk management, setting the tone by defining the risk appetite
• Identify information security leaders, provide resources and support
• Direction, strategy and leadership, put information security on the board's agenda
• Ensure effectiveness of the information security policy
• Integrate a strategic committee
• Staff awareness and training
• Measurement, monitoring and audit
Information Security Governance at the Board – Effectiveness
• 23% see lack of leadership as an important obstacle to the overall strategic effectiveness of their organisation’s security strategy (PWC, 2012)
• 68% assume their information security strategy is aligned with the business needs (E&Y, 2012)
• Little or no involvement when aligning risk-based security with business objectives (Tripwire-Ponemon, 2013)
• Lack of strict segregation between risk and audit committee: only 8% have one, and half of those only oversee privacy and security (Jody R. Westby, 2012)
• 16% of board members are prepared to deviate from the risk appetite (Koen Maris, 2013)
• 68% of the CRO functions have a direct reporting line to the board
Information Security Governance at the Board – Adopted
• 27% indicate that their board has an outside director with cyber security experience, though 64% think it is important to have one (Jody R. Westby, 2012)
• 42% have their information security strategy aligned with business objectives (E&Y, 2012)
• 50% think information security is too technical to be understood by non-technical management (Tripwire-Ponemon, 2013)
• 33% of the boards address computer and information security (Jody R. Westby, 2012)
• 67% of boards approve the risk appetite statement (E&Y, 2013)
• 2/3 of Forbes Global 2000 companies have full-time personnel in key roles responsible for security and privacy
Information Security Governance at the Board – Drivers for integration
• Severe incidents
• Legal/compliance
• Regulations
• Accountability
Information Security Governance at the Executive Committee – Identified practices
• Information security framework
• Chief Security Officer / Chief Information Security Officer
• Implementation of information security
• Monitoring and assessment
• Awareness and communication
Information Security Governance at the Executive Committee – Effectiveness
• A large majority of staff knows the security policy, or at least of its existence (Koen Maris, 2013)
• Only 26% of respondents with a security policy believe their employees have a good understanding of it (PWC, 2012)
• Almost 40% of the CISOs/CSOs report to the CIO, almost 30% to someone other than the CFO or CEO/COO (Jody R. Westby, 2012)
• 80% claim not to evaluate the ROI of security investments (PWC, 2012)
• Adapting to new risks is done by blocking for approx. 50% of the companies (E&Y, 2012)
• Only 8% of CSOs/CISOs measure the value and effectiveness of their enterprise cyber security organisation (Deloitte, 2012)
• Reporting only occurs in case of a severe incident and happens at too low a level (Tripwire-Ponemon, 2013)
Information Security Governance at the Executive Committee – Adopted
• 95% of large companies have a security policy in place (PWC, 2012)
• The majority of executives agree that they should have someone responsible for information security (Koen Maris, 2013)
• 47% of the companies have an information security strategy committee in place (PWC, 2012)
• 56% claim security budgets are in a federated model, making it hard to measure and determine the real available budget (Deloitte, 2012)
• About 50% monitor and measure trends in security/incident costs; approx. 20% do not evaluate at all (PWC, 2012)
• Only 32% of staff claim to have received awareness training (ESET, 2012)
Information Security Governance at the Executive Committee – Drivers for integration
• In response during an incident, after an incident
• Legal and compliance
• Not done because it is too technical & complex
• Reduce risk
Conclusion – Board
• Unclear whether a company with thoughtful leadership and enterprise risk management in place has also identified a security leader
• Audit and monitoring are well in place, but measuring effectiveness remains doubtful; there is not always a strict separation between risk and audit committee
• Leadership, alignment and value are the least adopted
• Severe incidents and legal, regulatory and compliance requirements remain the main drivers for integration
Conclusion – Exec. committee
• An ISMS is often in place, but the level of understanding and knowledge across the company remains low
• A CSO/CISO is in place in the majority of larger companies; measuring the effectiveness remains difficult
• The reporting line is not always clear, and bottom-up reporting shows some clear shortcomings
• Awareness and steering committees have a low degree of adoption, though the majority recognises the importance of awareness
• Severe incidents and legal, regulatory and compliance requirements remain the main drivers for integration
The real conclusion
• Would good ERM and correct bottom-up reporting provide better awareness and increase the alignment for information security?
• The effectiveness of, and the links between, structures and procedures are not well addressed. How do they influence each other?
• Would good bottom-up reporting provide a better strategy?
• More questions than answers…
Some fixes in layman's language
Information security throughout the organisation
(Diagram: enterprise-wide approach with integration across IT & system engineering, mid management and C-level, supported by consultancy; contrasted with what we see today)
Patch your staff
• Learn about the information security policy
• Provide secure tools and guidance on their usage
• Raise awareness on information security
• Learn to trust your instincts or gut feeling
Thank You!
Any questions?
KMAR@BALEO.BE