Special Interest Group on Security Key findings and conclusions
What’s next.
2
Introduction From April to November 2014, we engaged in a series of meetings with CIO’s and CISO’s to share insights, best practices and aspirations with regard of Security issues within organizations. These intense meetings with a select number of participants provided some profound and sometimes surprising insights into how organisations deal with this vital topic. In an era where digitization drives competitive advantage, where employee efficiency depends on mobility, and where competing business models are based on the level of openness of businesses to the external world, security becomes an issue of exponentially increasing complexity. Businesses are under attack. The number of reported daily security attacks increases with a CAGR of 66%. And the causes of these attacks are multiple. They can come from within the organization, or from the outside. They can be benign, but more often they will harm.
1. MOBILE SECURITY p3
During each of the CIONET Special Interest Group sessions on Security, we zoomed in on one particular topic in a 2hour session. From mobile security to cyber threats, organizational awareness and security strategy, the discussions went in depth on each of these issues. Accenture facilitated the discussion, though the key contribution came from the participants. They shared their experiences, achievements and lessons learned on each of the topics. The outcome of these meetings has been documented in the Best Practices documents, of which this report is part. In this report you will find the write-up and the conclusions of the discussions. We hope they will provide you with fresh insights and new ideas on how to tackle the multiple security issues within your organization. Though in the meantime we are certain that the last word hasn’t been said on this topic. We wish you an inspiring read!
Frederic De Meyer, Head of Programs & Research, CIONET
Bert Vanspauwen, BeLux Security Lead , Accenture
3. CYBER SECURITY 2. SECURITY AWARENESS & BEHAVIORAL CHANGE p9
p 15
4. SECURITY STRATEGY p 21
MOBILE SECURITY
3
April 29th, 2014 - Vilvoorde
Two main questions:
- Mobile Application Lifecycle Management - Mobile Governance and Bring Your Own Device (BYOD)
ATTENDEES BNPParibas Fortis
Jan De Blauwe
GoudenGids
Giselle Vercauteren
AXA
Wim Schuddinck
CIONET
Hendrik Deckers
CIONET
Frederic De Meyer
Deloitte
Maarten Mostmans
Accenture
Fabrice Deval
Accenture
Bert Vanspauwen
MOBILE SECURITY
4
Reference frameworks In order to frame the discussion and align thoughts, Accenture presented the reference model below . This model covers the different items that should be addressed in a complete Mobiles Security Strategy. For the discussion had, we focused on Governance and Application, but as you will see from the write-up several of the other ones were also touched upon.
MOBILE SECURITY STRATEGY A comprehensive program and strategy to embed security throughout the enterprise’s mobile lifecycle
GOVERNANCE -- Define processes and policies (ownership, connectivity, applications, privacy, audit / wipe) -- Support / Training -- Identify preferred suppliers / service level for business
DEVICE
USERS & IDENTITY
---------
-- Roles and authorization levels and authentication -- Evaluation / monitoring of usage patterns -- Program awareness and education
Security funcionality Control connectivity Secure remote connections Disposal and wipe Synchronization / Backup Ability to update Physical Access Tracking / Management
NETWORK ------
Voice Secure remote connectivity Monitoring and Testing Wireless networking Use of untrusted and/or public networks
APPLICATIONS ------
SDLC development Testing Distribution / provisioning Access Control Secure connection to backend systems and data (Ex.: Cloud) -- Monitoring / Management
DATA --------
Classification Authentication Secure connection Strong Encryption Data loss prevention Secure storage Audit and forensics
5
MOBILE APPLICATION LIFECYCLE
MAINTAIN ACCURATE INVENTORY
INCORPORATE SECURITY EARLY DURING FUNCTIONAL REQUIREMENTS GATHERING
-- Inventory all mobile apps and assign risk ratings based on sensitivity of function, data, brand and network connectivity -- Perform appropriate levels and types of security testing based on the risk rating
APPLICATION SECURITY MANAGED SECURITY SERVICES -- Industrializes the mobile application security lifecycle’s routine functions in a repeatable manner -- Provides a dedicated function to identify and respond to security defects that may lead to unauthorized access
CONTINUOUS MONITORING IN “PROD” -- Automated dynamic application vulnerability scannon on “higherrisk” applications at least twice a year or after a major code change -- Manual application penetration testing on all “critical-risk” applications at least once a year or after a major code change
Inventory and Risk Classification
Managed Security Services
Security in Design Requirements
PROCESS
PEOPLE
TECHNOLOGY
Security Testing in the Production Network
Security Testing during “Test” Phase
Security Testing during “Build” Phase
-- Security considerations should not be an afterthought or something that gets built if the application gets hacked -- Formally identify and document security requirements early on as part of the funtional requirements gatering process
SECURITY STAGED GATE TO “TEST” -- Perform security testing towards the end of the “Build” phase as a staged gate to enter into the “Test” phase -- Security testing that yields no high-risk security defects allows escalation to the “Test” phase
SECURITY STAGED GATE TO “PROD” -- Perform security testing during the “Test” phase as a staged gate to enter into the production network -- Security testing that yields no high-risk security defects allows escalation to the production network
A second model presented is an example of a mobile application lifecycle as we have implemented for several of our customers. It shows the different steps in the creation of a mobile application including the different security considerations each time. During the discussion, we used these models as well as some examples of work we conducted and cases we saw to add to the experiences of the participants and structure the discussions had. The wrap-up of those discussions can be found on the next pages.
MOBILE SECURITY
6
Current experiences / challenges Implement Mobile Security as a component of a complete Security Strategy -- Creating a 3-year plan allows to prioritize tasks -- Get Security department to talk to Senior Decision makes & get them involved -- It provides a structured process to synchronize with different stakeholders, inform them on security , the timeline for different activities and get approval early on -- Crucial to layer your message depending on who you talk to -- The model on page 16 provides a good overview of the typical area’s to cover, transport security could be added.
Business not always aware of the risks -- Depending on the maturity level of the security function (& understanding at management level), it is hard to put security on the agenda -- Business focuses on the functionality, not always on the security of the application. -- Helps when management understands the risks, allows them to make the right trade-off functionality vs security -- E.g. additional checks on bank side to reduce security complexity on user side
Across platforms -- Treat different platforms in the same way (e.g. difference between pc-based web banking from and mobile app) -- But base the controls on risk levels, e.g. mobile devices increase risk level –> require additional security controls -- Application development using a normative framework that allows to assess the risk -- Often a strong differentiation between 2 communities: -- (Internal) employees -- Customers (gets more focus)
Wide variety of needs & form factors -- It is often difficult to keep up with all the changes. -- There are very different needs within the organization for mobile (e.g. management needs IPad, traveling users,…) and a wide variety of form factors (e.g. Mobile phones, smart phones, phablets, tablets, tablet pc’s etc) -- This makes it difficult to have a consistent policy. But the policy is key. It should try to be proactive in following market evolution -- On top of that, choices are not always driven by a clear business case, but also because people have come to expect this, especially younger people -- Create a standardized model on who is allowed to use what -- Example: created a table with 6 types of users & the needs they have / solutions they are provided. -- Can range from company provided to BYOD
Customer devices -- Organizations typically have very little control over the mobile devices of customers -- No view on the vulnerabilities of those devices (e.g. password protected, jail broken, …) -- Focus should be on the education of customers rather than technical enforcement
BYOD -- In case you allow BYOD, it can be beneficial to have a Help desk / technology support that helps users to configure their (mobile) devices in a secure way e.g. corporate email -- Checklist of controls / actions they can take is sometimes to limited.
7
Legal aspects
Different types of applications
-- The legal aspects are often not very clear (e.g. providing opening hours of shops, they are published, but are they free to reuse for other services?)
-- Classify the applications created based on the information they contain / access -- Difference between applications that group publicly available information in an easy way vs applications that access e.g. customer loyalty cards or other sensitive / user specific information
Secure Development -- Ensuring secure development by a series of checks, based on the risk level of the application -- Based on a statement of applicability: -- Different level of security testing (pen testing, code review) -- Review & check as early as possible in the process (security built in vs bolt on) -- Review the results at key steps -- Includes an architecture and peer review (checklisted) -- Share information on the security development, by having regular presentations among peers & get challenged by peers
Manage who creates the applications -- As they require specific skills, they cannot always be created within the organization -- This requires additional controls to ensure development is done in a secure way (e.g. pen test before accepting application, not allowed to develop offshore)
Start small and evolve the application -- Develop the applications in an iterative way -- Limited set of requirement (including security ones!) -- Evolve the application both in functionality and in security reqs (e.g. closer to web banking platform) -- Balance Security – Usability is not always easy
Security is not a marketing item -- Current security is deliberately not chosen as a differentiator between banks (don’t draw attention, everybody can be attacked etc) -- But there is a growing attention from customers on this -- Not always easy to decide on whether to communicate on security (e.g. hartbleed bug) -- No clear view on customer’s sensitivity to security.
MOBILE SECURITY
8
Lessons learned / Best Practices Mobile Security is not a standalone activity. It should be part of the Security Strategy and it should be enforced throughout the organization as these applications are sometimes developed out of the business.
Develop all your applications in a consistent way, and review them based on the risk level they pose. Use different validation steps (arch review, peer review, security testing, ‌) and start doing this as early as possible in the process.
Often there is no clear incentive for a customer to be concerned on security (e.g. banks provide guidance, but no financial loss for customers until now). Financial institutions currently focus on educating their customer rather than enforcing certain technical compliances on them. The technical checks are implemented at bank side.
In mobile devices, if you don’t address the need of your users, they will find a way to circumvent your controls to do what they need/want to do. Train people on how to use their devices: regular trainings on what is allowed & what is not; how to use them in a secure way & what to do when things go wrong (e.g. device stolen)
SECURITY AWARENESS & BEHAVIORAL CHANGE June 17th, 2014 - Vilvoorde
Two main questions:
- Awareness within the organization - Awareness for customers
ATTENDEES BNPParibas Fortis
Wim Bartsoen
ING
Alexandre Pluvinage
KBC
Dominiek Christiaens
FSMA
Tom Plasschaert
CM
Stefan Van Gansbeke
Belgacom
RaphaĂŤl de Visser
CIONET
Frederic De Meyer
Deloitte
Maarten Mostmans
Accenture
Margriet Westerink
Accenture
Bert Vanspauwen
9
SECURITY AWARENESS & BEHAVIORAL CHANGE
10
Reference frameworks
In order to frame the discussion and align thoughts, Accenture presented the reference model below. This model provides Accenture’s view on the different steps in creating Security Awareness and more importantly behavioral change. During the discussion, we used this model as well as some examples of campaigns and experiences of the participants as a framework to share what works and what didn’t. The wrap-up of those discussions can be found on the next pages.
THE ACCENTURE BEHAVIOR CHANGE APPROACH IS DESIGNED TO SCALE INDIVIDUAL BEHAVIOR CHANGE TO THE ORGANIZATIONAL LEVEL.
Understand client context What is the business context that is driving need for behavior change?
Define outcomes
Define population
What outcomes are we driving towards?
Which people have a direct role in promoting the business outcomes?
Identify critical behaviors
Assess current state
What behaviors do we need to realize target outcomes?
Where are we now and what are the gaps?
11
BEHAVIORAL CHANGE: The intentional effort to modify critical individual behaviors which have a direct, positive and significant impact on the day-to-day functioning and desired outcomes of an organization.
Develop high-level plan
Develop Individual plans
How are we going to bridge our gaps and over what timeframe?
What are the target behaviors by individual?
Develop leadership and social network plans What is the role of leadership and supporting organization in bridging the gaps?
Practice and track How do we know if we have achieved our outcomes?
SECURITY AWARENESS & BEHAVIORAL CHANGE
12
Current experiences / challenges Make Security is everyone’s job
Help your people help the customer
-- If an incident comes up, address it with an additional control, but also educate the users -- Explain what their role in Security is (e.g. Phishing risks) -- Based on three pillars: -- Insight (How do the criminals operate) -- Self-reliance (Who to contact, what to do) -- Viral Spread of information (‘spread the news) -> This also means enabling e.g. reception staff with the information for their clients. If somebody asks, they can provide the right information
-- Assist your business in their mission. Branch employees are focused on helping their customers. Ensure they have the necessary information (in an understandable format) to share with their customers.
Focus on making people aware rather than block them -- Focus on Service delivery. If the services you offer work & are security, people will use them -- Employees typically are security aware or have an idea on how they are supposed to act -- When security concerns arise, focus on finding a solution & explaining the reasons to users: -- E.g. internal Dropbox for file-sharing + explain users the risks of publicly sharing information
Similarities between Compliance & Awareness -- Both compliance & awareness require all employees to be educated on how to act, so they can work together in doing this -- But sometimes require different channels to communicate based on the target audience: -- Information base -- Internal web site -- Different campaigns tailored to the language & work environment of the people (e.g. posters). -- Transferring the information is the first step, but how do you make it change employee behavior?
Challenging for new / heavily growing organizations -- E.g. an organization currently being rebuilt: -- Brings a lot of new people & new culture -- Challenging environment to create security awareness, people are looking for ways around the controls -> constant battle
How do you make the information stick? -- Key item for Security Awareness is sharing the right information via a number of channels. However Awareness disappears after an amount of time. -- You can only make it stick by changing the behavior. Once this happens, people will continue showing secure behavior -- The closer the information is to the people (to more adapt to their world), the better they absorb it. Gamification is an example
All bits help / Never waste a crisis -- Disruptive events can assist in raising awareness. As people are curious on what happened, they are open to new information -- A clear and present danger helps to convince people -- Also useful for upward reporting (e.g. APT, eFraud, DDos are now terms the business starts to understand). -- A burning platform helps ensuring management & organizational attention
13
Move security away from the technology
You can’t buy awareness
-- Important to bring security awareness in a language the business understands; apply it to their everyday life. -- Don’t go technical in the explanation.
-----
Playing the bad-guy opens eyes easier -- Simulate what an attacker could do by pen-testing people -- Check on Facebook how much info they share -- Create fake LinkedIn profile as see who accepts -- Sending Phishing emails and measuring clicks -- Viking-tours where a complete office space is investigated. Taking pictures and share them anonymously
Effects of a ‘shock’-campaign -- A shock campaign brings fast result, but they don’t stick as long. When doing them, the focus should be on creating the context for learning, not just shocking -- Requires strict ethical rules -- Sanctioning People is often done behind the screens, negative impact of insecure behavior often not visible. Neither is the reward for positive behavior (the Belgian way of doing things).
The positive approach -- Positive campaigns stick longer. They should focus on ‘why are you important for our company’s security’. Using employee’s engagement to motivate them for security. -- An easy/cheap example is identifying Champions, people that volunteer to get trained on security and help people in their teams (not out of leadership position) to support security. -- Putting targets on Security can be negative (e.g. punishment for not achieving) but should be positive (reward for improvement)
Social Equilibrium -- Social Equilibriums (e.g. how the group approaches security) is often temporary. When group changes, often falls back into the old behavior. -- Identified three criteria: -- Awareness (do they know how to behave) -- Willingness (are they willing to behave in that way) -- Ability (e.g. creating secure alternative)
First get your governance figured out Then bring this across to create awareness Requires support from upper management E.g. wearing badges -> make sure it is socially accepted, have management be the example. If they don’t do it, why should everybody else do it.
Differences across the organization -- Organizes a periodical survey to gather the weak points and found they are dependent on the different parts of the organization. E.g. Direct Challenges has a lot of young people, different risks compared to other departments (and the results are not always as bad as we would expect) -- There are different steps to reach a behavioral change and not everyone in the organization is at the same level -> target specific populations in your approach.
Measuring effectiveness of the campaign -- There are different stadia in the evolution of awareness -- Often expensive to measure this. -- Turning awareness from a cost to a value-adding activity is the holy grail, but difficult to achieve. -- Depends on the balance between Security & Convenience.
Reference model to create Awareness campaigns -- NICE model to focus on the user needs. Trying to look at the campaign from their view: -- Need: what is the users need -- Interest: what is he interested in -- Concern: what concern would he like to see addressed -- Expectation: what is the excepted outcome for him
Getting the budget to do awareness is difficult -- Security is deliberately not chosen as a differentiator between banks (less business interest & budget to address it) -- How to justify budgets internally: -- Fear (potential cost of attack / reputational damage) -- Compliance (we need to do this) -- Demand (clients expect it) -- Mandate to take action for awareness is often non-existing / very vague
SECURITY AWARENESS & BEHAVIORAL CHANGE
14
Lessons learned / Best Practices Awareness should be delivered in a language understandable to the business. Use examples and wording out of their business context. This ensures they relate it to their everyday life, making it stick better.
Awareness should be focused on positive learning. People should be shown their value in security rather than forcing them to behave in a certain way. Champions within the organization are an easy way to spread messages in a positive way.
Explain people why they need to do certain things. Why should they not discuss confidential information on the train? Show with examples what the impact of their behavior could be (without patronizing them).
Different parts of the organization pose different risks (e.g. marketing department vs HR). Treat them different in your awareness approach as well. Target specific groups of people based on the risks they pose.
CYBER SECURITY
15
Sept 23rd, 2014 - Vilvoorde
Two main questions:
- Threats and business challenges - The Capabilities needed for proactive Cyber Security
ATTENDEES Bridgestone
Yves Gilbert
KBC
Dominiek Christiaens
AXA
Geert Van de Brande
BNPParibas Fortis
Jan De Blauwe
CM
Stefan Van Gansebeke
ACV
Johan VandeWalle
Acerta
Noel VandenDriesche
CIONET
Frederic De Meyer
Deloitte
Maarten Mostmans
Accenture
Mike Tettero
Accenture
Bert Vanspauwen
CYBER SECURITY
16
Reference frameworks In order to frame the discussion and align thoughts, Accenture presented a couple of reference models and views on Cyber Security. The landscape of Cyber Threats is continuously changing. We listed a couple of trends as a starting point to our discussion: -- Threats become more persistent, and with that harder to identify. They are becoming more targeted and specialized on your specific context -- On the other hand, most organizations focus on: -- Monitoring – Difficulty in prioritizing critical events and handling uncertainty -- Static controls – Standard controls don’t help once the attacker is in In terms of the types of actors we see 3 big types.
3 TYPES OF ACTORS
OPPORTUNISTIC ACTS
MOB
DETERMINED ACTORS
Attacker profile: - Will move on in thwarted - Will make mistake - Can be creative
Attacker profile: - Emotional and not disciplined - Not after the crown jewels - Not well backed
Attacker profile: - Failure is not an option - Need only one vulnerability - Stick with it mentality
ACCENTURE INTELLIGENT SECURITY VISION Accenture also presented its vision on Intelligent Security as the way to combat Cyber Threats. This is a Security focused model, outlining the interactions between different capabilities needed and does not focus on the outbound integrations (e.g. interaction with the business). It does include our view of the different capabilities that should be in place to operate an industry-leading (Cyber-) Security capability. Off course different organization have different names for these capabilities and operating at a varying level of maturity, but typically see them appearing. This model goes beyond the traditional preventcapabilities, and also focusses detect & respond.
The last model presented is not an Accenture one, but a model Lockheed Martin created based on the attacks they faced. It outlines the different steps of a typical attack (the Kill Chain) from the view of an attacker. This model is very useful in defining the different moments in the cycle where an organization should act to defend itself, trying to stop/block the attack as early as possible. The complete model including details of the contents of each step can be found on their site.
17 Business Strategy
Compliance Regulations
Authoritative Standards
Security Strategy
Active Defense Extended Enterprise Security Security Orchestration
Extended Enterprise Assets
Security Analytics
Enterprise Security Enterprise Assets
Cyber Threat Intelligence Governement / Industry Consortiums
Kill Chain Phases
Reconnaissance
Weaponization
Typical Attacker Activities Passive Search
Org Charts
IP s
Payload Creation
Malware
Delivery System
Phishing
Spear Phishing
Drive-By Download
Weapon Activation
Establish foothold
3rd party compromise
Trojan, backdoor
Establish persistence
Escalate Privileges
Acquire Usernames & Passwords
Channel to Target
Lateral Movement
Internal REcon
Maintain Persistence
Further Compromise
Data Exfiltration
Additional Persistence
Hijack Systems
Delivery Exploitation
Installation
Command & Control Action on Objectives
Intelligence Feed services
Port Scans
ISP IDs
External Hosts
Infected Website
The Cyber Kill chain is a trademarked concept by Lockheed Martin Corporation, explained in the whitepaper: “Intelligence-Driven Computer Network Defence Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains� by Lockheed Martin Corporation
CYBER SECURITY
18
Current experiences / challenges Everybody is a target
Security cannot be limiting
-- Certain organizations think they are not a target, but they might be collateral, a target on the way to the real target (like RSA in the US). -- Often there is no clear view on the linkage between organizations. Organizations focus on internal risks but sometimes forget to consider their customers/suppliers (e.g. which clients do we serve and what are their risks, what happens if our supplier is attacked and e.g. we cannot pay out wages) -- Often a (small) crisis is the trigger to really get started on Cyber Security. This can be an employee who steals data or an actual hacking attempt.
-- Security should aim to be as little invasive as possible. Monitor the information flows & only step in once needed (e.g. monitor user behavior & step in once large amounts of data are being transferred). Balance Security vs Business. -- People want flexibility, but everything needs to be quick. People are unhappy if security blocks them (e.g. WebSense on tablet). -- Tried to hack information of people. Weakest point are the people (e.g. send link in email, installed & password captured). People are not aware of the impact. “IT should solve it but should not impact me”. -- Example of organization with 4 separated networks based on risk, people started copying over information via Hotmail & usb. -- People & knowledge are important, technology is only support. -- However, analytics don’t answer everything.
Find the right balance -- All companies have a different risk profile, the actions they take should be aligned to this (e.g. only basic monitoring of specific employees as this is perceived to be enough, based on the risks they pose) -- Don’t create a plan to keep the NSA out. For most companies, this goal is probably not realistic & doesn’t add much. -- A risk evaluation should help you determine your goal (e.g. do you have IP to protect…) -- Balance between perfect security & staying alive. -- Involvement of the legislators (e.g. Belgium & Europe) is defending against Cyber Treats should increase.
Compare yourself to your industry peers -- Management often asks to compare with industry peers (e.g. what are others like us doing) -- Remark: makes more sense to look at your customers, e.g. EU regulation for privacy (up to 5% of global turnover as fine).
Risk Assessment is difficult
Capability shift from prevent to detect/ respond
-- Risk Management helps provide a clear situation, but not always easy to do. How do you put a figure on a certain risk. The difference between quantitative & qualitative risk values. -- Sometimes a clear financial driver can be found (e.g. clients leaving, share drop), but often a lot of guesswork included. -- Cyber Security remains a risk mitigation action
-- Several companies are taking a proactive approach to include security in everything they do e.g. scanning of software during development, active monitoring, … -- As it is impossible to prevent all attacks, the focus has been shifting to the detection and reaction against cyber-attacks, rather than focusing on prevention only.
19
Threat landscape can shift quickly
Crisis management is key
-- The business case for using the internet is changing. Where before it was free to use the internet, it’s clear now there is a cost for protecting the assets you open up to the internet. -- Bank used to focus on tech solutions & processes (e.g. SIEM). Hackers learn this and attack the people (e.g. client gets a call from hacker & gives his personal pin). This circumvents most controls.
-- Attacks often have a cascading effort over the whole chain. This must be understood & handled during a crisis -- Don’t put technical people in charge of crisis communication. Good communication is very important at that time. -- Addressing a crisis should be done by everyone in the team (e.g. Hartbleed attack ---> people saw this via various sources & started to address this). Business looks at IT for the solution where they should work together to improve e.g. cyber risk cell sits with business.
Balance the budget -- Currently on average, companies are spending 80% on preventative security, 20% on detecting & responding. -- There should be an evolution to an information driven security approach.
Reporting on Cyber Security Threats -- Reporting on the state & evolution of Cyber Defense is important. Security departments need to be able to explain how they use the money to improve. -- Report in ways the business can understand: -- You can report that 4000 viruses were caught, but how many passed & what was the impact on the business. This is what interests the business. -- Examples are a threat barometer (every 3 months), active monitoring of news sites & blogs.
Business is part of the story -- Example of money mule, shifted from blocking the frontend (where hackers come in), to the backend (where the money goes out). e.g. I have 2 hours to validate that the transaction is a valid one, gives a lot more time to review the action. -- Cyber Security is not only IT. It should be linked to an enterprise Risk Management process and business language.
Analytics help, but are not a stand-alone solution -- Analytics help, but you need to cover your basics first: -- Find out where you are vulnerable. -- Cover your basics e.g. network security. -- Create the basic architecture first. -- Understand the links & risks first -- Once you have the basics, analytics can build on this. -- However, changing to an information driven security approach also helps to align better with the business goals. Also in terms of the tools (e.g. BigData & Visual results processing), they are used to work with tools like this to understand e.g. the customer behavior.
Hacker has a business case too -- Your hacker has a business case (monetary, conviction, ‌). If you disturb the business case, a hacker will look somewhere else.
CYBER SECURITY
20
Lessons learned / Best Practices Every organization should be concerned with Cyber Security as everyone is a potential target (even if it is as a way into another organization). A good risk assessment will help you understand where and if action is required, although risk values and impacts can be subjective.
Find the right balance in addressing Cyber Security. Once you know your risks, you can create a plan that is aligned with this. A perfect security state in nearly impossible, focus on the things important for your organization. Comparing to peers (e.g. using ISF) is often useful.
In setting up a Cyber Defense capability, align with your business. What you do can impact their capacity to operate, which should not be your goal. They are also better able to assess impacts & advice on potential actions to take. In the end you are trying to protect their business.
Move beyond the preventative security. You won’t be able to keep everything out (the castle approach), instead prepare to detect attacks & intrusions and define how you will (quickly) respond. It is not just about technology.
Understand hackers have a business case too. They attack you for a reason (financial, conviction, ‌.). The way you defend yourself should be in line with this. (e.g. making it harder for them to find relevant information drastically increases effort (cost) on their side).
SECURITY STRATEGY
21
November 18th, 2014 - Vilvoorde
Two main questions:
- How to create a Security Strategy - Making the Security Strategy work within the organization
ATTENDEES Bridgestone
Yves Gilbert
CM
Stefan Van Gansebeke
Acerta
Noel Van Den Driesche
NMBS
Tim Groenwals
CIONET
Frederic De Meyer
Deloitte
Joris Lambrechts
Accenture
Floris Van Den Dool
Accenture
Bert Vanspauwen
SECURITY STRATEGY
22
Reference frameworks In order to frame the discussion and align thoughts, Accenture presented a couple of reference models and ways of looking at Security Strategy. The model below provides Accenture’s view on intelligent Security, a graphical translation of what are key considerations in modern day Security Strategy. The model focusses on both the scope of the strategy (ranging from Enterprise Security up to the defense of the complete Digital Business, well beyond the corporate borders) as the components in it (business driven, adaptive response).
INTELLIGENT SECURITY
DEFENDING THE DIGITAL BUSINESS
Extended Enterprise Security Enterprise Security
Threat intelligence Advanced analytics Accelerated action
BUSINESS DRIVEN
THREAT CENTRIC
DIGITALLY PROTECTED
ADAPTIVE RESPONSE
AGILE DELIVERY
A second model presented was the Accenture Security Operating model. This outlines the different operational capabilities needed to translate the Security Strategy into a day-to-day operational model, capable of fulfilling the Strategy. The model does not focus on solutions (e.g. tools) only, but outlines the need for a supporting governance, a set of processes and performance metrics. Topics that were frequently mentioned by the meeting participants.
During the discussion, we used these models as well as some examples of work we conducted and cases we saw to add to the experiences of the participants and structure the discussions had. The wrap-up of those discussions can be found on the next pages.
Security Strategy defines: -- Security Vision and guiding principles -- Service Strategy -- Sourcing Strategy -- Investments objectives
How we interact to deliver consistent services
How we execute the work
How we organise ourselves to deliver services
GOVERNANCE INTERFACES
PROCESSES
SECURITY OPERATING MODEL
ORGANISATION, ROLES & SOURCING
PERFORMANCE METRICS
FUNCTIONS
How we make, sponsor and enforce the right decisions around security
Who is accountable for doing the work
How we measure security effectiveness
TOOLS What enabling technology we use to deliver IT services
Security Operating Model results are measured by: -- Business Risk Reduction -- Cost Profile -- Flexibility -- Performance Metrics -- Ability to Scale
23
SECURITY STRATEGY
24
Current experiences / challenges
Reporting line for Security
Role of the CISO
-- Where should the CISO (Chief Information Security Officer) be located in the organization? Security as part of IT or located with the business. -- The situation is varies throughout the organizations: -- NMBS: direct reporting to the CEO -- CM: reporting to CEO & CIO; as the business pushes new things, Security needs to be in touch to follow -- Bridgestone: Security is part of IT -- Acerta: Security is part of IT (functions as IT Security Officer) -- bPost: Security is part of IT -- Deloitte: CISO reports to CEO -- Accenture: CISO reports to COO -- Sometimes to CFO (mostly smaller organizations) -- Important to note that Security is not responsible for the complete implementation of security throughout an organization. At best it coordinates security efforts and provides guidance. -- Being part of IT has advantages: -- Often powerful part of the organization -- Ability to reusing the IT framework (often similarities to Security frameworks) -- Most components end up being done by IT anyway (if IT is core of the business) -- But it also has downsides: -- Out of IT, it can be very difficult to understand the business processes & drivers -- It is difficult to get outside of the IT scope, the organization sees you as an IT-guy focused on technical solutions.
-- The CISO is not only / no longer a purely technical person, he needs to communicate with the business & the organization as a whole. -- He is more of a conductor, adapting his approach depending on the occasion (Army General during incidents, coach when talking to the organization, …) -- The view on the role of the CISO has evolved over time.
Overarching Governance key -- Often, a key step in establishing a security strategy is to create an overarching governance structure. This includes outlining who approves the strategy, ensures it aligns with business objectives & ensures the required budget is split as needed. Typically this is organized through a steering committee type of team.
Two budget components -- In most organizations, there are two parts in the budget -- One part is the operational (recurrent activities) for running the security related activities. In some cases these are transferred to other parts of the organization (such as infrastructure teams). These budgets are foreseen year-over-year -- The other part is project based to build additional capabilities & tooling as required. Often these are not part of the budget and the Security department needs to find ‘sponsors’ in the business for it, which can be challenging.
25
Relate Security to business concerns
Security does not decide
-- As outlined in the figure on page 23, Security is more than tools. It can be ok to start from the technical components, but extend into the organization & the approach. -- Relate everything you do to the business value it brings. You should be able to explain why this investment / mission is important to the business.
-- It should be the role of the Security department to create the framework for identifying risks, help in finding solutions (and weigh potential options), but the business should decide on how to proceed.
Security as a business enabler -- Security is often seen as a ‘blocker’, getting involved at the end of the process to say it is not allowed to do certain things. -- The ideal situation is where security acts as a business enabler (e.g. Dutch bank: business wants SalesForce, Risk doesn’t accept the decision, Security works with the business & proposed CipherCloud) -- This requires pro-activeness from Security. -- Security is often asked to implement the requirements they position. E.g. data classification -> create it in isolation & come back when it is done & ready to use, this does not help in aligning with the business.
Security Metrics as a way of measuring success -- ISO27001 as an external certification, proving the state of security, typically with 2 assessments per year -- ISF (Information Security Forum) provides a way to benchmark against other organizations, potentially continuous benchmarking, with a quite complete checklist -- Create a consistent reporting framework: define a number of domains & a scoring, provide feedback (dashboard style) at regular intervals. Plan should include targets and evolution towards the targets. This is often triggered by a request from the board.
Security & Outsourcing -- Outsourcing is often the moment to start enforcing a security policy. 2 important points: -- Define your security strategy upfront. Typically during the contract, the conditions & policies are executed to the letter of the contract, meaning what is not in, won’t be done. Only when maturity evolves does it become a collaboration -- Define how you will measure it. As you won’t necessarily have access to all key items, ensure you have a way to track/control it
Importance of a connection between security and the organization -- Security cannot just enforce its view in the organization, it should convince them, using networking skills. -- The way a security strategy is created & positioned in the organization, does not come from the security frameworks, but follows the general patterns on strategies (e.g. like in the books on Napoleon, Churchill) and requires other than just technical skills -- Part of this is trial & error.
Shortterm vs longterm strategy -- The Security teams are often heavily involved in operational tasks/firefighting, which makes it difficult to focus on the strategical / tactical level. -- A good risk management process helps in doing this as it provides a clear view on where to focus. -- Allocate a portion of some people’s time to focus on the long run. After a while this avoids the firefighting. -- Take a couple of fixed moments a year to think about the direction. An offsite helps free the minds from the daily work. This is often easier to do in larger companies, but you always need to have a plan… -- In a lot of clients, there is no real strategy created, rather a list of the 5-10 top priorities for the next year
Architecture as a cornerstone of security -- Architecture aims to translate key concepts into guidance for their implementation (e.g. data centric security), this should be done with security in mind. -- NMBS has created a team of security architects that help other architects in defining a security solution from the bottom up -- They are currently developing a project governance that includes Security. This forces every new project to consider security. Next step will be to enforce this through the project approval board -- A strong PMO office makes it easier to enforce -- Watch out for over-control
MOBILE SECURITY
26
Lessons learned / Best Practices It is key that Security (the CISO) reports at the right level of the organization. The further away from the strategic direction they report, the harder it is to make the right decisions and be pro-active.
Security cannot afford to be only technology focused. They need to be in touch with the business & aim to enable the business in their goals. This requires a communicative Security department, with a network in the business.
It takes time to create and follow-up on a real Security strategy, which is particularly difficult with a team focused on firefighting, but it pays off to think ahead. A security department should be able to report on their progress through consistent and business focused metrics. If the business invests money in security, Security should make sure to prove the value of the investment.
Outsourcing is not an easy way to get rid of security concerns. When outsourcing, a strict and complete security vision becomes even more important, as the outsourced parties typically don’t ‘think with you’ but merely execute what they are contracted for.
27
About CIONET CIONET is the biggest community of IT executives in Europe. Bringing together What’s next. over 4500 CIOs, CTO’s and IT directors from wide ranging sectors, cultures, academic backgrounds and generations, CIONET’s membership represents an impressive body of expertise in IT management. CIONET’s mission is to feed and develop that expertise by providing top-level IT executives with the resources they need to realize their full potential. CIONET develops, manages and moderates an integrated array of tools and services from the online CIONET platform – the world’s first social network for CIOs – to a range of offline networking events, conferences, workshops and executive education programmes all tailored to top-level management. CIONET also provides exclusive access to the latest research through regular online and offline publications and a number of value adding partnerships with key players from the academic and corporate worlds.
Faced with the rapidly changing role of today’s IT executive, CIONET not only helps its members keep up with the pace of change but empowers them to take an active role in shaping the future of their field, always challenging them with “What’s next.”
Keep in touch: follow us on Twitter @cionet or through our LinkedIn page. If you are a CIO and wish to become a member please contact mieke@cionet.com If you have relevant content for our CIO members please contact frederic@cionet.com If you are an IT vendor and wish to establish a close relationship with our CIO members please contact hendrik@cionet.com
SECURITY STRATEGY SECURITY AWARENESS & BEHAVIORAL CHANGE CYBER SECURITY MOBILE SECURITY
Special Interest Group on Security
SCOPE AND MISSION During the “Value Creation with Cyber Security - CIONET Belgium Networking Event” end of February 2014, 10 Security related topics were presented. Out of these, 4 topics were selected by the CIO’s present through a vote. During each of the CIONET Special Interest Groups, we zoomed in on one particular topic in a 2hour session. Accenture facilitated the discussion, but the key contribution came from the participants. They shared their experiences, achievements and lessons learned on the selected topic. The outcome of these meetings has been documented in the Best Practices documents, of which this document makes part. In the different sections, you will find the write-up of the topics discussed and experiences shared, providing you with an overview of how different organizations are addressing the topic.
What’s next.