
The Evolving Role of the CISO

The Economics of IT: Exploiting Technology to Achieve Competitive Advantage, 30 August to 1 September 2006, Centro Banamex, Mexico City, Mexico

Paul Proctor

These materials can be reproduced only with Gartner's written approval. Such approvals must be requested via email vendor.relations@gartner.com.


Strategic Planning Assumptions


- By 2008, 35 percent of Global 2000 enterprises will have a risk management function that integrates information security and business continuity activities into the companywide profile of strategic, financial and operational risks (0.8 probability).
- By 2008, 20 percent of Global 2000 enterprises will have effectiveness assessment systems in place that will monitor the information security health of business transactions in real time (0.7 probability).
- Through 2008, companies that implement end-user information security awareness training will experience a 25 percent productivity saving in their information security program by not having to react to security incidents that could be avoided through workforce knowledge of threats, risks and mitigating controls (0.8 probability).

An information security risk management program manages companywide IT risk exposures systematically to minimize the effects of exploited risks and preserve the interests of management, customers and shareholders. The information security risk management program needs to address all technology products, services, delivery channels and processes because of the reliance on technology as a core component of delivering business service. This presentation examines organizational structures for information security and the relationships between the IT security and the operations groups in organizations, and it considers the potential for collaboration with those responsible for the physical security of a company.

2006 Gartner, Inc. and/or its affiliates. All rights reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

Paul Proctor MEX24L_523, 8/06, AE

Page 1


Key Issues
1. How have the requirements for a good Chief Information Security Officer (CISO) changed in the last decade?
2. What are the best practices of an information security risk management program?
3. How do you get the business appropriately involved in security and risk management?


Page 2


The Evolution of the Security Officer

The security officer role has evolved as security in organizations has changed.


Page 3


1990 to 1998: The Network Administrator


Also known as: The network administrators that work on security in their spare time.
Skills: Can decode an IP packet.
Training: SANS.
Disposition: Nobody is interested. Security is considered to be an IT problem focused on the network, so it is left to the network administrators.

From 1990 to 1998, security was not a high-profile issue. In government research, the Trusted Computer System Evaluation Criteria (known informally as the "Orange Book") and later the Common Criteria attempted to define security as a set of controls based on mathematics and theory, but these efforts were ignored by commercial industry. Security in organizations was managed by network administrators in their spare time as part of their normal network administrative duties, and they were not given the credit. It was expected of them. Early security people were deeply technical because the idea of exploits was deeply technical. It required knowledge to decode network packets to look for traffic that was attempting to bypass the firewall. During this time, the SANS (SysAdmin, Audit, Network, Security) Institute became the central resource for gathering data regarding security and techniques.


Page 4


1999 to 2002: The Security Person


Also known as: The security people that work on security part time.
Skills: Can secure budget from the CIO using fear, uncertainty and doubt.
Training: (ISC)² CISSP.
Disposition: "Buried" three levels deep in IT and network-focused; they at least have a budget and some recognition, but little respect.

From 1999 to 2002, security was recognized as a significant problem and was assigned a budget, but it continued to be dismissed as a technical problem and was "buried" three levels deep in the IT organization. The security person was little more than the network administrator with recognized responsibility. In most cases, they were poor communicators, but they learned to defend their newly acquired budget. With little sophistication, they started to perfect the tradition of securing budget from executives by generating fear, uncertainty and doubt. However, the sophistication increased as security people turned to the International Information Systems Security Certification Consortium, (ISC)², for more-rounded learning and to achieve their Certified Information Systems Security Professional (CISSP) credentials.


Page 5


2003 to 2006: The CISO


Also known as: The person that says "no."
Skills: Knows how to work within the system.
Training: (ISC)² CISSP.
Disposition: Universally disliked because the exercise of power does not always balance business needs. Respect is based on power, not necessarily ability. Only auditors and lawyers are feared and disliked more.

The CISO arrived and received due respect in 2003. Driven by compliance and "worms," security became a clear and present danger to executives. Security was elevated to become its own department, but in many organizations it continued to report three levels deep in IT. The new department was integrated into many organizations, in many cases to the dismay of the rest of the organization. Despite this new position, many of these security practitioners were poor communicators and earned the reputation of being the people that say "no." For example, "No, you cannot stand up that new system," "No, you cannot 'go live'," "No, this is not ready." In the defense of many of these CISOs, organizations were not entirely ready for the cultural changes needed for the effective integration of security. Asking a security officer on Friday afternoon to approve a system that goes into production on Monday does not foster a healthy working relationship. Many security officers' response was to work within "the system," which did little to improve their popularity. In most cases, CISOs abandoned the use of fear, uncertainty and doubt in favor of return on security investment to support their budget.


Page 6


The Evolution of Security Requirements


[Figure: timeline from 1980 to 2006.
Technology: Secure OS, Encryption, Firewall, Antivirus, IDS, SIEM, IAM, IPS.
Threats: Unauthorized Access, Insiders, Network Threats, Viruses, Worms, Identity Theft, Regulation.
Budget Justification: Fear, Uncertainty and Doubt; Return on Security Investment; Business Value.]

Acronym Key: IAM = identity and access management; IDS = intrusion detection system; IPS = intrusion prevention system; SIEM = security information and event management

Security requirements have changed, and this has driven an increase in the complexity of the role that security officers are expected to manage. Technology in the early 1980s was based on secure operating systems and encryption, but the advent of the Internet and e-commerce changed priorities. At that point, security was based almost entirely on firewalls, with a focus on unauthorized access. Secure operating systems may have been abandoned as a security technology, but antivirus became a necessary control because hosts were under attack from viruses. A dramatic growth in security technologies followed, from identity management to intrusion detection and prevention, and SIEM. In 2006, compliance and regulation are significant drivers and are considered by many to represent threats that need to be addressed. Budget justification has evolved from fear, uncertainty and doubt, which no longer sway executives. In a desire to integrate with the business, security officers learned to speak in terms of return on investment (ROI). However, to businesspeople, ROI means "invest money and receive money in return," which does not occur in security. Security is a cost center, and executives know it. Security people were trying to convince businesspeople that risk management and security represented an ROI, but businesspeople did not understand this idea. As a result, ROI has been replaced with the idea of risk management having a business value.


Page 7


Part of the Business Fabric


- Security cannot be achieved by technology alone; it is a core part of the culture.
- Requires cultural, behavioral, procedural and technical change.
- 100 percent security is impossible; the goal is appropriate security investment.

[Figure: infusion of a security culture through four layers: Policy, Behavior, Process and Technology. The people involved are staff, partners and clients; the layers of the enterprise covered are business process, application, infrastructure and information.]

If organizations cannot demonstrate appropriate security, their clients and partners will go elsewhere.


Page 8


Information Security Maturity


[Figure: information security maturity curve (maturity versus time). Phases along the curve: Blissful Ignorance; Awareness Phase; Corrective Phase; Operations Excellence Phase. Milestones in order along the curve: Assess Current State; Establish (or Re-Establish) Security Team; Initiate Strategic Program; Develop New Policy Set; Design Architecture; Institute Processes; Conclude "Catch-Up" Projects; Continuous Process Improvement; Track Technology and Business Change. Population distribution along the curve: 50%, 30%, 15%, 5%.
NOTE: Population distributions represent typical, large Global 2000-type organizations.]

Slide 9 shows the relative maturity of organizations with regard to security programs. Key stages are marked along the maturity curve, starting with an assessment of the current state and followed by the establishment of a security team. As maturity increases, the initiation of a strategic program marks the beginning of the first significant improvement in information security. As part of this program, domains and the associated trust levels (or security baselines) are created that will characterize a mature and useful program. Organizations achieve genuine progress when they design an architecture that supports domains and trust. Instituting processes moves organizations out of the ad hoc, reactive mode and into the proactive mode. Processes are repeatable, survivable and measurable, and they can be improved on an ongoing basis. At the top of the curve, organizations have reached a maturity level at which they have organized all the processes and can focus on improving good practice. Gartner estimates that 80 percent of organizations are in the initiation phase, or the lowest levels of this maturity, and that 15 percent are working hard to mature their processes. The figure indicates that 5 percent of organizations have achieved the highest levels of maturity, but Gartner estimates that less than 5 percent of organizations have achieved this level in practice.


Page 9


Security Officer's Activity Cycle


[Figure: the security officer's activity cycle. Governance = Authority + Accountability.
Plan: Strategize; Organize; Annual Plan; Controls.
Build: Architecture; Process.
Run: Communications & Relationship Mgt; Identity & Access Mgt; Risk & Control Assessment; Threat & Vulnerability Mgt.]

Security is an immature discipline; best practice changes rapidly. Security technology is also immature, and it frequently fails to perform as advertised. So how does a security officer go about meeting his or her objectives, identifying risks and keeping the enterprise and its information secure? Gartner has found that most successful security officers follow a set pattern of activities and processes. Given the immaturity in technology, process and even terminology, some reference base is crucial to maintaining a focus on objectives. A documented and supported methodology for establishing and operating security programs is very attractive to many practitioners.

Security imposes constraints on both business and IT operations to reduce risk. The business must control security via governance structures (committees, teams, assigned oversight roles). Three-to-five-year goals are needed: security is a cultural artifact, and those take time to grow or change. A long-term strategy should be developed using a security methodology as a starting point, and a tactical (one-year) plan should be generated from the long-term strategy. Roles and responsibilities must be clearly assigned to avoid security failures resulting from unrecognized gaps.

Architecture, process and policy are three keys to reducing the common "reactive" mode of security team behavior. Increased threats demand improved architectures, and security architecture is going through a period of rapid change. Security process maturity is crucial to reducing the cost of security, as well as to preventing security failures. Security policies are the embodiment of the business requirement for security; they are the basic communications element among business, security and IT.

Page 10


What About Monitoring and Response?


[Figure: Enterprise Risk Management sitting over Governance, with the operational activities split into Administration and Monitor & Response. Administration sits with Operations; placing Monitor & Response there raises a segregation of duties question (SOD?), and Monitor & Response may instead be outsourced.]

It is important to differentiate between two types of operational activities: administration and monitoring. Because security monitoring in essence constitutes an "operational audit" function, moving it into the network/systems operations team creates segregation of duties issues. Hence, many organizations are considering outsourcing the monitoring functions to managed security service providers. Alternatively, this function stays with the security management function (from a reporting line perspective).


Page 11


There Is No Perfect Organizational Chart for Security


[Figure: a sample security organization chart. Security Steering Committee ("where the buy-in takes place"), with Internal Audit, Resource Owners and Applications represented. Functions shown: Relationship Mgmt; Leadership; User Provisioning; Security Operations; Analysis & Design; Tech Support; Architecture; Risk & Compliance.]

The CISO operates horizontally, so vertical org structure is less important.

Far too many organizations are spending far too much time continuously reorganizing their security function in a fruitless search for the "perfect" reporting structure. The CISO must work horizontally, across the organization, influencing multiple functions within each business unit or region. Organization structure is important, and there are distinct differences between putting the CISO inside IT, inside Corporate Security, inside a risk management office or even reporting directly to the CEO. However, the benefits of any reporting structure are most likely to be effectively used by a mature security program. Mature programs, and their managers, tend to naturally gravitate toward an optimal reporting and dotted-line arrangement. If an information security program is broken and needs to be fixed, changing the organization chart is rarely the best place to start.

The most important first step in the maturation of a security program is building up the influence base. In most enterprises, the Security Steering Committee (see ISO/IEC 17799:2000, "Code of Practice for Information Security Management") is the most effective instrument for effecting organizational change and ensuring a common, synergistic approach to security across the company. If all constituent business units or locations are adequately represented by the committee and the committee sets the agenda and the policy, then the entire organization is much more likely to accept it as being based in reality and appropriate to circumstances.

Note that we make a distinction between user management and other forms of security operations. User provisioning is separate from security operations, such as firewall management and SIEM monitoring. Both are operational tasks, and both may be described as security and will have some level of dotted line to the CISO, no matter where that person sits, but they are done by different people, in different rooms.

Page 12


More Than 30 Percent of Organizations Say Infosec Is Not Part of IT Department


Reasons organizations take information security out of the IT department:
- A corporate decision to separate risk control from risk management, usually for compliance reasons
- A suitable reporting point exists: a Chief Risk Officer, or a Head of Security (i.e., physical security or criminal investigation)
- The business model is subject to high levels of cybercrime
- The IT department is already very large and specialized

[Figure: a spectrum of reporting points for the CISO, from the CIO at one end to the CRO at the other, with a "Political Wasteland" between them.]

The decision to take the CISO out of IT is not a simple one. Five years ago, such a step would have been considered very extreme. Today, it has become commonplace. Surveys vary in their results, with 30 percent to 50 percent of organizations claiming that security is independent from IT. This disparity in results suggests that the question isn't necessarily well understood. In practice, the security function can never be totally divorced from the IT function. The CISO will always have a working relationship with the CIO, and that relationship is generally somewhat subordinate. It often amounts to a dotted-line report to the CIO and a solid-line report to a Chief Risk Officer or some other executive with an ongoing relationship with the Board, or even a position on the Board.

The reason it makes sense to take the CISO out of IT is that the CIO is not really expected to make security a top priority. Yes, organizations give lip service to it, but the CIO's annual bonus depends on having improved functionality or efficiency, not on having reduced risk. When the CISO steps out of the IT department, he or she takes on a risk control role. This role may include some operational tasks, but it usually does not include user provisioning or system management. We continue to experiment, looking for the ultimate organization chart, but every attempt requires a compromise. Structure alone cannot solve all problems.

Page 13


Getting the Business Involved


[Figure: the Risk Management Organization sits between the Business Unit and Operations. Operations expresses risk in technical terms to the risk management organization, which explains risk to the business unit without technical terms; the business unit expresses acceptable risk, which the risk management organization translates into security requirements for operations. Security budget: the bulk ($$$) sits in Operations, with smaller shares ($) in the Risk Management Organization and the Business Unit.]

Many security practitioners are aware that security needs to become more integrated with the business if both are to be successful. However, very few know how to accomplish this. The future of security organizations provides some insight. Risk management differs from security. In most cases, security has resulted in organizations protecting themselves as much as they can within the limits of available budget. Recognizing that perfect security is unattainable, risk management is the process of making conscious decisions about appropriate levels of residual risk. Security people, buried three levels deep in the IT organization, should not be making these decisions for the business, so the business needs to become involved.

The emergence of the risk management organization is an evolution of the security group. It sits between operations, where most security is implemented, and the business, where appropriate residual risk decisions based on the risk tolerance of the organization should be made. The risk management organization is able to discuss technical issues about threats and countermeasures with operations and translate them into nontechnical options and understanding for the business. The business, in turn, expresses a level of acceptable risk to the risk management organization, which translates these requirements into technical and policy directions for operations to implement. Most of the budget remains in operations, but residual risk decisions are placed firmly where they belong: with the business.

Page 14


2006 Onward: The Risk Management Officer


Also known as: The person trusted to protect the company.
Skills: Communication; project management; ability to balance strategic, tactical and technical requirements. Can have a conversation about security without discussing technology.
Training: Business school with an emphasis on risk management and security.
Disposition: Reports to the board. Balances risk with business needs appropriately.

The risk management officer is a trusted and fully integrated member of the executive team. These officers have excellent communication and project management skills. They can balance strategic, tactical and technical requirements. They understand the importance of security to the company. They understand their own role to facilitate the culture changes necessary to guide operations away from its monopoly on security decisions and to guide reluctant executives toward their responsibility to own residual risk decisions. They can have a conversation about security without discussing technology. Risk management is a business (rather than a technical) discipline, so their education leans toward business school with an emphasis on risk management.


Page 15


Recommendations
- Establish an information security office to oversee the IT risk management activities of the organization.
- Establish a risk management committee with purview over all risk issues in the organization.
- Review the daily security management procedures with IT operations to ensure consistency and timeliness in the overall security of the IT infrastructure.
- Assign ownership for the information security risk management function.
- Develop an information security risk assessment process.
- Develop an IT asset risk inventory as the starting point in identifying vulnerabilities and associated mitigating controls.
- Establish information security policies and architecture.
- Ensure information security covers new technology integration.
- Establish an information classification program to ensure the correct application of mitigating controls.
- Review the organization's use of outside service providers with regard to their compliance level with the organization's policies.
- Establish critical effectiveness metrics for each information security policy.
- Report the state of the information security risk management program to senior management semiannually.


Page 16
