Security Governance 1.

Security Governance Best Practices and Trends in State Government
Workshop: Security Governance for the 21st Century Public Sector Enterprise
Bob Smock, CISSP, CISM, PMP
Vice President, Program Lead Security and Risk Management, Public Sector
Gartner Consulting
bob.smock@gartner.com
Gartner Catalyst Conference, August 11-14, 2014
Manchester Grand Hyatt, San Diego, CA
Bob Smock, Kim May

Security Governance 1

What is Governance?
A theoretical concept referring to the actions and processes by which stable practices and organizations arise and persist. The term conveys the administrative and process-oriented elements of governing. [Wikipedia]
A method or system of government or management; the exercise of authority and control. [Dictionary.com]
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly. [IT Governance Institute]
Security Governance exists to ensure that the Security Program adequately meets the strategic needs of the business. Security Management implements that Program. Security Operations executes the processes defined by that Program.

Two Immutable Truths
Most security program failures are not technology-related; failures are due to a lack of clear priorities, a lack of clear goals and objectives, and a lack of clear decision-making processes.
Security programs tend to be viewed as obstacles to business, not facilitators of business.
Gartner is seeing a growing trend in requests for governance assistance as enterprises attempt to migrate away from the traditional definition of strict IT security risk management that includes access control and vulnerability management.
Security governance is beginning to take on the wider scope of business risk management that includes market protection and compliance.

Most security program failures are not technology-related. Failure is more likely to occur because of poor governance or poor management of the overall program or individual projects. Many security programs lack clear priorities, goals and decision-making processes. As a result, they will likely suffer, or already suffer, from cost overruns, timeline slippages, or reputational damage. The not-so-subtle transformation of the enterprise security model is being driven by today's highly competitive business climate with the emphasized need to contain costs, remove obstacles, and maintain a competitive edge. A competitive edge comes with new technology — and new threats. And many times, security controls are viewed as obstacles TO business, not facilitators OF business.

Clients Speak
Hard and Crunchy: "This is not a democracy — personnel are expected to follow organizational security policies"
Soft and Chewy: "Trust but verify — approach to an open business culture"
Necessary Evil: "Security should not be a disruption to the business"
Important but Not Urgent: "We (security) may be boring, but we're predictably boring"
Game Philosopher: "Security is a game of inches — change does not happen overnight"
Auditor Antagonist: "Compliance is not equal to security"
Ostrich: "We trust IT to have good judgment"

Objectives of Security Governance
To coordinate and control protection within the enterprise commensurate with enterprise needs
To provide consistent management through the use of cohesive policies, processes, and decision rights
Establish balanced and effective control of key components of business and information operations
Create the internal business conditions that allow enterprise needs to be met
Migrate away from traditional security risk management toward business risk management
Transform approaches that simply meet security objectives into those that achieve business objectives

Clearly delivering the right balance of protection needed for the nature of the business risk is both important to do and hard to achieve. The goal of security governance is to coordinate and control protection within the enterprise so as to make the overall security program effective and efficient for the enterprise needs. Governance creates the internal business conditions that allow these needs to be met and balanced through effective control of key components of business and information operations. Governance relates to consistent management and the use of cohesive policies, processes, and decision rights for a given area of responsibility. There is a growing trend to migrate away from traditional security risk management toward business risk management. Organizations need to transform approaches that simply meet security objectives into those that achieve business objectives.

Maturity of Security Governance
Identification and mitigation of infrastructure weaknesses
Security posture maintenance and residual risk management
Regular and periodic measurement and communication of operational risk
People, Process, & Technology commensurate with objectives
Systematic approach for integrating security protection and business processes
Direction setting and prioritization commensurate with appropriate funding & resources
Establishing a culture of security: upward, downward, outward
Position and reporting level with separation of governance and operations
Lifecycle Management: planning, deployment, operations, feedback
Environmental feedback and adjustment
Expected behavior with implementation standards and guidelines

What Do We Need To Do
Security Governance Goals
Organizational Structure
Rules and Rule Sources
The [Chief] Information Security Officer
Power and Influence
Supporting Functions and Groups
Funding
Assessment and Enforcement
Metrics and the Enterprise Security Control System

The Goals of Security Governance

Appropriate Examples for Goals
Meet due diligence, regulatory, and contractual requirements
Establish minimum standards for compliance
Respond to audit findings
Meet business needs for data integrity, availability, confidentiality, and accountability
Ensure ongoing utility of data and systems
React effectively to the business environment
Meet budget objectives, control costs, and manage mandatory compliance costs
Protect and manage the organization's reputation and constituent satisfaction
Protect customer data & intellectual property
Monitor adherence to code of conduct
Protect inside from outside and inside from inside

The Trends
Maturity of security governance varies due to program youth, size of the organization, and limited direct leadership
Security is viewed as a "business enabler" for organizations in highly regulated industries or with requirements to protect critical infrastructure
Organizations that have not experienced a recent intrusion or malware outbreak have reduced vigilance
Prevention of a data breach and potential fines for compliance failure motivates organizations
Near-term security plans are made on an annual basis, failing to address strategic security planning which considers a 2 to 4 year horizon
Governance councils are important to formulate interactions between centralized and decentralized functions

Organizational Structure

Best Practices
The structure of the enterprise must be reflected in the structure of the security governance program
An independent structure for the security program is necessary to its function
Other enterprise governance councils provide a forum for security to provide input on risk
Mergers can result in cultures that need different approaches
Governance is about controlling organizational behavior; this is accomplished by applying change strategies to organizational structures

The Trends
Infosec overwhelmingly still belongs to IT; some to legal, finance/comptroller, or compliance; corporate or physical security is separate from IT security; internal audit may coordinate with security on testing
Leadership — At least one full time enterprise ISO; missing matrixed decentralized ISO. Security organizations are often matrixed with functions distributed to operational groups or business units
Reporting — More than one level removed from senior staff; there may be credibility issues with security managers not being at a senior level position
Lack of separation between governance and operations
Staffing — Insufficient resources; security team size varies based on part-time functions, extent of operational involvement, and availability of necessary skills. Many business units have their own IT organizations and resources, including operational security teams; centralized security works with de-centralized resources to coordinate on programs and standards
Skills and certifications requirements growing but not always recognized; professional training should be specifically planned and funded to support skills and certifications
Lacking coordination — Operational managers should coordinate via a security leadership council

Rules and Rule Sources

Best Practices
Rules for governance come from regulatory and corporate drivers
They also come from industry standards for due diligence and appropriate behavior
Policies, standards, and processes are put in place to create the environment that fosters appropriate behavior
The overall governance process is rarely successful without a systematic application of a set of governance rules

The Trends
Failure to map controls to security objectives
Failure to establish a "minimum standard" or "best practices" approach to controls; leverage NIST or other frameworks as a source for control standards
Failure to leverage frameworks such as ISO and ITIL as a program management benchmark for consistency
No security policies defined as strategic to the enterprise
Security policies not integrated with overall enterprise policies
Lacking comprehensive standards and guidelines to define acceptable implementations of policy

Policy and standards areas: data classification and protection, risk assessment and residual risk management, business continuity, identity and access management, incident response and vulnerability management, mobility and connectivity, audit, investigations; encryption, platform security, application security and software development, telecommunications, change management with assurance, authentication. There are a variety of control frameworks in use with mapping of internal standards (often involving ISO 27000 or NIST).

The ISO

Best Practices
Exists to run the enterprise information protection function
Has visibility in senior oversight/governance councils; responsible for representing IT and technology risk to senior business management, with a direct path for communicating risks to executives and to get insight on IT projects
The critical decision of where the function should be placed in the org hierarchy is directly related to how important information and security are to the business
The need for direct communication about key issues to top management should be seriously considered in placement
Rarely owns or leads senior management review of enterprise business risk
Uses a mix of relationship-based ad hoc contacts and regularly scheduled cross-organization committee meetings, which often include executives and business leaders
The CISO should not be placed below other top management because of the need to mitigate insider threats at the highest levels of the enterprise and not be subject to undue internal political influence. Should be at a level in the organization comparable to the CFO or chief counsel, but can reside at one level lower depending on the criticality of the function to the business

The Trends
Rule of thumb: Successful security programs are run by strong characters; less successful programs flounder because of the weakness of the ISO; influence, not edict, is the key tool. Do your homework, identify executive concerns on security, accept the burden of dealing with them, and report results of security initiatives to build credibility. A role to "influence and inform" business decision makers and build relationships with people that can influence change
Establish a security management framework; all feedback is assimilated into the framework
The Security Management Plan (SMP) — Describes the overall security program and provides foundational guidance
Generally not responsible for defining privacy policies, business continuity, and IT disaster recovery, but may be involved in execution. Overall SOX compliance is under the CFO, but the CISO is generally responsible for IT SOX (404)
Typically provides baselines, templates or standards to leverage and build on

Funding

Best Practices
Security may have direct funding of only $3 million to $6 million for governance in a large enterprise; however, the funding influenced or indirectly controlled by security typically ranges from 5% to 10% of total IT expenditures
Funding includes personnel, operations and maintenance, and security-specific projects; define separate lines of funding for governance and operations, including personnel, security initiatives, and project support
About half of funding is for personnel
These numbers increase during program development, compliance efforts, and for high assurance situations
Much of the true cost of security is hidden due to accounting processes, indirect influence on business operations, mounting requirements, legal costs, etc. Other costs associated with security are harder to codify: extra churn associated with additional security requirements, effect on employee morale and stress, barriers to entry, surveillance, error costs, and legal costs
The costs associated with incidents and their resolutions are typically very hard to quantify … as are those with consequences that were NOT incurred because of the effectiveness of security

The Trends
Security groups are required to reduce costs due to unrecognized business impact/value; operational security is typically exempted from major reductions
Organizations with strong regulatory pressure or high potential impact of data breaches are not cutting security spending
Hiring restrictions, staff cuts, and low retention create trade-offs with just being able to do what is required
Investment in security awareness programs remains unrecognized as a priority to mitigate security risks in the face of deep cuts or leveled funding
Security-specific funding is rarely identified as a separate "line item" in the enterprise budget
Security organizations continue to be reduced and cost-constrained as stand-alone functions

Metrics and Enterprise Control

Best Practices
Feedback must be acquired in a form that can be applied to make corrections
Effective control implies meaningful measurement and reporting with accuracy; "meaningful" means costs, consequences, and effectiveness
Establish metrics as meaningful and achievable by measuring progress over time relative to standards
Risk and threat metrics tend to be subjective and hard to quantify
Metrics used as a performance improvement objective are highly visible and effective
Transition from tactical risk metrics from point solutions to strategic risk metrics from the security architecture (people, process, technology). KRI metrics that are associated with and can be shown to impact business KPI are most effective; this enables the transition away from tactical risk management through point solutions to strategic risk management through security architecture

The Trends
Organizations vary in the focus of their metrics programs, as does the maturity of metrics programs, up to mature organizations with formal programs
Moving toward greater automation in metrics programs; the trend is to establish and staff formal metrics programs and review boards
Tie enterprise key risk indicator (KRI) metrics to business key performance metrics (KPI). Effective KRI metrics expand beyond monitoring typical security vulnerabilities to monitoring the industry-specific security threat landscape
Results of risk assessments and audits are an important metric — demonstrates continuous improvement; data breach metrics get assigned a dollar cost; exceptions to controls are tracked; SLAs/contracts establish some metrics that are tracked
Technical metrics are tracked and reported but are usually the least useful; low level metrics are produced by security tools, such as SIEM, antivirus, email filters, vulnerability scanning and penetration testing, DLP, audit findings, and so on
Tactical operational metrics are reported on a periodic basis but are not necessarily useful to executives; security posture and project status are often visible to senior management and boards but don't show overall value
Security still needs methods to measure success; it remains difficult to demonstrate security's value to the business or the overall effectiveness of security programs
Security metrics programs are immature but becoming more common and seeking more useful and higher quality metrics

Pick-7 Key Points Review
Communicate: Establish a security program that identifies, measures, and communicates the dangers and reasons for security initiatives and employee vigilance while allowing for exceptions and acceptance of business risk under specific conditions
Influence: For ISOs, collaboration, communication, and credibility are a must; influence, not edict, is the key tool
Lead: Security leadership needs participation in the enterprise risk management process with senior management
Coordinate: Regular forums for coordination between security and other department and business unit stakeholders to cultivate credibility and influence
Culture: Use accepted standards and frameworks, then modify to suit the needs of the organizational culture
Invest: When budgets are tight or cut, focus available investments on security awareness and building the business case for projects when funding improves
Value: Track and report metrics as indicators of the effectiveness of protections as well as the value of security, not simply vulnerabilities mitigated

Progressive organizations are building effective security governance focused on good communication and collaboration practices, and a philosophy of helping others understand and manage risk.

Q&A What are the pros and cons of your security governance structure?