
Slide 1: Security Convergence - A Building Block of Enterprise Security Risk Management
Dave Tyson, MBA, CPP, CISSP
Senior Manager, IT & Physical Security, City of Vancouver

Slide 2: City of Vancouver
- 3rd largest city in Canada
- Services about 1.5 million people per day
- 10,000 employees
- 4500 computer users
- Home of the 2010 Winter Olympic Games
- Departments: Police Dept. (VPD), Fire Rescue (VFD), Public Library, City Parks, Engineering, Community Services, Corporate Services, Community Theatres, Law & HR, Non-Profit Societies

Slide 3: My Background
- 23 years in Security
  - 16 yrs Physical Security
  - 7 yrs IT Security
- Certified Protection Professional (CPP)
- Certified Information Systems Security Professional (CISSP)
- Master's Degree in Business – Digital Technology Mgt.
- Member of the Professional Certification Board of ASIS International
- Advisory Board member for Alliance for Enterprise Security Risk Management (AESRM)
- Member of ISSA, ASIS Int., ISACA

Slide 4: The New World
- The world is once again flat!...or maybe round!
- Single dimension focus
- IP pandemic: Ethernet on appliances, cars, phones, tracking devices
- Global move to hold organizations accountable for security breaches
- But, at the enterprise level, new risks emerge:
  - Centralization
  - SSO
  - Directory Services

Slide 5: Interesting numbers
- Globally, 40% of organizations have IT/Physical Security professionals reporting to the same leader – PWC 2006
- 75% of organizations have some level of integration between IT and Physical Security – PWC 2006
- 80% of on-line consumers are at least somewhat afraid of identity theft – ESG 2005

Slide 6: Convergence is a Strategic Activity
- Security is a weakest-link discipline
- People, processes and technology – these are about integration!
- It's about creating business value:
  - Reducing costs
  - Reducing risk
  - Reducing duplication

Slide 7: Convergence Defined
The integration, in a formal, collaborative and strategic manner, of the cumulative security resources of an organization in order to deliver enterprise-wide benefits through enhanced risk mitigation, increased operational effectiveness and efficiency, and cost savings.

Slide 8: Drivers for Change (Booz Allen Hamilton Survey - 2005)
- Rapid expansion of enterprise ecosystem
- Value migration from physical to information-based & intangible assets
- New protective technologies blurring functional boundaries
- New compliance and regulatory regimes
- Continuing pressure to reduce cost

Slide 9: Changing Threat Paradigm for Physical Security Professions
- Physical security had been chiefly responsible for fraud, theft and harassment issues in the workplace
- New people in the organization are responsible for security "stuff" but may not have specific security backgrounds
- Threats are facilitated and enabled by the technology
- 2.1 billion cell phones (no security) and 850 million IP nodes in 2004 – when these phones become addressable under 2.5 & 3G technologies... well, let the games begin: triple the size of the internet with less security
- The average physical security professional knows very little about these issues at this time

Slide 10: What does this mean on the risk side of the equation?
What gets worse?
- Fraud
- Harassment
- Stalking
- Identity theft
- Phishing & Pharming
- SPAM
- Viruses
- Delivery of Spyware, Trojan horses and Adware
What gets easier?
- What it takes to perpetrate these activities

Slide 13: Docupen

Slide 14: Key Concepts of Security Convergence
- Both departments bring strengths to the table – those strengths must be capitalized on to address the inherent challenges in the other group's business
- IT Security has technical expertise but not large numbers of staff; physical security generally has the opposite. Both groups can benefit from each other!
- Convergence needs to be slow and measured
- Groups must start by first speaking a common language

Slide 15: Changes at City of Vancouver
- Interest in a shared services approach began the discussion
- Governance: changed reporting structure given my skills
- Risk Management: combined a primarily operational group with a more tactical group
- But many cracks existed in compliance, investigations, risk assessment, BCP, metrics
- Overshadowing unknown: 2010 Winter Olympics

Slide 16: Initial Integration Points
- Strategic
  - Strategic approach
  - Cost reduction
- Tactical
  - Risk assessment
  - Training
  - Policy
  - Security awareness & compliance
  - Policy development
- Operational
  - Geeks and Guards working together
  - Risk mitigation
  - Weakest link

Slide 17: Initial Changes
- Trained the corporate guard force to assist in IT Security compliance reviews
- Equipped nightshift S/O staff with new detection tools
- Began cross-training investigators with IT security analysts
- IT Security staff reviewed the security of the physical security department's technology
- ITS staff briefed new colleagues on what we really do & what information we store in our offices – our office quickly got a new level of security

Slide 18: Outcomes in the first 90 days
- 54% reduction in IT Security policy violations
- Identification of 2 rogue wireless devices
- Increase in customer satisfaction with the security officer force: the exact numbers are not in yet!
- Increased morale and attendance of S/O staff
- Hardening of camera servers, access control server, etc.
- New team round table led to changes in the control room

Slide 19: Moving ahead
- Reporting incidents and risks in a combined format to identify risk in a more comprehensive manner
- Teams are working together to be creative and innovative in defining benefit opportunities
- CCTV storage moving to SAN infrastructure
- Maximize any opportunity to get the security message to the customer:
  - TRAs are becoming more integrated
  - Security awareness training becoming more integrated
  - Security training becoming more integrated

Slide 20: Convergence continues to roll out
- Integrating metrics collection and reporting
- Starting a security dashboard project for the executive mgt. team
- Integrating investigations methodology in 2006/07
- Integrating risk assessment methodology in 2006/07
- CCTV deployment process integration
- Re-architecting the physical security systems environment

Slide 21: Lessons learned
- Pick off the low-hanging fruit to build team support and belief
- Successes must be communicated religiously to all levels of the organization
- Accept that not every part of each group is best converged, but try and work around it
- Start with initial discussion – benefits arise from resolving mutual challenges
- Take as much convergence as is right for the organization

Slide 22: Convergence: So far
- Convergence is generally led, not directed
- People have an easier time with enterprise-wide risk than with convergence
- Culture and training are the primary barriers to function integration
- Benefits
  - Costs
  - Risk reduction
  - Efficiency
  - Cycle time
  - Duplication
  - Recovery

Slide 23: Essential Components of Convergence
- Executive-level sponsor
- Vision
- The courage to lead
- Change management
- Senior management buy-in
- Strategic inventory of assets
  - $$
  - People
  - Technology
- Ability to leverage value created

Slide 25: Questions?
Dave Tyson, MBA, CPP, CISSP
Senior Manager, IT & Physical Security, City of Vancouver
dave.tyson@vancouver.ca
(604) 871-6147
