Paul Rummell speaking notes for an address to the Toronto ISSA (Information Systems Security Association) Annual General Meeting on January 30, 2007
The following presentation is Paul Rummell’s speaking notes for an address to the Toronto ISSA (Information Systems Security Association) Annual General Meeting on January 30, 2007, held at the Holiday Inn On King | Downtown Toronto Hotel, 370 King St. West | Toronto, Ontario M5V 1J9
Security and Privacy: “selling to the C-Suite” without just FUD (fear, uncertainty and doubt)
By Paul E. Rummell
I have a perspective as a CIO, consultant, board member and advisor to organizations like the GAO (US Government Accountability Office)
Information security is met with ambivalence: it is seen as too complex
Like trends in real-world weaponry that favour insurgents over conventional armed forces, the IT world’s trends in
• massive processing,
• high-speed connectivity and
• online storage
pave the way for both intentional and merely careless leakage and abuse…
It is an ongoing war with the good guys and bad guys working all the time on advancing the state-of-the-art. Both sides are well funded.
IS security is as much an art as a science…
There is no rest for the security weary
But are the bad guys winning?
Risk management frameworks: security risk management must be built into the organization’s overall risk management framework
• Agility in a slow world
• Security requires agility: new threats show a great deal of creativity and cannot be dealt with without an agile security environment
• Zero day
• Y2K
In most organizations…
• Systems are not agile; we need a faster and easier way to change them
• Most systems are built without security being top of mind
• Most often security was not part of the design; it was an afterthought
Flexibility vs. Complexity
Is Microsoft the biggest perpetrator, or the saviour, or the answer?
Some background:
CIO office: the Information and Security Policy Division (ISPD) within TBS (Treasury Board of Canada Secretariat) is responsible for strategic direction, leadership, advice and assistance on security and service delivery issues.
Organizations:
• RCMP (physical and information technology security),
• Communications Security Establishment (communications security)
• PWGSC (contract security), with policy guidance and interpretation provided by TBS.
Other institutions with government-wide responsibilities as mandated by the Government Security Policy are:
• Canadian Security Intelligence Service (CSIS)
• Department of Foreign Affairs and International Trade (DFAIT)
• Public Safety and Emergency Preparedness Canada (PSEPC),
• Library and Archives of Canada (LAC),
• Public Works and Government Services Canada (PWGSC)
• Privy Council Office (PCO)
• Transport Canada (TC).
Effective Policies as the foundation
• Treasury Board
• Security Committees
• ‘Kitchen Cabinet’
• DP – Steering Committee
• Small Agencies
• Public Sector CIOs
• Speeches and presentations
• Individual relationships
• Vendors
• Procurements
• Contracts
Taking a media interview about security in the Government of Canada:
“Yes, but if I tell you… well, I can’t really tell you anything.” No CERT.
Buyer behaviour of government (my own experiences)
Lack of security and of reusable models; no real standards
What are they thinking about ISS in the C-suite?
General Meyerrose – discussion
Are they in denial? Or are they active supporters and allies?
Three-legged stool of an effective security policy:
• Confidentiality
• Integrity
• Availability
Security budgets need to be about 10% of the budget; what have you found?
Is there a real value proposition, or must it be externally legislated?
• “Make us, and then we will do it”
• Audit relations
• Insurance approach
• Sarbanes Oxley
• California’s Security Breach Information Act, SB 1386
• Scandal of a breach
• Business survivability
• Market differentiation
• Necessary evil
It happens on a personal level: that is the way to get some attention in the C-suite
The implication of mission failure: this is a key issue
• People are being sensitized to cost of security breaches
• Are they confused about it….
• Who is at fault?
• A large portion of the population will not buy online: technology optimists vs. pessimists
• Supported by the Winners breach, Air Canada, CIBC, the US VA
• Winners: the intrusion was eight months ago… time lags before disclosure
• CIBC loses 400,000 accounts
Because we have a firewall and anti-virus, we are protected, right?
Selling IT Security
ROSI – Return on Security Investment
• Are we able to deliver a functional service that adds profit and credibility to the company?
• Talk clearly in plain English
• Sell internally –
• Fear and embarrassment…….
• Talk about what has happened in an open way
• Investment
• Consider it like insurance
• Protect against loss of the organization’s assets
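A worked ROSI comparison, as an added example that is not part of the original speaking notes. It uses the commonly cited ROSI formula, which the notes do not state and is assumed here: ALE = SLE × ARO (single loss expectancy times annualised rate of occurrence), and ROSI = (ALE × mitigation − cost) / cost, where mitigation is the fraction of expected loss a control removes. The laptop-loss scenario, the dollar figures, the candidate controls and their mitigation ratios are all constructed for the illustration, not figures from the talk or from any real organization.

```python
"""ROSI (return on security investment) comparison of candidate controls.

Added example, not from the original speaking notes. Assumed formula
(not stated on the page):

    ALE  = SLE * ARO                       # annual loss expectancy
    ROSI = (ALE * mitigation - cost) / cost

All figures below are constructed for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # cost of running the control for one year
    mitigation: float    # fraction of the ALE the control is expected to remove (0..1)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = single loss expectancy x expected incidents per year."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def rosi(ale: float, control: Control) -> float:
    """Return on the control as a ratio: 0.0 means it exactly pays for itself,
    negative means it costs more than the loss it avoids."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    if not 0.0 <= control.mitigation <= 1.0:
        raise ValueError("mitigation must be between 0 and 1")
    avoided_loss = ale * control.mitigation
    return (avoided_loss - control.annual_cost) / control.annual_cost


def break_even_cost(ale: float, control: Control) -> float:
    """The most you can spend per year on this control before it loses money."""
    return ale * control.mitigation


def rank_controls(ale: float, controls: list[Control]) -> list[Control]:
    """Order candidate controls by ROSI, best first; drop those that lose money."""
    paying = [c for c in controls if rosi(ale, c) >= 0]
    return sorted(paying, key=lambda c: rosi(ale, c), reverse=True)


def plain_english(ale: float, control: Control) -> str:
    """The one-sentence version for the C-suite: cost, avoided loss, multiple."""
    avoided = break_even_cost(ale, control)
    return (f"{control.name}: spend ${control.annual_cost:,.0f} a year to avoid an expected "
            f"${avoided:,.0f} of loss ({rosi(ale, control):.1f}x return)")


# Constructed scenario: lost or stolen laptops holding customer records.
LAPTOP_SLE = 250_000.0   # assumed cost of one laptop-loss breach (notification, cleanup, churn)
LAPTOP_ARO = 2.0         # assumed: two such losses a year
LAPTOP_ALE = annual_loss_expectancy(LAPTOP_SLE, LAPTOP_ARO)   # 500,000

# Constructed candidate controls (names, costs and mitigation ratios are assumptions).
CANDIDATES = [
    Control("Full-disk encryption", annual_cost=60_000.0, mitigation=0.90),
    Control("Awareness training", annual_cost=20_000.0, mitigation=0.25),
    Control("DLP appliance", annual_cost=200_000.0, mitigation=0.60),
    Control("Gold-plated SIEM", annual_cost=600_000.0, mitigation=0.50),   # loses money here
]

if __name__ == "__main__":
    for c in rank_controls(LAPTOP_ALE, CANDIDATES):
        print(plain_english(LAPTOP_ALE, c))
```

Run it and the ranking puts full-disk encryption first (6.5x), awareness training second (5.25x) and the DLP appliance last of the controls that still pay (0.5x); the over-priced SIEM is dropped because it costs more than the loss it avoids. The point for the C-suite is that the same sentence structure (spend X to avoid an expected Y) works for any control once you have an honest ALE, and that the honesty lies in the SLE and ARO inputs, not the arithmetic.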
Implications of Vista’s UAC (User Account Control): it is difficult to adapt applications to a least-privileged user account (LUA) and get them to work properly. What can we learn from the selling of Vista’s security capabilities?
Information warfare in the future
Versus
training people to work together to solve the problem
Many executives see security as a self-generated problem, not a real one
Government has no right to convince the populace to do it…
How to lead a security organization
Some best practices learned - policies
Built into the fabric of the organization’s life cycle
• NOT just for security specialists
• Fabric of the organization for all employees
• Learning executives
You will get the best reception in:
• Knowledge based organizations that have huge knowledge assets
• These need to be protected
External – globalization of knowledge activities
• Home
• Office
• Country
• Around the world
• In teams and collaborating
All of this can be damaged by the weakest link in the infrastructure (India, for example)
Part of an overall risk management plan …
Put persuasive arguments forward to senior company executives to get them interested in investing in security
Set up committees with outside advisors to enlist their support…
Disclosure to public
Insider threats
Risk Management Framework -Basic model:
• Assessment
• Prevention
• Detection
• Response
• Vigilance
IT assessment: protection should be built around data-centred and business-centred viewpoints
Disaster examples…… sell fear and eventual pain
University of Calgary, September 2001 (the Nimda outbreak a week after 9/11, not 9/11 itself)
• Nimda worm
• 2.2 million machines in 24 hours
• $539 million cleanup, more than the GDP of 15 IMF member countries
• Slammer worm
• $1 billion
• doubled in size every 8.5 seconds
• Sasser worm – 70% of internet traffic (2005)
• Thumb drives (USB)
• Laptops
NSA = “No Such Agency”
IAM – the NSA INFOSEC Assessment Methodology
Book: Security Assessment (case studies for implementing the NSA IAM)
- Accountability
- Non-repudiation: who made what commitments, and can others prove it?
- Authorization
- Audit
- Access control
Root-kits: an infection is like having your identity stolen; everything is suspect
- Disconnect
- Clean
- Get to the source
- Assume the worst
- Learn your lessons
- Change everything
A way out of the loop
Security as a profit centre: you may get more business…
• Privacy, and privacy policies that can work
• Privacy and security are big in the eCommerce space (Amazon, for example)
• Enlist your suppliers
California SB 1386
Analogy: CO2 offsets
• Offsets on security: as a metric, put more into contingency
• Build an internal blog to sell proactively
• Public training programs
Programs to make people aware of how the organization is doing on security and privacy
Closing