Title: What Does It Take Anyway? Leadership Skills of the Security and Privacy Officer

Transcript and Presenter's Notes

1
What Does It Take Anyway ? Leadership Skills of
the Security and Privacy Officer
  • Todd Fitzgerald, CISSP, CISA, CISM
  • NGS Medicare Systems Security Officer
  • HIPAA Collaborative of Wisconsin (HCOW)
  • March 30, 2007

2
PUBLIC DISCLAIMER AND APOLOGY
  • I certainly understand that some of you are not
    security officers, security analysts, security
    wannabes, or in any way want anything to do with
    security. Maybe you like compliance, privacy, or
    HIPAA stuff, or EDI sounds even less interesting
    than security.
  • For whatever reason you are here, you will get
    something out of this session, because today we
    are not going to bore you with the details of
    encryption, unless I get off track.

3
Company Background
  • Largest processor of Medicare claims contracted
    by the Centers for Medicare & Medicaid Services
    (CMS)
  • ISO 9001:2000 certified company
  • Part of WellPoint (NYSE: WLP), the nation's
    largest health insurer (43,000 associates) and a
    Fortune 50 company (#38)

4
The Security and Privacy Officer Protects Us From
The Storms
  • Understand the probability of the event
  • Reduce the impact of the event
  • Reduce overall organizational risk
  • That is what it is all about for a Privacy or
    Security Officer

5
We Do This By
  • Categorize information system
  • Select and tailor baseline controls
  • Supplement controls based on risk
  • Document controls in security plan
  • Implement controls
  • Assess effectiveness
  • Authorize system for operation
  • Monitor on a continuous basis

6
Leading Organizations Adhere To This Model
  • Assess Risk & Determine Needs
  • Implement Policies & Controls
  • Central Management
  • Monitor & Evaluate
  • Promote Awareness

Source: Learning from Leading Organizations,
GAO/AIMD-98-68, Information Security Management

7
Dr. Security Officer: Is There A Doctor Mentality
In You?
Doctor
  • Diagnosis vs reported problem by patient
  • Knowledge and application of medical technology
  • Inpatient vs outpatient
  • Side effects of prescribed medication
  • Clinic or hospital rules
  • X-rays, lab tests
  • Accurate medical records
  • Patient follow-ups
Security Officer
  • Security incident analysis and response
  • Current security Information Technology
  • When to use external consultants vs in-house
  • Risk analysis and Risk Management
  • Understand business environment
  • Ensure audit trails, monitoring in place
  • Post implementation verification

8
So.. Do You Want A Doctor With A Security MD ?
  • CISSP - Certified Information Systems Security
    Professional by (ISC)2 (Gold Standard)
  • GIAC - SANS technical certifications
  • CISA/CISM - Certified Information Systems
    Auditor/Security Manager by ISACA
  • CBCP - Certified Business Continuity Planner by
    DRI
  • Community College technical security courses
  • Emerging 4 Year Information Security
    Concentrations, MS Information Security, MBAs
  • Vendor-related certifications

Certified!!!

9
Security/Privacy Officers Need To Have The Right
Attitude
"Instead of looking for things that have gone
wrong in your organization and trying to fix
them, look for things that went right and try to
build on them." - Tom Peters, Leadership
Essentials, 2005

10
Where Did These Officers Come From?
  • Raised their hand at the wrong time during a
    meeting
  • Didn't attend the selection meeting
  • Last IT guy in the shop
  • Working on compliance/privacy, must know
    something about security
  • Chose this career (full deck not in order!)

11
Gartner Research Says The CISO
  • Balances needs of the business with
      • Increased regulated controls
      • Increased complexity
  • Translates technical speak
  • Has a solid background
      • 5-7 Years Information Security
      • Additional IT Background
  • Thinks strategically
  • Is politically savvy
  • Knowledgeable of key aspects of business
  • Possesses certification

Source: Emerging Role and Skills for the CISO,
Gartner Report

12
Techie Core Competencies
  • Analytical Problem Solving
  • Technical Knowledge
  • Tool Expertise
  • Team Work
  • Best Practices
  • Emerging Technologies
  • Industry Standards
  • Crisis Mgmt

13
Technical Security Trends.. Leaders Must Know
Them!!
  • More damage, fewer epidemics
  • Accelerated legislation
  • Some litigation
  • Points of attack beyond Microsoft
  • Mobile phone, PDA and smartphone viruses
  • Spyware
  • IM and P2P
  • Serious messaging security
  • Data protection energized due to breaches
  • Network security convergence acceleration

Source: Jan 2006, CSO Online

14
Shift To Leadership Competencies
CISO Leadership: Managerial Competency and
Technical Competency
  • Interpersonal Awareness
  • Self-control
  • Adaptability
  • Perseverance
  • Results-Oriented
  • Flexibility
  • Thoroughness
  • Initiative
  • Self-Development Orientation
  • Efficiency
  • Critical Information Seeking

15
Security Officer Core Competencies
  • Vision/Leadership
  • Financial/Budgetary
  • Influencing Skills
  • Interpersonal Effectiveness
  • Team Work/Develop Others
  • Written/Oral Communication
  • Conceptual/Strategic Thinking
  • Customer Focus

16
Important Security Leadership Skills
Source: 2006 Fitzgerald/Krause CISO Leadership
Survey

17
Security Officers Need To Know Where Their
Bosses Are Coming From
  • CIO, VP IT, CTO, Director Information Technology
  • General Counsel
  • Administrative Services/Human Resources
  • Compliance
  • Corporate/Physical Security
  • Strategic Planning
  • Internal Audit
  • Risk Management

18
Legal Boss Security (Potential) Perspectives To
Consider
  • Emphasis on compliance, laws and ethics
  • Documentation important
  • Access to legal expertise
  • Overly focused on compliance
  • Lack of understanding of technical issues
  • Underestimation of costs, resources, and level of
    effort to implement solutions

19
IT Boss Security Perspective
  • Familiarity with technical issues
  • Easier access, stronger day-to-day working
    relationship
  • Informed on projects
  • Project deadlines are king
  • Resource allocation issues
  • Decisions kept internal, limited visibility
  • Competing IT Budgets

20
Physical Security Boss Security Perspective
  • Law enforcement relationships
  • Increased security incident communication
  • Skills/education very different (criminal
    justice vs IT)
  • Technical issue communication limited
  • Police Mentality

21
Administrative Services/ HR Boss Security
Perspective
  • Acknowledgement that the security issue is
    organization-wide
  • Short term focus
  • May not receive appropriate attention
  • Views data in all forms (Electronic, paper, oral)
  • Limited IT knowledge

22
Compliance/Internal Audit Boss Security
Perspective
  • Supportive controls perspective
  • Clout with top management
  • Broad organizational view
  • Conflict of interest issues
  • Lack of technical knowledge
  • Pre-established adversarial relationships may
    carry over

23
Decision Point: Techie or CISO? Differences In
Thought Processes
Managerial
  • Business relationships
  • People-oriented
  • Consensus building
  • Many presentations
  • Influence organizational security commitment
  • Team building
  • Accepting ambiguity and uncertainty
  • Meetings, meetings, and.. more meetings!
  • Oral communication with all organizational
    levels
Technical
  • Technical challenge
  • Concrete non-ambiguous solutions
  • Task-oriented
  • Mastery of technical skill
  • Hands-on training focus
  • Documentation aversion
  • High level of individual contribution
  • Meetings are distractions

Technical Expert ? ? Chief Information Security Officer

24
The Security Officer's Sand Box Is Complex..
However
  • Security Architecture
  • Network Security
  • Application Security
  • VPNs, Firewalls, Routers, Switches
  • Identity Management
  • Data Classification
  • Encryption
  • Regulatory Compliance
  • Business Continuity/Disaster Recovery
  • Segregation of Duties
  • Hiring/Termination Procedures
  • Vulnerability Assessments/ Pen Tests
  • Patch Management
  • Anti-Virus, Spyware
  • Remote Access
  • Backup, Recovery, Offsite Storage
  • Environmental Controls
  • Physical Security
  • Logical Access Control
  • Authentication/Identification
  • Hacking Techniques
  • Forensic Investigations
  • Intrusion Detection/Prevention
  • OS Hardening Procedures
  • Background Investigations
  • Standards, Best Practices
  • Security Incident Handling/Response
  • Internal/External Audit Resolution
  • Security Policies, Procedures, Standards
  • New Threats, vulnerabilities
  • .. And The List Goes On

25
These Are The True Effectiveness Enablers
  • Reporting Relationships
  • Business Acumen
  • Obtaining Budget
  • Management Commitment
  • Organizational Structure
  • CISO Traits
  • Teamwork/Recognition
  • Impact of Standards/Regulations
  • Strategic or Tactical
  • Leading Change
  • Mentors & Protégés
  • Training/Education/Certification
  • Managing Up
  • Negotiating Success up front
  • Technical Knowledge
  • Influencing Skills
  • Assessing Organizational Culture
  • Maturity of Infosec
  • Impact of Audits
  • End User Security Acceptance
  • Organizational Awareness
  • Thinking on Your Feet
  • Policy Creation/Enforcement
  • Project Management
  • Recruiting and Staff Development

26
Culture: Every Organization Has One
  • "All organizations are perfectly aligned to get
    the results they get." - Arthur W. Jones, The
    8th Habit by Stephen Covey
  • Lead by Edict or Example
  • Cost Cutting vs. Innovative
  • Leading Edge vs. Follower
  • Non-Profit or Bottom-line oriented
  • Win/Win, Lose-Win
  • Clarity of Vision
  • Associate Retention
  • Celebrate Team Work or Individuals
  • Company Size, Industry, Demographics
  • Geography
  • Collaboration
  • Shared Values
  • Trust Level
  • Hidden Agendas
  • Structured vs. Non-structured
  • Political Games
  • Bureaucratic/Hierarchical/Flat Management
    Structure

27
Trends: Information Security Focus Shifting To
Corporate Governance
  • GLBA
  • HIPAA
  • SOX
  • FISMA

28
Taking The 2006 Security Trends To Senior
Management: It's A Different Language
Technical language
  • Port 443 SSL Encryption
  • 802.11b, 11 Mbps, 2.4 GHz
  • ICMP Redirects
  • MD5/SHA1 Hashes
  • HTTP, FTP, TCP, UDP, IIS
  • TACACS, RADIUS
Business language
  • Business Impact/Value
  • Risk To Operations
  • Return on Investment
  • Audit Finding Resolution
  • Regulatory Compliance
  • Due Diligence
  • New Product Launch
  • Cost Containment

29
In Other Words: Present In Understandable,
Organized Business Terms
NOT THIS!!! (raw technical detail)
THIS: chart of Incidents Per 1000 Employees,
2002, 2003, 2004, 2005, 2006 (Est)

30
Focus Different, Goals Ultimately The Same
Management's Objective
  • Increase shareholder value (stock price)
  • Increase revenue
  • Reduce administrative costs
  • Increase market share
  • Increase worker productivity
  • Provide innovative products
  • Provide quality products and customer service
  • Attract and retain talented workforce
  • Accept reasonable business risk
Security Officer's Objective
  • Protect information from loss, destruction,
    unavailability
  • Reduce risk of threats to acceptable level
  • Implement effective controls
  • Provide efficient service
  • Enable secure development of new products
  • Provide assurance through continuous control
    practices

31
Ensure Communication Plan Delivers Targeted
Security Message
  • Tactical Plans
  • New Policies
  • Scheduled Activities
  • Strategic Initiatives
  • Policy Approval
  • Security Posture
  • Competitor Comparison
  • Interim Updates
  • Issue Reinforcement
  • Departmental Issues
  • Testing Reality

32
The Security Officer Must Wear Many Hats To
Communicate

33
Final Thoughts
  • Develop deficient soft skill competencies
  • Learn to accept change and uncertainty as a
    constant
  • Innovate, deliver on promises
  • Resolve organizational pain
  • Empower staff and leverage their technical
    expertise
  • Be involved in business future directions
  • Collaborate internally and externally
  • Don't take yourself too seriously, have a little
    fun!

34
TODD FITZGERALD
Todd Fitzgerald, CISSP, CISA, CISM
Medicare Systems Security Officer
6775 W. Washington St, Milwaukee, WI 53214
Todd.fitzgerald@ugswlp.com
Todd_fitzgerald@yahoo.com