
Don't Be A Data Dummy - Katie McMillan

BSides Newcastle, 24:28, published 2024-01

Transcript [en]

So, hi everybody, I'm Katie, and I'm here to talk about not being a data dummy and protecting all of your data within your organization. So let's start.

Once upon a time, in a boardroom far, far away, there was a stressed CEO. Now, quite a few of you have got a couple of employees, and they're pretty stressed too, as you can tell by their pretty awkward arms that are going all over the place; they're a bit stressed out and a bit confused. What happened with this CEO specifically is he knew there was nothing secure, he knew that he had a data problem, he knew that he needed to put some kind of security in place, but he didn't know what to do, really, at all, and he was really stressed out. It's really, really confusing, so he really needed some help.

I'm walking away from the laptop now, so that's why it's not working, isn't it? I've broken it. OK, never mind, there we go.

OK, so this is Crash. He's designed by a very, very talented friend of mine, and he's a little bit stressed in the picture, as you can see. Now, he knows that security is important: security is important to everybody, security is important to his organization and how they're going to work going forward. So he knows that his processes need to be embedded throughout an organization. He knows that, but he hasn't done anything about it. He's just kind of left everything there without really thinking about how he can do that for his organization. So he hasn't taken security seriously at all. Crash is a dummy, a crash test dummy, and don't be like Crash. Well, he is like that at the moment, but we'll see what happens to him, shall we?

So Crash is the CEO of Dummy Inc. Now, Dummy Inc is a global organization; they've got offices all over the world. He handles personal and financial data, so there is regulatory compliance that he needs to adhere to, and he has massive aspirations to align to both NIST controls and ISO 27001, but as we learned earlier on, he's done none of that. There's nothing in place at all for him.

The legacy technology that he has in his organization is just really old tech that's not supported, and there are vulnerabilities everywhere. He has no mechanism, either, of highlighting what those vulnerabilities are, so he's in the dark. He's got loads of data out there; he doesn't know what he's got and he doesn't know how to protect it, because he doesn't know what's there. So he has no way of scanning, identifying or remediating the threats that are obvious within his organization. His workforce, again, are not aware of what they need to be doing, and if they've never been told, and they don't work in security, they've never been told what they need to do to secure things, classify data, make sure that the regulations are adhered to, then they're in the dark too; it's completely a mess. So something really has to change for the organization.

So what can Crash do to increase his security posture? Has anyone got any ideas where he could start? Yeah, do you want to... "Get a new brain." OK, now that's actually not a bad idea, but unfortunately we're not very good at replacing brains these days yet, so we'll take that as a secondary option. Anyone else? OK.

So what Crash really needs to do is start from the very, very top of the organization. He needs to look at his business objectives, match his business strategy to his business objectives, and then feed that down to his security objectives. If you're looking at the business strategy as a whole within any organization, it doesn't matter what size that organization is, you need to have a business strategy before you can have any objectives for your business, don't you? You need to be able to match what you want to achieve as a business. Now, with security, what I've seen from my experience as a security professional is that many organizations have just tried to shoehorn security in at any point. Yes, it's all well and good to put in operational controls, it's all well and good to make all of the technical controls and put them in ad hoc, but if you're not doing that in a process-driven or streamlined way, it becomes much more complicated to maintain; it becomes complicated to match that to what you want to achieve as a business. So the way that Crash needs to do this is to look initially at his strategy and look at his security strategy as well, and make sure that his business objectives match the security controls and security processes he needs to put in as an organization.

Making the most of the current tool set that he has in place is also a really good way of doing that. If you've got a security strategy, you've probably got a lot of tech within the organization that you can use already. You might have licenses for things that you're not making the most use of, so you might have additional controls that you can put in place without actually having to spend any money, which is a really good thing for a CEO who has never thought about security before.

Regularly reviewing and maintaining all processes and technology is really, really important, and having those regular annual reviews or quarterly reviews means that you can make changes to your strategy or make changes to your controls as and when you need to within the organization. Also, continually risk assessing: having a risk assessment process, a risk management process, within an organization is really key to maintaining the security posture. So, starting with a risk assessment, finding out what your gaps are, and then applying the relevant controls to address them.

So I've got, basically, the ways to make things easier for Crash. Have any of you worked in or been involved in organizations where security isn't the top priority before? Yeah, I figured that might be the case. As we know, when you work in an organization where security isn't the highest priority, chances are you're going to be sat in a very difficult position, because it's an afterthought. Security becomes an afterthought, and it's shoehorned in just to match what you need to have, to say that you have something for a particular contract, for example. Having that in place, yes, you might get that contract, but it doesn't mean that you're maintaining and pushing forward to a better security posture as an organization.

So my key areas of concern, my key tips for where you should start:

Initially, gaining visibility of the data you actually have. Within an organization, I can think of roughly five different areas off the top of my head that hold my own personal data; obviously there are many, many more. But if I think of those areas within an organization, if you don't know what data you've got and where it is, how are you supposed to control it? Yes, it's all well and good to have security controls on your servers, but what happens if you haven't got mobile device management? You've got people with their laptops, and they can save whatever they want on those laptops, and you have no control over that data because you don't know it exists if it's been saved elsewhere. So knowing exactly how your landscape looks and where the data is is really, really important.

Also, enabling access to the data and security and risk solutions for everybody within the organization. So having your MDM solutions in place, having the likes of, say, a VPN, making sure that you've got security controls on servers, that you've got no default credentials being used on different devices, all of that sort of thing is really, really important as well. But without matching that to your process and your policy, how are you supposed to maintain it and make sure that it's done across the board? You've got to have a process that you follow to keep that going.

Also, safeguarding and managing sensitive data across clouds, apps and endpoints is really key. There are tools that can help you with that going forward, but it also matches the other two points: you need to know where that data is to safeguard it. You know that you've got cloud data, you might have on-prem data, you might also have data on laptops; you need to know that that's classified and maintained throughout the organization, and there are tool sets that can help you with that.

Managing the end-to-end data risks and regulatory compliance as well. I mentioned NIST controls and ISO 27001 earlier on, but this organization also has financial data and cardholder data, so the likes of PCI DSS, for example. There are specific controls within there that need to be adhered to, to make sure that you are within compliance with that regulatory standard.

Then, once you get to the end of all this and you've got everything in place, you need your people to be able to maintain that, right? You need people to be able to maintain, govern, protect and manage the data in the new ways that you've put in. So it's about making sure you've got a robust solution to carry that on, and that you can assess that as you work through.

So now, this is the top-down approach to managing the threat landscape that I would suggest to Dummy Inc. We talked through this earlier on, but starting with the business strategy: starting with what the business wants to achieve and how you want to move forward as a business. If you've got your business strategy, that's your placeholder; that's what you're going to focus on all the way through this. Then, based on that business strategy, you have your key objectives. You need objectives for how you will get to that strategic vision; you can't make a strategy and then not have a plan of how you get there, so having your business objectives laid out is really, really important as well. What I would never suggest is going into an organization and saying, "OK, yeah, this is our security strategy, this is what we're going to do for security," without actually looking at what the business wants to achieve, because otherwise people are just not going to follow that. There's no way that anybody's going to follow a security strategy that's not aligned to what the business wants to achieve.

Then, once you've got your security objectives that are based on the business objectives, you can look at your security control gap analysis. You can look at what you've got, where you want to be, and how you plan to achieve that security strategy. Once you've got your control gap analysis, you can look at the policies, processes and procedures for the organization. One thing that I've found in any organization that I've worked with is documentation: I've never found an organization that's got full documentation. I mean, has anybody had an organization where everything's mapped in documented form? No. It's just not been something that's at the top of everybody's priority list, but having a mechanism where your policies are written, and that leads to your processes, and that leads to your procedures, is really key to making sure that they're maintained. So documenting everything that you possibly can is really, really important. If somebody leaves an organization and they have all this great knowledge in their head, you've lost that knowledge; you need that written down.

Looking at operational tooling comes after all of that. You need to have your policies, your processes and your procedures prior to deciding what tooling you need; you need a policy that's going to relate to that. Then you can look at the different tools that will achieve the policy. Then, once you've got the tooling in place, you can embed those controls to monitor and maintain the security of the organization. So then you've got all of your solutions: you can put your SIEM in, you can put logging and monitoring in place, you can even have a SOC implemented in the organization, depending on size. It all links to that first point about the business strategy, though: if your business is too small and you don't have the capability or the budget to be able to put in a SOC, you're not going to be able to do that, and you need something else that can fill that gap for you.

So if Crash was to do all of this for Dummy Inc, for example, then that's what's going to increase the security posture of the organization, but it's also going to maintain it going forward, and probably do more business, because if you've got a secure organization you tend to get more people interested.

OK, so let's say that Crash has done all of this and is now in an organization that's fully secure, or as secure as you can get, because you never get a fully secure organization. These are the steps that I would expect from a more mature organization; you've gone from one maturity level to another. I would say that embedding that security strategy across the whole organization, with all of your employees involved in that conversation; being compliant with security industry best practice, so things that are best practice for the industry that you're in, but also that match the business objectives, because different industries, or different people within the same industry, still have different objectives; maintaining the security perimeter through embedding the security controls; and providing that real-time reporting, as best you can, around your data ecosystem, are really, really important. I think if Dummy Inc was to do that, they would know what data they have, they'd have it inventoried, and they'd be able to manage it.

Having an accurate view of where the data is and how it's classified: having a data classification system within the organization, where you know that, for example, financial data needs to be kept for a certain retention period, you know that you've got certain data which needs to be secret, certain data which needs to be confidential. Having that embedded is really key to any organization.

And monitoring a secure score. However you do that is entirely up to the organization themselves, but having some kind of scoring matrix that you can follow, to say "we're improving". If you've got some kind of reporting that pulls data from lots of areas, it doesn't have to be automated, but great if it is; having something tangible you can point to and say "we're doing better than we were before" is really, really important too.

So if Crash was to do all of this: Crash is the CEO of Dummy Inc. Now he knows that data security is important and everybody's responsibility. He also knows that he has embedded processes now in order to secure the company data. He has used industry-proven technological controls to secure that data and he's embedded it throughout everything he does. So he's a security leader now. So be more like Crash.

Are there any questions on anything at all? I've whizzed through that a bit. No? OK, that's great. Yeah, go for it.

[Audience question, inaudible]

So I haven't used these slides; this is definitely much more for this audience. But no, I would use slides that talk around the strategy and how you roadmap that, from a business strategy down into a security strategy, and it would be much more... I'd have Gantt charts and things that you would follow to get into that position. What I also tend to do is throw up a security framework of policies and processes as well within an organization, to make sure that people are aware of the types of documentation they need to be pushing through. But also, I'd probably be a little bit less agnostic, and I might say, "these are some of the tools you could use to do that," that sort of thing. Obviously I've made this very agnostic today because I don't want to pinpoint anything specific. But yes, I would say I'd be much more... I suppose I'd be a consultant and I'd go in and I'd make that. Yeah. Anything else, anyone? I think everybody's had lunch and everyone's really tired now; I think that's what it is. I did joke that I should have had pillows for everybody to have a nap.

[Audience question, inaudible]

Yes, yeah. I think there's definitely a disconnect, because I'm obviously looking at quite a small-sized organization. Well, I've said they're a global organization, but they've probably got a few little satellite offices in different places. But I would say, generally, if you've got a C-suite there and they're making their strategy decisions, there is definitely a disconnect to the people on the ground, and that's where the embedding needs to take place. I've worked with organizations where there's been an engineer writing a policy, and I don't think that's the way that it should be. If you've got an engineer on the ground writing the policy and then writing the procedure, chances are that's not going up to the C-suite either in the way that it should. There's a disconnect in process from the business strategy to the security strategy; that's what I've noticed from organizations. Nine times out of ten, smaller organizations don't have a security strategy anyway; you'll go in and that's just not there. And I find that if they do have a security strategy, it's usually that they've brought somebody in to do that for them, because they don't have the people to be able to do that. It's really important that that's embedded from the top down. Really, really important.

[Audience question, inaudible]

Yeah. Yeah, yeah. So if somebody said that their E5 licensing... so they want E5, but that's too expensive, so they're not going for it because they can't afford it. How would they plug that gap? Is that the question?

Yeah, so there are ways to do that, and there are ways of compensating controls, and that's all hinged on the risk assessment. So if somebody says, yes, absolutely, they want the best of the best, they're not necessarily going to get the best of the best because their budget's this small. They have a certain risk appetite, and that risk appetite will be what influences the decisions that they make going forward. So, having that discussion with them: if they say, "yes, this is what we want, we can't afford it, we want that control," then you look at the different tool set that they can afford, or the different add-ons, because if they can't afford E5 but they want to go for, say, E3 or similar, or if they're smaller and they want to go for a business license and they want add-ons for certain tools but they can't have everything, then there are mechanisms, there are other tools out there that can be used to plug that gap. I would be inclined, depending on the organization, to have that discussion as to whether or not they need E5. If they need E5 for the mechanisms and the tools that they want to implement, then they either need to look at the ways and means of quantifying why that's important, so costing that into their budget going forward, so they either cost it further down the line or they work out how much they're going to save by doing that, and that's great if they do; if they can't, then look at the compensating controls and different ways of working. Any other questions?

Yeah, sorry, I missed that.

[Audience question repeated, inaudible]

So my personal opinion is that everything within a business strategy has to have some kind of a security link to it. You might look at the budgetary constraints, but you're also going to have... so there are obviously IT elements to the security strategy, but you've got physical security as well, which is a big concern across the organization, and environmental as well hits on security. Every element, everything that they do, it's really, really important to look at it through a security lens as well, and that should feed directly into the security strategy and the business objectives specifically. Now, if the organization is lucky enough to have a CISO, or somebody who's leading security within the organization, they should then be part of that discussion around the business strategy anyway, so that's how they build their security strategy out. But yes, absolutely everything within the business strategy needs to hit on security. Anything else? No? OK, excellent. Thank you very much.