
EDUCAUSE Security Conference: Influencing the future of security in your organization

Influencing the future of security in your organization
Pamela Fusco, Former EVP and Head Global Information Security, Citigroup Inc.
2007 Security Professionals Conference
Thursday, April 12, 2007
Denver, CO
Fusco began by talking of the importance of having a business process as an anchor for your work. She has worked at a number of different companies (Merck, Digex, WorldCom, Citigroup, etc.), each of which was different and had a specific kind of security need.
What people normally do but you shouldn’t and then what you should do
The normal first step is to identify and validate the existing security program in support of building an enterprise-wide security risk management program; 90% of this is the same everywhere, but 10% is indigenous to the field. The second normal step is to enlist a phased approach to the work to be done, with tactical and strategic objectives. This, however, she said was BORING…and apparently not an efficient way to move forward. Fusco also said “Don’t kill people with PowerPoints!”
Her advice was to “state the obvious and back it up with reality”
  • Unknowingly accepting risk levels far beyond an organization’s risk tolerance
  • Gaps in information security capabilities have business impacts
  • Underinvestment results in unacceptable risk tolerance
  • Security must become an enabler for business strategies – so be current, strategize, innovate, and have fun!
  • Launch a comprehensive information security program that meets today’s needs but prepares for the future
  • Business and Information Security leaders must own the process of moving information security to the next level
Value of information security (to the boss)
In one position, Fusco’s boss said “Why did I hire you? We haven’t had an incident so why do I need you?” It was her opportunity to be creative and show, graphically, what the unknown risks were. She created innovative visuals to get her messages across to those she needed to convince to fund information security work. She said that when you ask for money you must state the gaps in your current security in order to get what you need to do the work and plan for the future. It’s not about the technology; it’s about the power of influence.
Understanding compliance requirements
Fusco said we are all impacted by understanding compliance requirements today. Critical to your work of planning and implementing information security is to
  • Meet with your stakeholders AND listen to them
  • Know your audience, know your stakeholders, know their terminology and speak at their level. It’s critical to communicate appropriately. There is a difference between knowledge and understanding, such as the difference between the terms “delete” and “deleted”.
    • She described a situation in the pharmaceutical world where data retention compliance was taken to the letter of the law but without understanding what data retention actually is. Stacks and racks of laptops, desktops, servers, etc. were warehoused because they had information on them, and in the pharmaceutical world it has to be kept for 100 years. However, no one knew what was actually on these computers, and there was no way to get to the information if you actually needed it.
  • Ask for volunteers, both internal and external, and organize a sampling of users for a pilot group. This kind of activity fosters a sense of participation and encourages acceptance of new business process and security measures. 
  • Test, evaluate, validate and document the experience.
Security begins at home, your employees’ homes…
Fusco quoted InfoWorld that 93% of bots and security issues are unknowingly generated via employees using consumer electronics in their homes. As more consumer communications and devices enter the corporate enterprise, security professionals need to consider the risks to business security. Things to consider include IM, Gmail, iPhones, unsecured home networks, etc. Employees are using these devices at home and in the workplace.
If we cannot say “no” to using them in the workplace, then we need to figure out how to permit it safely. Critical to this is awareness training, but we can also look at low-cost technology controls and practices: deploy an AUP and content monitoring, disable port tunneling from unmanaged systems, and restrict downloads.
Cybercrime is a billion dollar business
  • Bot-herders, fraudsters and exploit writers
  • Super Trojan selling on the net for $600
  • Email address lists and login details for sites
  • Hacked root servers
  • Hosting servers for financial scams
Investing in information security
  • Use your power of influence.
  • Underinvestment in information security results in unacceptable risk tolerance.
  • Annual spending on information security is between 5-12% of the IT budget, though Finance always spends more (12-15%)
  • As a business model, figure out what percentage you spend on information security and compare it to what your competitors are spending.
  • You need metrics and reporting; both hard numbers and benchmarking
  • You have to monitor & manage the information security program with such factors as compliance & oversight, data overload, standards & common builds.
Fusco noted that “making your own pizza can be more expensive than calling for a delivery”; in other words, customization is expensive and supporting it can be a problem. Building a standard (one to many) is important. Also, it can be hard to test and evaluate “home grown” solutions in a Sarbanes-Oxley world. She suggested that we look for solutions where we can leverage partnerships.
Introducing Security Changes in the Workplace
Change happens and most people think of change as negative so you must clearly tell them WHY you are doing what you need to do (outcomes). Change should not be pushed on people so be positive, involve them collaboratively so they are a part of the solution, celebrate successes and milestones as a community effort. Also, be upfront in setting expectations and owning up to mistakes or shortcomings.
Advice for the Future
  • Keep current and look forward to what may be coming by looking at where we’ve been and where we are.
  • Strategize where we want our organizations to be in 5 yrs and determine what will grow us to that point. Go from being reactive to being proactive and be predictive.
Re: information security practice:
  • Look to see what’s coming in and hitting us low now because it may be bigger later. 
  • Look at what’s going out also because we may already have been compromised.
  • Understanding that no one will have 100% security, but we must show where we will be in 2 or 3 years (Be realistic – show initial stages and keep it flowing)
From Fusco’s experience
  • How do we know what’s happening when we have no reported incidents or disclosure?
  • Patches for everything – is everything patched?
  • Mountains of logs – how are they used?
  • Data information owners – who are they?
  • Key aspects of a holistic, sustainable, realistic and reliable compliance and security strategy include measurable controls and Point In Time (PIT) assessments, but keep in mind that PIT assessments may provide a false sense of security
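Two of the questions above, “look at what’s going out because we may already have been compromised” and “mountains of logs – how are they used?”, are concrete enough to illustrate. The following is an added example, not from Fusco’s slides or the conference page: it runs a small egress review over constructed firewall log lines. The log format, the IP addresses, the field names and the thresholds (minimum hits, allowed jitter, byte limits) are all assumptions made for the demonstration.

```python
"""Egress review over constructed outbound-connection log lines (added example).

Flags two patterns that suggest an already-compromised internal host:
  1. beaconing: repeated outbound connections from one host to one
     destination at near-constant intervals (a timer, not a person);
  2. bulk upload: one outbound transfer far larger than the same host's
     other connections.
The log format, addresses and thresholds below are assumptions for the demo.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <src> -> <dst>:<port> out=<bytes sent>"
SAMPLE_LOG = """\
2007-04-12T09:00:00 10.1.2.30 -> 203.0.113.9:443 out=1460
2007-04-12T09:05:00 10.1.2.30 -> 203.0.113.9:443 out=1460
2007-04-12T09:10:01 10.1.2.30 -> 203.0.113.9:443 out=1460
2007-04-12T09:15:00 10.1.2.30 -> 203.0.113.9:443 out=1460
2007-04-12T09:20:00 10.1.2.30 -> 203.0.113.9:443 out=1460
2007-04-12T09:01:13 10.1.2.31 -> 198.51.100.20:443 out=2300
2007-04-12T09:17:45 10.1.2.31 -> 198.51.100.21:80 out=900
2007-04-12T11:42:09 10.1.2.31 -> 198.51.100.22:443 out=4100
2007-04-12T14:03:30 10.1.2.31 -> 198.51.100.20:443 out=1800
2007-04-12T08:30:00 10.1.2.40 -> 198.51.100.20:443 out=3000
2007-04-12T13:30:00 10.1.2.40 -> 192.0.2.77:22 out=52428800
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) out=(?P<out>\d+)$"
)


def parse(log_text):
    """Parse the assumed log format into event dicts; reject lines that do not match."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
            "out": int(m["out"]),
        })
    return events


def find_beacons(events, min_hits=4, max_jitter_s=5.0):
    """Return (src, dst, port) flows whose connection intervals are nearly constant.

    A check-in that fires every N seconds with almost no jitter looks like a
    timer; human-driven traffic to the same place does not.
    """
    by_flow = defaultdict(list)
    for e in events:
        by_flow[(e["src"], e["dst"], e["port"])].append(e["ts"])
    flagged = []
    for flow, stamps in sorted(by_flow.items()):
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter_s:
            flagged.append(flow)
    return flagged


def find_bulk_uploads(events, min_bytes=10_000_000, ratio=10):
    """Return events whose outbound volume dwarfs the same host's other connections."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["src"]].append(e["out"])
    flagged = []
    for e in events:
        if e["out"] < min_bytes:
            continue
        others = list(by_host[e["src"]])
        others.remove(e["out"])  # baseline is the host's *other* connections
        baseline = statistics.median(others) if others else 0
        if baseline == 0 or e["out"] > ratio * baseline:
            flagged.append(e)
    return flagged


def review(log_text):
    """Run both checks and return the findings keyed by check name."""
    events = parse(log_text)
    return {"beacons": find_beacons(events), "bulk_uploads": find_bulk_uploads(events)}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for flow in result["beacons"]:
        print("possible beacon:", flow)
    for e in result["bulk_uploads"]:
        print("bulk upload:", e["src"], "->", f"{e['dst']}:{e['port']}", e["out"], "bytes")
```

On the constructed sample, host 10.1.2.30 is flagged for five-minute check-ins to one address and 10.1.2.40 for a 50 MB transfer over SSH to a host it otherwise never talks to; the ordinary browsing of 10.1.2.31 is not flagged. The point is the one Fusco makes: the logs only answer “have we already been compromised?” if someone actually asks them a question, and a single point-in-time review like this is a starting baseline, not a control.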
Rushing through her closing comments, Fusco said that security must become an enabler for business strategy and innovation, and that we should have fun in the process and practice. She offered a few ideas for what security challenges we may see in the future, including “anything” mobile becoming a computing and information mechanism, and more regulation.
Her final summary:
Security starts at the top but must be embraced by everyone in the organization
Create a culture of compliance and risk thought
People and their behavior are the key ingredients to good security
Process is important for reliability and “repeatability”
Collect and use data and facts to measure progress and success
Make information security part of the annual performance and business objectives
Leverage information security organizations for keeping current, directional advice and guidance.
Pamela Fusco’s presentation slides are posted to the conference web site at
