IC B10 - Vision Panel Discussion: “Scaling the Information Security Program Maturity Model: 3 Practitioners’ Perspectives”
Panel Date: Thursday, April 18, 2013
Panel Time: 9-10am PST (60 minutes total, 15 minutes Q&A)
Room: 112
Abstract: The Information Security Program Maturity Curve can provide an objective framework for defining, measuring and improving an organization’s information security program. Listen to a panel of Symantec Managed Security Services (MSS) customers, each representing different stages of information security program development, discuss how they approached challenges inherent to each stage, as well as share key lessons learned. In addition, fifteen minutes will be provided for questions and answers.
Panelists:
• Joseph Lee – Director, IT Risk Management and Security, AARP
• Preston Jennings – Chief Information Security Officer, PricewaterhouseCoopers
• Arno VanderWalt – VP Information Security Operations at Wyndham Worldwide
Moderator:
• Danny Dawes – Director, Managed Security Services Service Delivery group, Symantec
Introduction (9:00 – 9:05)
Danny: Thank you all for joining us for today’s panel discussion on “Approaching the Information Security Program Maturity Model: 3 Practitioners’ Perspectives”. My name is Danny Dawes and I am the Director of Symantec’s Managed Security Services, Service Delivery group.
Let’s start by level setting the concept of using a maturity curve to assess Information Security Program development. Several models exist in the industry; for example Gartner’s Security Program Maturity Timeline and Forrester's Information Security Maturity Model Assessment Framework.
When we talk with customers about their security programs, we find they align into three basic segments based on their awareness of their threat profile, risk aversion and overall security program maturity. Therefore, to simplify today’s discussion, we’ll refer to these three groups as:
• Ad hoc – Companies who are just starting to develop their Information Security Programs, but where no formalized security activities exist
• “Best efforts” security programs – Companies who are “doing their best” to secure the Enterprise and hoping to mitigate most threats before they impact the business.
• Mature, proactive programs – Companies whose goals, practices and performance metrics are fully defined.
Introduction (cont’d)
Interestingly, when we contacted customers regarding participating in this panel, most felt they fell in the middle category – which makes sense. Because they are MSS customers, they have moved past the Ad hoc stage, but few were hesitant to label their program as being proactive and mature. Perhaps they were afraid their CFOs were in the audience and they would lose funding if they implied their program development was complete.
Therefore, we’re asking our panel participants to comment on the various maturity segments based on past experience and observations of the industry. With that, I’d like to ask our panelists to each take a minute or so to briefly introduce themselves:
Introduction (9:05 – 9:10)
[Brief introduction from all panelists – please limit this to 90 seconds]
• Name, title, years with company
• Background – how did you get where you are today?
• Brief description of the network you manage
• What is your biggest concern/challenge regarding your environment? For example:
  o PwC – employees spend considerable time on other companies’ networks?
  o AARP – comprised of many different businesses (insurance, etc.)?
Please note:
For each of the questions below, the panelist in the first position will take the lead for answering the question and therefore get the majority of the time. The second two panelists are welcome (and encouraged!) to contribute but need to keep it brief so we can ensure time for Q&A.
The Usefulness of the Maturity Curve as an Evaluation Tool (9:10-9:15)
Danny: What are your thoughts on this Maturity Curve? Is it a good summary of how different organizations might approach their information security program?
• Joe: understanding why security is important for your business, and explaining to management why not everyone needs to be a 5… versus a highly risk-averse business that must be a 5
• Preston:
• Arno:
Assessing Your Program (9:15-9:20)
Danny: A critical first step for any security professional walking into a new role is assessing where the new organization resides on this curve and where the gaps may lie. Thinking back to your most recent transition, what techniques did you use to make this assessment?
• Preston: team strengths; understanding what a mature program looks like, what the strengths are and where the gaps are; figuring out where you’re going to make investments. Acknowledging that you just can’t do it all.
• Joe: built AARP from a non-existent program…
• Arno:
Top Challenges Faced While Evolving Security Programs (9:20-9:25)
Danny: Once you’ve come in and made the initial assessment, the next step becomes taking the program to the next level. What were the top one or two challenges you faced in trying to evolve your information security program, and how did you address those challenges in your environment?
• Preston: reporting structure, ability to influence change; reported to the CIO, now reports to a board of senior business leaders; decisions that would have been made by IT are now being driven by the business. Cyber warfare, business impact. It takes discussion around the impact to the business if we don’t do anything… it used to be a line-item discussion.
• Joe:
• Arno:
Transforming less mature programs (9:25-9:30)
Danny: Have you ever worked for an organization that had a less mature security program? What kinds of challenges did you face trying to move them forward?
Does anyone have anything to share here? If not, I’m going to cut.
• Joe:
• Preston:
• Arno:
Is it realistic to reach for a 5? (9:30-9:35)
Danny: Do you think it’s realistic for most organizations to strive to reach the upper level of the maturity curve? What challenges will they face in doing so?
• Joe:
• Preston:
• Arno:
Demonstrating Program Performance (9:35-9:40)
Danny: After protecting the enterprise, the ability to demonstrate program performance in order to justify funding is the Holy Grail for most information security professionals. What techniques have you found most effective for proving the value and efficacy of your security program?
• Joe:
• Preston:
• Arno:
Program Evolution (9:40-9:45)
Danny: The last question for our panelists is a bit open-ended, but hopefully one the audience will appreciate. When you think about taking your information security program to the next level, what is the most important advice you can share with members of our audience today?
• Preston: language change, speaking the language of the business, not the language of IT; you need to be bilingual… understand what’s important to each audience. What will resonate.
• Joe: you need to be relevant. It’s not about information security, it’s about supporting the business in an appropriate manner.
• Arno:
Wrap Up and Q&A (9:45-10am)
Danny: We have some time for Q&A and I’d like to make sure everyone has the opportunity to interact with our guests. So, would you please use the microphone, and we’ll start the Q&A section at this time.
(Questions from the audience)
Danny: Thank you to all of you who joined us today; this discussion would not have been possible without you.
And, thank you to our distinguished panelists:
• Joseph Lee – Director, IT Risk Management and Security, AARP
• Preston Jennings – Chief Information Security Officer, PricewaterhouseCoopers
• Arno VanderWalt – VP Information Security Operations at Wyndham Worldwide
Can we please have a round of applause for our panelists?