Security: Building an Enterprise Capability

1
Security Building an Enterprise Capability

• David Spaziani CIO

2
Agenda

• Where we were in 2006
• What is an Enterprise Capability, and
  specifically Security?
• Making the change
• Where are we now?
• What next?

3
Disclaimer
4
A bit about DIA

• Highly secured
• Investigation
• Identity documents and identity data
• Ministerial support
• Commissions
• Shared but controlled access
• Office automation, document management
• Sensitive / restricted
• payroll

5
Current State Indicators

• Enterprise Architecture
• Current state
• Governance
• The EA process
• Change Management
• Process breadth and depth
• Degree of adherence
• Note not policy

6
The result

• We had some work to do

7
A Few Rules
8
Laws to apply to IT Capability

• Newtons First Law of motion
• Every object in a state of uniform motion tends
  to remain in that state of motion unless an
  external force is applied to it.
• Newtons Third Law of motion
• For every action there is an equal and opposite
  reaction.

9
And a few more
Laws of Thermodynamics

• First law (James Prescott Joule)
• Energy can neither be created nor destroyed. It
  can only change forms
• Second law (Robert Clausius)
• The entropy of an isolated system not in
  equilibrium will tend to increase over time,
  approaching a maximum value at equilibrium.

• or
• You cannot win (that is, you cannot get
  something for nothing, because matter and energy
  are conserved)
• and
• You cannot break even (you cannot return to
  the same energy state, because there is always an
  increase in disorder entropy always increases)

10
And finally

• Not a rule but a commonly held understanding
• There is a correlation between importance and
  simplicity in mathematical theorems

11
Enterprise Capability (and Enterprise Security)
12
Enterprise Capability

• Capability People, Process, Information and
  Technology
• An Enterprise Capability requires a conscious
  commitment by the organisation to developing that
  capability
• An Enterprise Capability requires A Capable
  Enterprise
• A capability must have ongoing investment to be
  maintained
• It must be cheaper than the alternatives

13
Security?
14
Security

• It isnt something that
• stops people doing their jobs
• Just happens because you say its important
• just happens because we have experienced people
  who use good practice
• I cant explain to you because you wouldnt
  understand
• I cant explain because I dont really understand
  it

• It is something that
• enables a business to operate in the way it needs
  to in order to meet its business objectives
• is something you commit to supporting because it
  supports your business
• people believe helps them to do their jobs
• is simple
• should save you money

15
Scope of Security

• Any point where a decision needs to be made to
  permit or deny access.

16
Making the Change
17
Establish Capability

• Align organisational structures and processes
  with the desired outcome
• Governance
• Accountabilities
• Organisational change
• Build the capability
• People with the right attitude
• People with the right skills
• People with the right motivation

18
Establish Capability (continued)

• Start with a few key processes
• Invest at the start of the service chain first
• Policy ? Standards ? Capability / Sourcing ?
  Delivery ? Support
• Drive the change from within your organisation

19
What we did

• Agree to invest in the capability
• Run an organisational change process
• Clear accountabilities
• Remove the gaps and overlaps
• Get the right people, and get them to own and
  drive the implementation process
• Targeted use of external expertise
• Develop policies and standards, starting with
  Security and Change
• Define the processes we wanted to implement
• Deploy, monitor, improve
• Continue to invest

20
What we did (cont)

• We didnt get any extra money beyond that already
  allocated to working on core system upgrades
• Saved money, and invested part of that in further
  change

21
What we would do differently

• Manage the process of defining and changing
  accountabilities differently
• Track and report savings / quality improvements /
  risk reduction / service improvements right from
  the start
• Be patient there is no shortcut to increasing
  maturity
• Dont try and do everything at once
• Dont let the project process get in the way of
  the creative process
• Make sure that we can continue to invest in the
  system to maintain the capability

22
What we would do differently

• Manage all IT business systems and processes as
  assets
• Long term investment plans
• Performance reporting against business objectives
• Benefits realisation / review
• Consolidate / reuse / refresh / replace

23
Where are we now?
24
Internal security capabilities

• Specific security and assurance practice
• Policies and standards in place and
  operationalised
• Mature (enough) Change Management
• EA processes and a new EA, including business
  architecture
• Investment in security related capabilities
• Identity Management
• Intrusion detection
• Targeted use of external expertise
• Audit assessments

25
Services

• Identity Verification Service
• Transition of the Government Logon Service into
  the DIA security model

26
What next?

• Savings to drive capability to deliver further
  savings
• Use Asset Management practices to deliver
  efficiencies
• Implementation and rollout of Identity Management
  for the enterprise
• Continue to invest in the capability

27
Final word

• In this decade, we will send a man to the moon
  and return him safely to the Earth

• This isnt rocket science
• All that is required is commitment.
• And then a lot of hard work.

28
Thank you.