Security: Building an Enterprise Capability - PowerPoint PPT Presentation

About This Presentation

Title: Security: Building an Enterprise Capability

Description: 'In this decade, we will send a man to the moon and return him safely to the Earth' ... This isn't rocket science. All that is required is commitment. And then ... – PowerPoint PPT presentation

Slides: 29
Provided by: obrie

Transcript and Presenter's Notes

1
Security Building an Enterprise Capability
  • David Spaziani, CIO

2
Agenda
  • Where we were in 2006
  • What is an Enterprise Capability, and
    specifically Security?
  • Making the change
  • Where are we now?
  • What next?

3
Disclaimer
4
A bit about DIA
  • Highly secured
    • Investigation
    • Identity documents and identity data
    • Ministerial support
    • Commissions
  • Shared but controlled access
    • Office automation, document management
  • Sensitive / restricted
    • Payroll

5
Current State Indicators
  • Enterprise Architecture
    • Current state
    • Governance
    • The EA process
  • Change Management
    • Process breadth and depth
    • Degree of adherence
    • Note: not policy

6
The result
  • We had some work to do

7
A Few Rules
8
Laws to apply to IT Capability
  • Newton's First Law of motion
    • Every object in a state of uniform motion tends
      to remain in that state of motion unless an
      external force is applied to it.
  • Newton's Third Law of motion
    • For every action there is an equal and opposite
      reaction.

9
And a few more
Laws of Thermodynamics
  • First law (James Prescott Joule)
    • Energy can neither be created nor destroyed. It
      can only change forms.
  • Second law (Robert Clausius)
    • The entropy of an isolated system not in
      equilibrium will tend to increase over time,
      approaching a maximum value at equilibrium.
  • or
    • You cannot win (that is, you cannot get
      something for nothing, because matter and energy
      are conserved)
  • and
    • You cannot break even (you cannot return to
      the same energy state, because there is always an
      increase in disorder; entropy always increases)

10
And finally
  • Not a rule, but a commonly held understanding:
  • There is a correlation between importance and
    simplicity in mathematical theorems

11
Enterprise Capability (and Enterprise Security)
12
Enterprise Capability
  • Capability = People, Process, Information and
    Technology
  • An Enterprise Capability requires a conscious
    commitment by the organisation to developing that
    capability
  • An Enterprise Capability requires a Capable
    Enterprise
  • A capability must have ongoing investment to be
    maintained
  • It must be cheaper than the alternatives

13
Security?
14
Security
  • It isn't something that
    • stops people doing their jobs
    • just happens because you say it's important
    • just happens because we have experienced people
      who use good practice
    • I can't explain to you because you wouldn't
      understand
    • I can't explain because I don't really understand
      it
  • It is something that
    • enables a business to operate in the way it needs
      to in order to meet its business objectives
    • is something you commit to supporting because it
      supports your business
    • people believe helps them to do their jobs
    • is simple
    • should save you money

15
Scope of Security
  • Any point where a decision needs to be made to
    permit or deny access.

16
Making the Change
17
Establish Capability
  • Align organisational structures and processes
    with the desired outcome
    • Governance
    • Accountabilities
    • Organisational change
  • Build the capability
    • People with the right attitude
    • People with the right skills
    • People with the right motivation

18
Establish Capability (continued)
  • Start with a few key processes
  • Invest at the start of the service chain first
    • Policy → Standards → Capability / Sourcing →
      Delivery → Support
  • Drive the change from within your organisation

19
What we did
  • Agree to invest in the capability
  • Run an organisational change process
  • Clear accountabilities
  • Remove the gaps and overlaps
  • Get the right people, and get them to own and
    drive the implementation process
  • Targeted use of external expertise
  • Develop policies and standards, starting with
    Security and Change
  • Define the processes we wanted to implement
  • Deploy, monitor, improve
  • Continue to invest

20
What we did (cont)
  • We didn't get any extra money beyond that already
    allocated to working on core system upgrades
  • Saved money, and invested part of that in further
    change

21
What we would do differently
  • Manage the process of defining and changing
    accountabilities differently
  • Track and report savings / quality improvements /
    risk reduction / service improvements right from
    the start
  • Be patient: there is no shortcut to increasing
    maturity
  • Don't try to do everything at once
  • Don't let the project process get in the way of
    the creative process
  • Make sure that we can continue to invest in the
    system to maintain the capability

22
What we would do differently (continued)
  • Manage all IT business systems and processes as
    assets
    • Long term investment plans
    • Performance reporting against business objectives
    • Benefits realisation / review
    • Consolidate / reuse / refresh / replace

23
Where are we now?
24
Internal security capabilities
  • Specific security and assurance practice
  • Policies and standards in place and
    operationalised
  • Mature (enough) Change Management
  • EA processes and a new EA, including business
    architecture
  • Investment in security related capabilities
    • Identity Management
    • Intrusion detection
    • Targeted use of external expertise
    • Audit assessments

25
Services
  • Identity Verification Service
  • Transition of the Government Logon Service into
    the DIA security model

26
What next?
  • Savings to drive capability to deliver further
    savings
  • Use Asset Management practices to deliver
    efficiencies
  • Implementation and rollout of Identity Management
    for the enterprise
  • Continue to invest in the capability

27
Final word
  • "In this decade, we will send a man to the moon
    and return him safely to the Earth"
  • This isn't rocket science.
  • All that is required is commitment.
  • And then a lot of hard work.

28
Thank you.