
Security: Building an Enterprise Capability


Presentation Transcript


  1. David Spaziani – CIO Security: Building an Enterprise Capability

  2. Agenda
  • Where we were in 2006
  • What is an Enterprise Capability, and specifically Security?
  • Making the change
  • Where are we now?
  • What next?

  3. Disclaimer

  4. A bit about DIA
  • Highly secured
    • Investigation
    • Identity documents and identity data
    • Ministerial support
    • Commissions
  • Shared but controlled access
    • Office automation, document management
  • Sensitive / restricted
    • Payroll

  5. Current State Indicators
  • Enterprise Architecture
    • Current state
    • Governance
    • The EA process
  • Change Management
    • Process breadth and depth
    • Degree of adherence
  • Note – not policy

  6. The result… We had some work to do

  7. A Few Rules

  8. Laws to apply to IT Capability
  Newton’s First Law of motion: “Every object in a state of uniform motion tends to remain in that state of motion unless an external force is applied to it.”
  Newton’s Third Law of motion: “For every action there is an equal and opposite reaction.”

  9. Laws of Thermodynamics
  First law (James Prescott Joule): “Energy can neither be created nor destroyed. It can only change forms.”
  Second law (Robert Clausius): “The entropy of an isolated system not in equilibrium will tend to increase over time, approaching a maximum value at equilibrium.”
  Or, put another way:
  “You cannot win (that is, you cannot get something for nothing, because matter and energy are conserved)”
  and
  “You cannot break even (you cannot return to the same energy state, because there is always an increase in disorder; entropy always increases)”
  And a few more…

  10. And finally… Not a rule, but a commonly held understanding: there is a correlation between importance and simplicity in mathematical theorems.

  11. Enterprise Capability (and Enterprise Security)

  12. Enterprise Capability
  • Capability: People, Process, Information and Technology
  • An Enterprise Capability requires a conscious commitment by the organisation to developing that capability
  • An Enterprise Capability requires A Capable Enterprise
  • A capability must have ongoing investment to be maintained
  • It must be cheaper than the alternatives

  13. Security?

  14. Security
  Security isn’t:
  • something that stops people doing their jobs
  • something that just happens because you say it’s important
  • something that just happens because we have experienced people who use good practice
  • something I can’t explain to you because you wouldn’t understand
  • something I can’t explain because I don’t really understand it
  Security is:
  • something that enables a business to operate in the way it needs to in order to meet its business objectives
  • something you commit to supporting because it supports your business
  • something people believe helps them to do their jobs
  • simple
  • something that should save you money

  15. Scope of Security: any point where a decision needs to be made to permit or deny access.

  16. Making the Change

  17. Establish Capability
  • Align organisational structures and processes with the desired outcome
    • Governance
    • Accountabilities
    • Organisational change
  • Build the capability
    • People with the right attitude
    • People with the right skills
    • People with the right motivation

  18. Establish Capability (continued)
  • Start with a few key processes
  • Invest at the start of the service chain first:
    Policy → Standards → Capability / Sourcing → Delivery → Support
  • Drive the change from within your organisation

  19. What we did
  • Agree to invest in the capability
  • Run an organisational change process
    • Clear accountabilities
    • Remove the “gaps and overlaps”
  • Get the right people, and get them to own and drive the implementation process
  • Targeted use of external expertise
  • Develop policies and standards, starting with Security and Change
  • Define the processes we wanted to implement
  • Deploy, monitor, improve
  • Continue to invest

  20. What we did (continued)
  • We didn’t get any extra money beyond that already allocated to working on core system upgrades
  • Saved money, and invested part of that in further change

  21. What we would do differently
  • Manage the process of defining and changing accountabilities differently
  • Track and report savings / quality improvements / risk reduction / service improvements right from the start
  • Be patient – there is no shortcut to increasing maturity
  • Don’t try to do everything at once
  • Don’t let the project process get in the way of the creative process
  • Make sure that we can continue to invest in the system to maintain the capability

  22. What we would do differently (continued)
  • Manage all IT business systems and processes as assets
    • Long term investment plans
    • Performance reporting against business objectives
    • Benefits realisation / review
    • Consolidate / reuse / refresh / replace

  23. Where are we now?

  24. Internal security capabilities
  • Specific security and assurance practice
  • Policies and standards in place and operationalised
  • Mature (enough) Change Management
  • EA processes and a new EA, including business architecture
  • Investment in security related capabilities
    • Identity Management
    • Intrusion detection
  • Targeted use of external expertise
  • Audit assessments

  25. Services
  • Identity Verification Service
  • Transition of the Government Logon Service into the DIA security model

  26. What next?
  • Savings to drive capability to deliver further savings
  • Use Asset Management practices to deliver efficiencies
  • Implementation and rollout of Identity Management for the enterprise
  • Continue to invest in the capability

  27. Final word
  “In this decade, we will send a man to the moon and return him safely to the Earth”
  This isn’t rocket science. All that is required is commitment. And then a lot of hard work.

  28. Thank you.
