A company experienced a significant data breach from a malicious source which led to the loss of strategically sensitive information. I was called in to manage a security remediation project. Given that data at rest is a critical asset, remediating and hardening the company’s business critical databases was a key component of this program.
The client had designed a solution for database security but was struggling to implement it and gain the required stakeholder buy-in. Furthermore, the client’s business critical landscape was highly dispersed – application management was spread across multiple business units based in a number of countries, and database management was overseen by a third-party IT vendor.
I was a part of the project management team, which was established to coordinate multiple stakeholders in order to implement the end-to-end solution for database security consisting of monitoring, reporting and remediation of business critical databases.
I identified that the most significant obstacle was business application owners’ understanding of the system, the processes, and the benefits of implementation. I initially engaged in extensive stakeholder communication and business change management to secure the required buy-in.
I drove the progress of system implementation through stakeholder management, delivery management, information gathering and providing technical expertise and management reporting. I worked within the client’s project management methodology whilst leveraging my experience and expertise in project management to ensure timely delivery.
As a result, the business critical databases in scope were brought into the known state of compliance, drastically reducing the attack surface. Moreover, awareness of the importance of application security and secure behaviours to support databases was raised significantly.
I embedded the processes to implement the system into the client’s run and maintain activities, ensuring that future changes to their business critical landscape do not introduce new database vulnerabilities. I also developed an asset inventory for business critical databases which improved upon any previous client efforts.
I’m happy to announce that the registration for the NextSec June 2014 Conference is still open.
Location: Investec Bank plc, 2 Gresham Street, London, EC2V 7QP, United Kingdom
Date: 5th June, 2014
18:00 – The role of a CISO in a cloud, mobile and social world
Speaker: David Cripps, Investec CISO
David is the Information Security Officer for the Investec Group and is responsible for the Group’s information security programme, ensuring that the risks to their information assets are identified and appropriately managed. He has a strong technical and networking background in the finance and telecommunications industry. David has also worked as an electronics instructor in Sri Lanka.
David has been awarded a master’s degree in Internet and Telecommunications Law (LLM). He is a Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP). David has also been awarded an Advanced Professional Certificate in Investigative Practices (APCIP).
18:25 – The rule of three: cyber resilience in a fast-changing world
- Three walls to structure controls and contingencies against cyber attack
- Three principles to drive the design of practical and focused cyber defences
- Three strategies for maintaining agile, adaptive and sustainable counter-measures to meet the cyber challenge
Speaker: Daniel Barriuso, BP CISO
Daniel Barriuso is the Chief Information Security Officer (CISO) at BP. He is responsible for cyber security across the Group, including strategy, governance, architecture, education, counter threat operations and incident response. Daniel is a frequent speaker and contributor at security forums and events. Prior to joining BP, Daniel was CISO at Credit Suisse and coordinated a number of security initiatives across the financial services sector, including the ‘Waking Shark’ response exercise. Daniel also dedicates his time as a Professor at the ‘Universidad Politecnica de Madrid’, where he lectures and researches in the areas of IT governance and information security investment.
18:50 – From Graduate to VP: My journey in the realm of Network Security
Speaker: Raghu Nandakumara, Citi Network Security Manager
Following completion of his MSc, Raghu joined Citi in 2004 as part of the UK Technology Graduate Programme and was placed in the EMEA Information Security Services team. Initially working in Operational Support, he was part of a team that was responsible for the maintenance and stability of all perimeter security infrastructure in EMEA, including firewalls, proxies and remote access. He moved into the Network Security Engineering organisation in 2008 and was initially responsible for security service delivery on business projects (including handling large-scale divestitures and acquisitions) as well as the build-out of security infrastructure in Citi’s new strategic data centre in the region. Having spent the last few years as the SME for a few Network Security products, he now runs the Network Security Engineering Tools and Automation team.
19:10 – ISACA’s Cybersecurity Nexus (CSX) Program
Overview of ISACA, including Cybersecurity Nexus (CSX), ISACA’s recently launched program that provides insights and resources for cybersecurity professionals.
Speaker: Allan Boardman, ISACA International Vice President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, is a risk officer at Morgan Stanley and International Vice President at ISACA. He began his career with Deloitte in Cape Town and has over 30 years’ experience in IT assurance, risk, security and consultancy roles at organizations including JPMorgan, Goldman Sachs, KPMG, PwC, Marks and Spencer, and the London Stock Exchange. He is a past president of the ISACA London Chapter and has served on the BCS’ Information Risk Management and Audit Committee. He is a member of ISACA’s International Board of Directors, currently chairing its Credentialing and Career Management Board, and is a member of ISACA’s Strategic Advisory Council. He has served on ISACA’s Leadership Development Committee and chaired ISACA’s CISM Certification Committee. He was a volunteer at the Paralympics in London 2012 and Sochi 2014, and is a school governor where he chairs the Finance Committee.