Northern Nevada Chapter # 164

Site Sponsored by A-1 Security
NNASIS - Northern Nevada ASIS Chapter #164
American Society for Industrial Security

Physical & Data Security Will Become One

 Why?

 Asset Protection major part of job

Value of Data

Most valuable resource

Value of your A/R

Value of your customer database

Company resources on internet

 

Does your company have multiple properties? If so, your access control and video systems may already be internet based. Your IT professionals/techies have control of your systems.

Where does your responsibility begin and theirs end?

What about your customer systems?

Physical IOUs to your company, investigate if missing

 

A virtual IOU is an A/R, how do you secure those?   What if tampered?

 

All these questions have to be answered by you as the Security Professional

 

You can't know everything, but you need to know how to find out and from whom to find out. Techies don't know everything and fall further behind every day. How to talk to techies. 2 Rules.

            Can't Argue w/ Techies

            Must Argue w/ Techies

 

 Impacts on Security Professionals

 Simple, There will be a CSO in your future.

Do you want to work for him/her or be him/her

Your current CIO won't know much more about data security than you

You know more about how it should function.

You know about who commits computer fraud, it's Rosie or Ted.

  

HOW DO YOU GET STARTED BEING ONE?

 Talk to techies - find out your common ground

Do they support your security systems?   Coffee & donuts.

You definitely support them.   Secure their access to computers, servers.

Build on it.

Everything you deal w/ in real world, they deal with in virtual world.

Punks testing your security; they have script kiddies testing, hacking their systems.

Most of our work is preventative - harden the target stuff - same with them.

Our VALUE is after the breach.  

We deal w/ criminals daily.    IT does not.

Banks deal w/ hacking - COVER UP    Investors, Customers lose faith

 

Remember the GhostBusters' song "Who Ya Gonna Call?"   You

Why don't they really report criminal hacking?

They don't know anybody in law enforcement!

They don't know how to conduct a confidential investigation.

Has anyone in here ever met a cop?   Conducted a CI?

Data Security Techies have to have confidence in YOU to report it to you, i.e., they probably should know you first.

 HOW DO YOU EDUCATE YOURSELF?

 ASIS  Conferences around country

 Security Management Magazine  look at the November issue

Cover article "Computer Forensics"

            Drowning in Data re: network analysis tools

            Don't Hack Back re:  emerg response to IT breaches

            Linkin Logs to Fraud re:  computer fraud investigations

            Chalk it up to Experience re: ID by wireless hackers

 

CSO Magazine, The Resource for Security Executives

            www.csoonline.com

 Talk to Techies.

  WHAT ARE YOU TRYING TO ACCOMPLISH?

 Know how to do Risk Assessment, Site Surveys, get professional help?

With a Risk/Assess in hand, we know how to determine response.

No Problem! But what does your CEO want?

 Total and complete security, w/ no inconvenience to employees or customers, at NO COST.   Right?

 Get real, what the CEO wants is the max. ROSI.  Physical or Data.

 ROSI = (Cost) X (Cost of Breach) X (Probability of Breach)

 A return of 3:1 is what you need to see.

 Factoid:   70% of senior IT professionals will do a physical security review this year.

 Remember do you want to work for or be CSO?

Company better off if you are CSO.

 Look at budgeting, you know how to budget, techies are assigned a minuscule budget because they don't know how to make a business case.

 You can get them visibility, attention, and money!

What does the company need from security - Protect assets

DATA is M.V.A.

 Commonalities:           Risk Assessment

                                    Max Protect/ Min Cost

                                    Layered approach to security

                                    Observe & Report  aka Detect

                                    Analyze & Investigate

                                    Prosecute  

 We know these things better than they do!

 They need us to heighten awareness of their issues, to bring focus to their problems & find creative, inexpensive solutions.

 Techies think differently than the rest of us.

They think in black & white: it's 0 or 1, it's off or on, it works or it doesn't.

It's all in code.

 Security is different.   We know we can't eliminate risk, we want to mitigate risk, to harden the target.

 All this being said about taking over Data Security, DON'T have a coup.

Revolution is usually NOT a good corporate option.   Besides you would scare the hell out of the techies until they get to know you better.

 

Thanks for listening.

 Steve Moyer

Chief, Corporate Security

Sierra Pacific Power Co.

(775) 834-5807

smoyer@sppc.com

 ___________________________________________________________________

NNASIS - Northern Nevada ASIS Chapter #164  - P.O. Box 7738, Reno, Nevada 89510

 *   info@nnasis.org

    Copyright © 2004 NNASIS  All rights reserved.
Revised: 05/10/05