The Center for Education and Research in Information Assurance and Security (CERIAS)

Gene Kim - Tripwire, Inc

Prioritizing Processes and Controls for Effective and Measurable Security

Sep 20, 2006

Are your security & IT controls really effective? Do you know how your security & IT operations compare to high performers?

In this presentation, Gene Kim will share the work he has been doing over the last six years with the IT Process Institute (ITPI), Software Engineering Institute, and Institute of Internal Auditors, codifying the observed practices of high-performing IT organizations. These high performers have a culture of change management, a culture of causality and a perpetual desire to detect variance before it causes a catastrophic event.

Specifically, Gene will discuss the ITPI IT Controls Benchmarking Survey of practice, a recently completed research project that has quantified the value, effectiveness, efficiency and security of controls. This landmark research has uncovered an alternative approach to being an effective security executive, based on measuring security by its ability to maintain its existing commitments; integrate controls into daily IT operations (prevent); put automated controls in place to detect variance before loss events (detect); reduce the percent of security incidents that result in loss events; and successfully investigate and conclude security investigations.
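The "detect variance before it causes a loss event" control described above is what Tripwire-style integrity monitoring does in practice: record a known-good baseline of file hashes, rescan, and reconcile every difference against the approved change records, so that unauthorized change (the variance) is surfaced rather than discovered after the outage or breach. The script below is an added example written for this page, not Tripwire's code and not material from the talk; the directory layout, file contents and the set of authorized changes are constructed inline for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its content hash."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def detect_variance(old: dict, new: dict) -> dict:
    """Compare a stored baseline with a fresh scan: what appeared, vanished, or changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def classify_changes(variance: dict, authorized: set) -> dict:
    """Split detected changes into those covered by an approved change record and those not.

    The unauthorized rate is the kind of measure the abstract talks about: the share
    of observed change that nobody planned, which is where incidents come from.
    """
    changed = variance["added"] + variance["removed"] + variance["modified"]
    auth = sorted(p for p in changed if p in authorized)
    unauth = sorted(p for p in changed if p not in authorized)
    rate = len(unauth) / len(changed) if changed else 0.0
    return {"variance": variance, "authorized": auth,
            "unauthorized": unauth, "unauthorized_rate": rate}


def demo() -> dict:
    """Run the baseline / rescan / reconcile cycle on a constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample filesystem (not real system files).
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-sample")
        baseline = build_baseline(root)

        # Simulated activity between scans. Only the sshd_config edit has an
        # approved change record; everything else is unplanned variance.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\nMaxAuthTries 3\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-replaced")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "unexpected").write_text("* * * * * root /tmp/x\n")
        (root / "etc" / "hosts").unlink()

        current = build_baseline(root)
        return classify_changes(detect_variance(baseline, current),
                                authorized={"etc/sshd_config"})


if __name__ == "__main__":
    report = demo()
    for path in report["unauthorized"]:
        print("UNAUTHORIZED CHANGE:", path)
    print(f"unauthorized change rate: {report['unauthorized_rate']:.0%}")
```

In a real deployment the baseline would be stored off-host and signed, and the authorized set would come from the change-management system; the point of the example is the reconciliation step, which turns raw "something changed" signals into the one metric worth reporting upward.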

Attendees will learn about the key research findings:
* That high performers have 5-8x higher operational and security
effectiveness and efficiency measures
* The 20% of IT controls that deliver 80% of the measurable benefits,
how to implement them, and the prescriptive steps to take in order to
achieve defined security results
* The processes and controls that have shown catalytic and sustaining
properties, meaning that the value they add demonstrably exceeds the
cost to implement and report on them.

About the Speaker

Gene Kim is the CTO and founder of Tripwire, Inc. In 1992, he
co-authored Tripwire while at Purdue University with Dr. Gene Spafford.
Since then, Tripwire has been adopted by more than 5,000 enterprises
worldwide. In 2004, Kim co-founded the IT Process Institute, which is
dedicated to research, benchmarking and developing prescriptive guidance
for IT operations and security management and auditors. He also
co-authored the "Visible Ops Handbook: Implementing ITIL in Four
Practical And Auditable Steps" and was a principal investigator on the
IT Controls Performance Study project, completed in 2006. Kim currently
serves on the Advanced Technology Committee for the Institute of
Internal Auditors, and was part of the team that defined change
management best practices for the recently released IIA Global
Technology Guide "Change and Patch Management Controls: Critical for
Organizational Success."

Since 1999, Kim has been working with SANS, the Software Engineering
Institute and the IIA to capture how "best in class" organizations have
IT operations, security, management, governance and audit working
together to solve common business objectives. Kim holds an M.S. in
computer science from University of Arizona and a B.S. in computer
sciences from Purdue University. Gene is certified on both IT
management and audit processes, possessing both ITIL Foundations and
CISA certifications.
