Wednesday, October 12, 11
Protecting the Information Infrastructure: Why CIOs and CSOs are Becoming Mission-Critical Business Partners

SNW Fall 2011
Jay McLaughlin, CISSP
Chief Security Officer, Q2ebanking



DISCLAIMER

The materials, thoughts, comments, ideas and opinions expressed throughout this presentation are entirely my own and do not necessarily represent the thoughts or opinions of my employer (past or present).
AGENDA

• Information...the lifeblood of an organization
• Events involving loss of data are rising - who is to blame?
• Mitigating our vulnerabilities
• A shift to Information-Centric Security
• Developing critical partnerships across the organization
Information is the lifeblood of organizations, and considered a critical factor in a company’s effective pursuit of its business goals and success.
Information is not only valuable to an organization…but also to...
WHAT ARE WE TRYING TO PROTECT?

Regulated information is the type of data most often thought of when the subject of information protection is raised.
• Includes personally identifiable information (PII) of individuals, such as social security numbers, bank and credit card numbers and medical records. A great deal of public outrage, lawsuits, fines and loss of brand trust can accompany the compromising of this information.

Confidential information may involve marketing plans, financial projections, sales reports and M&A discussions.
• Breaches of this information can range from public embarrassment to catastrophe.

Intellectual property (IP) is arguably the most critical type of information.
• According to the FBI, $600 billion worth of intellectual property is stolen every year in the U.S.
• Companies tend to focus on regulated data while doing comparatively little to secure the IP that is critical to their business.
Setting the Stage - Recent Attacks

– Defense Contractors
  » Lockheed Martin
  » Northrop Grumman
  » L-3
– Commercial Organizations
  » SONY
  » GOOGLE
– Security Firms
  » RSA
  » Barracuda Networks
  » HB Gary Federal
  » Comodo / Digitar
– Government
  » United States DoD
  » Texas Comptroller’s Office
It gets worse...

Source: Scientific American, “Data Theft: Hackers Attack”, Oct 2011
Change in Tactics

• Highlighted that in 2010, the largest number of data breach incidents occurred, yet the volume of records dropped significantly
• Criminals are engaging in small, opportunistic attacks rather than large-scale, difficult attacks, using relatively low sophistication attacks to penetrate organizations.
Will your organization be on this list?

• University of Texas: 688 students' and prospective students' personal information accessed by employees after a configuration error made data available on the intranet
• Blackpool Coastal Housing: 80 tenants' names, addresses, national insurance numbers, telephone numbers and confidential care plans transferred to an employee's home computer where they were accessible to others
• Guilford County Tax Dept: 1,000 taxpayers' SSNs, names and addresses, and images of checks paid were accessible on the internet
• Bright House Networks: Customer names, addresses, phone numbers and account numbers exposed in unauthorized access
• California State Assembly: 50 employees' personal information may have been acquired by a hacker
• Montgomery County Dept of Job and Family Svcs: Names and Social Security numbers of 1,200 individuals seeking agency assistance were on a lost thumb drive
Organizations are sloppy
Overly Confident?

Ninth Annual Global Information Security Survey

Of the 9,600-plus business and technology execs surveyed, 43 percent identify themselves as security frontrunners and believe they have a sound security strategy and are executing it effectively.

http://www.pwc.com/gx/en/information-security-survey/giss.jhtmx
Source: Information Security Magazine, October 2010



CIOs: Call to Action

• Delivery of effective technology solutions to external customers and internal constituents
• Maximizing the value of technology investments to improve business performance
• Reducing related operational costs across business units
• Increasing agility of the organization, enabling it to adapt to changing needs
Roles of the CSO

• ENABLE
• AUDIT
• ENFORCE
• EDUCATE
Influencing Behavior

• Education is critical
• Security awareness is a start...but not good enough
• “Behavioral change” is required
Overly Confident?

To a fault...
• “...we haven’t been attacked before”
• “...why would someone target our company?”
• “...we undergo routine internal/external audits”

Why are we remiss about security?
• CIOs and C-level executives often don’t hear about security until an incident occurs
• CIOs are value-focused managers
  • Is security NOT viewed as value-adding?
Source: Scientific American, “Data Theft: Hackers Attack”, Oct 2011




...in fact, we are spending more on security solutions to protect our information systems
...but we’re not making investments in our processes

(Diagram labels: Management, Security, Physical, Operational)
COMPLIANCE



Compliance          Security

• This isn’t about checking the box
• Compliance defined: conformity in fulfilling official requirements.

It is the standard that is the problem, not the compliance with the standard.
CSOs tend to fixate on building an “EXCELLENT” information security program
Where does the CSO fit in?




The Business Problem Topology

• Security is new to the executive table
• Security discussions in today’s enterprise tend to be focused on the qualitative aspects instead of the quantitative
• CSOs speak a language that is NOT understood by other executives
• CSOs struggle with creating awareness and changing behaviors
But, Security is often viewed as a BOTTLENECK
The “R” Word

• Developing those critical RELATIONSHIPS within the organization
• WALK A MILE
• Breaking down the walls...we’re all fighting the same battle
Current Environment

• Regulations and compliance requirements are demanding more time and attention
  • Regulators and auditors including PCI-DSS, GLBA, SOX/404, HIPAA, etc. are demanding more executive time and attention
• Greater interest from CIOs and other business stakeholders regarding information security
• Routine communication around information security, compliance, investment and risk is critical...but challenging.
Management Differences

LEADERSHIP PHILOSOPHIES
• CIO: Value-focused managers
• CSO: Risk-focused managers

RISK MITIGATION translates to VALUE
Effective Risk Managers?

• Generally, human beings struggle at managing risk
• We often overestimate risks that are highly visible or catastrophic and underestimate the risks that are slower to develop or not easily seen
• CIOs tend to overestimate risks that they have less control over, and underestimate the risks that they have more control over
  ex: flying an airplane vs driving a car
Assessing Risk

• Engagement of business
• Top-Down Approach, ranking information assets
• Business Impact Analysis
• Quantitative vs. Qualitative
Understanding Risk

Risk Management involves identifying threats and applying mitigating controls to effectively reduce the risk of those threats:

• RISK = (THREAT x VULNERABILITY) / COUNTERMEASURES
• Multiply by VALUE for quantitative
• Controls can mitigate risk…
  ...but can rarely fully eliminate risk
Calculating Loss Expectancy

• The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE). Mathematically expressed: ALE = ARO * SLE
  -> calculating SLE: SLE = AV * EF
• Suppose that an asset is valued at $100,000, and the exposure factor (EF) for this asset is 25%. The SLE then is (25% * $100,000), or $25,000.
• For an annual rate of occurrence of 1, the annualized loss expectancy is (1 * $25,000), or $25,000.
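The SLE and ALE arithmetic above, carried through a small constructed asset register so the top-down ranking from the Assessing Risk slide and the residual risk a countermeasure leaves behind can be seen in numbers. This is an added example, not code from the original deck: the asset values, exposure factors and rates, the control's cost and effect, and the net-benefit calculation (ALE reduction minus the control's annual cost) are all assumptions the slides do not state.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One information asset in a quantitative risk register (values constructed)."""
    name: str
    asset_value: float      # AV: dollar value of the asset
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0..1
    annual_rate: float      # ARO: expected incidents per year


@dataclass(frozen=True)
class Control:
    """A mitigating control and its assumed effect on EF and ARO (constructed)."""
    name: str
    annual_cost: float
    ef_reduction: float   # fraction by which the control lowers EF, 0..1
    aro_reduction: float  # fraction by which the control lowers ARO, 0..1


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF, as on the slide; rounded to cents."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(annual_rate: float, sle: float) -> float:
    """ALE = ARO * SLE, as on the slide; rounded to cents."""
    if annual_rate < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return round(annual_rate * sle, 2)


def asset_ale(asset: Asset) -> float:
    sle = single_loss_expectancy(asset.asset_value, asset.exposure_factor)
    return annualized_loss_expectancy(asset.annual_rate, sle)


def rank_assets(assets):
    """Top-down ranking: highest ALE first, ties broken by name for a stable order.

    Returns a list of (name, SLE, ALE) tuples.
    """
    rows = []
    for a in assets:
        sle = single_loss_expectancy(a.asset_value, a.exposure_factor)
        rows.append((a.name, sle, annualized_loss_expectancy(a.annual_rate, sle)))
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def residual_ale(asset: Asset, control: Control) -> float:
    """ALE that remains once the control lowers EF and ARO. Unless the control
    zeroes one of them, residual risk stays above zero, which is the slide's point."""
    mitigated = Asset(
        asset.name,
        asset.asset_value,
        asset.exposure_factor * (1.0 - control.ef_reduction),
        asset.annual_rate * (1.0 - control.aro_reduction),
    )
    return asset_ale(mitigated)


def control_net_benefit(asset: Asset, control: Control) -> float:
    """ALE reduction minus the control's annual cost (assumed extension of the slide)."""
    return round(asset_ale(asset) - residual_ale(asset, control) - control.annual_cost, 2)


# The worked figures from the slide: AV $100,000, EF 25%, ARO 1.
SLIDE_EXAMPLE = Asset("Slide example asset", 100_000, 0.25, 1.0)

# Constructed register; the numbers are illustrative, not from the deck.
REGISTER = [
    Asset("Customer PII database", 2_000_000, 0.10, 0.5),
    Asset("M&A deal documents", 500_000, 0.40, 0.2),
    Asset("Product source code (IP)", 5_000_000, 0.05, 0.1),
    SLIDE_EXAMPLE,
]

# Constructed control in the spirit of the deck's layered scenario (encrypted
# tables plus role-based access); its cost and effect are assumptions.
ENCRYPTION_CONTROL = Control("Table encryption + role-based access", 30_000, 0.5, 0.2)


if __name__ == "__main__":
    for name, sle, ale in rank_assets(REGISTER):
        print(f"{name:28s} SLE ${sle:>12,.2f}  ALE ${ale:>12,.2f}")
    pii = REGISTER[0]
    print(f"Residual ALE for {pii.name} with {ENCRYPTION_CONTROL.name}: "
          f"${residual_ale(pii, ENCRYPTION_CONTROL):,.2f}")
    print(f"Net benefit of the control: ${control_net_benefit(pii, ENCRYPTION_CONTROL):,.2f}")
```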
Applying Countermeasures

Our Approach is CRITICAL

(Diagram: COUNTERMEASURES applied to the WRONG THREATS)

• Focus efforts on mitigating the ACTUAL vulnerabilities that are specific to the organization
• Avoid industry marketing FUD
Defense By Layer

• Acknowledges that reliance on any single control or mitigating factor is not sufficient
• This approach is commonly recommended
  Scenario: Protecting Hosted Customer Data from an external attacker
  • Database tables are encrypted
  • Role-based access levels are applied
  • Data Storage Encryption
Paradigm Shift

Information-Centric Security
• Emphasizes security of the INFORMATION itself...rather than the security of networks, systems, and applications.

• 4 Principles:
  1. Information (data) must be self-describing and defending.
  2. Policies and controls must account for business context.
  3. Information must be protected as it moves from structured to unstructured, in and out of applications, and changing business context.
  4. Policies must work consistently through the different defensive layers and technologies we implement.

Source: Rich Mogull, CEO/Principal Analyst, Securosis
Developing A Strategy

• Creating an information protection strategy
  – understanding the business and its specific needs for information protection.
  – defining a set of objectives to deliver quick wins and address long-term goals.
• Locating and classifying the information that means the most
  – An impact analysis should be performed to identify the information with the greatest impact to strategic, tactical and operational objectives.
• Weaving information protection into the fabric of the organization
• Developing the necessary capabilities to protect their information assets
  – Organizations need to determine the technologies and processes that best support their information protection objectives

Source: Dr. Alastair MacWillson, Security Week Aug 2011
Summary

• Educate by establishing a foundation for communication (e.g. metrics, scorecards)
• Embrace an information-centric approach
• Play offense (ACT vs. REACT)
• Leverage leading edge technology that enables agility within the organization
• Security is NOT perfect, and it requires ACCOUNTABILITY
• START with the BASICS
Be Prepared

The future ain’t what it used to be.

- Yogi Berra, New York Yankees
QUESTIONS?




THANK YOU

linkedin.com/in/mclaughlinjay
@jaymclaughlin
2011 hildebrandt institute cio forum data privacy and security presentation...
 
December ISSA Meeting Executive Security Presentation
December ISSA Meeting   Executive Security PresentationDecember ISSA Meeting   Executive Security Presentation
December ISSA Meeting Executive Security Presentation
 
You Are the Target
You Are the TargetYou Are the Target
You Are the Target
 
One of 2 protect your business
One of 2 protect your businessOne of 2 protect your business
One of 2 protect your business
 
Exploring Data Privacy - SQL Saturday Louisville 2011
Exploring Data Privacy - SQL Saturday Louisville 2011Exploring Data Privacy - SQL Saturday Louisville 2011
Exploring Data Privacy - SQL Saturday Louisville 2011
 
Forrester no more chewy centers- the zero trust model
Forrester   no more chewy centers- the zero trust modelForrester   no more chewy centers- the zero trust model
Forrester no more chewy centers- the zero trust model
 
Axxera End Point Security Protection
Axxera End Point Security ProtectionAxxera End Point Security Protection
Axxera End Point Security Protection
 
Art Hathaway - Artificial Intelligence - Real Threat Prevention
Art Hathaway - Artificial Intelligence - Real Threat PreventionArt Hathaway - Artificial Intelligence - Real Threat Prevention
Art Hathaway - Artificial Intelligence - Real Threat Prevention
 
Identity Theft and Data Compromise - TWCA Fall 2012
Identity Theft and Data Compromise - TWCA Fall 2012Identity Theft and Data Compromise - TWCA Fall 2012
Identity Theft and Data Compromise - TWCA Fall 2012
 
Information Security
Information SecurityInformation Security
Information Security
 
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
 
Homeland Security - strengthening the weakest link
Homeland Security - strengthening the weakest linkHomeland Security - strengthening the weakest link
Homeland Security - strengthening the weakest link
 

Más de Jay McLaughlin

Evaluating your Cybersecurity Preparedness - FFIEC Assessment
Evaluating your Cybersecurity Preparedness - FFIEC AssessmentEvaluating your Cybersecurity Preparedness - FFIEC Assessment
Evaluating your Cybersecurity Preparedness - FFIEC AssessmentJay McLaughlin
 
Securing the Virtual Branch
Securing the Virtual BranchSecuring the Virtual Branch
Securing the Virtual BranchJay McLaughlin
 
Exploring DDoS Attacks: Impact to Community Financial Institutions
Exploring DDoS Attacks: Impact to Community Financial InstitutionsExploring DDoS Attacks: Impact to Community Financial Institutions
Exploring DDoS Attacks: Impact to Community Financial InstitutionsJay McLaughlin
 
Securing 3-Mode Mobile Banking
Securing 3-Mode Mobile BankingSecuring 3-Mode Mobile Banking
Securing 3-Mode Mobile BankingJay McLaughlin
 
BYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, WestBYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, WestJay McLaughlin
 
Social Media: Infiltrating The Enterprise
Social Media: Infiltrating The EnterpriseSocial Media: Infiltrating The Enterprise
Social Media: Infiltrating The EnterpriseJay McLaughlin
 

Más de Jay McLaughlin (6)

Evaluating your Cybersecurity Preparedness - FFIEC Assessment
Evaluating your Cybersecurity Preparedness - FFIEC AssessmentEvaluating your Cybersecurity Preparedness - FFIEC Assessment
Evaluating your Cybersecurity Preparedness - FFIEC Assessment
 
Securing the Virtual Branch
Securing the Virtual BranchSecuring the Virtual Branch
Securing the Virtual Branch
 
Exploring DDoS Attacks: Impact to Community Financial Institutions
Exploring DDoS Attacks: Impact to Community Financial InstitutionsExploring DDoS Attacks: Impact to Community Financial Institutions
Exploring DDoS Attacks: Impact to Community Financial Institutions
 
Securing 3-Mode Mobile Banking
Securing 3-Mode Mobile BankingSecuring 3-Mode Mobile Banking
Securing 3-Mode Mobile Banking
 
BYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, WestBYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, West
 
Social Media: Infiltrating The Enterprise
Social Media: Infiltrating The EnterpriseSocial Media: Infiltrating The Enterprise
Social Media: Infiltrating The Enterprise
 

Último

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Último (20)

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

CIOs and CSOs Becoming Mission-Critical Business Partners

• 2. Protecting the Information Infrastructure: Why CIOs and CSOs are Becoming Mission-Critical Business Partners
  SNW Fall 2011
  Jay McLaughlin, CISSP, Chief Security Officer, Q2ebanking
  Wednesday, October 12, 11
• 3. DISCLAIMER
  The materials, thoughts, comments, ideas and opinions expressed throughout this presentation are entirely my own and do not necessarily represent the thoughts or opinions of my employer (past or present).
• 4. AGENDA
  • Information...the lifeblood of an organization
  • Events involving loss of data are rising - who is to blame?
  • Mitigating our vulnerabilities
  • A shift to Information-Centric Security
  • Developing critical partnerships across the organization
• 5. Information is the lifeblood of organizations, and considered a critical factor in a company’s effective pursuit of its business goals and success.
• 6. Information is not only valuable to an organization…but also to...
• 7. WHAT ARE WE TRYING TO PROTECT?
  Regulated information is the type of data most often thought of when the subject of information protection is raised.
  • Includes personally identifiable information (PII) of individuals, such as social security numbers, bank and credit card numbers and medical records. A great deal of public outrage, lawsuits, fines and loss of brand trust can accompany the compromising of this information.
  Confidential information may involve marketing plans, financial projections, sales reports and M&A discussions.
  • Breaches of this information can range from public embarrassment to catastrophe.
  Intellectual property (IP) is arguably the most critical type of information.
  • According to the FBI, $600 billion worth of intellectual property is stolen every year in the U.S.
  • Companies tend to focus on regulated data while doing comparatively little to secure the IP that is critical to their business.
• 8. Setting the Stage - Recent Attacks
  – Defense Contractors
    » Lockheed Martin
    » Northrop Grumman
    » L-3
  – Commercial Organizations
    » SONY
    » GOOGLE
  – Security Firms
    » RSA
    » Barracuda Networks
    » HB Gary Federal
    » Comodo / DigiNotar
  – Government
    » United States DoD
    » Texas Comptroller’s Office
• 9. It gets worse...
  (figure) Source: Scientific American, “Data Theft: Hackers Attack”, Oct 2011
• 10. Change in Tactics
  • Highlighted that in 2010, the largest number of data breach incidents occurred, yet the volume of records dropped significantly
  • Criminals are engaging in small, opportunistic attacks rather than large-scale, difficult attacks, using relatively low-sophistication attacks to penetrate organizations.
• 11. Will your organization be on this list?
  • University of Texas: 688 students' and prospective students' personal information accessed by employees after configuration error made data available on intranet
  • Blackpool Coastal Housing: 80 tenants' names, addresses, national insurance numbers, telephone numbers and confidential care plans transferred to employee's home computer where they were accessible to others
  • Guilford County Tax Dept: 1,000 taxpayers' SSNs, names and addresses, and images of checks paid were accessible on internet
  • Bright House Networks: Customer names, addresses, phone numbers and account numbers exposed in unauthorized access
  • California State Assembly: 50 employees' personal information may have been acquired by hacker
  • Montgomery County Dept of Job and Family Svcs: Names and Social Security numbers of 1,200 individuals seeking agency assistance were on lost thumb drive
• 12. Organizations are sloppy
• 13. Overly Confident?
  Ninth Annual Global Information Security Survey: 9,600-plus business and technology execs surveyed; 43 percent identify themselves as security frontrunners and believe they have a sound security strategy and are executing it effectively.
  http://www.pwc.com/gx/en/information-security-survey/giss.jhtmx
• 14. (figure) Source: Information Security Magazine, October 2010
• 15. CIOs: Call to Action
  • Delivery of effective technology solutions to external customers and internal constituents
  • Maximizing the value of technology investments to improve business performance
  • Reducing related operational costs across business units
  • Increasing agility of the organization, enabling it to adapt to changing needs
• 16. Roles of the CSO
  • ENABLE
  • AUDIT
  • ENFORCE
  • EDUCATE
• 17. Influencing Behavior
  • Education is critical
  • Security awareness is a start...but not good enough
  • “Behavioral change” is required
• 19. Overly Confident? To a fault...
  • “...we haven’t been attacked before”
  • “...why would someone target our company?”
  • “...we undergo routine internal/external audits”
  Why are we remiss about security?
  • CIOs and C-Level executives often don’t hear about security until an incident occurs
  • CIOs are value-focused managers
  • Is security NOT viewed as value-adding?
• 20. (figure) Source: Scientific American, “Data Theft: Hackers Attack”, Oct 2011
• 21. ...in fact, we are spending more on security solutions to protect our information systems
• 22. ...but we’re not making investments in our processes
  (figure: Management, Security, Physical, Operational)
• 24. Compliance Security
  • This isn’t about checking the box
  • Compliance Defined: conformity in fulfilling official requirements.
  It is the standard that is the problem, not the compliance with the standard.
• 25. CSOs tend to fixate on building an “EXCELLENT” information security program
• 26. Where does the CSO fit in?
• 27. Security is new to the executive table
  • Security discussions in today’s enterprise tend to be focused on the qualitative aspects instead of the quantitative
  (figure: The Business Problem Topology)
  • CSOs speak a language that is NOT understood by other executives
  • CSOs struggle with creating awareness and changing behaviors
• 28. But, Security is often viewed as a BOTTLENECK
• 29. The “R” Word
  • Developing those critical RELATIONSHIPS within the organization
  • WALK A MILE
  • Breaking down the walls...we’re all fighting the same battle
• 31. Current Environment
  • Regulations and compliance requirements are demanding more time and attention
  • Regulators and auditors including PCI-DSS, GLBA, SOX/404, HIPAA, etc. are demanding more executive time and attention
  • Greater interest from CIOs and other business stakeholders regarding information security
  • Routine communication around information security, compliance, investment and risk is critical...but challenging.
• 32. Management Differences
  CIO: Value-focused managers
  CSO: Risk-focused managers
  LEADERSHIP PHILOSOPHIES
  RISK MITIGATION translates to VALUE
• 33. Effective Risk Managers?
  • Generally, human beings struggle at managing risk
  • We often overestimate risks that are highly visible or catastrophic and underestimate the risks that are slower to develop or not easily seen
  • CIOs tend to overestimate risks that they have less control over, and underestimate the risks that they have more control over (ex: flying an airplane vs driving a car)
• 34. Assessing Risk
  • Engagement of business
  • Top-Down Approach, ranking information assets
  • Business Impact Analysis
  • Quantitative vs. Qualitative
• 35. Understanding Risk
  Risk Management involves identifying threats and applying mitigating controls to effectively reduce the risk of those threats:
  • RISK = (THREAT x VULNERABILITY) / COUNTERMEASURES
  • Multiply by VALUE for quantitative
  • Controls can mitigate risk… ...but can rarely fully eliminate risk
• 36. Calculating Loss Expectancy
  • The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE)
  Mathematically expressed: ALE = ARO * SLE
  -> calculating SLE: SLE = AV * EF
  • Suppose that an asset is valued at $100,000, and the exposure factor (EF) for this asset is 25%. The SLE then, is (25% * $100,000), or $25,000.
  • For an annual rate of occurrence of 1, the annualized loss expectancy is (1 * $25,000)
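The loss-expectancy formulas from slides 34 through 36, applied to a small inventory of information assets, as an added Python example that is not part of the deck. It goes one step past the slide: it ranks assets by ALE (the top-down ranking slide 34 calls for) and scores a control as ALE before minus ALE after minus the control's annual cost, which is the practical way to tell a countermeasure aimed at actual risk from one bought on marketing FUD, and it models a control as reducing ARO or EF rather than eliminating them, as slide 35 notes. The $100,000 / 25% / ARO 1 asset is the slide's own; the other two assets and both controls are constructed figures.

```python
"""Quantitative risk ranking and control cost-benefit using the deck's formulas:
SLE = AV * EF and ALE = ARO * SLE. Asset figures other than the slide's
$100,000 / 25% / ARO 1 example are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class InformationAsset:
    name: str
    asset_value: float      # AV: value of the asset in dollars
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0.0-1.0
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = ARO * SLE."""
        return self.aro * self.sle()


@dataclass(frozen=True)
class Countermeasure:
    """A control lowers how often a threat succeeds (ARO) and/or how much is
    lost when it does (EF); it rarely drives either to zero."""
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which ARO falls, 0.0-1.0
    ef_reduction: float = 0.0   # fraction by which EF falls, 0.0-1.0


def residual_asset(asset: InformationAsset, control: Countermeasure) -> InformationAsset:
    """The same asset as seen after the control is in place."""
    return InformationAsset(
        name=asset.name,
        asset_value=asset.asset_value,
        exposure_factor=asset.exposure_factor * (1.0 - control.ef_reduction),
        aro=asset.aro * (1.0 - control.aro_reduction),
    )


def control_net_benefit(asset: InformationAsset, control: Countermeasure) -> float:
    """Annual benefit of a control = ALE before - ALE after - annual cost.
    A negative value means the control costs more than the risk it removes."""
    return asset.ale() - residual_asset(asset, control).ale() - control.annual_cost


def rank_by_ale(assets: List[InformationAsset]) -> List[Tuple[str, float]]:
    """Top-down ranking of information assets by annualized loss expectancy."""
    return sorted(((a.name, a.ale()) for a in assets), key=lambda pair: pair[1], reverse=True)


# Constructed sample inventory; the first entry is the slide's worked example.
ASSETS = [
    InformationAsset("customer PII database", 100_000, 0.25, 1.0),
    InformationAsset("product source code (IP)", 2_000_000, 0.10, 0.2),
    InformationAsset("marketing plans", 50_000, 0.50, 0.5),
]

# Constructed controls: one that pays for itself and one that does not.
STORAGE_ENCRYPTION = Countermeasure("storage encryption for PII", annual_cost=8_000, ef_reduction=0.6)
VENDOR_APPLIANCE = Countermeasure("marketed DLP appliance", annual_cost=30_000, aro_reduction=0.5)


if __name__ == "__main__":
    for name, ale in rank_by_ale(ASSETS):
        print(f"{name:28s} ALE = ${ale:,.0f}")
    pii, _, marketing = ASSETS
    print(f"net benefit of {STORAGE_ENCRYPTION.name}: ${control_net_benefit(pii, STORAGE_ENCRYPTION):,.0f}")
    print(f"net benefit of {VENDOR_APPLIANCE.name}: ${control_net_benefit(marketing, VENDOR_APPLIANCE):,.0f}")
```

With these constructed numbers the IP asset tops the ranking even though its ARO is lowest, which is the point slide 7 makes about companies fixating on regulated data; the encryption control nets a positive $7,000 a year against the PII asset while the appliance nets a loss against the marketing plans, so the quantitative view answers the "value-adding?" question in the CIO's own language.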
• 37. Applying Countermeasures
  Our Approach is CRITICAL
  (figure: COUNTERMEASURES / WRONG / THREATS)
  • Focus efforts on mitigating the ACTUAL vulnerabilities that are specific to the organization
  • Avoid industry marketing FUD
• 38. Defense By Layer
  • Acknowledges that reliance on any single control or mitigating factor is not sufficient
  • This approach is commonly recommended
  Scenario: Protecting Hosted Customer Data from an external attacker
  • Database tables are encrypted
  • Role-based access levels are applied
  • Data Storage Encryption
• 39. Paradigm Shift: Information-Centric Security
  • Emphasizes security of the INFORMATION itself...rather than the security of networks, systems, and applications.
  • 4 Principles:
    1. Information (data) must be self describing and defending.
    2. Policies and controls must account for business context.
    3. Information must be protected as it moves from structured to unstructured, in and out of applications, and changing business context.
    4. Policies must work consistently through the different defensive layers and technologies we implement.
  Source: Rich Mogull, CEO/Principal Analyst, Securosis
• 40. Developing A Strategy
  • Creating an information protection strategy
    – understanding the business and its specific needs for information protection.
    – defining a set of objectives to deliver quick wins and address long-term goals.
  • Locating and classifying the information that means the most
    – An impact analysis should be performed to identify the information with the greatest impact to strategic, tactical and operational objectives.
  • Weaving information protection into the fabric of the organization
  • Developing the necessary capabilities to protect their information assets
    – Organizations need to determine the technologies and processes that best support their information protection objectives
  Source: Dr. Alastair MacWillson, Security Week Aug 2011
• 41. Summary
  • Educate by establishing a foundation for communication (e.g. metrics, scorecards)
  • Embrace an information-centric approach
  • Play offense (ACT vs. REACT)
  • Leverage leading edge technology that enables agility within the organization
  • Security is NOT perfect, and it requires ACCOUNTABILITY
  • START with the BASICS
• 42. Be Prepared
  The future ain’t what it used to be. - Yogi Berra, New York Yankees
• 44. THANK YOU
  linkedin.com/in/mclaughlinjay
  @jaymclaughlin
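The four information-centric principles on slide 39 rendered as working code, as an added Python example that is neither the deck's nor Securosis' own: the classification label and owner travel with the record (principle 1), the decision takes the requester's role, channel and business purpose into account (principle 2), the same policy covers the structured application path and the unstructured export and e-mail paths (principle 3), and every layer calls the one `decide()` function so the answer cannot differ by layer (principle 4). The classification names follow slide 7; the roles, channels, purposes, the policy table and the sample record are constructed for illustration.

```python
"""Information-centric policy check: the label travels with the data and a
single decision function is consulted by every layer (application read,
file export, e-mail gateway). Roles, channels, purposes and the sample
record are constructed examples, not a real policy."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class Classification(Enum):
    PUBLIC = "public"
    CONFIDENTIAL = "confidential"   # plans, projections, M&A discussions
    REGULATED = "regulated"         # PII, card numbers, medical records


@dataclass(frozen=True)
class LabeledRecord:
    """Principle 1: the data describes itself; label and owner travel with it."""
    classification: Classification
    owner: str
    fields: Dict[str, str]


@dataclass(frozen=True)
class BusinessContext:
    """Principle 2: who is asking, over which channel, and for what purpose."""
    role: str
    channel: str    # "app" (structured), "export" or "email" (unstructured)
    purpose: str


# Constructed handling policy per label: (allowed roles, allowed channels,
# allowed purposes); None means "any". Principle 3: the channel set covers
# the data both inside the application and after it leaves as a file or mail.
POLICY = {
    Classification.PUBLIC: (None, None, None),
    Classification.CONFIDENTIAL: ({"finance", "executive"}, {"app", "export"}, None),
    Classification.REGULATED: ({"support", "compliance"}, {"app"}, {"customer_service", "audit"}),
}

# Field names whose values are masked when a request is denied (constructed).
SENSITIVE_FIELDS = {"ssn", "account", "card_number"}


def decide(record: LabeledRecord, ctx: BusinessContext) -> Tuple[bool, str]:
    """Single decision point that every defensive layer calls (principle 4)."""
    roles, channels, purposes = POLICY[record.classification]
    label = record.classification.value
    if roles is not None and ctx.role not in roles:
        return False, f"role {ctx.role!r} may not access {label} data"
    if channels is not None and ctx.channel not in channels:
        return False, f"{label} data may not leave via {ctx.channel!r}"
    if purposes is not None and ctx.purpose not in purposes:
        return False, f"purpose {ctx.purpose!r} not approved for {label} data"
    return True, "allowed"


def release(record: LabeledRecord, ctx: BusinessContext) -> Dict[str, str]:
    """Self-defending data: a denied request yields a masked copy, never the raw fields."""
    allowed, _ = decide(record, ctx)
    if allowed:
        return dict(record.fields)
    return {k: ("***" if k in SENSITIVE_FIELDS else v) for k, v in record.fields.items()}


# Constructed sample record (placeholder values, not real data).
CUSTOMER = LabeledRecord(
    Classification.REGULATED,
    owner="retail banking",
    fields={"name": "A. Customer", "ssn": "000-00-0000", "account": "00000000"},
)


if __name__ == "__main__":
    # The same record, the same role, three layers: only the in-app path is allowed.
    for channel in ("app", "export", "email"):
        ctx = BusinessContext("support", channel, "customer_service")
        print(channel, decide(CUSTOMER, ctx), release(CUSTOMER, ctx))
```

The contrast with network- or application-centric controls is that nothing here keys on where the record is stored; move it from the database to a spreadsheet and the export and e-mail layers still consult the same label and the same `decide()`.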