Does IT Security Matter?
Dr. Luke O’Connor
Group IT Risk
Zurich Financial Services, Switzerland
Faculty of Information Technology, QUT
November 27th, 2007
Outline
• A bit about Zurich and myself
• Nicholas Carr and knowing your neighbours
• Security Tectonics
• The Explanation is Mightier than the Action
• Risk and the New Math
• Final Grains of Wisdom
Introduction to Zurich
• Offices in North America and Europe as well as in Asia Pacific, Latin America and other markets
• Servicing capabilities to manage programs with risk exposure in more than 170 countries
• Approximately 58,000 employees worldwide
• Insurer of the majority of Fortune’s Global 100 companies
• Net income attributable to shareholders of USD 4.5 billion in 2006
• Business operating profit of USD 5.9 billion in 2006
My Background
• Industrial Research (6 yr): what people might want
• Consulting (5 yr): what people say they want
• In house (2 yr): what people expect
(Security) (Risk)
G-IT Risk stakeholders
[Diagram: GITR (Group IT Risk) at the centre, with the groups it works with]
• Zurich Business: Business A, Business B, Business C, Business x; Account Exec A, Account Exec B, Account Exec C, Account Exec x
• Service Providers: Supplier A, Supplier B, Supplier x
• G-IT support functions: GSM, Investigations, Capabilities, Finance, GITAG, Process/QM, Sourcing
• Group functions: Audit, Compliance, Legal, Risk
• External functions: Industry Bodies & Suppliers, G-ISP
• Relationship labels on the diagram: Partner, Focus, Co-operate, Consume information and services, Project risk management, Service risk management, Primary interface for G-IT
Does IT Matter?
• Carr, N, “IT Doesn’t Matter”, Harvard Business Review, Vol 81, 5, May 2003
• Carr, N, “Does IT Matter?”, 2004
“IT doesn’t matter and can’t bring strategic advantage at present!”
• Spend less
• Follow, don't lead
• Focus on vulnerabilities, not on opportunities
• IT management should become “boring”
• Manage risks and costs
Good Neighbours, but Good Friends?
The Continental Drift of C, I, A
CIA better known to business as “Call in Accenture”
The Explanation is Mightier Than the Action
Security | Business
Security Bingo
Notable Security Setbacks
• Regulatory Frameworks over Security Frameworks (SOX over 7799)
• Excel over FUD (Fear, Uncertainty and Doubt)
• Reactive over Proactive
• SLAs over Security Program
• Commercial over Military
The New-ish Security Model
From Castle to Airport

| Castle | Airport |
|---|---|
| Security mechanisms are static and difficult to change. | Security mechanisms are dynamic and responsive to threats. |
| Reliance on a few mechanisms. Castle walls are impregnable. Once inside, security mechanisms are minimal. | Uses multiple overlapping technologies for defence in depth. |
| Known community have unrestricted access within security boundary. | Security must be maintained whilst an unknown population traverse. Security of inclusion (ensuring the right people have access to the right resources) and security of exclusion (ensuring that assets are protected). Use of roles to determine security requirements. |
| Silo mentality in organisation. | Requires an open, co-ordinated, global approach to security. |
The next Big Thing: Network Access Control (NAC)
How do you sell this to your IT Department or Business?
From Security ….
• Objectives (Perceived): ISO 17799, ISF, CoBIT, NIST, your policies and standards, etc.
• Controls (Desired): ISO 17799, ISF, CoBIT, NIST, your service catalogue, etc.
• Testing (Reality): documentation, questionnaires, interviews, demonstrations, inspections, tooling, 3rd party analysis
• Report (The Plan): control effectiveness, compliance, risk, mitigation, priorities
… to Risk
• Description: What could happen?
• Trigger: How could it happen?
• Consequence: What is the impact?
• Probability: How often?
• Severity: How bad?
Controls as Risk (as is)
[Diagram: a control objective (e.g. CoBIT) is broken into controls C1, C2, C3 and C4; the control assessment rates each as Effective, Needs Improvement or Not Effective; arrows from each individual control straight to “Risk?” are marked NO!]
• Risk scenarios are reformulations of control deficiencies (gaps)
• Control gaps are potential triggers of risk
IT Risk Components
IT Projects Risk
• Financial & Resources
• Compliance & Audit
• Contract & Supplier Mgmt
• IT Architecture & Strategy
• IT Project Management Risks
• Facilities & Environment
• IT Operations & Support
• Time to Deliver
• IT Security
IT Services Risk
• Service Level Management
• Capacity Planning
• Contingency Planning
• Availability Management
• Cost Management
• Configuration Management
• Problem Management
• Change Management
• Help Desk
• Software Control & Distribution
• IT Security
Zurich’s IT Risk Management Framework
[Diagram: the object to be assessed flows through five numbered stages]
1. ABC (Assessment of Business Criticality): the ABC risk analysis prioritizes resources. Below threshold: no further analysis, apply policies and standards. Above threshold: continue with stage 2 (projects) or 3 (services).
2. Project Risk Tool: optimised risk analysis for projects; risk assessment within the PMO process.
3. Service Risk Tool: optimised risk analysis for services; facilitated assessments and self-assessments.
4. Group IT Risk Register (Central): the risk register provides a single global data store for analysis and reporting.
5. Reporting, Escalation and Action Monitoring: Group IT risk reporting, dashboard, QRR, actions monitoring.
Supporting services: Project Risk Consulting, Services Risk Consulting, IT Security Risk Assessments.
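The reformulation on slide 16 (a control gap is a potential trigger of a risk scenario, not a risk in itself), the five risk fields of slide 15 and the threshold triage of slide 18, carried through as an added worked example in Python. This is not material from the deck and not a Zurich tool: the 1-to-5 probability and severity scales, the mapping from assessment outcome to probability, the threshold of 10, the control ids C1 to C4, the control objectives and the three scenarios are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Assessment outcomes as named on slide 16 ("Control Assessment").
EFFECTIVE = "Effective"
NEEDS_IMPROVEMENT = "Needs Improvement"
NOT_EFFECTIVE = "Not Effective"

# ASSUMPTION: the deck gives no scales. We use 1..5 for probability and
# severity, map a gap's assessment outcome to a probability, and pick a
# threshold for the ABC triage (score >= threshold -> full risk assessment).
GAP_PROBABILITY = {EFFECTIVE: 1, NEEDS_IMPROVEMENT: 3, NOT_EFFECTIVE: 5}
ABC_THRESHOLD = 10


@dataclass
class Control:
    ident: str          # hypothetical control id (the deck cites CoBIT as one source)
    objective: str
    assessment: str


@dataclass
class RiskScenario:
    description: str          # Description: what could happen?
    consequence: str          # Consequence: what is the impact?
    severity: int             # Severity: how bad? (assumed 1..5)
    trigger_controls: list    # controls whose gaps could trigger this scenario
    triggers: list = field(default_factory=list)   # Trigger: how could it happen?
    probability: int = GAP_PROBABILITY[EFFECTIVE]  # Probability: how often?


def control_gaps(controls):
    """Controls that are not fully effective: deficiencies, not yet risks."""
    return [c for c in controls if c.assessment != EFFECTIVE]


def reformulate(controls, scenarios):
    """Slide 16: risk scenarios are reformulations of control gaps. A gap is a
    potential trigger; a scenario's probability follows its worst trigger
    (assumed rule), and a scenario with no open gap keeps the floor value."""
    by_id = {c.ident: c for c in controls}
    for s in scenarios:
        gaps = [by_id[i] for i in s.trigger_controls if by_id[i].assessment != EFFECTIVE]
        s.triggers = [f"{g.ident} ({g.assessment}): {g.objective}" for g in gaps]
        s.probability = max((GAP_PROBABILITY[g.assessment] for g in gaps),
                            default=GAP_PROBABILITY[EFFECTIVE])
    return scenarios


def score(scenario):
    """Probability x severity (assumed scoring; the deck only names the two axes)."""
    return scenario.probability * scenario.severity


def route(scenario, threshold=ABC_THRESHOLD):
    """Slide 18 triage: below threshold -> apply policies and standards, no
    further analysis; at or above -> risk assessment feeding the central register."""
    return "risk assessment" if score(scenario) >= threshold else "apply policies and standards"


def build_register(controls, scenarios, threshold=ABC_THRESHOLD):
    """Rows for a central risk register, highest score first."""
    rows = [{
        "description": s.description,
        "triggers": s.triggers,
        "consequence": s.consequence,
        "probability": s.probability,
        "severity": s.severity,
        "score": score(s),
        "route": route(s, threshold),
    } for s in reformulate(controls, scenarios)]
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def sample_data():
    """Constructed sample: four assessed controls and three scenarios they can trigger."""
    controls = [
        Control("C1", "Security patches applied within the agreed timeframe", EFFECTIVE),
        Control("C2", "Privileged access reviewed quarterly", NOT_EFFECTIVE),
        Control("C3", "Backup restores tested regularly", NEEDS_IMPROVEMENT),
        Control("C4", "Production changes formally approved", EFFECTIVE),
    ]
    scenarios = [
        RiskScenario("Unauthorised change to a production system",
                     "Unplanned outage and incorrect policy data", 4, ["C2", "C4"]),
        RiskScenario("Data loss after a storage failure",
                     "Claims processing halted until records are rebuilt", 5, ["C3"]),
        RiskScenario("Malware outbreak via an unpatched host",
                     "Clean-up effort and temporary loss of desktop services", 3, ["C1"]),
    ]
    return controls, scenarios


if __name__ == "__main__":
    controls, scenarios = sample_data()
    print(f"{len(controls)} controls assessed, {len(control_gaps(controls))} gaps, "
          f"{len(scenarios)} risk scenarios")
    for row in build_register(controls, scenarios):
        print(f"[{row['score']:>2}] {row['description']} -> {row['route']}")
        for t in row["triggers"]:
            print(f"      trigger: {t}")
```

Note that four controls and two gaps yield three register rows, none of which is a control: the same Not Effective control can sit behind one scenario while an Effective control contributes nothing, which is the point of the NO! on slide 16. The register rows are the spreadsheet-shaped output that slide 20 asks for, with the threshold route deciding whether a row gets a full assessment or just the standing policies and standards.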
Relation to Operational Risk
Conclusion: Does IT Security Matter?
• IT Security in general is not an end in itself
• IT Security is one area competing for attention and funding, amongst many
• If you don’t make IT security matter, it won’t
• Keeping business secure is the main end
• Focus on securing business processes not the process of securing
• Excel is your new best friend
• Make your spreadsheets work with their spreadsheets
• A risk-based approach is the opportunity to speak business language
• Don’t replace FUD with GIGO (garbage in, garbage out)
Over to you

Más contenido relacionado

La actualidad más candente

Insider Threat Final Powerpoint Prezi
Insider Threat Final Powerpoint PreziInsider Threat Final Powerpoint Prezi
Insider Threat Final Powerpoint PreziKashif Semple
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: IntroductionSam Bowne
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementPriyanka Aash
 
Cyber security incidents implications in business continuity planning
Cyber security incidents implications in business continuity planningCyber security incidents implications in business continuity planning
Cyber security incidents implications in business continuity planningPECB
 
Enterprise 360 degree risk management
Enterprise 360 degree risk managementEnterprise 360 degree risk management
Enterprise 360 degree risk managementInfosys
 
Don't Get Left In The Dust How To Evolve From Ciso To Ciro
Don't Get Left In The Dust How To Evolve From Ciso To CiroDon't Get Left In The Dust How To Evolve From Ciso To Ciro
Don't Get Left In The Dust How To Evolve From Ciso To CiroPriyanka Aash
 
Addressing Future Risks and Legal Challenges of Insider Threats
Addressing Future Risks and Legal Challenges of Insider ThreatsAddressing Future Risks and Legal Challenges of Insider Threats
Addressing Future Risks and Legal Challenges of Insider ThreatsForcepoint LLC
 
How to Operationalize Big Data Security Analytics
How to Operationalize Big Data Security AnalyticsHow to Operationalize Big Data Security Analytics
How to Operationalize Big Data Security AnalyticsInterset
 
MT118 Risk Intelligence - Making the Right Choices in Cybersecurity
MT118 Risk Intelligence - Making the Right Choices in CybersecurityMT118 Risk Intelligence - Making the Right Choices in Cybersecurity
MT118 Risk Intelligence - Making the Right Choices in CybersecurityDell EMC World
 
7 Habits of Smart Threat Intelligence Analysts
7 Habits of Smart Threat Intelligence Analysts7 Habits of Smart Threat Intelligence Analysts
7 Habits of Smart Threat Intelligence AnalystsRecorded Future
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationMcKonly & Asbury, LLP
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-levelDonald Tabone
 
Rapid Risk Assessment: A New Approach to Risk Management
Rapid Risk Assessment: A New Approach to Risk ManagementRapid Risk Assessment: A New Approach to Risk Management
Rapid Risk Assessment: A New Approach to Risk ManagementEnergySec
 
Dynamic Cyber Defense
Dynamic Cyber DefenseDynamic Cyber Defense
Dynamic Cyber DefenseEnergySec
 
SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?Jonathan Sinclair
 
OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkChaitanya Bhatt
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations centerCMR WORLD TECH
 
Partnership with a CFO: On the Front Line of Cybersecurity
Partnership with a CFO: On the Front Line of CybersecurityPartnership with a CFO: On the Front Line of Cybersecurity
Partnership with a CFO: On the Front Line of CybersecurityPriyanka Aash
 
How to Improve Your Risk Assessments with Attacker-Centric Threat Modeling
How to Improve Your Risk Assessments with Attacker-Centric Threat ModelingHow to Improve Your Risk Assessments with Attacker-Centric Threat Modeling
How to Improve Your Risk Assessments with Attacker-Centric Threat ModelingTony Martin-Vegue
 

La actualidad más candente (20)

Insider Threat Final Powerpoint Prezi
Insider Threat Final Powerpoint PreziInsider Threat Final Powerpoint Prezi
Insider Threat Final Powerpoint Prezi
 
CISSP Preparation: Introduction
CISSP Preparation: IntroductionCISSP Preparation: Introduction
CISSP Preparation: Introduction
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk Management
 
Cyber security incidents implications in business continuity planning
Cyber security incidents implications in business continuity planningCyber security incidents implications in business continuity planning
Cyber security incidents implications in business continuity planning
 
Enterprise 360 degree risk management
Enterprise 360 degree risk managementEnterprise 360 degree risk management
Enterprise 360 degree risk management
 
Don't Get Left In The Dust How To Evolve From Ciso To Ciro
Don't Get Left In The Dust How To Evolve From Ciso To CiroDon't Get Left In The Dust How To Evolve From Ciso To Ciro
Don't Get Left In The Dust How To Evolve From Ciso To Ciro
 
Addressing Future Risks and Legal Challenges of Insider Threats
Addressing Future Risks and Legal Challenges of Insider ThreatsAddressing Future Risks and Legal Challenges of Insider Threats
Addressing Future Risks and Legal Challenges of Insider Threats
 
How to Operationalize Big Data Security Analytics
How to Operationalize Big Data Security AnalyticsHow to Operationalize Big Data Security Analytics
How to Operationalize Big Data Security Analytics
 
MT118 Risk Intelligence - Making the Right Choices in Cybersecurity
MT118 Risk Intelligence - Making the Right Choices in CybersecurityMT118 Risk Intelligence - Making the Right Choices in Cybersecurity
MT118 Risk Intelligence - Making the Right Choices in Cybersecurity
 
isicg - 3 r's v4
isicg - 3 r's v4isicg - 3 r's v4
isicg - 3 r's v4
 
7 Habits of Smart Threat Intelligence Analysts
7 Habits of Smart Threat Intelligence Analysts7 Habits of Smart Threat Intelligence Analysts
7 Habits of Smart Threat Intelligence Analysts
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
 
Rapid Risk Assessment: A New Approach to Risk Management
Rapid Risk Assessment: A New Approach to Risk ManagementRapid Risk Assessment: A New Approach to Risk Management
Rapid Risk Assessment: A New Approach to Risk Management
 
Dynamic Cyber Defense
Dynamic Cyber DefenseDynamic Cyber Defense
Dynamic Cyber Defense
 
SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?
 
OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling Framework
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations center
 
Partnership with a CFO: On the Front Line of Cybersecurity
Partnership with a CFO: On the Front Line of CybersecurityPartnership with a CFO: On the Front Line of Cybersecurity
Partnership with a CFO: On the Front Line of Cybersecurity
 
How to Improve Your Risk Assessments with Attacker-Centric Threat Modeling
How to Improve Your Risk Assessments with Attacker-Centric Threat ModelingHow to Improve Your Risk Assessments with Attacker-Centric Threat Modeling
How to Improve Your Risk Assessments with Attacker-Centric Threat Modeling
 

Similar a Does IT Security Matter?

How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftOSIsoft, LLC
 
ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010
ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010
ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010ARC Advisory Group
 
Information Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesInformation Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesKroll
 
Six Degrees: Securing your business data - Nov 29 2018
Six Degrees: Securing your business data - Nov 29 2018Six Degrees: Securing your business data - Nov 29 2018
Six Degrees: Securing your business data - Nov 29 2018Six Degrees
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItResilient Systems
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDonald Tabone
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionIvanti
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)PECB
 
Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021lior mazor
 
Evolving State of the Endpoint Webinar
Evolving State of the Endpoint WebinarEvolving State of the Endpoint Webinar
Evolving State of the Endpoint WebinarLumension
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsUlf Mattsson
 
Today's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessToday's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessJoAnna Cheshire
 
Where data security and value of data meet in the cloud ulf mattsson
Where data security and value of data meet in the cloud   ulf mattssonWhere data security and value of data meet in the cloud   ulf mattsson
Where data security and value of data meet in the cloud ulf mattssonUlf Mattsson
 
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016FERMA
 
Embracing the Risk and Opportunity of AI & Cloud.pptx
Embracing the Risk and Opportunity of AI & Cloud.pptxEmbracing the Risk and Opportunity of AI & Cloud.pptx
Embracing the Risk and Opportunity of AI & Cloud.pptxSymptai Consulting Limited
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
 
Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...
Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...
Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...Livingstone Advisory
 

Similar a Does IT Security Matter? (20)

How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
 
ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010
ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010
ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010
 
Information Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesInformation Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & Responsibilities
 
Six Degrees: Securing your business data - Nov 29 2018
Six Degrees: Securing your business data - Nov 29 2018Six Degrees: Securing your business data - Nov 29 2018
Six Degrees: Securing your business data - Nov 29 2018
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About It
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the Union
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
 
Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021
 
CRI Cyber Board Briefing
CRI Cyber Board Briefing CRI Cyber Board Briefing
CRI Cyber Board Briefing
 
Evolving State of the Endpoint Webinar
Evolving State of the Endpoint WebinarEvolving State of the Endpoint Webinar
Evolving State of the Endpoint Webinar
 
"Navigate the MDR Marketplace Like a Pro!"
 "Navigate the MDR Marketplace Like a Pro!" "Navigate the MDR Marketplace Like a Pro!"
"Navigate the MDR Marketplace Like a Pro!"
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
Today's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessToday's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your Business
 
Where data security and value of data meet in the cloud ulf mattsson
Where data security and value of data meet in the cloud   ulf mattssonWhere data security and value of data meet in the cloud   ulf mattsson
Where data security and value of data meet in the cloud ulf mattsson
 
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
 
Embracing the Risk and Opportunity of AI & Cloud.pptx
Embracing the Risk and Opportunity of AI & Cloud.pptxEmbracing the Risk and Opportunity of AI & Cloud.pptx
Embracing the Risk and Opportunity of AI & Cloud.pptx
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
 
Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...
Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...
Navigating the risks in implementing Hybrid Cloud, Agile and Project Manageme...
 
Infosec russia cnemeth_v1.2.ppt
Infosec russia cnemeth_v1.2.pptInfosec russia cnemeth_v1.2.ppt
Infosec russia cnemeth_v1.2.ppt
 

Último

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 

Último (20)

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Story boards and shot lists for my a level piece

Does IT Security Matter?

9
The Explanation is Mightier Than the Action
Security
Business

11
Notable Security Setbacks
• Regulatory Frameworks over Security Frameworks (SOX over 7799)
• Excel over FUD (Fear, Uncertainty and Doubt)
• Reactive over Proactive
• SLAs over Security Program
• Commercial over Military

12
The New-ish Security Model: From Castle to Airport
• Castle: Security mechanisms are static and difficult to change.
  Airport: Security mechanisms are dynamic and responsive to threats.
• Castle: Reliance on a few mechanisms. Castle walls are impregnable. Once inside, security mechanisms are minimal.
  Airport: Uses multiple overlapping technologies for defence in depth.
• Castle: Known community have unrestricted access within security boundary.
  Airport: Security must be maintained whilst an unknown population traverse. Security of inclusion (ensuring the right people have access to the right resources) and security of exclusion (ensuring that assets are protected). Use of roles to determine security requirements.
• Castle: Silo mentality in organisation.
  Airport: Requires an open, co-ordinated, global approach to security.

13
The Next Big Thing: Network Access Control (NAC)
How do you sell this to your IT Department or Business?

14
From Security …
Objectives → Controls → Testing → Report
• Objectives: ISO 17799, ISF, CobiT, NIST, your policies and standards, etc.
• Controls: ISO 17799, ISF, CobiT, NIST, your service catalogue, etc.
• Testing: documentation, questionnaires, interviews, demonstrations, inspections, tooling, 3rd party analysis
• Report: control effectiveness, compliance, risk, mitigation, priorities
(Diagram labels: Perceived, Desired, Reality, The Plan)

15
… to Risk
• Description: What could happen?
• Trigger: How could it happen?
• Consequence: What is the impact?
• Probability: How often?
• Severity: How bad?

16
Controls as Risk (as is)
Control Objective (e.g. CobiT) → Controls C1, C2, C3, C4 → Control Assessment (Effective / Needs Improvement / Not Effective) → Risk? NO!
• Risk scenarios are reformulations of control deficiencies (gaps)
• Control gaps are potential triggers of risk

17
IT Risk – Components
IT Projects Risk
• Financial & Resources
• Compliance & Audit
• Contract & Supplier Mgmt
• IT Architecture & Strategy
• IT Project Management Risks
• Facilities & Environment
• IT Operations & Support
• Time to Deliver
• IT Security
IT Services Risk
• Service Level Management
• Capacity Planning
• Contingency Planning
• Availability Management
• Cost Management
• Configuration Management
• Problem Management
• Change Management
• Help Desk
• Software Control & Distribution
• IT Security

18
Zurich’s IT Risk Management Framework
1. The ABC (Assessment of Business Criticality) risk analysis prioritizes resources: object to be assessed → ABC. Below threshold: no further analysis, apply policies and standards. Above threshold: continue to 2 or 3.
2. Optimised risk analysis for projects: Project → Project Risk Tool; risk assessment within PMO process.
3. Optimised risk analysis for services: Service → Service Risk Tool; facilitated assessments and self-assessments.
   Risk Consulting Services: project risk consulting, IT security risk assessments.
4. Risk register provides single global data store for analysis reporting: Group IT Risk Register (Central).
5. Reporting, escalation and action monitoring: Group IT Risk Reporting Dashboard, actions monitoring, QRR.

20
Conclusion: Does IT Security Matter?
• IT Security in general is not an end in itself
• IT Security is one area competing for attention and funding, amongst many
• If you don’t make IT security matter, it won’t
• Keeping business secure is the main end
• Focus on securing business processes, not the process of securing
• Excel is your new best friend
• Make your spreadsheets work with their spreadsheets
• A risk-based approach is the opportunity to speak business language
• Don’t replace FUD with GIGO (garbage in, garbage out)

Editor's notes

1. IT Risks are assessed according to the IT assets; these have been defined by G-IT as being IT Projects or IT Services. The diagram above provides a high-level summary of the broad risk categories for each asset group. The risks identified from each asset class are recorded into Risk Registers, which are then transferred to a Central Risk Register used to aggregate all risks. Underlying IT Risk assessment within ZFS is the need to consider IT Security and the risks to the business associated with IT Security. This is explained more in later slides; however, the Framework includes a specific service for IT Risk Assessments.