Risk mngt gov compliance security cyber
1. Galit Fein & Sigal Russin’s work/ Copyright@2015
Do not remove source or attribution from any slide, graph or portion of graph
STKI is here to serve you………
Slide 2
Technology Risk Management: Governance, Compliance, Security & Cyber
Engage & Innovate
Govern & Protect
Deliver & Maintain
Slide 3
IT Complexity
Social, APIs, Systems of Records, Systems of Engagement, Legacy, Cost Center, eCommerce, Enterprise App Store, Enterprise Mobility
IT strategy: Engage & Innovate, Govern & Protect, Deliver & Maintain
Slide 4
Govern and Protect
Slide 5
Increasing Pace Of Business Changes
Strategic direction may change by the time a final budget is approved.
Traditional IT Governance methods no longer work in a business world demanding speed & value.
Slide 6
Bi-modal IT
Invest in new systems / Reduce operating expenses
Systems of Records (evolving to Transactions): long development and deployment cycles; doing IT right: efficiently, safely.
Systems of Engagement (evolving to Immersion): touch people; in-moment decisions; personalized & in-context; social and analytics driven; short & rapid releases; doing IT fast: IT doesn't have to be perfect, just quick.
IT with different
⁻ people,
⁻ sets of skills,
⁻ processes,
⁻ tools
supporting each mode.
Slide 7
Balance and re-balance IT asset allocation
70%: email, upgrades, maintenance, operations
30%: transformational investments, new capabilities
Slide 8
Provide visibility into IT
“…And that in quick view what we have in our IT today”
Programs & projects, HW & SW assets, Contracts, Vendors, Partners, Costs
Accountability is ultimately more important today than cost cutting.
Slide 9
IT Governance – Office of the CIO
Programs & projects, HW & SW assets, Contracts, Vendors, Partners, Costs
Chargeback, Service catalog, Business models, Financial stability, Vendor evaluation & mngt, Demand mngt, Agility, Project mngt, EA, Asset mgt, Agreement mgt, Benchmarks, SOW, SLA mngt, Skill mngt, Resource mngt, ITIL, Risk mngt, Accountability, Future roadmaps
Business – IT: Orchestrator, Navigator, IT
Slide 10
Highest business value possible
Internal IT / XaaS / External provider
• Demand identification, shaping, aggregation & prioritization
• Expectation mngt
• Business value
• Business changes
• Services & products supply in terms of quality and capacity
• Resources coordination
• IT services & products catalog
• Agility
Explore technology trends and new potential business review
Align to business strategy and risk appetite
BRM: internal impact / external impact
LoB, LoB, LoB
Slide 11
IT Governance evolvement: 3 types of CIOs
Conservative CIO (PMO, tactical):
• Demand mngt
• Portfolio mngt
• Project mngt
• Resource mngt to ensure correct services & products supply
• Project tool
• Reporting
• Project risk mngt
Modern CIO (Office of the CIO):
• Demand coordination and aggregation, PPM
• Enterprise architecture
• Resource mngt
• PPM / Governance tool
• Business & IT executives dashboards
• Technology risk mngt: compliance & reliable reporting
Early adopter CIO (Strategic BRM):
• Facilitate business and IT convergence
• Removing boundaries: embeds IT capabilities with LoBs to increase agility and business value
• Innovation
• Enterprise architecture
• PPM
• Holistic IT Governance tool
• Proactive technology risk mngt
Slide 12
Technology Risk Management
Slide 13
The dark side of innovation & new business models
• Emerging technologies bring completely new and often unknown challenges and risks:
⁻ Digital information is growing exponentially
⁻ Access to enterprise info is often done from customers' and employees' private smart devices
⁻ Boundaries between customer and organization are blurred
• The same is true of new business models:
⁻ Managing privacy, regulatory compliance and legal aspects in public cloud technology
⁻ The on-demand or sharing economy leads us to a necessity to manage our own online reputation
• Growing risk of security breach or data loss
Slide 14
Start with your own personal data
Ministry of Defense's personal security online educational campaign: 'Think Before You... Share'
Slide 15
Sharing (on-demand) economy
We share our living spaces, our knowledge, our cars, our parking spaces.
How do I know an Airbnb guest won’t ransack my apartment?
Is it guaranteed that a Getaround user will return my car?
Slide 16
Reputation economy - portable measure of trust
Slide 17
Who are you, Galit Fein?
Who is responsible for the personal risk management?
Slide 18
Why Manage Risks?
Corporate catastrophes are all too common
BP will plead guilty to manslaughter charges stemming from the 2010 Deepwater Horizon explosion and oil spill in the Gulf of Mexico, and agreed to pay $4.5 billion in government penalties, Attorney General Eric Holder announced Thursday.
Slide 19
Risk equals new opportunity
Slide 20
What is Risk?
• Risk is intentional interaction with uncertainty
• Enterprise risk is the effect of uncertainty on objectives and organization goals
• Risk mngt - in today’s uncertain times we have to prepare responses for unwanted events in advance
• Accepting risk is OK; ignoring risk is tragic
Slide 21
Managing technology risk is now a business priority
• With the increasing importance of technology and business reliance on technology, focus is shifting to technology risk
• It’s not about project risks; those will continue to run in the PMO
• It’s not limited to security
• For the first time business executives ask IT: “What may be the impact on the organization from all IT-related risks?”
Source: Riskjournal
Slide 23
Technology risks
Project related:
• Entering (or not entering) new technology
• Difficulties related to new technology
• Big project failure
• Is the project technically feasible?
• Could the technology be obsolete before a useful product is produced?
• Late project delivery
Non project related:
• Obsolete or inflexible IT architecture
• Cloud based solutions
• Unstable systems
• Not achieving enough value from IT
• Compliance
• Misalignment
• IT service delivery problems
• Employee related fraud
Slide 24
Tsunami of Regulations
• Data Privacy Laws
• Freedom of Information Act
• HIPAA
• Payment Card Industry Data Security Standard
• Homeland Security
• Sarbanes-Oxley
• Basel II
• Industry specific regulations (HACCP)
• Federal Rules of Civil Procedure
Legal costs, fines and damages could be reduced by 25% if organizations applied best practice procedures to records management, security and e-Discovery.
Source: Monica Crocker, Land O’Lakes at #AIIM13
Slide 25
Technology Risks Compliance
• Technology Risks Compliance = legal requirements + industry standards + organizational policies and guidelines, and more...
• Finding and retrieving information on demand
• Controlling access and confidentiality
• Monitoring and reporting for enforcement
• Comprehensive auditing
• Secure retention and destruction
Compliance is key: deceptive marketing, debt traps, dead ends, discrimination, retailer data breaches, emerging technologies protections.
There’s a huge price for non-compliance!
Slide 26
Technology Risk Mngt evolvement: 3 types of CIOs
Conservative CIO (risks being managed as part of IT projects or security):
• Risks being managed in silos per specific project, tech, etc.
• GRC seen as unnecessary and burdensome reactions to regulations and risk events
Modern CIO (IT risk mngt: their own risk department):
• Policy & methodology
• Random risk assessment
• Regulatory Compliance
Early adopter CIO (strategic & proactive technology risk mngt):
• Holistic & continuous approach
• Substantial need
• Proper processes & activities of the IT supporting & promoting business goals
Axes: Burden to Value; Crisis mngt to Risk mngt
Slide 27
And Remember:
AND WHEN IT WENT WRONG, DO YOU KNOW THE RISK?
Slide 28
Why is an effective cyber security platform a vital component of risk management?
IT Strategy: Engage & Innovate, Govern & Protect, Deliver & Maintain
Slide 29
Cyber Insurance
Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage.
A cybersecurity insurance market could help reduce the number of successful cyber attacks by:
(1) promoting the adoption of preventative measures in return for more coverage;
(2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.
Slide 30
Cyber insurance solutions
Slide 31
IT GRC's General Control Areas
Source: Menny Barzilay
Slide 32
Be prepared for the worst
Cyber security executives can leverage the risk management toolset to communicate clearly to their executive teams and, more importantly, secure funding for important security programs.
Source: http://id.lockheedmartin.com/blog/risky-business-the-role-of-risk-management-in-cyber-security
Slide 33
Which “Security” type are you? Your winning hand is…
Conservative CIO (Systems of records): systems to support clients’ functional needs efficiently
Customers IDM, API security
Common technologies: NAC, SIEM, DLP, FW+IPS, SSL+OTP, IDM, Application Security Testing
Modern CIO (Systems of Engagement): systems to spur intimacy with customers and turn them into advocates
Adaptive Access Control, Security as a service, Cyber risk management, Security behavior analysis, Cyber SOC, Cyber intelligence
Early adopter CIO (Systems of Immersion): systems that bond with customers and immerse them into the company’s story
Big data cyber analytics, IoT and wearables, Cyber insurance, Cloud security, SDN security, Open source security
Slide 34
A Changing Battle-Space: Prevention Is Not Enough
Source: http://www.battery.com/powered/general/2014/09/11/why-breach-detection-is-your-new-must-have-cyber-security-tool/
Slide 35
Security Risks in house
Sensitive data leak (SCADA), System Admins, BYOD
Slide 36
Steps to govern Security inside threats
SIEM, Access Management (IDM), Forensic Tools, DLP, Malware scanning & Sandbox, WAF, Endpoint security, Mobile Security, Next generation SOC
Slide 37
Cyber threats outside
S.O.S: Zero day malware & APT
Slide 38
Steps to govern Cyber external threats
FW+IPS, Access Management (IDM), Cyber intelligence, Malware scanning & Sandbox, API Security, Network security virtualization, Cloud application Security
Slide 39
Cyber Risks
Any organization that (1) uses technology in its operations and/or (2) handles/collects/stores confidential information has Cyber Risks:
• Legal liability to others for computer security breaches
• Legal liability to others for privacy breaches of confidential information
• Regulatory actions, fines and scrutiny
• Loss or damage to data / information
• Loss of revenue due to a computer attack
• Extra expense to recover / respond to a computer attack
• Loss or damage to reputation
• Cyber-extortion
• Cyber-terrorism
Slide 40
2015 cybersecurity predictions
Slide 41
Cloud Security
Slide 42
The notorious 9 Cloud computing threats, as described by the Cloud Security Alliance
Data Breaches, Data Loss, Account Hijacking, Insecure APIs, Denial Of Service, Malicious Insiders, Abuse of Cloud Services, Insufficient Due Diligence, Shared Technology Issues
Source: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
Moshe Ferber, Cloud Security Alliance Israel
Slide 43
Cloud attack vectors
Provider administration, Management console, Multi tenancy & virtualization, Automation & API, Chain of supply, Side channel attack, Insecure instances
Source: Moshe Ferber, Cloud Security Alliance Israel
Slide 44
Israel cloud adoption - by sector
Private Cloud: Army, Banks, Government, Utility
Cloud curious (checking the technology): Government, Finance, Telecom Operators, Health
Cloud adopters (running 2-5 applications in the cloud): Telecom vendor, Industry services, Utilities
Cloud focus (most applications in the cloud): High-Tech, Startups, SMB
Source: Moshe Ferber, Cloud Security Alliance Israel
Slide 45
Regulations, ordinances and laws in Israel
Laws: the privacy laws currently address cloud as a form of outsourcing.
State level efforts: INCB is working on cyber guidelines for SMB and the private sector.
Sector level efforts: Finance, where the Bank of Israel published a draft of guidelines for cloud adoption.
Source: Moshe Ferber, Cloud Security Alliance Israel
Slide 46
Tools & Technologies to secure cloud services:
SaaS: Encryption gateways; Governance and compliance; Identity gateway
PaaS: Database monitoring and encryption; Dynamic and static analysis tools
IaaS: Governance & compliance; Encryption; Multi cloud management
Source: Moshe Ferber, Cloud Security Alliance Israel
Slide 47
Security is NOT an obstacle
• Identify information assets
• Conduct periodic risk assessments to identify the specific vulnerabilities your company faces
• Develop and implement a security program to manage and control the risks identified
• Monitor and test the program to ensure that it is effective
• Continually review and adjust the program in light of ongoing changes
• Oversee third party service provider arrangements
• Maintain training for all staff on Information Security
Slide 50
Sigal Russin: Sigalr@stki.info
Galit Fein: Galit@stki.info