6. [ why ]
Company & Stakeholder awareness of risk
• “It's never happened to us before”
Stakeholder Focus: Profit, Cost, Opportunity
7. [ why ]
CIO = Chief IT Officer
Security is Only for Computers
8. [ why ]
Self Inflicted Wounds
Techno-babble
F.U.D.
• Fear mongering – FUD & Hype
Security is a Cost Center
• Security does not generate revenue
• Security is restrictive
9. [ change ]
Create a shared Governance Function
[Diagram: Security Steering Committee with HR, Finance, Sales, IT, Legal]
10. [ change ]
Security as “Business Risk Management”
• Security is a process inside The Company
• People, Processes, Information
• Participate in the Business
[Diagram: Chief Risk Officer over Physical Security, Legal, Information & IT Security]
11. [ change ]
Use security to enhance business
Give back to the business
Focus on:
• Efficiency & Effectiveness
• Availability
ITIL: Process Improvement, Predictability
12. [ change ]
Promote security as a cultural and behavioral change.
Focus on changing long-term patterns and attitudes about security.
Focus on security as enabling people, not as restricting rules.
Make security something everyone can understand and act on.
Show how security applies to all parts of life - at work and home.
13. [ change ]
How do you lead to achieve this?
• Have a New Attitude
• NO FUD
• Put your business hat on!
• Think of good business practices that reflect security
• Think of business opportunities
• Be a Team Player - Include everyone on the team