The Business of Information Security (Version 2.0)
Theo Nassiokas, APAC regional head of IT risk, audit & regulatory, investment banking sector; 2006 National Executive Chair, Australian Information Security Association (AISA)
Information Security 2010: Regulatory, business and cultural alignment is critical
Overview
Information Security defined
* Source: Security Convergence and ERM: The Convergence of IT Security and Enterprise Security Risk Management, pg. 7, The Alliance for Enterprise Security Risk Management (www.aesrm.org), a partnership of ISACA and ASIS International
Security silos to risk convergence What’s the value?
Security’s perception of business?
Security silos to risk convergence
* Convergence – The Semantics Trap, Steve Hunt, March 1, 2010: http://www.csoonline.com/article/560063/Convergence_The_Semantics_Trap
** Security Convergence and ERM: The Convergence of IT Security and Enterprise Security Risk Management, pg. 5, AESRM, 2009, a partnership of ISACA and ASIS International: http://www.aesrm.org/convergence_security_prof_view.html
Who are the stakeholders? (labels from the security convergence diagram): Security Convergence; Physical; IT; Legal, Regulatory; Industry codes; IP; Data Protection Act (UK); Sarbanes Oxley S302, 404, 409; USA PATRIOT Act; ISO 27001; California Senate Bill 1386; BCP failure; Phishing; Cyber crime; Basel II; ISO 27002; Virus incidents; Physical Theft of Info; Unauthorised Software Usage; System Access Control; License Breach; Staff screening checks; Outsourced Service Provider Control; Information Access Control; Network domain access; Unauthorised Physical access; Targeted Attack – Mass Extinction Event; Privacy laws
Why is risk convergence important?
Source: The Alliance for Enterprise Security Risk Management (www.aesrm.org), a partnership of ISACA and ASIS International
Business ‘assurance’ to ‘enabler’ The objective of security?
Business’ perception of security?
Research re: security as an enabler
Good security strategy Aligned to the emerging regulatory framework
It is part of Corporate Governance
Corporate governance comprises: Risk/Security Governance; IT Governance; Administrative and Financial Governance; Operational Governance; Regulatory and Legal Governance. Security governance is a component of corporate governance.
Why is it part of Corporate Governance?
Basel II Capital Adequacy Accord 2005, Bank for International Settlements (Basel, Switzerland)
Domestic Security Enhancement Act 2003 (PATRIOT II), USA
Vital Interdiction of Criminal Terrorist Organizations (VICTORY) Act 2003, USA
Public Company Accounting Reform and Investor Protection (Sarbanes Oxley) Act 2002, USA (SEC registered / NYSE or NASDAQ listed)
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act 2001
Financial Modernization (Gramm-Leach-Bliley Act [GLB]) Act 1999, USA (US banking & finance)
Data Protection Act 1998, UK
California Security Breach Information Act 2003 (SB1386), California, USA
Data Protection Directive 1995 (Directive 95/46/EC), European Union
Anti Money Laundering (AML) and Counter Terrorism Financing (CTF) Act 2006, Commonwealth of Australia (banks and insurance)
Terrorism Insurance Act 2003, Commonwealth of Australia (insurance)
Criminal Code Act 1995, Commonwealth of Australia
Privacy Act 1988 (as amended), Commonwealth of Australia
Liquid Fuel Emergency Act 1984, Commonwealth of Australia (fuel industry)
Crimes Act 1914, Commonwealth of Australia
The regulatory environment is the DNA of security strategy
Good security operations Aligned to business objectives
What is strategic risk?
Alignment to business strategy
Business: Assessment of the Business; Vision and mission for the Business; Business Strategy; Business Strategic Plan; Business Operational Plans and Budgets
Support Services: Assessment of Support Services Requirements; Vision and mission for Support Services; Support Services Strategy; Support Services Strategic Plan; Support Services Operational Plans and Budgets
Security: Assessment of Security Requirements; Vision and mission for Security; Security Strategy; Security Strategic Plan; Security Operational Plans and Budgets
“Support services” may be risk, property or IT reporting lines depending on the security service, e.g. physical or information, and operational or governance.
Example – Capability Growth Strategy
Convergence strategy: Strategic Planning achieves strategy (Capability Today to Capability Tomorrow), achieved through:
Show me the money! Increasing likelihood of budget approvals
Is leading an innovation easy?
Aligning projects to corporate culture
ROI - Broad programs Vs focussed projects
Know your organisation’s project governance process
Conclusion
A message from a past leader
Questions?
Thank you for your time!
Appendix
Actual ‘security convergence’ project budgets, based on surveying 60 end users from Canada, Europe and the United States (Source: Forrester Research, "Trends 2005: Security Convergence Gets Real").
Spending on Converged Security Projects (per year, in millions)

| Project category | 2004 | 2005 | 2006 | 2007 | 2008 |
|---|---|---|---|---|---|
| Public sector | $250 | $500 | $1,200 | $2,600 | $5,001 |
| Physical/logical access control projects | $30 | $90 | $248 | $542 | $994 |
| Large-scale convergence projects | $10 | $36 | $93 | $202 | $453 |
| Small projects | $10 | $30 | $81 | $172 | $277 |
| Other projects performed jointly by IT and physical security departments | $10 | $35 | $92 | $191 | $315 |
| Total | $311 | $691 | $1,713 | $3,707 | $7,039 |

Editor's notes

  1. Methodology: From April 25 to May 7, 2006 a total of 1,037 surveys were completed in the U.S. and 1,203 in Europe (UK 235; France 238; Germany 242; Spain 245; Italy 243). The statistical confidence interval for the U.S. and the European results is plus or minus 3% at a 95% level of significance.
  4. As mentioned earlier, Security Governance has emerged to become a key component of Corporate Governance. Googling “security governance” returns 39,000 hits (as at July 31, 2005). The number of hits that are not a subset of IT Governance is far smaller: on the first 10 pages of Google hits, fewer than 10 were non-IT-centric Security Governance.
  5. Let’s consider the Trade Practices Act 1974 (Cth)… Sec. 74 (Warranties Implied in the Provision of a Service) requires certain warranties to be in place. For example, when money is deposited into a bank branch and the branch is held up by an armed robber, the money is not debited from customer accounts. However, in a hypothetical situation where an internet banking account is compromised, although the money stolen could be replaced, how are identities replaced where the customer’s name and address are stolen from the compromised account?
  7. Building stakeholder relationships to leverage synergies. Vision, mission and strategy formation, planning and implementation that is aligned to business objectives. Security capabilities developed in the context of business need to provide a clear value proposition.
  8. Raising Your Return on Innovation Investment, by Alexander Kandybin and Martin Kihn, 5/11/04. Each company has an intrinsic innovation effectiveness curve. Here are three ways to lift it. Pillar One: Understand Your Innovation Effectiveness Curve. Pillar Two: Master the Entire Innovation Value Chain. Pillar Three: Don’t Do It All Yourself.