Does IT Security Matter?
Dr. Luke O’Connor
Group IT Risk
Zurich Financial Services, Switzerland
Faculty of Information Technology, QUT
November 27th, 2007
2
Outline
• A bit about Zurich and myself
• Nicholas Carr and knowing your neighbours
• Security Tectonics
• The Explanation is Mightier than the Action
• Risk and the New Math
• Final Grains of Wisdom
3
Introduction to Zurich
• Offices in North America and Europe as well as in Asia Pacific, Latin America and other markets
• Servicing capabilities to manage programs with risk exposure in more than 170 countries
• Approximately 58,000 employees worldwide
• Insurer of the majority of Fortune’s Global 100 companies
• Net income attributable to shareholders of USD 4.5 billion in 2006
• Business operating profit of USD 5.9 billion in 2006
4
My Background
Industrial Research (6 yr): What people might want
Consulting (5 yr): What people say they want
In house (2 yr): What people expect
(Security)
(Risk)
5
G-IT Risk stakeholders
[Diagram: stakeholder map of Group IT Risk (GITR). Labels on the diagram: Zurich Business (Business A, Business B, Business C, Business x; Account Exec A, Account Exec B, Account Exec C, Account Exec x); Service Providers (Supplier A, Supplier B, Supplier x); Group functions; G-IT support functions; External functions (Industry Bodies & Suppliers); GSM; Investigations; Capabilities; Finance; GITAG; Process/QM; Sourcing; Audit; Compliance; Legal; Risk; G-ISP. Relationship labels: Project risk management; Service risk management; Primary interface for G-IT; Co-operate; Consume information and services; GITR Partner Focus.]
6
Does IT Matter?
• Carr, N, “IT Doesn’t Matter”, Harvard Business Review, Vol 81, 5, May 2003
• Carr, N, “Does IT Matter?”, 2004
“IT doesn’t matter and can’t bring strategic
advantage at present!“
• Spend less
• Follow, don't lead
• Focus on vulnerabilities, not on opportunities
• IT management should become “boring”
• Manage risks and costs
7
Good Neighbours, but Good Friends?
8
The Continental Drift of C, I, A
CIA better known to business as “Call in Accenture”
9
The Explanation is Mightier Than the Action
Security Business
10
Security Bingo
11
Notable Security Setbacks
• Regulatory Frameworks over Security Frameworks (SOX over 7799)
• Excel over FUD (Fear, Uncertainty and Doubt)
• Reactive over Proactive
• SLAs over Security Program
• Commercial over Military
12
The New-ish Security Model
From Castle to Airport
Castle: Security mechanisms are static and difficult to change.
Airport: Security mechanisms are dynamic and responsive to threats.

Castle: Reliance on a few mechanisms. Castle walls are impregnable. Once inside, security mechanisms are minimal.
Airport: Uses multiple overlapping technologies for defence in depth.

Castle: Known community have unrestricted access within the security boundary.
Airport: Security must be maintained whilst an unknown population traverses. Security of inclusion (ensuring the right people have access to the right resources) and security of exclusion (ensuring that assets are protected). Use of roles to determine security requirements.

Castle: Silo mentality in organisation.
Airport: Requires an open, co-ordinated, global approach to security.
13
The next Big Thing: Network Access Control (NAC)
How do you sell this to your IT
Department or Business?
14
From Security ….
Objectives (Perceived)
• ISO 17799
• ISF
• CobiT
• NIST
• Your Policies and Standards
• etc …

Controls (Desired)
• ISO 17799
• ISF
• CobiT
• NIST
• Your Service Catalogue
• etc …

Testing (Reality)
• Documentation
• Questionnaires
• Interviews
• Demonstrations
• Inspections
• Tooling
• 3rd Party Analysis

Report (The Plan)
• Control Effectiveness
• Compliance
• Risk
• Mitigation
• Priorities
15
… to Risk
Description: What could happen?
Trigger: How could it happen?
Consequence: What is the impact?
Probability: How often?
Severity: How bad?
16
Controls as Risk (as is)
[Diagram: Control assessment of controls C1, C2, C3 and C4 (e.g. CoBIT) against a control objective, each rated Effective, Needs Improvement or Not Effective; every deficiency is tagged “Risk?”. The diagram is stamped “NO!”.]
Risk scenarios are reformulations of control deficiencies (gaps).
Control gaps are potential triggers of risk.
17
IT Risk – Components
IT Projects Risk
• Financial & Resources
• Compliance & Audit
• Contract & Supplier Mgmt
• IT Architecture & Strategy
• IT Project Management Risks
• Facilities & Environment
• IT Operations & Support
• Time to Deliver
• IT Security
IT Services Risk
• Service Level Management
• Capacity Planning
• Contingency Planning
• Availability Management
• Cost Management
• Configuration Management
• Problem Management
• Change Management
• Help Desk
• Software Control & Distribution
• IT Security
18
Zurich’s IT Risk Management Framework
[Diagram: flow of an object to be assessed through the framework, with numbered stages.]
1. ABC (Assessment of Business Criticality) risk analysis prioritizes resources. Below threshold: no further analysis; apply policies and standards. Above threshold: proceed to the optimised risk analysis.
2. Project: Project Risk Tool, optimised risk analysis for projects; risk assessment within the PMO process; Project Risk Consulting.
3. Service: Service Risk Tool, optimised risk analysis for services; facilitated assessments and self-assessments; Services Risk Consulting; IT Security Risk Assessments.
4. Group IT Risk Register (Central): the risk register provides a single global data store for analysis and reporting.
5. Reporting, Escalation and Action Monitoring: Group IT Risk Reporting, Dashboard, Actions monitoring, QRR.
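The three preceding slides describe a pipeline: a risk is written as description, trigger, consequence, probability and severity (slide 15); control gaps are the triggers from which risk scenarios are formulated (slide 16); and a criticality threshold decides whether an entry gets further analysis or is handled by applying policies and standards (slide 18). The following Python is an added example, not Zurich's tooling or anything from the deck: it builds a toy risk register from a set of control assessments, scores each entry as probability × severity, triages it against a threshold, and flattens it into spreadsheet rows. Control ids C1 to C4 follow the slide; the objectives, severities, consequences and the gap-to-probability mapping are constructed assumptions.

```python
"""Toy risk register: control gaps become risk scenarios, each scored as
probability x severity and triaged against a criticality threshold.
Added example, not Zurich's tool. All objectives, ratings and
consequences below are constructed."""
from dataclasses import dataclass
from enum import Enum


class Effectiveness(Enum):
    EFFECTIVE = "Effective"
    NEEDS_IMPROVEMENT = "Needs Improvement"
    NOT_EFFECTIVE = "Not Effective"


@dataclass(frozen=True)
class Control:
    control_id: str             # C1..C4 as on the slide
    objective: str              # control objective it supports (constructed)
    effectiveness: Effectiveness


@dataclass(frozen=True)
class Risk:
    description: str   # What could happen?
    trigger: str       # How could it happen?
    consequence: str   # What is the impact?
    probability: int   # How often?  1 (rare) .. 5 (frequent)
    severity: int      # How bad?    1 (negligible) .. 5 (critical)

    @property
    def score(self) -> int:
        return self.probability * self.severity


# Constructed sample assessment: four controls, one of them effective.
SAMPLE_CONTROLS = [
    Control("C1", "Ensure systems security", Effectiveness.EFFECTIVE),
    Control("C2", "Manage changes", Effectiveness.NEEDS_IMPROVEMENT),
    Control("C3", "Manage third-party services", Effectiveness.NOT_EFFECTIVE),
    Control("C4", "Ensure continuous service", Effectiveness.NOT_EFFECTIVE),
]

# Constructed business view: impact belongs to the business, not to the
# control assessment, so severity and consequence are keyed by objective.
SEVERITY = {
    "Ensure systems security": 5,
    "Manage changes": 3,
    "Manage third-party services": 2,
    "Ensure continuous service": 4,
}
CONSEQUENCE = {
    "Ensure systems security": "Policy data disclosed; regulatory penalties",
    "Manage changes": "Untested change breaks claims processing",
    "Manage third-party services": "Supplier outage delays customer service",
    "Ensure continuous service": "Core platform unavailable beyond tolerance",
}

# Assumed mapping: the worse the control gap, the more often the trigger fires.
PROBABILITY_BY_GAP = {
    Effectiveness.NEEDS_IMPROVEMENT: 2,
    Effectiveness.NOT_EFFECTIVE: 4,
}


def gaps_to_risks(controls, severity=SEVERITY, consequence=CONSEQUENCE):
    """Reformulate each control deficiency (gap) as a risk scenario.
    An effective control has no gap and so produces no register entry."""
    risks = []
    for c in controls:
        if c.effectiveness is Effectiveness.EFFECTIVE:
            continue
        risks.append(Risk(
            description=f"Objective '{c.objective}' is not met",
            trigger=f"Control {c.control_id} assessed as {c.effectiveness.value}",
            consequence=consequence[c.objective],
            probability=PROBABILITY_BY_GAP[c.effectiveness],
            severity=severity[c.objective],
        ))
    return risks


def triage(risks, threshold):
    """Split the register at the threshold: entries at or above it go forward
    for further analysis (highest score first); the rest are handled by
    applying policies and standards."""
    above = sorted((r for r in risks if r.score >= threshold),
                   key=lambda r: r.score, reverse=True)
    below = [r for r in risks if r.score < threshold]
    return above, below


def register_rows(risks):
    """Flatten the register into spreadsheet rows (header first) so it can be
    merged with the business's own spreadsheets."""
    header = ["Description", "Trigger", "Consequence",
              "Probability", "Severity", "Score"]
    rows = [[r.description, r.trigger, r.consequence,
             str(r.probability), str(r.severity), str(r.score)] for r in risks]
    return [header] + rows


if __name__ == "__main__":
    above, below = triage(gaps_to_risks(SAMPLE_CONTROLS), threshold=8)
    print("Above threshold (further analysis):")
    for row in register_rows(above):
        print("\t".join(row))
    print(f"Below threshold (apply policies and standards): {len(below)} entries")
```

With the constructed inputs, C2 scores 6, C3 scores 8 and C4 scores 16, so a threshold of 8 sends C4 and C3 forward and leaves C2 to policies and standards. The point of keeping severity and consequence in a business-owned table rather than deriving them from the control rating is the one the deck makes on slide 16: a control gap is only a trigger, and the same gap carries a different risk depending on which business process depends on the objective.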
19
Relation to Operational Risk
20
Conclusion: Does IT Security Matter?
• IT Security in general is not an end in itself
• IT Security is one area competing for attention and funding, amongst many
• If you don’t make IT security matter, it won’t
• Keeping business secure is the main end
• Focus on securing business processes not the process of securing
• Excel is your new best friend
• Make your spreadsheets work with their spreadsheets
• A risk-based approach is the opportunity to speak business language
• Don’t replace FUD with GIGO (garbage in, garbage out)
21
Over to you
Editor’s Notes

1. IT risks are assessed according to the IT assets, which have been defined by G-IT as being IT Projects or IT Services. The diagram above provides a high-level summary of the broad risk categories for each asset group. The risks identified from each asset class are recorded in risk registers, which are then transferred to a central risk register used to aggregate all risks. Underlying IT risk assessment within ZFS is the need to consider IT security and the risks to the business associated with IT security. This is explained further in later slides; however, the framework includes a specific service for IT risk assessments.