1. S The New C I O ^ SECURITY The 3rd Kuwait InfoSecurityConference May 26, 2011 Pradeep Menon Executive Vice President and Director Quadrant Risk Management >

2. AGENDA The Evolving Role of the CISO Selling Security Internally 2

4. Some of the Key Drivers for this Strategic Visibility include:S C I O ^ 3

5. Why should organizations have a CISO? Fraud Insider Theft Lack of single source of truth Third party exposure ? S Rate of Adoption of New Technologies C I O Hacking ^ Evolving Technologies Lack of monitoring and controls 4

6. Evolution of the role for Information Security Since last 2-3 years 5-8 years ago 9-12 years ago Source: Forrester Research 5

8. Marketing and selling of Information Security within the organization

9. Quantifying benefits

10. Controller to Business Enabler

11. Program Managing Security rather than Project Managing

12. Representation in the Senior Management Decision Making Bodies6

13. The Major Roadblocks that still CISOs face 7

14. AGENDA The Evolving Role of the CISO Selling Security Internally 8

16. Creating characters, voices and visuals that represent security in a meaningful way

17. E.g. - Salim from aeCERT9

19. Make the CEO speak about security

20. Educate the CEO with important news and reports through periodic meetingsCEO Involvement 10

22. Let Business Users express their views

23. Conduct white paper sessions to demonstrate how security issues can lead to loss of customers CEO Involvement Business Involvement 11

25. Celebrate security practices and achievements

26. Place Kiosks, Stalls etc. to create awareness about following security practices

27. Let the CEO inaugurate the proceedings of the Day

28. Involve people from business units

29. Conduct contestsCEO Involvement Business Involvement Security Awareness Day 12

31. Influence regulatory bodies and excellence centers such as CAIT and Central Banks

32. e.g., SAMA regulation for Multi Factor Authentication

33. ADSIC – Information Security ProgramCEO Involvement Business Involvement Security Awareness Day ‘External Agencies’ 13

35. Creating a web portal for users to view various reports on the metrics based on which their contribution to IS initiatives are rated CEO Involvement Business Involvement Security Awareness Day External Agencies Annual ISMS Reporting 14

37. Their experience is wide and deep in an area

38. Utilizing consultancies for specific programs might be easier to get a management buy-in

39. Organizational hierarchy could be a bottleneck to express views and concerns regarding security issues

40. Look upon consultancies as partners or change agents, not as vendors or spendersCEO Involvement Business Involvement Security Awareness Day External Agencies Annual ISMS Reporting External Consultancies 15

42. Forums such as LinkedIn and Facebook have been instrumental in generating “Networking”

43. Involvement in joint research initiatives through organizations such as CAIT (The Central Agency for Information technology) , KITS (Kuwait Information Technology Society), aeCERT, OCERT etc.CEO Involvement Business Involvement Security Awareness Day External Agencies Annual ISMS Reporting External Consultants Other CISO Involvement 16

45. Encourage publishing of white papers on popular websites and journals, on behalf of the organizationCEO Involvement Business Involvement Security Awareness Day External Agencies Annual ISMS Reporting External Consultants Other CISO Involvement External Involvement 17

46. Thank You Pradeep Menon Executive Vice President and Director Quadrant Risk Management pradeep.menon@qrmi-me.com Tel: +971-4-6091970 Mob: +971-50-4815260