Notes accompany this presentation. Please select Notes Page view.
These materials can be reproduced only with written approval from Gartner.
Such approvals must be requested via e-mail: vendor.relations@gartner.com.
Gartner is a registered trademark of Gartner, Inc. or its affiliates.
Information Security Technology
and Services
Claudio Neiva
Research Director – Network Security
Claudio.neiva@gartner.com
Fear, Uncertainty and Doubt
Brasil
DDoS Attacks Increasing in Size; Frequency of Attacks Is High
Source: Arbor Networks — Worldwide Infrastructure Security Report 2013
[Charts: Largest Bandwidth Attacks Reported (2002–2011); Most Common Motivations Behind DDoS]
Phishing e-mails
Phishing e-mails vary in quality, payload, and purpose, but they all share the same initial goal: get the user to take action.
Source: Verizon 2013 security report
Likely Impacts
• Loss of availability:
1. Several hours
2. Several days
3. Forever
• Confidentiality failure:
1. Embarrassment
2. Privacy loss, fine and PR damage
3. Loss of competitive advantage
• Data loss:
1. Recoverable in several days
2. Partially corrupted data
3. Never fully recoverable
Confidentiality and Accessibility Cannot Be Simultaneously Optimized
• Secrecy and reliability are negatively linked goals
• Time and money can partially raise the overall level of both
[Chart: optimized trade-off curve between Confidentiality ("nobody can see data") and Accessibility/Availability ("everybody can see data")]
What Is Appropriate Risk?
There is no such thing as "perfect protection"
[Chart: risk against cost and maturity, from Low Risk / High Cost / High Maturity (Business Security) to High Risk / Low Cost / Low Maturity (Consumer Security), with sector examples along the curve: Financial Services, Healthcare, Manufacturing, Production Engineering; "… More risk!"]
Business Model
More customers, more locations, more complexity, more aggressive use of personally identifiable information in marketing, more regulatory scrutiny, …
The Nexus of Forces Is Driving Innovation in Government
• Extreme Networking
• Rampant Access
• Global Class Delivery
• Rich Context, Deep Insights
Information Security and the Nexus of Forces
[Diagram: security technologies arranged around the Nexus: Data Loss Prevention; Secure Web Gateway; Risk; Security Application Testing; Security Information and Event Management; Cryptography; Firewalls; Managed Security Services; Intrusion Prevention; Mobile Security; Endpoint Protection; Social Media Security Monitoring; Digital Surveillance; Identity and Access Management]
The 4 Phases of BYOD (Device or Disaster?)
Phases: Avoid, Accommodate, Adopt, Assimilate
• Don't Ask, Don't Tell; Corporate-Owned Devices Only
• Focus: Productivity. Desktop Virtualization; Adoption of New Enterprise-Grade Services; Enterprise App Stores; Self-Service and P2P Platforms
• Focus: Data Protection, Cost. BYO Policies; Formal Mobile Support Roles; MDM; NAC; Limited Support; Extend Existing Capabilities
• Realization of the Personal Cloud. Context Awareness; Identity-Aware NAC; Workspace Aggregators; "Walk-Up" Services
How's This Working for You?
[Timeline 2002 → 2010 → 2018: security moves from the control of IT & Operations to the control of business units and users]
Strategic Planning Assumption
• By 2018, 70% of mobile professionals will conduct all of their work on personal smart devices.
• Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring.
• By 2020, 75% of enterprises' information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2012.
Can Your Board Handle the Truth?
100% of U.S. public company boards are required annually to disclose their ability to oversee risk, yet fewer than 2% of U.S.-based companies, and fewer than 9% of global companies, actually have robust and mature risk oversight practices.
You Must Get Right
• Information Security
• Privacy
• Risk Management
• Business Continuity Management
• Compliance
• Identity and Access Management
Information Security Management Scenario
[Diagram of the framework areas and their components:]
• Identity: Single Sign-On; Auto-provisioning; Hootsuite – social networks
• GRC & Auditing: Vulnerability analysis; Pentest; Internal audit; PCI; Risk management
• Legal & Policy: Policy review; Supplier contract; Employee contract
• Software: Code audit; Fortify – agile methods; Whitelisting; OS assessment
• Endpoint: VPN; NAC; AV, malware & host IPS; DLP & encryption; Internet proxy; Antispam
• Awareness: E-learning; Hotspots; Educational e-mails; Talks; Specific training
• Intel & Operation: SOC; SIEM
• Perimeter: IPS; Firewall; Web application firewall (WAF); VPN
Information Security Management
Made up of several areas of the company; it is not exclusive to IT. It brings in Information Security and IT, but also users, controllers, audit, HR, Legal etc.
Security must be present in each person; the concern must be everyone's.
Security Policy
• Documents each person's responsibilities, the points of attention and the required controls.
• For the controls, defines procedures and checklists for implementation and monitoring.
Perimeter: first barrier – reactive – between the Internet and the internal networks. Network-based.
• IPS: blocks volumetric or miscellaneous attacks;
• Firewall: performs access control;
• WAF: shields web applications;
• VPN: allows external access as if the user were on the internal network.
Software – second barrier – proactive – secure code and applications
• Code audit: performed by the security team with an appropriate tool
• Fortify: part of the development process with agile deployment
• Whitelisting: control of which applications the application server may execute
• Assessment: cyclical validation of the application servers against checklists
Endpoint – protection of workstations, notebooks and mobile devices
• VPN: allows secure external access
• NAC: allows secure internal access
• AV, anti-malware, host IPS, DLP and encryption: protect the workstation and the data
• Proxy and anti-spam: protect the user and productivity
User awareness and education
• e-learning and educational e-mails with facts and tips
• Technology hotspots (leaflets, panels)
• Talks and training delivered by the area
• Contracted talks and training
Identity Management
• Single sign-on: automatic login to applications after the Windows login
• Auto-provisioning: account creation and deletion in a single workflow
• Hootsuite: access management for social network profiles
Intelligence and Log Management
• SIEM: centralisation of logs and application of security and business rules when correlating the detected events
• SOC: specialised team that monitors incidents and carries out operational information security tasks
GRC and Audit
• Audit, PCI and Risk Management: monitoring of vulnerabilities and management of risks
• Vulnerability analysis: manual analysis of all the company's information assets by a specialised consultancy
• Pentest: manual intrusion test of the vulnerabilities found, and input for risk management
Legal and Policy
• Cyclical policy reviews: meetings between key people of the security committee or a similar body to draft and approve policies
• Supplier contract: contract with the security requirements imposed on suppliers of information assets
• Employee contract: addendum to the employment contract regulating the use of IT assets
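Added example (not part of the Gartner deck or the framework above) of the SIEM correlation described under "Intelligence and Log Management": constructed VPN and IPS log lines in a hypothetical "timestamp source event key=value" format are normalised, then a security rule (repeated auth failures followed by a success), a cross-layer rule (IPS alert from a source that just authenticated over VPN) and a business rule (finance-group login outside business hours) run over them. The log format, the group membership and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "timestamp source event k=v ..." format.
SAMPLE_LOGS = """\
2014-05-15T02:10:01 vpn auth_fail user=alice src=203.0.113.10
2014-05-15T02:10:07 vpn auth_fail user=alice src=203.0.113.10
2014-05-15T02:10:13 vpn auth_fail user=alice src=203.0.113.10
2014-05-15T02:10:20 vpn auth_ok user=alice src=203.0.113.10
2014-05-15T02:11:02 ips alert sig=sql_injection src=203.0.113.10 dst=10.0.0.5
2014-05-15T09:30:00 vpn auth_ok user=bob src=198.51.100.7
2014-05-15T23:45:00 vpn auth_ok user=carol src=198.51.100.9
"""

# Constructed group membership: the business context a "business rule" can draw on.
FINANCE_USERS = {"carol"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<event>\w+)(?P<kv>(?: \w+=\S+)*)$")


def parse_line(line):
    """Normalise one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"], "event": m["event"]}
    for pair in m["kv"].split():
        key, value = pair.split("=", 1)
        ev[key] = value
    return ev


def parse_logs(text):
    """Parse all lines, drop unparseable ones and order the events by time."""
    events = [parse_line(line) for line in text.splitlines()]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def rule_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Security rule: at least `threshold` VPN auth failures from one source followed
    by a success from the same source within `window` (guessing that worked)."""
    failures = defaultdict(list)
    alerts = []
    for ev in events:
        if ev["source"] != "vpn":
            continue
        src = ev.get("src")
        if ev["event"] == "auth_fail":
            failures[src].append(ev["ts"])
        elif ev["event"] == "auth_ok":
            recent = [t for t in failures[src] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "src": src,
                               "user": ev.get("user"), "failures": len(recent)})
            failures[src].clear()
    return alerts


def rule_ips_after_vpn_login(events, window=timedelta(minutes=10)):
    """Cross-layer rule: a perimeter IPS alert from a source that authenticated over
    VPN shortly before, i.e. the attack traffic comes from an authenticated session."""
    last_login = {}
    alerts = []
    for ev in events:
        if ev["source"] == "vpn" and ev["event"] == "auth_ok":
            last_login[ev.get("src")] = ev
        elif ev["source"] == "ips" and ev["event"] == "alert":
            login = last_login.get(ev.get("src"))
            if login and ev["ts"] - login["ts"] <= window:
                alerts.append({"rule": "ips_after_vpn_login", "src": ev.get("src"),
                               "user": login.get("user"), "signature": ev.get("sig")})
    return alerts


def rule_offhours_finance_login(events, start_hour=8, end_hour=19):
    """Business rule: a finance-group account logs in outside business hours."""
    alerts = []
    for ev in events:
        if ev["source"] == "vpn" and ev["event"] == "auth_ok" and ev.get("user") in FINANCE_USERS:
            if not start_hour <= ev["ts"].hour < end_hour:
                alerts.append({"rule": "offhours_finance_login", "user": ev["user"],
                               "src": ev.get("src"), "hour": ev["ts"].hour})
    return alerts


def correlate(text):
    """Run every rule over the parsed log and return the combined alert list."""
    events = parse_logs(text)
    return (rule_bruteforce_then_success(events)
            + rule_ips_after_vpn_login(events)
            + rule_offhours_finance_login(events))


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the sample log this raises three alerts: the guessed-then-successful login for alice, the IPS alert from her freshly authenticated source, and carol's 23:45 login; bob's login during business hours produces none.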
Information Security – Framework
[Diagram legend: Implemented; Gap; Revision]
From Control-Centric Security to People-Centric Security
• Control-centric: Policy, Rules, People, Punishment, Control
• People-centric: Rights, Principles, Policy, Responsibilities, People, Monitor, Educate
Kickin' it old school
• Threat-based
• Tool-focused
• Tactical
• Reactive
• Project-oriented
• Ignored by business
• Take ownership of risk
The new paradigm
• Risk-based
• Process-focused
• Strategic
• Proactive
• Programmatic
• Engaged with business
• Educate about risk
New Goals of Information Security
The function of information security management is to support the business's ability to deliver on its goals in a risk-resilient manner.
[Axis: from Cost Center to Value-Add]
Transform: Mapping KRIs and KPIs
[Diagram, read left to right, each column a leading indicator of the next:
CRO/CISO: Key Risk Indicator (Open Incidents; Poor Patching)
CIO: Negative Impact KPI (Critical Application Fault; Supply Chain Support Application)
The Business: Supply Chain Slows; Revenue Loss; Miss the Quarter]
Path to Failure: Reading Gartner's reports, but not speaking to an analyst
What product and vendor selection tools are appropriate for my enterprise?
Gartner Methodologies
Technology Evolution:
• Gartner IT Market Clock: should you move or wait? Maintain or retire?
• Gartner Hype Cycle: evaluate risks in emerging and mature markets
Market Overview:
• Gartner MarketScope and Gartner Magic Quadrant: map providers against business requirements
• Gartner Critical Capabilities: identify use cases and compare vendors
Recommended Gartner Research
• The Structure and Scope of an Effective Information Security Program. Tom Scholtz (G00210133)
• Security Management Strategy Planning Best Practices. Tom Scholtz (G00223694)
• The Security Processes You Must Get Right. Rob McMillan (G00209848)
• Seven Techniques for More Proactive Risk and Security Management. Tom Scholtz (G00224578)
• The Keep-It-Simple Approach for CIO Risk Reporting to the Board. Richard Hunter, French Caldwell (G00211351)
• Introducing Risk-Adjusted Value Management. Paul E. Proctor, Michael Smith (G00225409)
• The Gartner Business Risk Model: A Framework for Integrating Risk and Performance. Paul E. Proctor, Michael Smith (G00214758)
• Information Security and Risk Governance: Forums and Committees. Tom Scholtz, F. Christian Byrnes (G00207477)
For more information, stop by the Experience Gartner Research Zone.

Information Security and Network Structure - Café Empresarial 15/05

  • 1. Information Security Technology and Services. Claudio Neiva, Research Director – Network Security, Claudio.neiva@gartner.com. Notes accompany this presentation. Please select Notes Page view. These materials can be reproduced only with written approval from Gartner. Such approvals must be requested via e-mail: vendor.relations@gartner.com. Gartner is a registered trademark of Gartner, Inc. or its affiliates.
  • 4. DDoS Attacks Increasing in Size; Frequency of Attacks Is High
      Charts: "Largest Bandwidth Attacks Reported" (by year, 2002 to 2011) and "Most Common Motivations Behind DDoS". Source: Arbor Networks — Worldwide Infrastructure Security Report 2013
  • 5. Phishing e-mails: Phishing e-mails vary in quality, payload, and purpose, but they all share the same initial goal: get the user to take action. Source: Verizon 2013 security report
  • 6. Likely Impacts
      • Loss of availability: 1. Several hours; 2. Several days; 3. Forever
      • Confidentiality failure: 1. Embarrassment; 2. Privacy loss, fine and PR damage; 3. Loss of competitive advantage
      • Data loss: 1. Recoverable in several days; 2. Partially corrupted data; 3. Never fully recoverable
  • 7. Confidentiality and Accessibility Cannot Be Simultaneously Optimized
      Chart: Confidentiality (vertical axis, from "Nobody can see data") against Accessibility/Availability (horizontal axis, to "Everybody can see data"), with an "Optimized Trade-off Curve".
      • Secrecy and reliability are negatively linked goals
      • Time and money can partially raise the overall level of both
  • 10. What Is Appropriate Risk? There is no such thing as "perfect protection".
      Chart: from Low Risk / High Cost / High Maturity to High Risk / Low Cost / Low Maturity ("… More risk!"), with Financial Services, Healthcare, Manufacturing, Production and Engineering placed along the scale.
      Business Model: More customers, more locations, more complexity, more aggressive use of personally identifiable information in marketing, more regulatory scrutiny, …
  • 11. The Nexus of Forces Is Driving Innovation in Government: Extreme Networking; Rampant Access; Global Class Delivery; Rich Context, Deep Insights
  • 12. Information Security and the Nexus of Forces: Data Loss Prevention; Secure Web Gateway; Risk; Security Application Testing; Security Information and Event Management; Cryptography; Firewalls; Managed Security Services; Intrusion Prevention; Mobile Security; Endpoint Protection; Social Media Security Monitoring; Digital Surveillance; Identity and Access Management
  • 13. The 4 Phases of BYOD (Device or Disaster?): Avoid, Accommodate, Adopt, Assimilate
      • Don't Ask, Don't Tell; Corporate-Owned Devices Only
      • Focus: Productivity. Desktop Virtualization; Adoption of New Enterprise-Grade Services; Enterprise App Stores; Self-Service and P2P Platforms
      • Focus: Data Protection, Cost. BYO Policies; Formal Mobile Support Roles; MDM; NAC; Limited Support; Extend Existing Capabilities
      • Realization of the Personal Cloud. Context Awareness; Identity-Aware NAC; Workspace Aggregators; "Walk-Up" Services
  • 14. How's This Working for You? Timeline 2002, 2010, 2018: from "Security is in the control of IT & Operations" to "Security is in the control of business units and users".
  • 15. Strategic Planning Assumptions
      • By 2018, 70% of mobile professionals will conduct all of their work on personal smart devices.
      • Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring.
      • By 2020, 75% of enterprises' information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2012.
  • 16. Can Your Board Handle the Truth? 100% of U.S. public company boards are required annually to disclose their ability to oversee risk, yet … fewer than 2% of U.S.-based companies, and fewer than 9% of global companies, actually have robust and mature risk oversight practices.
  • 17. You Must Get Right
  • 18. Information Security; Privacy; Risk Management; Business Continuity Management; Compliance; Identity and Access Management
  • 19. Information Security Management Scenario (diagram)
      Identity: Single Sign-On; Auto-provisioning; Hootsuite – Social Networks
      GRC & Auditing: Vulnerability Analysis; Pentest; Internal Audit; PCI; Risk Management
      Legal & Policy: Policy Review; Supplier Contract; Employee Contract
      Software: Code Audit; Fortify - Agile Methods; Whitelisting; OS Assessment
      Endpoint: VPN; NAC; AV, Malware & Host IPS; DLP & Encryption; Internet Proxy; AntiSpam
      Awareness: E-learning; Hotspots; Educational E-mails; Talks; Specific Training
      Intel & Operation: SOC; SIEM
      Perimeter: IPS; Firewall; Application Firewall (WAF); VPN
      Legend: Implemented / Gap / Revision. Information Security – Framework

      Notes:
      Information Security Management: made up of several areas of the company; it is not exclusive to IT. It includes Information Security and IT, but also users, controllers, audit, HR, Legal, etc. Security must be present in each person; the concern must belong to everyone.
      Security Policy: documents each person's responsibilities, the points of attention and the necessary controls. For the controls, it defines procedures and checklists for implementation and monitoring.
      Perimeter: first barrier, reactive, between the Internet and the internal networks. Network-based. IPS: blocks volumetric or miscellaneous attacks. Firewall: performs access control. WAF: shields Web applications. VPN: allows external access as if the user were on the internal network.
      Software: second barrier, proactive, secure code and applications. Code audit: with a suitable tool, performed by the security team. Fortify: part of the development process with agile deployment. Whitelisting: control of which applications the application server may execute. Assessment: cyclical validation of the application servers against checklists.
      Endpoint: protection of workstations, notebooks and mobile devices. VPN: enables secure external access. NAC: enables secure internal access. AV, anti-malware, host IPS, DLP and encryption: protect the workstation and the data. Proxy and anti-spam: protect the user and productivity.
      User awareness and education: e-learning and educational e-mails with facts and tips; technology hotspots (leaflets, panels); talks and training delivered by the security team; contracted talks and training.
      Identity Management: Single sign-on: automatic login to applications after the Windows login. Auto-provisioning: creation and deletion of accounts in a single workflow. Hootsuite: access management for social network profiles.
      Intelligence and Log Management: SIEM: centralisation of logs and application of security and business rules when correlating the detected events. SOC: team specialised in monitoring incidents and performing operational information security tasks.
      GRC and Audit: Audit, PCI and risk management: monitoring of vulnerabilities and management of risks. Vulnerability analysis: manual analysis of all of the company's information assets by a specialised consultancy. Pentest: manual intrusion testing of the vulnerabilities found, and input to risk management.
      Legal and Policy: Cyclical policy reviews: meetings between key people of the security committee or a similar body to draft and approve policies. Supplier contract: contract with the security requirements imposed on suppliers of information assets. Employee contract: addendum to the employment contract regulating the use of IT assets.
  • 20. From Control-Centric Security to People-Centric Security. Control-centric: Policy, Rules, People, Punishment, Control. People-centric: Rights, Principles, Policy, Responsibilities, People, Monitor, Educate.
  • 21. New Goals of Information Security. The function of information security management is to support the business's ability to deliver on its goals in a risk-resilient manner.
      • Kickin' it old school (Cost Center): Threat-based; Tool-focused; Tactical; Reactive; Project-oriented; Ignored by business; Take ownership of risk
      • The new paradigm (Value-Add): Risk-based; Process-focused; Strategic; Proactive; Programmatic; Engaged with business; Educate about risk
  • 22. Transform: Mapping KRIs and KPIs. Chain from the CRO/CISO, through the CIO, to The Business: Poor Patching is a leading indicator of Open Incidents (Key Risk Indicator); Open Incidents are a leading indicator of a Critical Application Fault in the Supply Chain Support Application; that fault is a leading indicator that the Supply Chain Slows (Negative Impact KPI), leading to Revenue Loss and a missed quarter.
  • 23. Path to Failure: Reading Gartner's reports, but not speaking to an analyst
  • 24. What product and vendor selection tools are appropriate for my enterprise?
  • 25. Gartner Methodologies
      • Gartner IT Market Clock (Technology Evolution): Should you move or wait? Maintain or retire?
      • Gartner Hype Cycle (Technology Evolution): Evaluate risks in emerging and mature markets
      • Gartner MarketScope (Market Overview): Map providers against business requirements
      • Gartner Magic Quadrant (Market Overview): Map providers against business requirements
      • Gartner Critical Capabilities: Identify use cases and compare vendors
  • 26. Recommended Gartner Research
      • The Structure and Scope of an Effective Information Security Program, Tom Scholtz (G00210133)
      • Security Management Strategy Planning Best Practices, Tom Scholtz (G00223694)
      • The Security Processes You Must Get Right, Rob McMillan (G00209848)
      • Seven Techniques for More Proactive Risk and Security Management, Tom Scholtz (G00224578)
      • The Keep-It-Simple Approach for CIO Risk Reporting to the Board, Richard Hunter, French Caldwell (G00211351)
      • Introducing Risk-Adjusted Value Management, Paul E. Proctor, Michael Smith (G00225409)
      • The Gartner Business Risk Model: A Framework for Integrating Risk and Performance, Paul E. Proctor, Michael Smith (G00214758)
      • Information Security and Risk Governance: Forums and Committees, Tom Scholtz, F. Christian Byrnes (G00207477)
      For more information, stop by Experience Gartner Research Zone.