Information Security (Un)Awareness
Marc Vael, International Vice-President, ISACA
CONFENIS, September 2012
"My management just does not 'get' information security!" (Anonymous CISO of a large financial institution)
"I am overwhelmed with all the passwords I have to remember. I just write them down and leave them with my executive assistant." (Anonymous manager working in an insurance company)
"Management has authorized acquisition of security monitoring tools, but they did not give me any budget for people to do this monitoring." (Anonymous CISO of a multinational service organisation)
"Sure, I support information security, but my people need to work and make money." (Anonymous CEO of a retailer)
"Our information security department keeps getting more tools, but I do not think we are any more secure." (Anonymous CRO of a large financial institution)
"Security policy is one thing. Reality is another." (Anonymous COO from a consulting company)
"All that information security people do is say 'No!'. They should learn how we really work." (Angry manager of a governmental agency)
Cyberwarfare is "the fifth domain of warfare"
Impact of an attack on the business
"People are the weakest link. You can have the best technology, firewalls, intrusion-detection systems, biometric devices, and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything." (Kevin Mitnick, ex-hacker, IT security consultant)
Business Model for Information Security
Managing risks appropriately
Risk always exists! (whether or not it is detected or recognised by the organisation)
EDUCATION!
Corporate governance: ERM (enterprise risk management) based on the COSO framework
Support from the Board of Directors and Executive Management
Policies & Standards
Project Management
Providing proper funding
Providing proper resources
Measuring performance
Review / Audit
Your security solution is as strong ... as its weakest link.
www.isaca.org/knowledgecenter
www.isaca.org/cobit
For more information...
Marc Vael
International Vice-President
Chairman of the Knowledge Board
ISACA
http://www.isaca.org/
http://www.linkedin.com/in/marcvael
@marcvael