Download - Security beyond compliance
Security Beyond Compliance
http://www.isaca.lk/ [email protected] work is licensed under a Creative Commons Attribution 3.0 Unported License.
Parakum [email protected], FBCS, CISA, CISM, CGEIT, CISSP, ISO 27001 LA, MCP, CHFI, QCS, ITIL
Disclaimer
• I’m employed in the #infosec industry, however not authorized to speak on behalf of my employer/ clients
• Everything I say can be blamed on the voices in your head
My credentials
• 10+ years in #Infosec field
• Tutor, consultant/ advisor, auditor, head of InfoSec
• Sectors: financial, leisure, manufacturing, advertising, gov, insurance, etc.
• Crazy about #cycling, #infosec, #socialmedia
• Still learning and not an expert at anything
• lk.linkedin.com/pub/parakum-pathirana/2/a52/2a2/
Agenda
• The World Today !
• Bangladeshi Central Bank Hack
• Problem?
• Solution?
The Compliance myth?
The World Today
The World Today
The World Today
The World Today
Recent high profile breaches
Bangladeshi Central Bank Hack
1. Malware/ spear-phishing
2. Partner Networks
3. Infrastructure
Findings from a survey done in 2008
1. Protecting reputation and brand has become a significant driver for information security.
2. Despite economic pressures, organizations continue to invest in information security.
3. International information security standards are gaining greater acceptance and adoption.
4. Many organizations still struggle to achieve a strategic view of information security.
5. Privacy is now a priority, but actions are falling short.
6. People remain the weakest link for information security.
7. Growing third-party risks are not being addressed.
8. Business continuity is still bound to information technology.
9. Most organizations are unwilling to outsource key information security activities.
10. Few companies hedge information security risks with cyber insurance.
Problem Statement
How many have deployed Information Security solutions purely to meet the compliance requirements? - According to a survey carried out at RSA Conference in 2015,
• over 61% of attendees admitted that they had
• nearly 70% of organizations don't believe they are getting the most from their security products because they think they are either too complicated, too time consuming or they don't believe they have the right expertise
So, what needs to be done?
Improve on
• Expert Knowledge
• User behavior
• Technology
“No Compliance for Compliance sake”
