The Business of Information Security: Version 2.0
Theo Nassiokas, APAC regional head of IT risk, audit & regulatory – Investment banking sector
2006 National Executive Chair – Australian Information Security Association (AISA)
Information Security 2010
Regulatory, business and cultural alignment is critical
Overview
Security silos to risk convergence
Business assurance to enabler
Good security strategy
Good security operations
Show me the money!
Information Security defined
Information Security is:
− Assurance that the Confidentiality, Integrity & Availability (CIA) of information assets are within the corporate risk appetite (policy)
− It involves Process, People and Technology
This requires the use of:
− Enterprise Risk Management Framework*: determine scope → identify risk → analyse and evaluate risk → communicate and treat risk → monitor risk
*Security Convergence and ERM – pg. 7 – The Convergence of IT Security and Enterprise Security Risk Management – The Alliance for Enterprise Security Risk Management – www.aesrm.org – A partnership of ISACA and ASIS International
Security silos to risk convergence – What’s the value?
Security’s perception of business?
“Security is excessive until… it’s not enough”
- Robbie Sinclair, Head of Security, Country Power
Security silos to risk convergence
What is Security Convergence?
− Meaning 1: Technology savvy physical security teams that have converged with IT – i.e. with the computers, software and networks of IT*
− Meaning 2: Correlated IT and physical security related data that is analysed and turned into useful risk management information*
− Meaning 3: The merging of IT security people and process with physical security people and processes*
What do we mean by Risk Convergence?
− The convergence of IT security and Enterprise Risk Management (ERM)
− Effective and consistent information security management in the context of broader organisational risks**
− Security risks explained as ‘real’ business risks (‘ripple effect’)
− Aligned to the well known COSO and CObIT frameworks
*Convergence – The Semantics Trap – http://www.csoonline.com/article/560063/Convergence_The_Semantics_Trap – Steve Hunt – March 1, 2010
**Security Convergence and ERM, The Convergence of IT Security and Enterprise Security Risk Management – pg. 5 – http://www.aesrm.org/convergence_security_prof_view.html – AESRM – 2009 – A partnership of ISACA and ASIS International
Who are the stakeholders?
[Diagram: Security Convergence at the centre, with the stakeholder areas Physical, IT, Legal/Regulatory and Industry codes, and the concerns they bring: IP, Data Protection Act (UK), Sarbanes Oxley s302/404/409, USA PATRIOT Act, ISO 27001, ISO 27002, California Senate Bill 1386, Basel II, privacy laws, BCP failure, phishing, cyber crime, virus incidents, physical theft of information, unauthorised software usage, system access control, license breach, staff screening checks, outsourced service provider control, information access control, network domain access, unauthorised physical access, targeted attack (mass extinction event)]
Why is risk convergence important?
Security viewed in a business context – sustainable competitive advantage:
− Competitive intelligence
− Corporate strategy
− Mergers & acquisitions
− Client confidentiality
− Customer information
Optimal stakeholder leverage (influence):
− Business lines
− Operational risk management
− Legal counsel
− Compliance (regulatory and internal policy)
− Auditors (external and internal assurance)
The Alliance for Enterprise Security Risk Management – www.aesrm.org – A partnership of ISACA and ASIS International
Business ‘assurance’ to ‘enabler’ – The objective of security?
Business’ perception of security?
“It is difficult to get a man to understand something, when his salary depends upon his not understanding it”
- Upton Sinclair, prolific American author and investigative journalist (1878 - 1968)
Research re: security as an enabler
CMO (Chief Marketing Officer) Council (USA) “Secure the Trust of Your Brand” – Aug 2006
65% of European and U.S. respondents, on average, have experienced computer security problems
1 in 6 respondents have had their personal information lost or compromised
40% of respondents have actually stopped a transaction due to a security incident
Over one third would consider taking their business elsewhere if personal information were compromised
25% would definitely take their business elsewhere if their personal information were compromised
Good security strategy – Aligned to the emerging regulatory framework
It is part of Corporate Governance
− It is one of the five main areas of corporate governance, the significance of which would depend on the industry and its jurisdiction.
[Diagram: Corporate Governance comprising five areas – Risk/Security Governance, IT Governance, Administrative and Financial Governance, Operational Governance, Regulatory and Legal Governance]
Security governance is a component of corporate governance
Why is it part of Corporate Governance?
International regulatory framework includes:
− Basel II Capital Adequacy Accord 2005 – Bank for International Settlements (Basel, Switzerland)
− Domestic Security Enhancement Act 2003 (PATRIOT II) – USA
− Vital Interdiction of Criminal Terrorist Organizations (VICTORY) Act 2003 – USA
− Public Company Accounting Reform and Investor Protection (Sarbanes Oxley) Act 2002 – USA (SEC registered / NYSE or NASDAQ listed)
− Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act 2001 – USA
− Financial Modernization Act 1999 (Gramm-Leach-Bliley Act [GLB]) – USA (US banking & finance)
− Data Protection Act 1998 – UK
− California Security Breach Information Act 2003 (SB1386) – California, USA
− Data Protection Directive 1995 (Directive 95/46/EC) – European Union
Why is it part of Corporate Governance?
Australian regulatory framework includes:
− Anti Money Laundering (AML) and Counter Terrorism Financing (CTF) Act 2006 – Commonwealth of Australia (banks and insurance)
− Terrorism Insurance Act 2003 – Commonwealth of Australia (insurance)
− Criminal Code Act 1995 – Commonwealth of Australia
− Privacy Act 1988 (as amended) – Commonwealth of Australia
− Liquid Fuel Emergency Act 1984 – Commonwealth of Australia (fuel industry)
− Crimes Act 1914 – Commonwealth of Australia
The regulatory environment is the DNA of security strategy
Good security operations – Aligned to business objectives
What is strategic risk?
− The risk of a loss arising from a poor multi-year business decision
− It is the failure to monitor, correctly interpret and respond to business and market change
− Reduction in business relevance and value of security capabilities
− Loss of a clear ‘line-of-sight’ between security activities and business objectives
How do we minimise strategic risk?
Alignment to business strategy
Example – Security ‘line of sight’ to business
[Diagram: three parallel planning chains, each running Assessment of requirements → Vision and mission → Strategy → Strategic plan → Operational plans and budgets, for the Business, for Support Services and for Security, so that security planning traces back to business planning]
“Support services” may be risk, property or IT reporting lines depending on the security service e.g. physical or information and operational or governance
Example – Capability Growth Strategy
Strategy is “how the mission will be achieved” i.e. security convergence (convergence strategy)
Strategic Planning is “how the strategy will be delivered”; Strategic Planning achieves strategy through:
• Identification of stakeholders
• Identification of synergies between stakeholders
• Leveraging synergies
Trajectory is “the time required to deliver the strategy” (from Capability Today to Capability Tomorrow)
Show me the money! – Increasing likelihood of budget approvals
Is leading an innovation easy?
“Let it be noted that there is no more delicate matter to take in hand, nor more dangerous to conduct, nor more doubtful in its success, than to set up as a leader in the introduction of changes. For he who innovates will have for his enemies all those who are well off under the existing order, and only lukewarm supporters in those who might be better off under the new.”
− [Niccolò Machiavelli (1469-1527), The Prince, 1513, Chapter VI, para.5]
Aligning projects to corporate culture
The prevailing corporate culture will ‘flavour’ the risk and security governance in place, for example:
− Conservative cultures - formal governance model i.e. more formal committees and deeper vertical structures
− Innovative cultures - flexible governance model i.e. greater autonomy and flatter horizontal structures
Understanding the prevailing corporate culture provides an insight into the governance model
− Stronger understanding of business priorities
− Greater chance of initial project budget approvals (opex, capex)
ROI - Broad programs Vs focussed projects
Know your organisation’s project governance process
Conclusion
Risk Convergence allows security to be viewed in a business context, creating optimal stakeholder buy-in
Perception of security is moving from ‘business assurance’ to ‘business enabler’
Security strategy must be aligned to the regulatory environment and business strategy
Security operations must be aligned to business objectives to demonstrate value
Projects must be aligned to corporate culture and deliver measurable business value
A message from a past leader
“The era of procrastination, of half-measures, of soothing and baffling expedients, of delays, is coming to its close.
In its place, we are entering a period of consequences.”
- Sir Winston Churchill, November 12, 1936
Questions?
Contact details:
Theo Nassiokas, MBA (Tech Mgt), CISM, CPP – APAC regional head, IT risk, audit & regulatory – Investment banking sector
2006 National Executive Chair – Australian Information Security Association (AISA)
[email protected]
+65 9225 4449 (Singapore)
+61 (0)406 198 380 (Australia)
Thank you for your time!
Appendix
Security convergence project budgets
Actual ‘security convergence’ project budgets, based on surveying 60 end users from Canada, Europe and the United States:
Spending on Converged Security Projects (per year in millions)
Project type                                                        2004   2005    2006    2007    2008
Public sector                                                       $250   $500  $1,200  $2,600  $5,001
Physical/logical access control projects                             $30    $90    $248    $542    $994
Large-scale convergence projects                                     $10    $36     $93    $202    $453
Small projects                                                       $10    $30     $81    $172    $277
Other projects performed jointly by IT and physical security depts   $10    $35     $92    $191    $315
Total                                                               $311   $691  $1,713  $3,707  $7,039
(Source: Forrester Research, "Trends 2005: Security Convergence Gets Real")