safe knowledge
Download
Skip this Video
Download Presentation
SAFE KNOWLEDGE

Loading in 2 Seconds...

play fullscreen
1 / 22

SAFE KNOWLEDGE - PowerPoint PPT Presentation


  • 86 Views
  • Uploaded on

SAFE KNOWLEDGE. GEOFF ROBERTS Implementation Partner AUSTRALIAN PROJECTS PTY LIMITED IT Security and Data Protection. The Management versus Technical Staff Challenge.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'SAFE KNOWLEDGE' - estrella


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
safe knowledge
SAFE KNOWLEDGE

GEOFF ROBERTS

Implementation Partner

AUSTRALIAN PROJECTS PTY LIMITED

IT Security and Data Protection

the management versus technical staff challenge
The Management versus Technical Staff Challenge

Create win-win IT security outcomes that meet management objectives for the enterprise, and realistic productivity expectations of the IT department

differing cultures
Differing cultures
  • Non-technical managers are mostly in a world of budgets, timeframes, deadlines, deliverables, results and the “big picture”
  • IT staff are mostly in a world of rapid change, uncertainties, threats, complexity and detail, as well as timeframes, deadlines and deliverables
  • The difference is often clear to IT staff but unclear to non-technical managers
the management versus technical staff conundrum
The Management versus Technical Staff Conundrum
  • Corporate structure that fails to acknowledge a rapidly changing security landscape
  • Poorly defined IT security roles and responsibilities for non-technical management and IT management teams
  • Failure of technical expectations to be fulfilled due to unrealistic low budgets and failure of non technical management to approve sufficient human resources to meet the requirements of the IT department
  • No common approach and a lack of language clarity between management and technical staff
enterprise structure
Enterprise Structure
  • Enterprise management and IT department in separate isolated silos
  • These silos fail to share accountability and responsibility for IT security policy and practice
  • The silo approach does not work because shared responsibilities and communications are often neglected
  • Silos can address isolated work area requirements but will leave gaps across the whole enterprise (including legal)
roles and responsibilities
Roles and Responsibilities
  • Inappropriate delegation of responsibilities and tasks is a common weakness
  • Legal responsibilities and associated liabilities delegated to the technical team with little or no ownership by senior non-technical management
  • Accountability that should be shared, erroneously devolved to the IT technical department instead of being “owned” from top management down
expectations and resources
Expectations and resources
  • Failure of management to articulate the IT security expectations of the enterprise
  • Management often underestimates the human resources needed to implement and manage IT security across the enterprise
  • Management often underestimates the financial cost to deliver a whole of enterprise security solution
  • Failure of technical team to communicate realistic requirements and timelines to meet the management expectation
what about it security
What about IT Security?
  • Management perceives IT security as a given
  • Therefore management tends to take it for granted
  • This can create a false sense of security
  • New IT security implementations are given low priority
  • IT security solutions often implemented after an incident has occurred … (reactive management, rather than proactive management)
  • Management failure to understand that IT security is a valid cost of doing business
bridging the gap how mgmt sees it department
Bridging the GAP – How Mgmt sees IT Department

Management want RESULTS

Potential

Results

(Output)

IT is uniquely positioned to bridge the gap!

GAP

Momentum

Time

key challenges
Key challenges
  • Achieve a strategic whole-of-enterprise IT security solution to manage risk
  • Address strategic outcomes based on well informed and realistic expectations set by top management
  • Allocation of appropriate resources for each step of the process
  • Think strategically, act tactically, because each step is is only a part of the whole
management role
Management Role
  • Set a realistic agenda in concert with the IT department ensuring expectations are deliverable
  • Assume overall responsibility and liability
  • Provide appropriate resources, human and financial to deliver the desired outcome
  • Engage in continuing review with the IT department to ensure minimisation of risk associated with new and emerging threats
it department role
IT Department Role
  • Provide management with accurate and timely information that will aid the planning and decision making process
  • Evaluate new and emerging products and services that may meet the IT security needs of the enterprise
  • Ensure language is clear and unambiguous for non-technical senior decision makers
  • Work to each pre-agreed management brief to ensure on-time and on-budget delivery
closing the gap

Risk Management

Regulatory Requirements

The Information Risk Spectrum

Logical

Process

Physical

IT Security

IT Contingency

Personnel

Security

Business

Continuity

Physical

Security

Closing the gap

John Meaking – Standard Chartered Bank

risk a common dialogue
Risk – a common dialogue
  • Asset Values ($)
  • Vulnerabilities (access to assets)
  • Threats (scenario exploits vulnerability)
  • RISK
risk analysis
Risk analysis

EXPOSURE

FACTOR

CONTROLS

THREAT

VULNERABILITY

ASSET

Unknown and Unquantifiable in absolute terms

LIKELIHOOD

X

= RISK

IMPACT

Frequency & Exposure

Consequence – some guesswork

Control Effectiveness

John Meakin – Standard Chartered Bank

matrix a common dialogue
Matrix – a common dialogue

Consequence

Severity

Think generically about using Risk Assessments

where to start
Where to start?
  • Look for High Likelihood High Impact (HH)
  • Pareto
  • Demonstrate Cost/Benefit. Don’t emphasise ROI
prioritising
Prioritising

Trivial Many

Critical Few

demonstrate value results
Demonstrate value & results
  • Through appropriate metrics
    • In terms management understands
    • Avoid measuring too much or inappropriately (let risk drive what is measured)
  • Communicate trends and changes regularly
successful team attributes
Successful Team Attributes
  • Plan and work as an enterprise team with shared responsibilities and accountabilities
  • Focus on realistic pre-agreed outcomes
  • Avoid “isolated empire” thinking and engage in “whole of enterprise” thinking
  • Undertake an ongoing, regular review process
  • Be nice to each other
three final thoughts
Three final thoughts

Computers are incredibly fast accurate and stupid.

People are unbelievably slow, inaccurate and brilliant.

Despite the foregoing, the marriage of the two is a positive force beyond calculation.

geoff roberts
Geoff Roberts

[email protected]

Tel: +61 2 4228 6213

www.apro.com.au

Reflex – PC Guardian – SecuriKey – Trust Digital – Zondex

ad