Safe knowledge l.jpg
This presentation is the property of its rightful owner.
Sponsored Links
1 / 22

SAFE KNOWLEDGE PowerPoint PPT Presentation


  • 67 Views
  • Uploaded on
  • Presentation posted in: General

SAFE KNOWLEDGE. GEOFF ROBERTS Implementation Partner AUSTRALIAN PROJECTS PTY LIMITED IT Security and Data Protection. The Management versus Technical Staff Challenge.

Download Presentation

SAFE KNOWLEDGE

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Safe knowledge l.jpg

SAFE KNOWLEDGE

GEOFF ROBERTS

Implementation Partner

AUSTRALIAN PROJECTS PTY LIMITED

IT Security and Data Protection


The management versus technical staff challenge l.jpg

The Management versus Technical Staff Challenge

Create win-win IT security outcomes that meet management objectives for the enterprise, and realistic productivity expectations of the IT department


Differing cultures l.jpg

Differing cultures

  • Non-technical managers are mostly in a world of budgets, timeframes, deadlines, deliverables, results and the “big picture”

  • IT staff are mostly in a world of rapid change, uncertainties, threats, complexity and detail, as well as timeframes, deadlines and deliverables

  • The difference is often clear to IT staff but unclear to non-technical managers


The management versus technical staff conundrum l.jpg

The Management versus Technical Staff Conundrum

  • Corporate structure that fails to acknowledge a rapidly changing security landscape

  • Poorly defined IT security roles and responsibilities for non-technical management and IT management teams

  • Failure of technical expectations to be fulfilled due to unrealistic low budgets and failure of non technical management to approve sufficient human resources to meet the requirements of the IT department

  • No common approach and a lack of language clarity between management and technical staff


Enterprise structure l.jpg

Enterprise Structure

  • Enterprise management and IT department in separate isolated silos

  • These silos fail to share accountability and responsibility for IT security policy and practice

  • The silo approach does not work because shared responsibilities and communications are often neglected

  • Silos can address isolated work area requirements but will leave gaps across the whole enterprise (including legal)


Roles and responsibilities l.jpg

Roles and Responsibilities

  • Inappropriate delegation of responsibilities and tasks is a common weakness

  • Legal responsibilities and associated liabilities delegated to the technical team with little or no ownership by senior non-technical management

  • Accountability that should be shared, erroneously devolved to the IT technical department instead of being “owned” from top management down


Expectations and resources l.jpg

Expectations and resources

  • Failure of management to articulate the IT security expectations of the enterprise

  • Management often underestimates the human resources needed to implement and manage IT security across the enterprise

  • Management often underestimates the financial cost to deliver a whole of enterprise security solution

  • Failure of technical team to communicate realistic requirements and timelines to meet the management expectation


What about it security l.jpg

What about IT Security?

  • Management perceives IT security as a given

  • Therefore management tends to take it for granted

  • This can create a false sense of security

  • New IT security implementations are given low priority

  • IT security solutions often implemented after an incident has occurred … (reactive management, rather than proactive management)

  • Management failure to understand that IT security is a valid cost of doing business


Bridging the gap how mgmt sees it department l.jpg

Bridging the GAP – How Mgmt sees IT Department

Management want RESULTS

Potential

Results

(Output)

IT is uniquely positioned to bridge the gap!

GAP

Momentum

Time


Key challenges l.jpg

Key challenges

  • Achieve a strategic whole-of-enterprise IT security solution to manage risk

  • Address strategic outcomes based on well informed and realistic expectations set by top management

  • Allocation of appropriate resources for each step of the process

  • Think strategically, act tactically, because each step is is only a part of the whole


Management role l.jpg

Management Role

  • Set a realistic agenda in concert with the IT department ensuring expectations are deliverable

  • Assume overall responsibility and liability

  • Provide appropriate resources, human and financial to deliver the desired outcome

  • Engage in continuing review with the IT department to ensure minimisation of risk associated with new and emerging threats


It department role l.jpg

IT Department Role

  • Provide management with accurate and timely information that will aid the planning and decision making process

  • Evaluate new and emerging products and services that may meet the IT security needs of the enterprise

  • Ensure language is clear and unambiguous for non-technical senior decision makers

  • Work to each pre-agreed management brief to ensure on-time and on-budget delivery


Closing the gap l.jpg

Risk Management

Regulatory Requirements

The Information Risk Spectrum

Logical

Process

Physical

IT Security

IT Contingency

Personnel

Security

Business

Continuity

Physical

Security

Closing the gap

John Meaking – Standard Chartered Bank


Risk a common dialogue l.jpg

Risk – a common dialogue

  • Asset Values ($)

  • Vulnerabilities (access to assets)

  • Threats (scenario exploits vulnerability)

  • RISK


Risk analysis l.jpg

Risk analysis

EXPOSURE

FACTOR

CONTROLS

THREAT

VULNERABILITY

ASSET

Unknown and Unquantifiable in absolute terms

LIKELIHOOD

X

= RISK

IMPACT

Frequency & Exposure

Consequence – some guesswork

Control Effectiveness

John Meakin – Standard Chartered Bank


Matrix a common dialogue l.jpg

Matrix – a common dialogue

Consequence

Severity

Think generically about using Risk Assessments


Where to start l.jpg

Where to start?

  • Look for High Likelihood High Impact (HH)

  • Pareto

  • Demonstrate Cost/Benefit. Don’t emphasise ROI


Prioritising l.jpg

Prioritising

Trivial Many

Critical Few


Demonstrate value results l.jpg

Demonstrate value & results

  • Through appropriate metrics

    • In terms management understands

    • Avoid measuring too much or inappropriately (let risk drive what is measured)

  • Communicate trends and changes regularly


Successful team attributes l.jpg

Successful Team Attributes

  • Plan and work as an enterprise team with shared responsibilities and accountabilities

  • Focus on realistic pre-agreed outcomes

  • Avoid “isolated empire” thinking and engage in “whole of enterprise” thinking

  • Undertake an ongoing, regular review process

  • Be nice to each other


Three final thoughts l.jpg

Three final thoughts

Computers are incredibly fast accurate and stupid.

People are unbelievably slow, inaccurate and brilliant.

Despite the foregoing, the marriage of the two is a positive force beyond calculation.


Geoff roberts l.jpg

Geoff Roberts

[email protected]

Tel: +61 2 4228 6213

www.apro.com.au

Reflex – PC Guardian – SecuriKey – Trust Digital – Zondex


  • Login