
Does IT Security Matter?

Does IT Security Matter?. Dr. Luke O’Connor Group IT Risk Zurich Financial Services, Switzerland Faculty of Information Technology, QUT November 27th, 2007. Outline. A bit about Zurich and myself Nicholas Carr and knowing your neighbours Security Tectonics


Presentation Transcript


  1. Does IT Security Matter? Dr. Luke O’Connor Group IT Risk Zurich Financial Services, Switzerland Faculty of Information Technology, QUT November 27th, 2007

  2. Outline
  • A bit about Zurich and myself
  • Nicholas Carr and knowing your neighbours
  • Security Tectonics
  • The Explanation is Mightier than the Action
  • Risk and the New Math
  • Final Grains of Wisdom

  3. Introduction to Zurich
  • Offices in North America and Europe as well as in Asia Pacific, Latin America and other markets
  • Servicing capabilities to manage programs with risk exposure in more than 170 countries
  • Approximately 58,000 employees worldwide
  • Insurer of the majority of Fortune’s Global 100 companies
  • Net income attributable to shareholders of USD 4.5 billion in 2006
  • Business operating profit of USD 5.9 billion in 2006

  4. My Background (diagram: career stages plotted on a Security / Risk axis)
  • Industrial Research (6 yr): what people might want
  • Consulting (5 yr): what people say they want
  • In house (2 yr): what people expect

  5. G-IT Risk stakeholders (diagram; labels recovered from the slide)
  • Zurich Business: Business A, B, C … x, each with an Account Exec and a Supplier (Service Providers)
  • GITR (Group IT Risk) activities: Project risk management, Service risk management, Capabilities, Investigations
  • G-IT support functions: GSM, G-ISP, Finance, GITAG, Process/QM, Sourcing (GITR co-operates with these; primary interface for G-IT; consume information and services)
  • Group functions: Audit, Compliance, Legal, Risk (GITR partner focus)
  • External functions: Industry Bodies & Suppliers

  6. Does IT Matter?
  • “IT doesn’t matter and can’t bring strategic advantage at present!”
  • Spend less
  • Follow, don't lead
  • Focus on vulnerabilities, not on opportunities
  • IT management should become “boring”
  • Manage risks and costs
  • Carr, N., “IT Doesn’t Matter”, Harvard Business Review, Vol. 81, No. 5, May 2003
  • Carr, N., “Does IT Matter?”, 2004

  7. Good Neighbours, but Good Friends?

  8. The Continental Drift of C, I, A. CIA: better known to business as “Call in Accenture”

  9. The Explanation is Mightier Than the Action (diagram: Business vs. Security)

  10. Security Bingo

  11. Notable Security Setbacks
  • Regulatory Frameworks over Security Frameworks (SOX over 7799)
  • Excel over FUD (Fear, Uncertainty and Doubt)
  • Reactive over Proactive
  • SLAs over Security Program
  • Commercial over Military

  12. The New-ish Security Model: From Castle to Airport

  13. The next Big Thing: Network Access Control (NAC). How do you sell this to your IT Department or Business?

  14. From Security … (diagram: Perceived / Desired / Reality, across the stages The Plan → Objectives → Controls → Testing → Report)
  • Objectives, drawn from: ISO 17799, ISF, Cobit, NIST, your Policies and Standards, etc.
  • Controls, drawn from: ISO 17799, ISF, Cobit, NIST, your Service Catalogue, etc.
  • Testing, by means of: Documentation, Questionnaires, Interviews, Demonstrations, Inspections, Tooling, 3rd Party Analysis
  • Report, covering: Control Effectiveness, Compliance, Risk Mitigation, Priorities

  15. … to Risk
  • What could happen? → Description
  • How could it happen? → Trigger
  • What is the impact? → Consequence
  • How often? → Probability
  • How bad? → Severity

  16. Controls as Risk (as is)
  • Control Objective (e.g. CoBIT) is assessed through Controls C1 … C4 (Control Assessment)
  • Assessment outcomes on the slide: C1 Effective, C2 Needs Improvement, C3 Not Effective, C4 NO!
  • Control Gaps are potential triggers of Risk (each assessed control raises the question “Risk?”)
  • Risk Scenarios are reformulations of control deficiencies (gaps)

  17. IT Risk – Components
  IT Services Risk:
  • Service Level Management
  • Capacity Planning
  • Contingency Planning
  • Availability Management
  • Cost Management
  • Configuration Management
  • Problem Management
  • Change Management
  • Help Desk
  • Software Control & Distribution
  • IT Security
  IT Projects Risk:
  • Financial & Resources
  • Compliance & Audit
  • Contract & Supplier Mgmt
  • IT Architecture & Strategy
  • IT Project Management Risks
  • Facilities & Environment
  • IT Operations & Support
  • Time to Deliver
  • IT Security

  18. Zurich’s IT Risk Management Framework (diagram; object to be assessed: a Service or a Project)
  1. The ABC (Assessment of Business Criticality) risk analysis prioritizes resources: above threshold → step 2 or 3; below threshold → no further analysis, apply Policies and Standards
  2. Optimised risk analysis for projects: Project Risk Tool, risk assessment within the PMO process, Project Risk Consulting
  3. Optimised risk analysis for services: Service Risk Tool, facilitated assessments and self-assessments, IT Security Risk Assessments, Services Risk Consulting
  4. Risk register provides a single global datastore for analysis and reporting: Group IT Risk Register (Central)
  5. Reporting, Escalation and Action Monitoring: Group IT Risk Reporting, QRR Dashboard, Actions monitoring

  19. Relation to Operational Risk

  20. Conclusion: Does IT Security Matter?
  • IT Security in general is not an end in itself
  • IT Security is one area competing for attention and funding, amongst many
  • If you don’t make IT security matter, it won’t
  • Keeping business secure is the main end
  • Focus on securing business processes, not the process of securing
  • Excel is your new best friend
  • Make your spreadsheets work with their spreadsheets
  • A risk-based approach is the opportunity to speak business language
  • Don’t replace FUD with GIGO (garbage in, garbage out)

  21. Over to you
