The title comes from a list of conclusions I gave at a presentation called Does IT Security Matter? just before Christmas in 2007. The wonderful thing about the writing process is that every now and again you hit upon a pithy phrase like that which communicates so much. But it's like mining for gold - you have to move a lot of earth to find the nuggets.
Does IT Security Matter?
1. Does IT Security Matter?
Dr. Luke O’Connor
Group IT Risk
Zurich Financial Services, Switzerland
Faculty of Information Technology, QUT
November 27th, 2007
2. Outline
• A bit about Zurich and myself
• Nicholas Carr and knowing your neighbours
• Security Tectonics
• The Explanation is Mightier than the Action
• Risk and the New Math
• Final Grains of Wisdom
3. Introduction to Zurich
• Offices in North America and Europe as well as in Asia Pacific, Latin America and other markets
• Servicing capabilities to manage programs with risk exposure in more than 170 countries
• Approximately 58,000 employees worldwide
• Insurer of the majority of Fortune’s Global 100 companies
• Net income attributable to shareholders of USD 4.5 billion in 2006
• Business operating profit of USD 5.9 billion in 2006
4. My Background
• Industrial Research (6 yr): what people might want
• Consulting (5 yr): what people say they want
• In house (2 yr): what people expect
[Figure: the three career stages plotted on two axes, Security and Risk]
5. G-IT Risk stakeholders
[Figure: stakeholder map with GITR at the centre, showing its relationships to each group]
• Group functions: Finance, Audit, Compliance, Legal, Risk
• G-IT support functions: GSM, Investigations, GITAG, Process/QM, Sourcing
• External functions: Industry Bodies & Suppliers, G-ISP
• Zurich Business: Business A, B, C … x, each with an Account Exec (A, B, C … x) as the primary interface for G-IT
• Service Providers: Supplier A, B … x
• Relationship labels on the figure: Partner, Focus, Co-operate, Consume information and services, Capabilities, Project risk management, Service risk management
6. Does IT Matter?
• Carr, N, “IT Doesn’t Matter”, Harvard Business Review, Vol 81, 5, May 2003
• Carr, N, “Does IT Matter?”, 2004
“IT doesn’t matter and can’t bring strategic advantage at present!“
• Spend less
• Follow, don't lead
• Focus on vulnerabilities, not on opportunities
• IT management should become “boring”
• Manage risks and costs
11. Notable Security Setbacks
• Regulatory Frameworks over Security Frameworks (SOX over 7799)
• Excel over FUD (Fear, Uncertainty and Doubt)
• Reactive over Proactive
• SLAs over Security Program
• Commercial over Military
12. The New-ish Security Model
From Castle to Airport
Castle: Security mechanisms are static and difficult to change.
Airport: Security mechanisms are dynamic and responsive to threats.

Castle: Reliance on a few mechanisms. Castle walls are impregnable. Once inside, security mechanisms are minimal.
Airport: Uses multiple overlapping technologies for defence in depth.

Castle: Known community have unrestricted access within security boundary.
Airport: Security must be maintained whilst an unknown population traverse. Security of inclusion (ensuring the right people have access to the right resources) and security of exclusion (ensuring that assets are protected). Use of roles to determine security requirements.

Castle: Silo mentality in organisation.
Airport: Requires an open, co-ordinated, global approach to security.
13. The next Big Thing: Network Access Control (NAC)
How do you sell this to your IT Department or Business?
14. From Security …
[Table: four columns, each with its bottom-row label]
Objectives (Perceived): ISO 17799, ISF, Cobit, NIST, your policies and standards, etc.
Controls (Desired): ISO 17799, ISF, Cobit, NIST, your service catalogue, etc.
Testing (Reality): documentation, questionnaires, interviews, demonstrations, inspections, tooling, 3rd party analysis
Report (The Plan): control effectiveness, compliance, risk, mitigation, priorities
15. … to Risk
Description: What could happen?
Trigger: How could it happen?
Consequence: What is the impact?
Probability: How often?
Severity: How bad?
16. Controls as Risk (as is)
[Figure: a Control Objective (e.g. CoBIT) is implemented by Controls C1, C2, C3 and C4; each control is assessed as Effective, Needs Improvement or Not Effective, and each non-effective result is marked "Risk?"]
• Control Assessment
• Risk Scenarios are reformulations of control deficiencies (gaps)
• NO! Control gaps are potential triggers of Risk
17. IT Risk – Components
IT Projects Risk
• Financial & Resources
• Compliance & Audit
• Contract & Supplier Mgmt
• IT Architecture & Strategy
• IT Project Management Risks
• Facilities & Environment
• IT Operations & Support
• Time to Deliver
• IT Security
IT Services Risk
• Service Level Management
• Capacity Planning
• Contingency Planning
• Availability Management
• Cost Management
• Configuration Management
• Problem Management
• Change Management
• Help Desk
• Software Control & Distribution
• IT Security
18. Zurich’s IT Risk Management Framework
[Figure: process flow with five numbered stages]
1. Object to be assessed: the ABC (Assessment of Business Criticality) risk analysis prioritizes resources. Below threshold: no further analysis, apply policies and standards. Above threshold: proceed to 2 (Project) or 3 (Service).
2. Project: Project Risk Tool, risk assessment within the PMO process, optimised risk analysis for projects.
3. Service: Service Risk Tool, facilitated assessments and self-assessments, optimised risk analysis for services.
Risk Consulting (supporting 2 and 3): Project Risk Consulting Services, IT Security Risk Assessments.
4. Group IT – Risk Register (Central): the risk register provides a single global data store for analysis and reporting.
5. Reporting, Escalation and Action Monitoring: Group IT Risk Reporting Dashboard, actions monitoring, QRR.
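The slides describe a pipeline: assess controls, reformulate each gap as a risk scenario (description, trigger, consequence) rated by probability and severity, route assets through a business-criticality threshold, and collect everything in a central register. The following Python sketch, added here as an illustration and not part of the presentation or of Zurich's tooling, shows that pipeline end to end. The 1..5 rating scales, the mapping from assessment result to probability, the threshold value and the sample assessments are all constructed assumptions; the control names C1..C4 follow slide 16.

```python
"""Toy IT risk register: control gaps -> risk scenarios -> scored register.

Added example, not from the slides. All scales, mappings and sample data
below are assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Effectiveness(Enum):
    EFFECTIVE = "Effective"
    NEEDS_IMPROVEMENT = "Needs Improvement"
    NOT_EFFECTIVE = "Not Effective"


# Assumed mapping: the worse the control result, the more often the gap is
# expected to be triggered (probability scale 1..5; 0 means no gap).
GAP_PROBABILITY = {
    Effectiveness.EFFECTIVE: 0,
    Effectiveness.NEEDS_IMPROVEMENT: 2,
    Effectiveness.NOT_EFFECTIVE: 4,
}


@dataclass
class ControlAssessment:
    asset: str              # the IT project or IT service assessed
    control_id: str         # control reference (C1..C4 as on slide 16)
    objective: str          # what the control is meant to achieve
    result: Effectiveness
    severity: int           # how bad if the objective fails, 1..5 (assumed)


@dataclass
class RiskScenario:
    asset: str
    description: str        # what could happen?
    trigger: str            # how could it happen?
    consequence: str        # what is the impact?
    probability: int        # how often?
    severity: int           # how bad?

    @property
    def rating(self) -> int:
        # Simple probability x severity score used to prioritise the register.
        return self.probability * self.severity


def gap_to_scenario(a: ControlAssessment) -> Optional[RiskScenario]:
    """Reformulate a control deficiency as a risk scenario (slide 16).
    An effective control has no gap and therefore yields no scenario."""
    p = GAP_PROBABILITY[a.result]
    if p == 0:
        return None
    return RiskScenario(
        asset=a.asset,
        description=f"Objective '{a.objective}' not met",
        trigger=f"Control {a.control_id} assessed as {a.result.value}",
        consequence=f"Loss of '{a.objective}' for {a.asset}",
        probability=p,
        severity=a.severity,
    )


def build_register(
    assessments: List[ControlAssessment],
    criticality: Dict[str, int],
    threshold: int = 3,
) -> Tuple[List[RiskScenario], List[str]]:
    """ABC-style routing (slide 18): assets whose business criticality is
    below the threshold get no further analysis (just apply policies and
    standards); the rest have their gaps converted into one central
    register, sorted highest rating first."""
    register: List[RiskScenario] = []
    no_further: List[str] = []
    for a in assessments:
        if criticality.get(a.asset, 0) < threshold:
            if a.asset not in no_further:
                no_further.append(a.asset)
            continue
        scenario = gap_to_scenario(a)
        if scenario is not None:
            register.append(scenario)
    register.sort(key=lambda s: s.rating, reverse=True)
    return register, no_further


# Constructed sample data: three assets, one of them low criticality.
SAMPLE_CRITICALITY = {"Payments service": 5, "Intranet wiki": 1, "Claims portal project": 4}
SAMPLE_ASSESSMENTS = [
    ControlAssessment("Payments service", "C1", "User account management", Effectiveness.NOT_EFFECTIVE, 5),
    ControlAssessment("Payments service", "C2", "IT continuity planning", Effectiveness.NEEDS_IMPROVEMENT, 4),
    ControlAssessment("Payments service", "C3", "Malware prevention", Effectiveness.EFFECTIVE, 3),
    ControlAssessment("Claims portal project", "C4", "Project management framework", Effectiveness.NEEDS_IMPROVEMENT, 2),
    ControlAssessment("Intranet wiki", "C1", "User account management", Effectiveness.NOT_EFFECTIVE, 2),
]


if __name__ == "__main__":
    reg, skipped = build_register(SAMPLE_ASSESSMENTS, SAMPLE_CRITICALITY)
    print("No further analysis:", skipped)
    for s in reg:
        print(f"[{s.rating:2d}] {s.asset}: {s.description} | {s.trigger}")
```

Note that the "Intranet wiki" control gap is deliberately dropped by the threshold even though the control is Not Effective: that is the point of the ABC step, spending analysis effort only where the business criticality justifies it, which the deck's "don't replace FUD with GIGO" warning presupposes.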
20. Conclusion: Does IT Security Matter?
• IT Security in general is not an end in itself
• IT Security is one area competing for attention and funding, amongst many
• If you don’t make IT security matter, it won’t
• Keeping business secure is the main end
• Focus on securing business processes not the process of securing
• Excel is your new best friend
• Make your spreadsheets work with their spreadsheets
• A risk-based approach is the opportunity to speak business language
• Don’t replace FUD with GIGO (garbage in, garbage out)
Speaker notes: IT risks are assessed according to the IT assets, which have been defined by G-IT as being either IT Projects or IT Services. The diagram above provides a high-level summary of the broad risk categories for each asset group. The risks identified from each asset class are recorded in risk registers, which are then transferred to a Central Risk Register used to aggregate all risks. Underlying IT risk assessment within ZFS is the need to consider IT Security and the risks to the business associated with IT Security. This is explained more in later slides; however, the Framework includes a specific service for IT Risk Assessments.