Selling security to the C-level

  1. Selling Security to the C-Level: A Security Strategy. ISACA - Malta Chapter, Donald Tabone, 22 November 2012
  2. Agenda
     [Part one]
     ■ Introduction: Realities we face
     ■ Information on the move
     ■ The balancing act
     ■ A matter of economics
     ■ The triggers
     ■ Going forward
     [Part two]
     ■ Implementing a security strategy
     ■ Conducting a risk assessment
     ■ Conclusions
  3. Introduction: Realities we face
     • Investments in security don’t produce revenue
     • When data breaches happen, the hammer falls on IT
     • IT has to justify investments .. and make sure security policies are up to date
     CEO’s primary objectives
     • Ensure that the company remains profitable
     • Ensure that the company has a solid system in place
  4. Information on the move
     • Company data resides in virtual, NOT physical, hands
     • According to Forrester, corporate data loss and security breaches occur as a result of 1. employee misuse and 2. non-comprehensive IT security policies
     • 31% of breaches were a result of theft; 27% of breaches were a result of mishandling
     • As a result, organisations face legal, financial and reputational crises
     • As much as 70% of a company’s intellectual property (IP) lies in email
     • A huge percentage of data assets are “out there” on somebody’s smartphone / tablet
     • Trends show that the volumes of data that need to be protected are proliferating .. as fast as the devices themselves
     One typical solution to manage the concern
     • Examine employees’ devices in greater detail
     • Implement a Mobile Device Management (MDM) solution
  5. The balancing act: Bring Your Own Device (BYOD)
     • Some companies are more at risk than others, but no company is completely protected from risk (or ever can be)
     • Choices regarding security policies and solutions can dramatically impact a company’s bottom line
     • At the same time, compliance must be met
     What about employee privacy?
     • Secure data in the enterprise whilst protecting access to non-work related areas on employee-owned devices
     • Privacy concerns often result in fines and lawsuits
     • C-Levels often don’t see employee privacy as a bottom-line concern
     • But the damage of non-compliance can be costly to the corporate wallet
     [Diagram: ensuring enterprise security and compliance balanced against protecting employee privacy; compliance has become untenable]
  6. A matter of economics: securing the enterprise with the lowest investment possible
     • A security policy that results in one lost hour of productivity per employee per week may result in massive costs to the organisation
     • The least expensive solution ≠ the cheapest solution
     • Technology cannot dictate policy. Policies need to be flexible .. to deal with today’s rapidly changing technology environment
     • Scalable solutions
     • Though investing in security measures may not turn a profit, it will ensure the sustainability of a company by eliminating compliance concerns and reducing the risks of data breaches
     • It will also maintain workforce productivity in the event of a breach or unforeseen intrusion
     • A secure enterprise is a productive one
     • Mobile, social and cloud technologies have forced IT departments to adapt policies and procedures
  7. The Triggers ..1
     Cyber Crime
     • The cyber crime threat is actual and here to stay
     • It’s NOT a question of if but when
     • Be prepared for incidents
     • Ensure adequate crisis management between departments
     • Ensure security awareness between departments
     • Align individual goals with the organisation’s cyber security ambitions
     Incidents
     • From panic to business as usual
     • Dealing with incidents in a state of panic is inefficient and ineffective
     • Assign topic ownership and set up management reporting
     • Discuss what reporting and information the board needs to govern information security properly
     • What information and resources can the organisation acquire itself?
     • What resources, intelligence and threat information are to be acquired externally?
  8. The Triggers ..2
     Perspectives
     • Take a look at your organisation from an attacker’s perspective
     • What is interesting for an attacker might not be immediately obvious to the organisation itself
     • Identify your crown jewels and your position in the ecosystem / supply & demand chain. Understand what attackers are doing (and why!)
     • Make sure that these risks and your defences are aligned.
     100% Security
     • 100% security is not possible. And undesirable!
     • Every large organisation has security holes. Period.
     • Completely securing all technology, processes and people is impossible and undesirable from a risk management perspective
     • The goal should be to be free from incidents, but able to properly react when inevitable incidents happen.
  9. Going forward
     Challenges
     • Policies
     • Security awareness
     • Risk averse attitudes
     • Security strategy
     • Governance
     • System scalability
     Solutions
     • Technical controls
     • Risk management
     • Perspectives
     • Being proactive rather than reactive
     • Security strategy
     Triggers
     • New technology
     • Cyber crime
     • Incidents
     • Culture
     Push for a security strategy ... backed by a risk management mindset.
     Prevention is insufficient. Invest in detection and response. Organisations have bet on prevention of security incidents for decades. During the last few years (APT, zero-day attacks, etc.) we have learned that prevention alone will not protect us. Make significant investments in detection and response: proactive, cost-effective resilience.
  10. Implementing a security strategy – a holistic approach
      Information security requirements
      • Business objectives
      • Legal and regulatory compliance
      • New technologies
      • New vulnerabilities
      Obtaining management commitment
      • Will require an understanding of high-level information security concepts
      • Will facilitate the implementation of a strategy
      • Not crucial for a risk-based approach, but ideally should be present at each stage
      “As shown during the survey, having management commitment greatly helps towards the implementation of a strategy.”
      [Diagram: Information Security Strategy cycle: Information Security Requirements, Management Commitment, Risk Assessments, Policies, Awareness, Technical Controls, Periodic reviews]
  11. Implementing a security strategy – a holistic approach
      “Risk is the potential for an unwanted event to have a negative impact upon an activity, by exploiting an exposure.”
      The process of conducting a risk assessment involves
      • Identifying associated threats, vulnerabilities and impact
      • Determining the acceptable risk and reporting
      • Determining the significant risks
      A risk assessment will
      • Build the foundation for employing safeguards
      • Help align the safeguards with the IS requirements
      • Allow for a better understanding of the organisation’s exposure to risk
      • Reduce the risk of over- or under-spending on information security
      • Help bolster top management commitment
      [Diagram: Information Security Strategy cycle, with Risk Assessments highlighted]
  12. Implementing a security strategy – a holistic approach
      When mitigating, it is critical that safeguards are focused on the following 3 areas:
      1. Policies formally define the structure for a consistent and cohesive approach towards implementing controls
      2. Awareness concerns the need to make employees aware of their obligations and responsibilities
      3. Technical controls reflect the need to secure systems and the information within them
      Treating the risk
      • Once risks are identified, they need to be treated by either accepting, transferring, avoiding or mitigating them.
      “Security is only as good as the weakest link, therefore it’s imperative that each process is given the right importance.”
      [Diagram: Information Security Strategy cycle, with Risk Assessments, Policies, Awareness and Technical Controls highlighted]
  13. Implementing a security strategy – a holistic approach
      Periodic reviews have the following objectives
      • Verify the effectiveness of the policies, awareness levels and technical controls
      • Verify the validity of previous risk assessments, taking into account any new information security requirements
      • Renew management commitment
      Why are periodic reviews necessary?
      • Is the residual risk at an acceptable level?
      • Are the implemented controls effective?
      • Do company policies need to be updated?
      • How effective are your awareness efforts?
      “The overlying process ensures that any required corrective measures are taken in a timely manner to ensure a sound security strategy.”
      [Diagram: Information Security Strategy cycle, with Risk Assessments and Periodic reviews highlighted]
  14. Example of a Risk Assessment for Organisation XYZ Ltd (Likelihood, Impact, Risk and Action are filled in on the following slides)

      | Potential Security Incident | Result | Likelihood | Impact | Risk | Action |
      |---|---|---|---|---|---|
      | Error in use due to lack of awareness of how to use a system’s function | Compromise of the integrity of critical information | | | | |
      | Abuse of rights due to no ‘logout’ when leaving the workstation | Compromise of the confidentiality and integrity of information | | | | |
      | Theft of documents (or media) due to lack of physical protection of the building, doors and windows | Compromise of confidentiality | | | | |
      | Failure of network due to single point of failure | Loss in the availability of information | | | | |

  15. Example of a Risk Assessment for Organisation XYZ Ltd: calculation of the likelihood

      | Security Incident | Likelihood |
      |---|---|
      | Error in use due to lack of awareness of how to use a system’s function | High |
      | Abuse of rights due to no ‘logout’ when leaving the workstation | Medium |
      | Theft of documents (or media) due to lack of physical protection of the building, doors and windows | Low |
      | Failure of network due to single point of failure | Very high |

      Likelihood is the probability of a threat occurring and exploiting a vulnerability.

      | Likelihood | Definition |
      |---|---|
      | Very low | An event that is highly unlikely to occur |
      | Low | An event that is unlikely to occur; perhaps once every 3 years |
      | Medium | An event likely to occur relatively frequently; perhaps once a year |
      | High | An event that is fairly probable, and could be expected to occur several times a year |
      | Very high | An event that could be reasonably expected to occur at least every month or more frequently |

  16. Example of a Risk Assessment for Organisation XYZ Ltd: calculation of the impact

      | Security Incident | Impact |
      |---|---|
      | Error in use due to lack of awareness of how to use a system’s function | Medium |
      | Abuse of rights due to no ‘logout’ when leaving the workstation | Low |
      | Theft of documents (or media) due to lack of physical protection of the building, doors and windows | High |
      | Failure of network due to single point of failure | Very high |

      Impact is the result of an information security incident, caused by a threat, which affects an asset.

      | Potential impact | Business operations and financial health | Legal and regulatory obligations | Reputation and loss of goodwill |
      |---|---|---|---|
      | Low | Little or no disruption / financial loss | No legal or regulatory obligation | Minor and limited embarrassment internal to the organisation |
      | Medium | Detrimental to business efficiency or financial health | Technical breach of a legal or regulatory obligation | Adversely affects relations with customers or shareholders |
      | High | Causes serious disruption / financial loss | Serious breach of a legal or regulatory obligation | Seriously affects relations with customers or shareholders |
      | Very high | Could lead to bankruptcy | Could lead to the organisation being closed down | Threatens the future of the business |
  17. Example of a Risk Assessment for Organisation XYZ Ltd: calculation of the impact (repeats the potential-impact scale shown on the preceding slide)
  18. Example of a Risk Assessment for Organisation XYZ Ltd: calculation of the risk

      | Security Incident | Likelihood | Impact | Risk |
      |---|---|---|---|
      | Error in use due to lack of awareness of how to use a system’s function | High | Medium | 5 |
      | Abuse of rights due to no ‘logout’ when leaving the workstation | Medium | Low | 3 |
      | Theft of documents (or media) due to lack of physical protection of the building, doors and windows | Low | High | 4 |
      | Failure of network due to single point of failure | Very high | Very high | 8 |

      The risk is identified by mapping the likelihood of a threat exploiting a vulnerability to the impact if such an incident scenario occurs.

      | Business impact \ Likelihood | Very low | Low | Medium | High | Very high |
      |---|---|---|---|---|---|
      | Low | 1 | 2 | 3 | 4 | 5 |
      | Medium | 2 | 3 | 4 | 5 | 6 |
      | High | 3 | 4 | 5 | 6 | 7 |
      | Very high | 4 | 5 | 6 | 7 | 8 |

  19. Example of a Risk Assessment for Organisation XYZ Ltd

      | Security Incident | Result | Likelihood | Impact | Risk | Action |
      |---|---|---|---|---|---|
      | Error in use due to lack of awareness of how to use a system’s function | Compromise of the integrity of critical information | High | Medium | 5 | Mitigate through awareness and training |
      | Abuse of rights due to no ‘logout’ when leaving the workstation | Compromise of the confidentiality and integrity of information | Medium | Low | 3 | Accept residual risk since it is lower than the acceptable level |
      | Theft of documents (or media) due to lack of physical protection of the building, doors and windows | Compromise of confidentiality | Low | High | 4 | Accept residual risk since it is lower than the acceptable level |
      | Failure of network due to single point of failure | Loss in the availability of information | Very high | Very high | 8 | Mitigate by eliminating the single point of failure by duplicating equipment within the network |

      Risk treatment: after having communicated the results to the interested parties, top management has decided that the acceptable risk level should be less than 5.
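As an added worked example (not part of the original deck), the risk-matrix lookup and the treatment decision from the XYZ Ltd slides in Python: likelihood and impact labels are mapped to the 4×5 matrix and each scenario is compared with the acceptable-risk threshold of 5 set by top management. The scenario list and the function names are constructed here; the check that every cell equals its row index plus its column index plus one is a property of the slide's table, included so a reader can see that the score is additive rather than multiplicative.

```python
# Added example (not from the original deck): risk-matrix lookup and treatment
# decision for the XYZ Ltd scenarios. Labels and matrix values come from the slides.

LIKELIHOOD = ["very low", "low", "medium", "high", "very high"]   # matrix columns
IMPACT = ["low", "medium", "high", "very high"]                    # matrix rows

# Rows = business impact, columns = likelihood, exactly as drawn on the slide.
RISK_MATRIX = [
    [1, 2, 3, 4, 5],  # Low impact
    [2, 3, 4, 5, 6],  # Medium impact
    [3, 4, 5, 6, 7],  # High impact
    [4, 5, 6, 7, 8],  # Very high impact
]

ACCEPTABLE_BELOW = 5  # top management's decision: acceptable risk is less than 5

def risk_score(likelihood: str, impact: str) -> int:
    """Map a (likelihood, impact) pair to its matrix cell; unknown labels raise ValueError."""
    col = LIKELIHOOD.index(likelihood.strip().lower())
    row = IMPACT.index(impact.strip().lower())
    return RISK_MATRIX[row][col]

def treatment(score: int, acceptable_below: int = ACCEPTABLE_BELOW) -> str:
    """Accept residual risk below the threshold; otherwise the risk must be treated
    (mitigated, transferred or avoided), as the slides describe."""
    return "accept" if score < acceptable_below else "treat"

# Constructed from the four scenarios on the XYZ Ltd slides.
SCENARIOS = [
    ("Error in use due to lack of awareness", "High", "Medium"),
    ("Abuse of rights due to no logout", "Medium", "Low"),
    ("Theft of documents due to lack of physical protection", "Low", "High"),
    ("Failure of network due to single point of failure", "Very high", "Very high"),
]

def assess(scenarios=SCENARIOS):
    """Score every scenario and return (incident, score, action), highest risk first."""
    rows = [(name, risk_score(lik, imp), treatment(risk_score(lik, imp)))
            for name, lik, imp in scenarios]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for name, score, action in assess():
        print(f"{score}  {action:<6}  {name}")
```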
  20. Conclusions
      • Take a holistic approach to implementing a sound security system which is dynamic
      • Vulnerabilities need to be looked at from different angles to assess risk
      • Adopt a robust risk management process for assessing risk
      • Ensure business alignment when adopting a security strategy
      • No two approaches to implementing a strategy will be the same
      • Ensure continuous reviewing to maximise the effectiveness of controls
      • C-Level buy-in is achieved by giving repeated clear messages that suit their influence level (which is culture, strategy and governance - definitely not technology)
      • Keep in mind that you are only as secure as your weakest link
      The threat of what an organisation could lose is worth the investment to keep enterprises secure in a constantly evolving IT era.
  21. Thank you! Donald Tabone, LL.M (Strath.), B.Sc (Hons.), donaldtabone@kpmg.com.mt