VCF – formulate an EA, don’t do a flash cutover, go back to the requirements, involve users, get the right skills in-house not through contractors. 1,200,000 Google results for project benefit realisation failure.
eCrime Conference March 2006 - Presentation Transcript
In an age of increasing Participation and Consumerisation how do you “Sell Security To The Board”? Alan Mather, 30.03.2006
Doom and Gloom
- Zero Day Exploit - Microsoft's Internet Explorer browser crashes when attacked through a new unpatched vulnerability
- FBI says that dealing with viruses, spyware, PC theft and other computer-related crimes costs US businesses a massive $67.2 billion a year
- New Internet hazard known as “ransomware” is hitting personal computers, scrambling users’ files and leaving a ransom note
- Medical and financial information gathered on millions of Americans by Medicare is vulnerable to thieves or pranksters because of inadequate computer security
- Virus infections accounted for roughly half of the worst security incidents for U.K. companies in the past two years, according to a new survey
- 60% of email is spam; 91% of mail in India is spam
- The names, addresses and Social Security numbers of 200,000 customers were compromised when a laptop was stolen from the largest mutual fund
- IDC estimated that global financial institutions lost during the year US$400 million due to phishing schemes
Doom and Gloom
- Zero Day Exploit - Microsoft's Internet Explorer browser crashes when attacked through a new unpatched vulnerability
- FBI says that dealing with viruses, spyware, PC theft and other computer-related crimes costs US businesses a massive $67.2 billion a year
- New Internet hazard known as “ransomware” is hitting personal computers, scrambling users’ files and leaving a ransom note
- Medical and financial information gathered on millions of Americans by Medicare is vulnerable to thieves or pranksters because of inadequate computer security
- Virus infections accounted for roughly half of the worst security incidents for U.K. companies in the past two years, according to a new survey
- Don’t open e-mails with subject lines such as "Slobodan Milosevic was killed."
- The names, addresses and Social Security numbers of 200,000 customers were compromised when a laptop was stolen from the largest mutual fund
- IDC estimated that global financial institutions lost during the year US$400 million due to phishing schemes
- “Viruses are on a Moore’s Law curve. Security cannot keep pace with attacks on the Internet” (Stewart Baker, Asst Sec Dept Homeland Security)
Fully Comprehensive? Or just 3rd party fire and theft?
The Internet Is Not A Nice Neighbourhood Hoodies abound
Product versus Consequence: From CLEF to CCTM – Does it pass the “Ronseal Test”?
Speaking To The Board: Of the new threats detected last year by PandaLabs, which is a virus laboratories network, 42 percent were trojans, 26 percent were bots, 11 percent were backdoor trojans, 8 percent were dialers, 6 percent were worms and 3 percent were versions of adware and spyware
Use The Right Words: Policy Business Case Secret Cost Control Insurance Product Service Technology Necessary Tested Business Risk Integration Manageability User Consequence Limitations Minimum “Secure” Probability
What Goes Down Will Go Up Somewhere Else Credit card fraud falls 13% in 2005, reducing by £65 million Cardholder not present fraud goes up 21%
Convincing .gov – an example [chart: years 2001 to 2005; labels “1 in 500” and “1 in 20”]
Cost to deploy, manage and upgrade > 100,000 desktops
Vs
Annual cost per head of a service
Some Things To Think About Exposures Business Case Affordability User Consequence Outstanding Exposures Procedural Mitigation (not “policy”) Risk versus Reward Don’t make false choices Plan for SECURITY and EASE OF USE What’s Left? (after testing) Not just about technology INTERNAL and EXTERNAL Stay Up To Date ANTICIPATE!
Today’s Trends
The Participation Age … Consumerisation … More devices … From more places … Doing more things …
More “virtualisation” … More involved architectures
... Eventually simplifying to grids for some …
More off-shoring … More 3rd parties connecting to your network … More transactions … More customers
But not enough Management Tools … Too many products … Too little integration to create a known outcome
How will your board grapple with the increasing exposure … what do you need to tell them?
“Viruses are on a Moore’s Law curve. Security cannot keep pace with attacks on the Internet” (Stewart Baker, Asst Sec Dept Homeland Security)