Does IT Security Matter?


The title comes from a list of conclusions I gave at a presentation called Does IT Security Matter? just before Christmas in 2007. The wonderful thing about the writing process is that every now and again you hit upon a pithy phrase like that which communicates so much. But it's like mining for gold - you have to move a lot of earth to find the nuggets.

  • IT Risks are assessed according to the IT assets; these have been defined by G-IT as being IT Projects or IT Services. The diagram above provides a high-level summary of the broad risk categories for each asset group. The risks identified from each asset class are recorded in Risk Registers, which are then transferred to a Central Risk Register used to aggregate all risks. Underlying IT Risk assessment within ZFS is the need to consider IT Security and the risks to the business associated with IT Security. This is explained more in later slides; however, the Framework includes a specific service for IT Risk Assessments.
  • Does IT Security Matter?

    1. Does IT Security Matter?
       Dr. Luke O'Connor, Group IT Risk, Zurich Financial Services, Switzerland
       Faculty of Information Technology, QUT, November 27th, 2007

    2. Outline
       • A bit about Zurich and myself
       • Nicholas Carr and knowing your neighbours
       • Security Tectonics
       • The Explanation is Mightier than the Action
       • Risk and the New Math
       • Final Grains of Wisdom

    3. Introduction to Zurich
       • Offices in North America and Europe as well as in Asia Pacific, Latin America and other markets
       • Servicing capabilities to manage programs with risk exposure in more than 170 countries
       • Approximately 58,000 employees worldwide
       • Insurer of the majority of Fortune's Global 100 companies
       • Net income attributable to shareholders of USD 4.5 billion in 2006
       • Business operating profit of USD 5.9 billion in 2006

    4. My Background
       • Industrial Research (6 yr): What people might want
       • Consulting (5 yr): What people say they want
       • In house (2 yr): What people expect
       (diagram axis labels: Security, Risk)

    5. Service Providers
       Stakeholder diagram for G-IT Risk (GITR); the groups and labels recovered from the slide are:
       • GITR capabilities: GSM, Investigations, Project risk management, Service risk management
       • Zurich Business: Business A, Business B, Business C, Business x; Account Exec A, Account Exec B, Account Exec C, Account Exec x
       • Service Providers: Supplier A, Supplier B, Supplier x
       • Group functions: Finance, Audit, Compliance, Legal, Risk
       • G-IT support functions: GITAG, Process/QM, Sourcing
       • External functions: Industry Bodies & Suppliers, G-ISP
       • Relationship labels on the diagram: Partner, Focus, Co-operate, Consume information and services, Primary interface for G-IT

    6. Does IT Matter?
       • Carr, N., "IT Doesn't Matter", Harvard Business Review, Vol 81, 5, May 2003
       • Carr, N., "Does IT Matter?", 2004
       "IT doesn't matter and can't bring strategic advantage at present!"
       • Spend less
       • Follow, don't lead
       • Focus on vulnerabilities, not on opportunities
       • IT management should become "boring"
       • Manage risks and costs

    7. Good Neighbours, but Good Friends?

    8. The Continental Drift of C, I, A
       CIA, better known to business as "Call in Accenture"

    9. The Explanation is Mightier Than the Action
       (diagram labels: Security, Business)

    10. Security Bingo

    11. Notable Security Setbacks
        • Regulatory Frameworks over Security Frameworks (SOX over 7799)
        • Excel over FUD (Fear, Uncertainty and Doubt)
        • Reactive over Proactive
        • SLAs over Security Program
        • Commercial over Military

    12. The New-ish Security Model: From Castle to Airport
        Castle: Security mechanisms are static and difficult to change.
        Airport: Security mechanisms are dynamic and responsive to threats.

        Castle: Reliance on a few mechanisms. Castle walls are impregnable. Once inside, security mechanisms are minimal.
        Airport: Uses multiple overlapping technologies for defence in depth.

        Castle: Known community have unrestricted access within the security boundary.
        Airport: Security must be maintained whilst an unknown population traverses. Security of inclusion (ensuring the right people have access to the right resources) and security of exclusion (ensuring that assets are protected). Use of roles to determine security requirements.

        Castle: Silo mentality in the organisation.
        Airport: Requires an open, co-ordinated, global approach to security.

    13. The next Big Thing: Network Access Control (NAC)
        How do you sell this to your IT Department or Business?

    14. From Security …
        Four columns: Objectives, Controls, Testing, Report.
        • Objectives: ISO 17799, ISF, CobiT, NIST, Your Policies and Standards, etc.
        • Controls: ISO 17799, ISF, CobiT, NIST, Your Service Catalogue, etc.
        • Testing: Documentation, Questionnaires, Interviews, Demonstrations, Inspections, Tooling, 3rd Party Analysis
        • Report: Control Effectiveness, Compliance, Risk, Mitigation, Priorities
        Labels beneath the four columns, in order: Perceived, Desired, Reality, The Plan

    15. … to Risk
        Description: What could happen?   Trigger: How could it happen?   Consequence: What is the impact?
        Probability: How often?   Severity: How bad?

    16. Controls as Risk (as is)
        Diagram: a Control Objective (e.g. CobiT) is implemented by Controls C1, C2, C3 and C4. A Control Assessment rates each control as Effective, Needs Improvement or Not Effective, and each rating leads to the question "Risk?". The slide also carries a "NO!" marker.
        Risk Scenarios are reformulations of control deficiencies (gaps).
        Control gaps are potential triggers of Risk.

    17. IT Risk – Components
        IT Projects Risk
        • Financial & Resources
        • Compliance & Audit
        • Contract & Supplier Mgmt
        • IT Architecture & Strategy
        • IT Project Management Risks
        • Facilities & Environment
        • IT Operations & Support
        • Time to Deliver
        • IT Security
        IT Services Risk
        • Service Level Management
        • Capacity Planning
        • Contingency Planning
        • Availability Management
        • Cost Management
        • Configuration Management
        • Problem Management
        • Change Management
        • Help Desk
        • Software Control & Distribution
        • IT Security

    18. Zurich's IT Risk Management Framework
        Flow diagram with five numbered steps:
        Step 1 – ABC (Assessment of Business Criticality): the ABC risk analysis prioritizes resources. The object to be assessed is screened. Below threshold: no further analysis; apply policies and standards. Above threshold: continue to step 2 (projects) or step 3 (services).
        Step 2 – Project Risk Tool: optimised risk analysis for projects; risk assessment within the PMO process.
        Step 3 – Service Risk Tool: optimised risk analysis for services; facilitated assessments and self-assessments.
        Risk Consulting Services alongside steps 2 and 3: Project Risk Consulting, IT Security Risk Assessments.
        Step 4 – Group IT - Risk Register (Central): the risk register provides a single global datastore for analysis and reporting.
        Step 5 – Reporting, Escalation and Action Monitoring: Group IT Risk Reporting Dashboard, QRR, actions monitoring.

    19. Relation to Operational Risk

    20. Conclusion: Does IT Security Matter?
        • IT Security in general is not an end in itself
        • IT Security is one area competing for attention and funding, amongst many
        • If you don't make IT security matter, it won't
        • Keeping business secure is the main end
        • Focus on securing business processes, not the process of securing
        • Excel is your new best friend
        • Make your spreadsheets work with their spreadsheets
        • A risk-based approach is the opportunity to speak business language
        • Don't replace FUD with GIGO (garbage in, garbage out)

    21. Over to you
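The following is an added worked example, not part of the deck and not Zurich's tooling, showing how slides 15, 16 and 18 fit together in code: a control assessment (Effective / Needs Improvement / Not Effective) is turned into risk scenarios in the description / trigger / consequence shape, each scored by probability and severity, an ABC screen decides whether an object gets a full assessment at all, and the surviving entries are aggregated into one central register. The 1–5 scales, the mapping from assessment outcome to probability, the ABC threshold of 12, and the sample controls and objects are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Assessment(Enum):
    """Control assessment outcomes named on slide 16."""
    EFFECTIVE = "Effective"
    NEEDS_IMPROVEMENT = "Needs Improvement"
    NOT_EFFECTIVE = "Not Effective"


# Assumed mapping from assessment outcome to probability ("how often?", 1-5).
# An effective control is not a gap and therefore triggers no risk scenario.
PROBABILITY = {
    Assessment.EFFECTIVE: None,
    Assessment.NEEDS_IMPROVEMENT: 3,
    Assessment.NOT_EFFECTIVE: 5,
}

# Assumed ABC (Assessment of Business Criticality) threshold; the slide only
# says "below threshold" / "above threshold", the number is ours.
ABC_THRESHOLD = 12


@dataclass(frozen=True)
class Control:
    control_id: str
    objective: str          # control objective, e.g. a CobiT objective
    assessment: Assessment
    consequence: str        # "what is the impact?" if the control fails
    severity: int           # "how bad?", 1-5


@dataclass(frozen=True)
class Risk:
    description: str        # what could happen?
    trigger: str            # how could it happen?
    consequence: str        # what is the impact?
    probability: int        # how often?
    severity: int           # how bad?
    source_control: str

    @property
    def score(self) -> int:
        return self.probability * self.severity


def risks_from_control_gaps(controls):
    """Slide 16: each control gap is reformulated as a risk scenario (slide 15 shape)."""
    risks = []
    for c in controls:
        probability = PROBABILITY[c.assessment]
        if probability is None:
            continue  # effective control: no gap, no scenario
        risks.append(Risk(
            description=f"Control objective '{c.objective}' is not met",
            trigger=f"{c.control_id} assessed as '{c.assessment.value}'",
            consequence=c.consequence,
            probability=probability,
            severity=c.severity,
            source_control=c.control_id,
        ))
    return risks


def assess_object(name, criticality, controls):
    """Slide 18 step 1: the ABC screen decides whether a full assessment is done."""
    if criticality <= ABC_THRESHOLD:
        return {"object": name,
                "action": "No further analysis; apply policies and standards",
                "risks": []}
    return {"object": name, "action": "Risk assessment",
            "risks": risks_from_control_gaps(controls)}


def central_register(assessments):
    """Slide 18 step 4: aggregate every local register into one, highest score first."""
    entries = [(a["object"], r) for a in assessments for r in a["risks"]]
    return sorted(entries, key=lambda e: e[1].score, reverse=True)


# Constructed sample data: one critical service and one below the ABC threshold.
CLAIMS_CONTROLS = [
    Control("C1", "Access is granted on a need-to-know basis", Assessment.EFFECTIVE,
            "Unauthorised access to claims data", 5),
    Control("C2", "Changes are tested before release", Assessment.NEEDS_IMPROVEMENT,
            "Service outage after a faulty release", 3),
    Control("C3", "Backups are restorable", Assessment.NOT_EFFECTIVE,
            "Loss of claims history", 4),
    Control("C4", "Security patches are applied", Assessment.EFFECTIVE,
            "Compromise via a known vulnerability", 4),
]
WIKI_CONTROLS = [
    Control("C3", "Backups are restorable", Assessment.NOT_EFFECTIVE, "Loss of wiki pages", 1),
]

ASSESSMENTS = [
    assess_object("Claims portal", criticality=18, controls=CLAIMS_CONTROLS),
    assess_object("Intranet wiki", criticality=6, controls=WIKI_CONTROLS),
]

if __name__ == "__main__":
    for a in ASSESSMENTS:
        print(f"{a['object']}: {a['action']}")
    for obj, r in central_register(ASSESSMENTS):
        print(f"  [{r.score:2d}] {obj}: {r.description} / {r.trigger} / {r.consequence}")
```

Run as a script, the wiki is screened out at step 1 even though its backup control is rated Not Effective, while the claims portal yields two register entries with the failed backup control (score 20) ranked above the weak change-testing control (score 9). That ordering is the point of slide 20's "speak business language": the register can be handed over as a spreadsheet that the business can sort by score and consequence.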