CyberSecurity Transformation Briefing Note
Published in Business
Transcript

This information has been shared freely by Mark E.S. Bernard. If you find it useful, please acknowledge this contribution. If you would like additional information or assistance with the customization and implementation of a balanced risk management process for your security program, please contact Mark at 604-349-6557 or mesbernard@gmail.com.

"Business transformation is about making fundamental changes in how business is conducted in order to help cope with a shift in market environment" (Kotter, Harvard Business Review, January 2007).

The transformation of any organization is a delicate strategic initiative that requires careful planning and execution. When Transformation and CyberSecurity are mentioned in the same sentence, most Executives will immediately be concerned about delays to current business plans and about complaints, because people generally don't like change. Adopting a CyberSecurity framework such as ISO/IEC 27001 does not automatically result in delays, complaints or extraordinary costs unless management makes decisions based on incomplete or inaccurate information.

Over the last decade the escalating cost of CyberCrime has been estimated to exceed $445 billion globally. In addition, there are growing threats to our national security and to the critical infrastructure that supports our economy. These developments are forcing adjustments in strategic thinking. The probability of reputational and financial damage is at its highest in the last 40 years of computing, and the need to transform organizations from ad-hoc security to full programs is changing Boardroom priorities.

The CyberSecurity transformation project requires planning. The following questions should be asked:

- What assets are we attempting to protect?
- Within each organization there is a governance structure, so who are the portfolio Executives?
- What is the predominant management style?
- What is our business model?
- What are our mission, strategic goals and objectives?
- Do we currently have the capability and competencies to design, implement and maintain a CyberSecurity Program?
- How are we going to communicate decisions and sustain awareness once the ball starts rolling?

A well thought-out communication strategy will play an important role in the success of this transformation project. The initial strategy will need to take all of the above into consideration. Begin with a review, talking to middle management and subject matter experts to verify and validate the assets and risks. This will act as input into version two of the strategy.

A risk assessment needs to be facilitated against the six key asset classes in scope:

1. People
2. Information
3. Software
4. Hardware
5. Telecommunications
6. Physical locations or facilities

Risk-based decisions to accept, mitigate or reject each identified risk are made by the Governance Committee, followed by corrective action plans and/or preventive action plans. These plans can be added to projects as necessary. Establishing a risk management Policy can speed up the process by documenting the risk appetite and empowering managers and employees to make risk-based decisions, avoiding a potential bottleneck.

In a perfect world the Enterprise Information Security program should be established first; this program would naturally flow into the CyberSecurity program (see Table A). The CyberSecurity program scope is much narrower. The Enterprise Information Security Program addresses risks to data, information and knowledge flowing across the Enterprise and its vendors and service providers. In contrast, the CyberSecurity program is concerned with the protection of data, information and knowledge flowing outside physical locations across open networks like the Internet.

Table A