Managing Corporate Information Security Risk in Financial Institutions
Asia Business Forum. Audit type audience.


Transcript

  • 1. Managing Corporate Information Security Risk in Financial Institutions Mark Curphey and Bill Hau
  • 2. Have you ever been hacked?
  • 3. Could you have ever been hacked?
  • 4. Would you know?
  • 5. Would you REALLY know?
  • 6. Agenda
    • What is information security?
    • What is security risk?
    • What does a typical security program look like today?
    • Why is that wrong?
    • What’s a better approach
      • ISBPM
  • 7. How did others answer our survey?
  • 8. What does security mean anyway? Confidentiality, integrity and authenticity (C.I.A.)
  • 9. ALWAYS REMEMBER: You are not in business to run a secure network or build secure software; you are in business to run a secure enough network and build secure enough software.
  • 10. What is security risk? R = V x T x BI
  • 11. Risk ($) = Vulnerabilities (#) x Threats (%) x Business Impact ($)
  • 12. Today's Information Security Departments: security people as the thought police
  • 13. Security people are from Mars, business people are from Venus
  • 14. “In the future everyone will have their 15 minutes of fame” – Andy Warhol
  • 15. NEWS FLASH: The world is not falling down because of cross site scripting. Security < Performance < Functionality. Start caring about the important stuff (before security becomes ignored).
  • 16. Security people like gadgets and kudos, business people like numbers and money
  • 17. A fool with a tool … is still a fool
  • 18. News for people who run tools
  • 19. China!
  • 20. China!
  • 21. China!
  • 22. China!
  • 23. Traditional security departments are dead (or dying fast), so traditional security people are becoming less relevant
  • 24. Stop stopping. Start facilitating: security as a business enabler
  • 25. So What Should Companies Be Doing? People, Process, Technology
  • 26. Information Security Maturity: 1998 [chart: maturity over time; phases Blissful Ignorance, Awareness Phase, Corrective Phase, Operational Excellence Phase; steps Review Status Quo, (Re-)Establish Security Team, Develop New Policy Set, Initiate Strategic Program, Design Architecture, Institute Processes, Conclude Catch-Up Projects, Track Technology and Business Change, Continuous Process Improvement; population shares shown: 80%, 18%, 2%, 0%. NOTE: Population distributions represent typical, large G2000-type organizations]
  • 27. Information Security Maturity: 2002 [chart: same phases and steps as slide 26; population shares shown: 60%, 28%, 10%, 2%]
  • 28. Information Security Maturity: 2006 [chart: same phases and steps as slide 26; population shares shown: 50%, 30%, 15%, 5%; duration 3+ years]
  • 29. Security Fortune Cookies: Don’t spend 10 dollars to protect 5 dollars. Zero risk is a fallacy. Silver bullets don’t work.
  • 30. That’s all folks!
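The following is an added worked example, not part of the original deck or its authors' material. It applies the risk formula from slides 10 and 11 (Risk ($) = Vulnerabilities (#) x Threats (%) x Business Impact ($)) to a small portfolio of assets, ranks them, and then applies the slide 29 rule ("don't spend 10 dollars to protect 5 dollars") to decide whether a proposed control is worth its annual cost. All asset names, finding counts, likelihoods, impact figures and control costs are constructed for illustration.

```python
"""Risk-based prioritisation and control selection.

Uses the deck's formula  Risk ($) = Vulnerabilities (#) x Threats (%) x Business Impact ($)
and the rule "don't spend 10 dollars to protect 5 dollars".
Added example; every name and number below is constructed, not taken from the deck.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    vulnerabilities: int      # open findings against the asset (#)
    threat_likelihood: float  # probability of an attempt in the period, 0.0..1.0 (%)
    business_impact: float    # loss per successful compromise ($)

    def __post_init__(self) -> None:
        # Guard the inputs: a likelihood outside 0..1 silently breaks the formula.
        if not 0.0 <= self.threat_likelihood <= 1.0:
            raise ValueError(f"{self.name}: threat_likelihood must be within 0..1")
        if self.vulnerabilities < 0 or self.business_impact < 0:
            raise ValueError(f"{self.name}: counts and impact must be non-negative")


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # what the control costs per period ($)
    vulns_removed: int        # findings the control closes outright
    threat_reduction: float   # fractional cut in likelihood, 0.0..1.0


def risk(asset: Asset) -> float:
    """Deck formula: vulnerabilities x threat likelihood x business impact."""
    return asset.vulnerabilities * asset.threat_likelihood * asset.business_impact


def residual_risk(asset: Asset, control: Control) -> float:
    """Risk that remains after the control is applied to the asset."""
    remaining = max(asset.vulnerabilities - control.vulns_removed, 0)
    likelihood = asset.threat_likelihood * (1.0 - control.threat_reduction)
    return remaining * likelihood * asset.business_impact


def is_worth_it(asset: Asset, control: Control) -> bool:
    """Slide 29 rule: only buy the control if the risk it removes exceeds its cost."""
    reduction = risk(asset) - residual_risk(asset, control)
    return reduction > control.annual_cost


def prioritise(assets: list[Asset]) -> list[str]:
    """Asset names ordered from highest to lowest risk in dollars."""
    return [a.name for a in sorted(assets, key=risk, reverse=True)]


# Constructed sample portfolio (hypothetical figures).
ASSETS = [
    Asset("online-banking-portal", vulnerabilities=4, threat_likelihood=0.6, business_impact=500_000),
    Asset("internal-wiki", vulnerabilities=12, threat_likelihood=0.3, business_impact=5_000),
    Asset("branch-kiosk", vulnerabilities=2, threat_likelihood=0.1, business_impact=50_000),
]

# Constructed candidate controls, each proposed for one asset.
PROPOSALS = {
    "waf-for-portal": (ASSETS[0], Control("waf-for-portal", 150_000, vulns_removed=3, threat_reduction=0.5)),
    "patch-sprint-for-wiki": (ASSETS[1], Control("patch-sprint-for-wiki", 40_000, vulns_removed=12, threat_reduction=0.0)),
}


def control_decisions() -> dict[str, bool]:
    """Map each proposal name to whether the slide 29 rule says to fund it."""
    return {name: is_worth_it(asset, ctl) for name, (asset, ctl) in PROPOSALS.items()}


if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.name:24s} risk=${risk(a):>12,.0f}")
    print("priority order:", prioritise(ASSETS))
    for name, fund in control_decisions().items():
        print(f"{name:24s} {'fund' if fund else 'do not fund'}")
```

The patch sprint for the wiki closes every finding, yet it is still rejected: it costs $40,000 to remove $18,000 of risk, which is exactly the "10 dollars to protect 5" trap. The formula is deliberately coarse, so treat the output as a ranking and a sanity check on spend rather than a precise dollar forecast.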