Managing Corporate Information Security Risk in Financial Institutions Mark Curphey and Bill Hau

Have you ever been hacked?

Could you have ever been hacked?

Would you know?

Would you REALLY know?

Agenda What is information security? What is security risk? What does a typical security program look like today? Why is that wrong? What’s a better approach ISBPM

What is information security?

What is security risk?

What does a typical security program look like today?

Why is that wrong?

What’s a better approach

ISBPM

How did others answer our survey?

What does security mean anyway? confidentiality, integrity and authenticity C.I.A

ALWAYS REMEMBER You are not in business to run a secure network or building secure software, you are in business to running a secure enough network and build secure enough software

What is security risk? R = V x T x BI

Risk ($) = Vulnerabilities (#) x Threats (%) x Business Impact ($)

security people as the thought police Today's Information Security Departments

Security people are from Mars , business people are from Venus

“ In the future everyone will have their 15 minutes of fame” – Andy Warhol

NEWS FLASH: The world is not falling down because of cross site scripting Security < Performance < Functionality Start caring about the important stuff (before security becomes ignored)

Security people like gadgets and kudos , business people like numbers and money

A fool with a tool … .is still a fool

News for people who run tools

China!

China!

China!

China!

traditional security departments are dead (or dying fast) so traditional security people are becoming less relevant

Stop stopping security as a business enabler Start facilitating

So What Should Companies Be Doing? People PROCESS Technology

Information Security Maturity: 1998 18% 2% 0% (Re-) Establish Security Team Develop New Policy Set Initiate Strategic Program Design Architecture Institute Processes Track Technology and Business Change Continuous Process Improvement Maturity 80% time NOTE: Population distributions represent typical, large G2000-type organizations Awareness Phase Corrective Phase Operational Excellence Phase Blissful Ignorance Conclude Catch-Up Projects Review Status Quo

Information Security Maturity: 2002 Awareness Phase Corrective Phase Operational Excellence Phase Blissful Ignorance Maturity time 28% Track Technology and Business Change Continuous Process Improvement 2% Conclude Catch-Up Projects Design Architecture Institute Processes 10% Initiate Strategic Program Develop New Policy Set Review Status Quo 60%

Information Security Maturity: 2006 (Re-) Establish Security Team Initiate Strategic Program Institute Processes Conclude Catch-Up Projects Track Technology and Business Change Continuous Process Improvement Maturity time 15% 5% Review Status Quo 50% 30% Develop New Policy Set Design Architecture Awareness Phase Corrective Phase Blissful Ignorance Operational Excellence Phase Duration 3+ years

Don’t spend 10 dollars to protect 5 dollars Zero risk is a fallacy Silver bullets don’t work Security Fortune Cookies

That’s all folks!

That’s all folks!