Meraj Ahmad - Information security in a borderless world

Presentation Transcript

    • Information security in a borderless world
      Time for a re-think: Transform your security program to improve business performance
      The 3rd Kuwait Information Security Conference
      25 - 26 May 2011
    • Meraj Ahmed
      Partner, Advisory Services Kuwait
      Technology Sector Leader, Ernst & Young – Middle East & North Africa
      Meraj is a partner in Ernst & Young MENA and leads the Technology Sector for this region.
      He has extensive international experience in IT governance and strategy, technology management and enablement, and IT risk and security, gained during more than 25 years of advisory services experience, of which 15 have been in regional leadership roles. He has worked widely within the public/government, financial and telecom sectors.
      Meraj earned his MBA from the Wharton Business School, University of Pennsylvania, and has been a speaker at numerous international and regional seminars and conferences.
    • Introduction
      Over the last year, we have witnessed a significant increase in the use of external service providers and the business adoption of new technologies such as cloud computing, social networking and Web 2.0.
      We have also seen technology advances that have provided an increasingly mobile workforce with seemingly endless ways to connect and interact with colleagues, customers and clients. Together, these changes are extending the enterprise, blurring the lines between home and office, co-worker and competitor and removing the traditional enterprise boundaries.
      It is within this changing business environment that our 2010 Global Information Security Survey specifically examines how organizations are adapting and addressing their information security needs.
    • Insights on information security
      60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices at work.
      Only 52% of organizations indicate that data leakage is a top “new” or increased risk.
      87% of organizations believe that damage to reputation and brand is the most significant issue related to data loss.
      Yet only 10% of respondents indicated that examining new and emerging trends is a very important activity for the information security function.
      61% are not making policy adjustments or increasing security awareness to address these new threats.
      Source – Ernst & Young’s 2010 Global Information Security Survey
    • Borderless security: new technology means new risk
      Given current trends toward the use of such things as social networking, cloud computing and personal devices in the enterprise, have you seen or perceived a change in the risk environment facing your organization?
      60% of respondents perceived an increase in the level of risk they face due to the use of social networking, cloud computing and personal devices in the enterprise.
      Chart shown: percentage of participants
    • Mobile computing: organizations are recognizing the increased risks associated with mobile computing and are taking steps to address the issues
      Compared to the previous year, does your organization plan to spend more, less or relatively the same amount over the next year for the following activities?
      50% of respondents plan on spending more over the next year on data leakage/data loss prevention technologies and processes.
      Chart shown: percentage of participants
    • Cloud computing: risks associated with cloud computing are not going undetected and must be addressed before business applications are moved to a public cloud
      Which of the following “new” or increased risks have you identified?
      39% of respondents cited the loss of visibility of what happens to company data as an increasing risk when using cloud-based solutions.
      Note: multiple responses permitted
      Chart shown: percentage of participants
    • Social media: few companies have thoroughly examined the social media issue and developed an approach that will balance the business opportunity with the risk exposure
      How important is information security in supporting the following activities in your organization?
      Only 10% of respondents indicated that examining new and emerging IT trends was a very important activity for the information security function to perform.
      Chart shown: percentage of participants
    • Our perspective
      Borderless security
      • Establish a comprehensive IT risk management program that identifies and addresses the risks associated with new and emerging technologies.
      • Undertake a risk assessment exercise to identify potential exposure and put in place appropriate risk-based responses.
      • Take an “information-centric” view of security, which is better aligned with the organization’s business and information flows.
      Mobile computing
      • Increase the investment in data leakage prevention technologies, encryption and identity and access management solutions — focusing on the people who use the technology.
      • Gain an understanding of the risks created by the use of new technologies — including technologies adopted personally by employees that may be used for business purposes.
      • Review information security policies and adjust them appropriately to establish acceptable use and any specific restrictions related to mobile computing devices.
      • Increase security awareness training activities for the mobile workforce.
      • Push enterprise security out to end-point devices to protect critical business information and provide better alignment with the organization’s risk profile.
      Cloud computing
      • Assess the legal, organizational and technological risks as well as the security issues related to placing information into the public cloud.
      • Develop a company strategy, a governance model and an operational approach to cloud computing use, including the information security function to help define policies and guidelines.
      • Set standards and minimum requirements to enable your organization to adopt cloud computing in as secure a manner as possible.
      Social media
      • Provide the online communities and social collaboration tools that the new workforce expects, but do so with a view that aligns enterprise requirements with personal responsibility to protect sensitive business information.
      • Raise security awareness and personal responsibility to levels that have not been achieved before.
      • Inform every member of the organization on the risks and issues related to social media.
    • Transforming your security program
    • Begin a process to transform your security program
      Scan the internal and external environment
      Step 1: Focus on current business drivers relevant to security and privacy
      Step 2: Gain management and external perspective on pressing IT and security/compliance issues
      Define goals and evaluate posture
      Step 3: Set security transformation goals
      Step 4: Diagnose current state vs. goals and identify gaps
      Develop a transformation road map
      Step 5: Identify short-term “wins” and long-term objectives
      Step 6: Document expected outcomes, sequence activities and summarize the program road map
    • Transform your security program to improve business / operational performance
      Identify the real risks
      • Define the organization’s overall risk appetite and how information risk fits
      • Identify the most important information and applications, where they reside and who has or needs access
      • Assess the threat landscape and develop predictive models highlighting your real exposures
      Protect what matters most
      • Develop a security strategy focused on business drivers and protecting high-value data
      • Assume breaches will occur — improve processes that plan, protect, detect and respond
      • Balance fundamentals with emerging threat management
      • Establish and rationalize access control models for applications and information
      Enable business performance
      • Make security everyone’s responsibility
      • Don’t restrict newer technologies; use the forces of change to enable them
      • Broaden the program to adopt enterprise-wide information risk management concepts
      • Set security program goals and metrics that influence business performance
      Sustain an enterprise program
      • Get governance right — make security a board-level priority
      • Allow good security to drive compliance, not vice versa
      • Measure leading indicators to catch problems while they are still small
      • Accept manageable risks that improve performance
      Optimize for business performance
      • Align all aspects of security (information, privacy, physical and business continuity) with the business
      • Spend wisely in controls and technology — invest more in people and processes
      • Consider selectively outsourcing operational security program areas
      Diagram labels: Security transformation goals; Current state; Pressing IT and security issues; Key business drivers; Needed or in-process improvements; Short-term; Long-term
    • Framework to enable your security program to address business / operational needs
      Diagram labels: Security risk governance & risk management; Risk culture; Policy framework; Governance; Integrated security program; Key business drivers; Integrated capabilities; External challenges; Internal Audit; Compliance; Reporting and metrics; Business-level performance
    • Transform your security program to improve business performance
      Five questions for the C-suite
      • Do you know how much damage a security breach can do to your reputation or brand?
      • Are internal and external threats considered when aligning your security strategy to your risk management efforts?
      • How do you align key risk priorities in relation to your spending?
      • Do you understand your risk appetite and how it allows you to take controlled risks?
      • How does your IT risk management strategy support your overall business strategy?
      Diagram labels: Identify the real risks; Protect what matters most; Enable business performance; Sustain an enterprise program; Optimize for business performance
    • Identify the real risks
      Current practice:
      • Budget and organize a security program focused primarily on meeting immediate compliance needs
      • Protect the perimeter and keep external threats out
      • Focus on entry points, not exit points. A reactive, internally focused posture leads to a constant firefighting mode, addressing the latest threat or incident
      Leading practice:
      • Define the organization’s overall risk appetite and how information risk fits
      • Identify the most important information and applications, where they reside and who has or needs access
      • Assess the threat landscape and develop predictive models highlighting your real exposures
      Questions to consider:
      • What is your organization’s risk culture?
      • Are you detecting and monitoring threats inside and outside the organization?
      • Have you anticipated new technology risks, such as mobile devices, social media and cloud computing?
    • Protect what matters most
      Current practice:
      • Security program budget and organization focused primarily on meeting immediate compliance needs
      • Goal and expectation set to stop all attacks and threats
      • Disproportionate focus on maintaining lower-risk/lower-value security activities
      • User access and roles set up by copying those of the last employee hired
      Leading practice:
      • Develop a security strategy focused on business drivers and protecting high-value data
      • Assume breaches will occur — improve processes that plan, protect, detect and respond
      • Balance fundamentals with emerging threat management
      • Establish and rationalize access control models for applications and information
      Questions to consider:
      • Have you considered automating security controls?
      • Are you using predictive indicators to analyze seemingly legitimate network activity?
      • Are your resources focused on emerging threats?
    • Optimize for business performance
      Current practice:
      • Various security aspects exist in silos and are driven by compliance only
      • The largest portion of the security budget goes to technology solutions
      • Fear of outsourcing anything security-related due to a perceived loss of control, which leaves no capacity to focus on emerging technologies, new threats and new business initiatives
      Leading practice:
      • Align all aspects of security (information, privacy, physical and business continuity) with the business
      • Spend wisely in controls and technology — invest more in people and processes
      • Consider selectively outsourcing operational security program areas
      Questions to consider:
      • Are you balancing spending among key risk priorities?
      • Have you investigated the latent functionality of your existing tools?
      • Are you outsourcing any of your information security?
    • Sustain an enterprise program
      Current practice:
      • Security viewed as a sub-function of IT with little top management visibility
      • Security program budget and organization focused on meeting immediate compliance needs
      • Security metrics and reporting focused on historic trends; inordinate time spent reacting to major incidents
      • Inherent security risk drives priorities; no balanced risk view based on the overall acceptable risk appetite
      Leading practice:
      • Get governance right — make security a board-level priority
      • Allow good security to drive compliance, not vice versa
      • Measure leading indicators to catch problems while they are still small
      • Accept manageable risks that improve performance
      Questions to consider:
      • Are you taking controlled risks rather than striving to eliminate risks altogether?
      • Are your key indicators trailing or leading?
    • Enable business performance
      Current practice:
      • Security viewed as merely a function of the security team
      • Emerging technologies (social media, mobile) banned until they are mature
      • Program focused on perimeter and access management, not on all IT processes or all enterprise information (e.g., business unit, cloud and end-user computing)
      • Security metrics backward-looking and tactical, not linked to goals, outcomes or strategic business drivers
      Leading practice:
      • Make security everyone’s responsibility
      • Don’t restrict newer technologies; use the forces of change to enable them
      • Broaden the program to adopt enterprise-wide information risk management concepts
      • Set security program goals and metrics that impact business performance
      Questions to consider:
      • Do all of the organization’s stakeholders understand the importance of information security?
      • Is your organization up to date with the new technologies hitting the workforce?
      • Does your organization have the right measures to create a scorecard on information security at the enterprise level?
    • Thank You!