Does IT Security Matter?

The title comes from a list of conclusions I gave at a presentation called Does IT Security Matter? just before Christmas in 2007. The wonderful thing about the writing process is that every now and again you hit upon a pithy phrase like that which communicates so much. But it's like mining for gold - you have to move a lot of earth to find the nuggets.

Published in: Technology, Business
  1. Does IT Security Matter?
     Dr. Luke O’Connor
     Group IT Risk, Zurich Financial Services, Switzerland
     Faculty of Information Technology, QUT
     November 27th, 2007
  2. Outline
     • A bit about Zurich and myself
     • Nicholas Carr and knowing your neighbours
     • Security Tectonics
     • The Explanation is Mightier than the Action
     • Risk and the New Math
     • Final Grains of Wisdom
  3. Introduction to Zurich
     • Offices in North America and Europe as well as in Asia Pacific, Latin America and other markets
     • Servicing capabilities to manage programs with risk exposure in more than 170 countries
     • Approximately 58,000 employees worldwide
     • Insurer of the majority of Fortune’s Global 100 companies
     • Net income attributable to shareholders of USD 4.5 billion in 2006
     • Business operating profit of USD 5.9 billion in 2006
  4. My Background
     • Industrial Research (6 yr): what people might want
     • Consulting (5 yr): what people say they want
     • In house (2 yr): what people expect
     (Security) … (Risk)
  5. Service Providers
     Stakeholder diagram; its labels:
     • G-IT Risk stakeholders: Zurich Business (Business A, B, C, x via Account Exec A, B, C, x); Service Providers (Supplier A, B, x); Group functions (Finance, Sourcing, Audit, Compliance, Legal, Risk); G-IT support functions (GITAG, Process/QM, GSM, G-ISP); External functions (Industry Bodies & Suppliers)
     • GITR capabilities: Investigations; Project risk management; Service risk management
     • GITR Partner Focus: co-operate; consume information and services; primary interface for G-IT
  6. Does IT Matter?
     • Carr, N, “IT Doesn’t Matter”, Harvard Business Review, Vol 81, 5, May 2003
     • Carr, N, “Does IT Matter?”, 2004
     “IT doesn’t matter and can’t bring strategic advantage at present!”
     • Spend less
     • Follow, don’t lead
     • Focus on vulnerabilities, not on opportunities
     • IT management should become “boring”
     • Manage risks and costs
  7. Good Neighbours, but Good Friends?
  8. The Continental Drift of C, I, A
     CIA, better known to business as “Call in Accenture”
  9. The Explanation is Mightier Than the Action
     Security / Business
  10. Security Bingo
  11. Notable Security Setbacks
     • Regulatory Frameworks over Security Frameworks (SOX over 7799)
     • Excel over FUD (Fear, Uncertainty and Doubt)
     • Reactive over Proactive
     • SLAs over Security Program
     • Commercial over Military
  12. The New-ish Security Model: From Castle to Airport
     Castle: Security mechanisms are static and difficult to change.
     Airport: Security mechanisms are dynamic and responsive to threats.
     Castle: Reliance on a few mechanisms. Castle walls are impregnable. Once inside, security mechanisms are minimal.
     Airport: Uses multiple overlapping technologies for defence in depth.
     Castle: Known community have unrestricted access within security boundary.
     Airport: Security must be maintained whilst an unknown population traverse. Security of inclusion (ensuring the right people have access to the right resources) and security of exclusion (ensuring that assets are protected). Use of roles to determine security requirements.
     Castle: Silo mentality in organisation.
     Airport: Requires an open, co-ordinated, global approach to security.
  13. The next Big Thing: Network Access Control (NAC)
     How do you sell this to your IT Department or Business?
  14. From Security …
     Objectives (Perceived): ISO 17799; ISF; Cobit; NIST; your Policies and Standards; etc.
     Controls (Desired): ISO 17799; ISF; Cobit; NIST; your Service Catalogue; etc.
     Testing (Reality): Documentation; Questionnaires; Interviews; Demonstrations; Inspections; Tooling; 3rd Party Analysis
     Report (The Plan): Control Effectiveness; Compliance; Risk; Mitigation; Priorities
  15. … to Risk
     Description: What could happen?
     Trigger: How could it happen?
     Consequence: What is the impact?
     Probability: How often?
     Severity: How bad?
  16. Controls as Risk (as is)
     Control Assessment (e.g. CoBIT): Controls C1, C2, C3, C4, each rated Effective / Needs Improvement / Not Effective against a Control Objective
     Control Objective → Risk? Risk? Risk? NO!
     Risk Scenarios are reformulations of control deficiencies (gaps)
     Control gaps are potential triggers of Risk
  17. IT Risk – Components
     IT Projects Risk:
     • Financial & Resources
     • Compliance & Audit
     • Contract & Supplier Mgmt
     • IT Architecture & Strategy
     • IT Project Management Risks
     • Facilities & Environment
     • IT Operations & Support
     • Time to Deliver
     • IT Security
     IT Services Risk:
     • Service Level Management
     • Capacity Planning
     • Contingency Planning
     • Availability Management
     • Cost Management
     • Configuration Management
     • Problem Management
     • Change Management
     • Help Desk
     • Software Control & Distribution
     • IT Security
  18. Zurich’s IT Risk Management Framework
     Flow diagram, steps 1 to 5:
     1) The ABC (Assessment of Business Criticality) risk analysis prioritizes resources. The object to be assessed goes through ABC. Below threshold: no further analysis; apply Policies and Standards. Above threshold: proceed to 2 or 3.
     2) Project: Project Risk Tool; risk assessment within the PMO process (optimised risk analysis for projects).
     3) Service: Service Risk Tool; facilitated assessments and self-assessments (optimised risk analysis for services).
     Risk Consulting: Project Risk Consulting Services; IT Security Risk Assessments.
     4) Group IT Risk Register (Central): the risk register provides a single global data store for analysis and reporting.
     5) Reporting, Escalation and Action Monitoring: Group IT Risk Reporting Dashboard; actions monitoring; QRR.
  19. Relation to Operational Risk
  20. Conclusion: Does IT Security Matter?
     • IT Security in general is not an end in itself
     • IT Security is one area competing for attention and funding, amongst many
     • If you don’t make IT security matter, it won’t
     • Keeping business secure is the main end
     • Focus on securing business processes, not the process of securing
     • Excel is your new best friend
     • Make your spreadsheets work with their spreadsheets
     • A risk-based approach is the opportunity to speak business language
     • Don’t replace FUD with GIGO (garbage in, garbage out)
  21. Over to you
