Managing Corporate Information Security Risk in Financial Institutions

Asia Business Forum. Audit type audience.

Published in: Business, Technology
  • Managing Corporate Information Security Risk in Financial Institutions

    1. Managing Corporate Information Security Risk in Financial Institutions. Mark Curphey and Bill Hau
    2. Have you ever been hacked?
    3. Could you have ever been hacked?
    4. Would you know?
    5. Would you REALLY know?
    6. Agenda
       • What is information security?
       • What is security risk?
       • What does a typical security program look like today?
       • Why is that wrong?
       • What’s a better approach?
         • ISBPM
    7. How did others answer our survey?
    8. What does security mean anyway? Confidentiality, integrity and authenticity (C.I.A.)
    9. ALWAYS REMEMBER: You are not in business to run a secure network or build secure software; you are in business to run a secure-enough network and build secure-enough software.
    10. What is security risk? R = V x T x BI
    11. Risk ($) = Vulnerabilities (#) x Threats (%) x Business Impact ($)
    12. Today's Information Security Departments: security people as the thought police
    13. Security people are from Mars, business people are from Venus
    14. “In the future everyone will have their 15 minutes of fame” – Andy Warhol
    15. NEWS FLASH: The world is not falling down because of cross-site scripting. Security < Performance < Functionality. Start caring about the important stuff (before security becomes ignored).
    16. Security people like gadgets and kudos, business people like numbers and money
    17. A fool with a tool … is still a fool
    18. News for people who run tools
    19. China!
    20. China!
    21. China!
    22. China!
    23. Traditional security departments are dead (or dying fast), so traditional security people are becoming less relevant
    24. Stop stopping. Security as a business enabler: start facilitating.
    25. So What Should Companies Be Doing? People, PROCESS, Technology
    26. Information Security Maturity: 1998. [Chart: Maturity vs. time. Phases: Blissful Ignorance, Awareness Phase, Corrective Phase, Operational Excellence Phase. Milestones: Review Status Quo, (Re-) Establish Security Team, Develop New Policy Set, Initiate Strategic Program, Design Architecture, Institute Processes, Conclude Catch-Up Projects, Track Technology and Business Change, Continuous Process Improvement. Population percentages shown: 80%, 18%, 2%, 0%. NOTE: Population distributions represent typical, large G2000-type organizations.]
    27. Information Security Maturity: 2002. [Chart: same phases and milestones as the 1998 chart. Population percentages shown: 60%, 28%, 10%, 2%.]
    28. Information Security Maturity: 2006. [Chart: same phases and milestones as the 1998 chart. Population percentages shown: 50%, 30%, 15%, 5%. Duration 3+ years.]
    29. Security Fortune Cookies: Don’t spend 10 dollars to protect 5 dollars. Zero risk is a fallacy. Silver bullets don’t work.
    30. That’s all folks!
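The risk formula on slide 11 (Risk ($) = Vulnerabilities (#) x Threats (%) x Business Impact ($)) and the "don't spend 10 dollars to protect 5 dollars" rule on slide 29 are easier to put to work as a small risk register. The following is an added example, not code from the deck or its authors; the asset names, vulnerability counts, likelihoods and dollar figures are constructed sample data, and the helper names (`Asset`, `risk_dollars`, `rank_by_risk`, `control_is_worth_it`) are my own.

```python
"""Risk register built on the deck's formula R = V x T x BI.

Added example with constructed sample data; none of the figures come from the slides.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    """One row of the register (hypothetical structure, not from the deck)."""
    name: str
    vulnerabilities: int      # V: count of known, unmitigated weaknesses (#)
    threat_likelihood: float  # T: probability a threat exploits one of them, 0.0..1.0 (%)
    business_impact: float    # BI: loss to the business if it happens ($)


def risk_dollars(asset: Asset) -> float:
    """Slide 11 verbatim: Risk ($) = Vulnerabilities (#) x Threats (%) x Business Impact ($)."""
    if not 0.0 <= asset.threat_likelihood <= 1.0:
        raise ValueError(f"{asset.name}: threat likelihood must be a probability, got {asset.threat_likelihood}")
    if asset.vulnerabilities < 0 or asset.business_impact < 0:
        raise ValueError(f"{asset.name}: vulnerability count and impact cannot be negative")
    return asset.vulnerabilities * asset.threat_likelihood * asset.business_impact


def rank_by_risk(register: list[Asset]) -> list[tuple[str, float]]:
    """Highest-risk assets first: this is the 'important stuff' the deck says to care about."""
    return sorted(((a.name, risk_dollars(a)) for a in register), key=lambda pair: pair[1], reverse=True)


def control_is_worth_it(asset: Asset, control_cost: float, residual_vulnerabilities: int) -> bool:
    """Slide 29's fortune cookie as a check: a control only pays off when it costs less
    than the risk it removes (the difference between risk before and risk after).
    Note that it never drives risk to zero; 'zero risk is a fallacy'."""
    before = risk_dollars(asset)
    after = risk_dollars(replace(asset, vulnerabilities=residual_vulnerabilities))
    return control_cost < before - after


# Constructed sample register (illustrative numbers only).
SAMPLE_REGISTER = [
    Asset("online banking portal", vulnerabilities=4, threat_likelihood=0.25, business_impact=2_000_000),
    Asset("internal wiki", vulnerabilities=12, threat_likelihood=0.50, business_impact=5_000),
    Asset("payments gateway", vulnerabilities=1, threat_likelihood=0.05, business_impact=50_000_000),
]


if __name__ == "__main__":
    for name, risk in rank_by_risk(SAMPLE_REGISTER):
        print(f"{name:24s} ${risk:>14,.0f}")
    wiki, portal = SAMPLE_REGISTER[1], SAMPLE_REGISTER[0]
    # A $40,000 fix for the wiki removes at most $30,000 of risk: the 10-to-protect-5 trap.
    print("wiki control worth it?  ", control_is_worth_it(wiki, control_cost=40_000, residual_vulnerabilities=0))
    # A $150,000 fix that leaves one weakness on the portal still removes $1.5M of risk.
    print("portal control worth it?", control_is_worth_it(portal, control_cost=150_000, residual_vulnerabilities=1))
```

The point the ranking makes is the deck's own: the asset with the most vulnerabilities (the wiki, with twelve) is the least risky in dollar terms, while a single weakness on the high-impact gateway dominates the register. Counting findings from a tool, without the threat and impact terms, would have produced the opposite ordering.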
