© 2015 IBM Corporation

10 Security Essentials Every CxO Should Know

Glen Holland, Privacy and Security Consultant, IBM Security
Wendy Terrien, Senior Product Manager, IBM Security Services
Today’s panelists

Wendy Terrien, Senior Product Manager, IBM Security
Email: wbterrie@us.ibm.com

Glen Holland, IBM Security and Privacy Consultant, IBM Security
Email: glen.r.Holland@us.ibm.com
Agenda
•  Welcome and Intros
•  Market Landscape
•  Security Program Essentials: The 10 Best Practices
•  How IBM Can Help
•  Q+A
Security is a board room discussion, and security leaders are more accountable than ever before

Concerns across the C-suite (CEO, CFO/COO, CIO, CHRO, CMO):
•  Loss of market share and reputation
•  Legal exposure
•  Audit failure
•  Fines and criminal charges
•  Financial loss
•  Loss of data confidentiality, integrity and/or availability
•  Violation of employee privacy
•  Loss of customer trust
•  Loss of brand reputation

Source: Discussions with more than 13,000 C-suite executives as part of the IBM C-suite Study Series
What is happening in the threat landscape: the challenges of keeping up with a perpetually evolving cyber security environment

•  61% of organizations say data theft and cybercrime are the greatest threats to their reputation (2012 IBM Global Reputational Risk & IT Study)
•  Average data breach in the US cost $6.5 million (2015 Cost of Data Breach Study: Global Analysis, Ponemon Institute)
•  80% of enterprises have difficulty finding the security skills they need (2013 Forrester Consulting, “Surviving the Technical Security Skills Crisis”)
•  85 tools from 45 vendors (IBM client example)
•  70% of security execs are concerned about cloud and mobile security (2013 IBM CISO Survey)
•  Mobile malware is affecting 11.6M mobile devices (IBM X-Force® Threat Intelligence Quarterly 1Q 2015)
For the average client, IBM filters 81,342,747 security events to identify the 109 security incidents that can potentially do harm.

Annual security events, attacks and incidents (source: IBM 2015 Cyber Security Intelligence Index):

                              2013          2014
  Events                 91,765,453    81,342,747
  Attacks                    18,856        12,017
  Incidents                     109           109
  Incident-to-attack ratio    0.65%         0.91%

Definitions:
•  Event: activity on a system or network detected by a security device or application.
•  Attack: malicious activity attempting to collect, disrupt or destroy information or system resources.
•  Incident: an attack serious enough to warrant deeper investigation.
Understanding the essential practices is critical to creating a more effective and actionable security leadership capability

An effective and actionable security leadership capability informs critical business decisions, such as:
•  What security capabilities do I need to help better manage risk, protect competitiveness, support new business models, and better manage compliance?
•  What are current exposures, and what risks should the business address?
•  What security roadmap will help my business grow and operate safely, now and in the future?
•  How do I automate and integrate to provide actionable intelligence?
•  How do I effectively communicate security?
•  Am I allocating resources and governing to the right issues?
Key imperatives can help you understand and address these threats, and protect the business:
1. Understand security essentials
2. Assess security maturity
3. Determine critical gaps and prioritize actions
Imperative 1: Understand security essentials

Based on extensive experience, IBM has outlined 10 essential practices for a stronger security posture:
1. Build a risk-aware culture and management system
2. Establish intelligent security operations and rapid threat response
3. Secure collaboration in social and mobile workplace
4. Develop security-rich products, by design
5. Manage IT hygienically
6. Create a security-rich and resilient network
7. Address security complexity of cloud and virtualization
8. Manage third-party security compliance
9. Assure data security and privacy
10. Manage the digital identity lifecycle
Imperative 2: Assess security maturity

We can leverage this knowledge base with a maturity model to assess your company versus best practices.

Capability maturity model (CMM) levels, running from reactive to proactive and from manual to automated:
1. Initial: Process is ad hoc, even chaotic. Few processes are defined, and success depends on individual effort and heroics.
2. Repeatable: Basic project management processes are established, and process discipline is in place to repeat earlier successes.
3. Defined: Processes are documented, standardized and integrated into all processes for the organization.
4. Managed: Detailed measures of the process and its outputs are collected, quantitatively understood and controlled.
5. Optimizing: Continuous process improvement is enabled by quantitative feedback from the processes.
Imperative 3: Determine critical gaps and prioritize actions

Desired states and critical gaps can then be determined and actions prioritized to address and close them. Security posture reviews and maturity gap analyses inform prioritized action plans and strategic roadmaps.
The 10 Essential Practices

Essential practices 1 and 2

Practice 1: Build a risk-aware culture and management system
•  Management of IT and security risk across the company
•  Risk process identification and remediation
•  Communication and education
•  Policies, measurements and tools

Practice 2: Establish intelligent security operations and rapid threat response
•  Incident management and response
•  Incident handling policy and process
•  Security intelligence and forensic tooling
•  Security Information and Event Management (SIEM)
•  Security operations roles and responsibilities
Essential practices 3 and 4

Practice 3: Secure collaboration in social and mobile workplace
•  BYOD (bring your own device) and social media
•  Business and personal data segmentation
•  Secure end-user computing platforms
•  Endpoint security across all workstations, laptops and smart devices
•  Business, client and personal data isolation and protection

Practice 4: Develop secure products, by design
•  SDLC (software development lifecycle) security policy and governance
•  Embedded security in the design process
•  Ethical hacking and penetration testing of applications
•  Implement secure interfaces and COTS (commercial off-the-shelf) solutions
Essential practices 5 and 6

Practice 5: Manage IT hygienically
•  IT infrastructure components inventory
•  Retiring legacy components
•  Routine health checks
•  Data integration compliance
•  Patch management compliance
•  Scanning and compliance testing functions

Practice 6: Create a security-rich and resilient network
•  Network threat protection
•  Malicious network activity detection
•  Filtering, logging, monitoring and advanced analytics solutions
•  Network infrastructure optimization
Essential practices 7 and 8

Practice 7: Address security complexity of cloud and virtualization
•  Better secure cloud services
•  Security controls of cloud providers
•  Vulnerabilities of cloud architecture, policies and practices
•  Defined cloud security objectives

Practice 8: Manage third-party security compliance
•  M&A (mergers and acquisitions), joint ventures, divestitures
•  3rd-party vendors’ risk policies and practices
•  Education on 3rd-party compliance policies and processes
•  Education on incident handling and reporting
Essential practices 9 and 10

Practice 9: Assure data security and privacy
•  Data classification
•  Data protection and privacy strategy and technologies
•  Data loss prevention
•  Data management architecture
•  Data security policy and governance

Practice 10: Manage the digital identity lifecycle
•  Identity and access management
•  Standard, policy-based control mechanisms
•  Intelligent monitoring
•  Separation of duties management
•  Single sign-on
We have helped clients across industries implement the Essential Practices

Case study: Bank enhances compliance and security posture

Client requirements:
The bank needed to ensure compliance with the central bank of the Netherlands and increase control and visibility of its security posture. Top priorities were to enhance intrusion prevention logging and monitoring capabilities, to verify the effectiveness of system investments, and to develop a strong partnership with a managed security services provider.

Solution:
To meet the bank’s solution requirements, IBM provided managed security services through which the bank was able to comply with its security policies and regulatory mandates. Outsourcing its logging and monitoring tasks provided increased control and visibility over the client’s security posture.

Benefits:
•  Helps achieve compliance with regulatory requirements
•  Increases control and visibility over security posture
•  Provides enhanced capability to solve complex or ongoing security challenges with help from IBM security experts

Industry: Banking
Location: The Netherlands

Solutions and services provided:
Software:
•  IBM Security QRadar SIEM
•  IBM Security Network Intrusion Prevention System
•  IBM Security Network Protection
Services:
•  IBM Managed Security Services
IBM can help clients design more effective IT risk and security organizations

IBM Security Strategy, Risk and Compliance Services:
•  Automated IT Risk Management Services: help clients increase risk visibility, streamline compliance reporting and reduce the cost of ongoing management
•  Security Strategy and Planning Services: provide a methodical and efficient approach to a client’s security program to help reduce the time, cost and resources needed to plan and deploy a comprehensive strategy
•  Risk & Compliance Management Services: bring a “big picture” approach to assessing and managing risks across a variety of regulatory requirements
•  SAP Security Services: increase clients’ security across their ERP infrastructure and data by assessing the vulnerabilities and compliance risks
•  Critical Infrastructure Security Services: enable clients who use industrial control systems (ICS) to better operate their critical infrastructure, and help protect the infrastructure from cyber threats
•  Cloud Security Strategy Consulting: define the client’s cloud initiatives and goals, identify associated security and privacy risks while assessing cloud computing scenarios, and outline risk mitigation strategies
Next steps
•  Download the interactive whitepaper “ABCs of Security Strategy”
•  Visit ibm.com/services/security to learn how IBM Security Services can help protect your organization
•  Watch the 10 Essential Practices video series on YouTube
•  133 countries where IBM delivers managed security services
•  20 industry analyst reports rank IBM Security as a LEADER
•  TOP 3 enterprise security software vendor in total revenue
•  10K clients protected, including 24 of the top 33 banks in Japan, North America, and Australia

Learn more about IBM Security
•  Visit our web page: IBM.com/Security
•  Watch our videos: IBM Security YouTube Channel
•  View upcoming webinars & blogs: SecurityIntelligence.com
•  Follow us on Twitter: @ibmsecurity
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or
both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on
others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM
systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU

www.ibm.com/security
