This document discusses common challenges with information security from the perspective of various executives and IT professionals. It highlights issues such as lack of management support and understanding of security, non-compliance with security policies, insufficient resources and budget for security programs, and people being the weakest link for attacks. The document also emphasizes the importance of education, governance, risk management, project management, performance measurement, and regular reviews to effectively manage information security risks.

1. Information Security
(un)awareness
Marc Vael
International Vice-President

2. “My management
just does not “get”
information
security!”
Anonymous CISO of a large financial institution

3. “I am overwhelmed with
all the passwords I have
to remember. I just write
them down & leave them
with my executive
assistant.”
Anonymous manager working in an insurance company

4. “Management has
authorized acquisition of
security monitoring tools,
but they did not give me
any budget for people to
do this monitoring.”
Anonymous CISO of a multinational service organisation

5. “Sure, I support
information security,
but my people need to
work and make money.”
Anonymous CEO of a retailer

6. “Our information security
department keeps getting
more tools, but I do not
think we are any more
secure.”
Anonymous CRO of a large financial institution

7. “Security policy is one
thing. Reality is another.”
Anonymous COO from a consulting company

8. “All that information
security people do is
say “No!”.
They should learn how
we really work.
Angry manager of a governmental agency

16. Cyberwarfare is
"the fifth domain of
warfare“

17. Impact of an attack on the business

21. People are the weakest link.
You can have the best technology,
firewalls, intrusion-detection systems,
biometric devices - and somebody
can call an unsuspecting employee.
That's all she wrote, baby.
They got everything.
Kevin Mitnick, ex hacker, IT security consultant.

24. Business Model for Information Security

30. Managing risks appropriately

31. Risk always exists!
(whether or not it is
detected / recognised
by the organisation).

33. EDUCATION!

38. Corporate governance : ERM = COSO
Support from Board of Directors &
Executive Management

39. Policies & Standards

40. Project Management

41. Providing proper funding

42. Providing proper resources

43. Measuring performance

44. Review / Audit

46. Your security solution
is as strong …
… as its weakest link

49. www.isaca.org/knowledgecenter

51. www.isaca.org/cobit

52. For more information…
Marc Vael
International Vice-President
Chairman of the Knowledge Board
ISACA
http://www.isaca.org/
marc@vael.net
http://www.linkedin.com/in/marcvael
@marcvael