Managing Corporate Information Security Risk in Financial Institutions Mark Curphey and Bill Hau
Have you ever been hacked?
Could you have ever been hacked?
Would you know?
Would you REALLY know?
Agenda
How did others answer our survey?
What does security mean anyway? Confidentiality, integrity and authenticity (C.I.A.)
ALWAYS REMEMBER: You are not in business to run a secure network or build secure software; you are in business to run a secure enough network and build secure enough software.
What is security risk? R = V x T x BI
Risk ($) = Vulnerabilities (#) x Threats (%) x Business Impact ($)
Today's Information Security Departments: security people as the thought police
Security people are from Mars, business people are from Venus
“In the future everyone will have their 15 minutes of fame” – Andy Warhol
NEWS FLASH: The world is not falling down because of cross site scripting. Security < Performance < Functionality. Start caring about the important stuff (before security becomes ignored).
Security people like gadgets and kudos, business people like numbers and money
A fool with a tool … is still a fool
News for people who run tools
China!
Traditional security departments are dead (or dying fast), so traditional security people are becoming less relevant
Stop stopping. Security as a business enabler. Start facilitating.
So What Should Companies Be Doing? People, Process, Technology
[Chart: Information Security Maturity, 1998. Axes: Maturity vs. time. Phases: Blissful Ignorance, Awareness Phase, Corrective Phase, Operational Excellence Phase. Steps: Review Status Quo, (Re-)Establish Security Team, Develop New Policy Set, Initiate Strategic Program, Design Architecture, Institute Processes, Conclude Catch-Up Projects, Track Technology and Business Change, Continuous Process Improvement. Population distribution labels: 80%, 18%, 2%, 0%. NOTE: Population distributions represent typical, large G2000-type organizations.]
[Chart: Information Security Maturity, 2002. Same axes, phases and steps. Population distribution labels: 60%, 28%, 10%, 2%.]
[Chart: Information Security Maturity, 2006. Same axes, phases and steps. Population distribution labels: 30%, 50%, 15%, 5%. Duration: 3+ years.]
Security Fortune Cookies: Don’t spend 10 dollars to protect 5 dollars. Zero risk is a fallacy. Silver bullets don’t work.