The document discusses information security risk management in financial institutions. It begins by asking if the reader has ever been hacked and discusses the components of a typical security program. It notes that security programs should focus on facilitating the business rather than just securing systems. The document then discusses how security risk is calculated based on vulnerabilities, threats, and business impact. It outlines the evolution of information security maturity from 1998 to 2006, showing a shift from reactive approaches to more proactive continuous improvement processes. Finally, it leaves the reader with some brief security-related tips and sayings.

1. Managing Corporate Information Security Risk in Financial Institutions Mark Curphey and Bill Hau

2. Have you ever been hacked?

3. Could you have ever been hacked?

4. Would you know?

5. Would you REALLY know?

7. How did others answer our survey?

8. What does security mean anyway? confidentiality, integrity and authenticity C.I.A

9. ALWAYS REMEMBER You are not in business to run a secure network or building secure software, you are in business to running a secure enough network and build secure enough software

10. What is security risk? R = V x T x BI

11. Risk ($) = Vulnerabilities (#) x Threats (%) x Business Impact ($)

12. security people as the thought police Today's Information Security Departments

13. Security people are from Mars , business people are from Venus

14. “ In the future everyone will have their 15 minutes of fame” – Andy Warhol

15. NEWS FLASH: The world is not falling down because of cross site scripting Security < Performance < Functionality Start caring about the important stuff (before security becomes ignored)

16. Security people like gadgets and kudos , business people like numbers and money

17. A fool with a tool … .is still a fool

18. News for people who run tools

19. China!

20. China!

21. China!

22. China!

23. traditional security departments are dead (or dying fast) so traditional security people are becoming less relevant

24. Stop stopping security as a business enabler Start facilitating

25. So What Should Companies Be Doing? People PROCESS Technology

26. Information Security Maturity: 1998 18% 2% 0% (Re-) Establish Security Team Develop New Policy Set Initiate Strategic Program Design Architecture Institute Processes Track Technology and Business Change Continuous Process Improvement Maturity 80% time NOTE: Population distributions represent typical, large G2000-type organizations Awareness Phase Corrective Phase Operational Excellence Phase Blissful Ignorance Conclude Catch-Up Projects Review Status Quo

27. Information Security Maturity: 2002 Awareness Phase Corrective Phase Operational Excellence Phase Blissful Ignorance Maturity time 28% Track Technology and Business Change Continuous Process Improvement 2% Conclude Catch-Up Projects Design Architecture Institute Processes 10% Initiate Strategic Program Develop New Policy Set Review Status Quo 60%

28. Information Security Maturity: 2006 (Re-) Establish Security Team Initiate Strategic Program Institute Processes Conclude Catch-Up Projects Track Technology and Business Change Continuous Process Improvement Maturity time 15% 5% Review Status Quo 50% 30% Develop New Policy Set Design Architecture Awareness Phase Corrective Phase Blissful Ignorance Operational Excellence Phase Duration 3+ years

29. Don’t spend 10 dollars to protect 5 dollars Zero risk is a fallacy Silver bullets don’t work Security Fortune Cookies