The document discusses information security challenges in today's borderless world of increased mobile and cloud computing use. It notes that while organizations recognize new risks from these technologies, many are not adjusting policies or security awareness accordingly. The presentation recommends that organizations establish comprehensive risk management programs, conduct risk assessments, take an information-centric view of security, and increase security controls, awareness and outsourcing to address risks from mobile, cloud and social media use. It also provides a framework to transform security programs to better protect important data and enable business needs.

1. Information security in a borderless worldTime for a re-think: Transform your security programto improve business performanceThe 3rd Kuwait Information Security Conference25 - 26 May 2011

2. Meraj AhmedPartner, Advisory Services KuwaitTechnology Sector Leader, Ernst & Young – Middle East & North AfricaMeraj is a partner in Ernst & Young MENA and leads the Technology Sector for this region. He has extensive international experience in IT governance and strategy, technology management and enablement, and IT risk and security, gained during more than 25 years of advisory services experience, of which 15 have been in regional leadership roles,. He has worked widely within the public/government, financial and telecom sectors.Meraj earned his MBA from the Wharton Business School, University of Pennsylvania, and has been a speaker at numerous international and regional seminars and conferences.

3. IntroductionOver the last year, we have witnessed a significant increase in the use of external service providers and the business adoption of new technologies such as cloud computing, social networking and Web 2.0. We have also seen technology advances that have provided an increasingly mobile workforce with seemingly endless ways to connect and interact with colleagues, customers and clients. Together, these changes are extending the enterprise, blurring the lines between home and office, co-worker and competitor and removing the traditional enterprise boundaries. It is within this changing business environment that our 2010 Global Information Security Survey specifically examines how organizations are adapting and addressing their information security needs.

4. Insights on information security60% of organizations see increased risk from using social networking,cloud computing and personal mobile devices at work.While only 52% of organizations indicate data leakage is a top “new”increased risk.87% of organizations believe the damage to reputation and brand is themost significant issue related to data loss.Yet, only 10% of respondents indicated that examining new and emergingtrends is a very important activity for the information security function.However, 61% are not making policy adjustments or increasing securityawareness to address these new threats.Source – Ernst & Young’s 2010 Global Information Security Survey

5. Borderless securityNew technology means new riskGiven current trends toward the use of such things as social networking, cloud computing and personal devices in the enterprise, have you seen or perceived a change in the risk environment facing your organization? 60% of respondents perceived an increase in the level of risk they face due to the use of social networking, cloud computing and personal devices in the enterprise.Shown: percentage of participants

6. Mobile computingOrganizations are recognizing the increased risks associated with mobile computing and are taking steps to address the issuesCompared to the previous year, does your organization plan to spend more, less or relatively the same amount over the next year for the following activities? 50% of respondents plan on spending more over the next year on data leakage/data loss prevention technologies and processes.Shown: Percentage of participants

7. Cloud computingRisks associated with cloud computing are not going undetected and must be addressed before business applications are moved to a public cloud Which of the following “new” or increased risks have you identified?39% of respondentscited the loss of visibility of what happens to company data as an increasing risk when using cloud-based solutions.Note: Multiple responses permitted Shown: Percentage of participants

8. Social mediaFew companies have thoroughly examined the social media issue and developed an approach that will balance the business opportunity with the risk exposure How important is information security in supporting the followingactivities in your organization? Only 10% of respondents indicated that examining new and emerging IT trends was a very important activity forthe information security function to perform.Shown: Percentage of participants

9. Our perspectiveBorderless securityEstablish a comprehensive IT risk management program that identifies and addresses the risks associated with new and emerging technologies.

10. Undertake a risk assessment exercise to identify potential exposure and put in place appropriate risk-based responses.

11. Take an “information-centric” view of security, which is better aligned with the organization’s business and information flows.

12. Increase the investment in data leakage prevention technologies, encryption and identity and access management solutions — focusing on the people who use the technology.

13. Gain an understanding of the risks created by the use of new technologies — including technologies adopted personally by employees that may be used for business purposes.

14. Information security policies should be reviewed and adjusted appropriately to establish the acceptable use and any specific restrictions related to mobile computing devices.

15. Increase security awareness training activities for the mobile workforce.

16. Push enterprise security out to end-point devices to protect critical business information and provide better alignment with the organization’s risk profile.

17. Assess the legal, organizational and technological risks as well as the security issues related to placing information into the public cloud.

18. Develop a company strategy, a governance model and an operational approach to cloud computing use, including the information security function to help define policies and guidelines.

19. Set standards and minimum requirements to enable your organization to adopt cloud computing in as secure a manner as possible.

20. Provide the online communities and social collaboration tools that the new workforce expects, but do so with a view that aligns enterprise requirements with personal responsibility to protect sensitive business information.

21. Raise security awareness and personal responsibility to levels that have not been achieved before.

22. Inform every member of the organization on the risks and issues related to social media.Mobile computingCloud computingSocial media

23. Transforming your security program

24. Begin a process to transform your security programScan internal and external environmentDefine goals and evaluate postureDevelop transformation road mapStep 1:Focus on current business drivers relevant to security and privacy Step 5:Identify short-term “wins” and long-term objectivesStep 3:Set security transformation goalsStep 2:Gain management and external perspective on pressing IT and security/compliance issuesStep 4:Diagnose current state vs. goals and identify gapsStep 6: Document expected outcomes, sequence activities and summarize program road map

25. Transform your security program to improve business / operational performanceProtect what matters mostIdentify the real risksDevelop a security strategy focused onbusiness drivers and protectinghigh-value data

26. Assume breaches will occur —improve processes that plan, protect,detect and respond

27. Balance fundamentals withemerging threat management

28. Establish and rationalizeaccess control modelsfor applications and information

29. Define the organization’s overall risk appetiteand how information risk fits

30. Identify the most important informationand applications, where they reside and who has or needs access

31. Assess the threat landscape and develop predictive models highlighting your real exposuresEnablebusiness performanceSecurity transformation goalsCurrent statePressing IT andsecurity issuesKey business driversNeeded or in-process improvementsShort-termLong-termMake security everyone’s responsibility

32. Don’t restrict newer technologies; use the forces of change to enable them

33. Broaden program to adopt enterprise-wide information risk management concepts

34. Set security program goals and metrics that influence businessperformance

35. Align all aspects ofsecurity (information,privacy, physical and business continuity)with the business

36. Spend wisely in controls andtechnology — invest more inpeople and processes

37. Consider selectively outsourcing operational security program areas

38. Get governanceright — make securitya board-level priority

39. Allow good security to drivecompliance, not vice versa

40. Measure leading indicators to catch problems while they are still small

41. Accept manageable risks that improve performanceSustain an enterprise programOptimizefor business performance

42. Framework to enable your security programto address business / operational needs Security risk governance & risk managementRisk culturePolicy frameworkGovernanceIntegratedsecurityprogramKey business driversIntegrated capabilitiesExternal challengesInternal AuditComplianceReporting and metrics Business-level performance

43. Transform your security program to improve business performanceFive questions forthe C-suiteDo you know how much damage a security breach can do to your reputation or brand?

44. Are internal and external threats considered when aligning your security strategy to your risk management efforts?

45. How do you align key risk priorities in relation to your spending?

46. Do you understand your risk appetite and how it allows you to take controlled risks?

47. How does your IT risk management strategy support your overall business strategy?Protectwhat matters mostIdentifythereal risksEnablebusiness performanceSustainan enterprise programOptimizefor business performance

48. Identify the real risksBudget and organize a security program focused primarily on meeting immediate compliance needsProtect the perimeter and keep external threats outFocus on entry points, not exit points. Reactive, internally focused posture leads to constant firefighting mode addressing the latest threat or incidentDefine the organization’s overall risk appetite and how information risk fitsIdentify the most important information and applications, where they reside and who has/needs accessAssess the threat landscape and develop predictive models highlighting your real exposuresWhat is your organization’s risk culture?Are you detecting and monitoring threats inside and outside the organization?Have you anticipated new technology risks, such as mobile devices, social media and cloud computing?

49. Protect what matters mostSecurity program budget and organization focused primarily on meeting immediate compliance needsSet goal and expectation to stop all attacks and threatsDisproportionate focus on maintaining lower-risk/lower-value security activitiesUser access and roles are set up based on last employee hiredDevelop a security strategy focused on business drivers and protecting high-value data Assume breaches will occur — improve processes that plan, protect, detect and respondBalance fundamentals with emerging threat managementEstablish and rationalize access control models for applications and informationHave you considered automating security controls?Are you using predictive indicators to analyze seemingly legitimate network activity?Are your resources focused on emerging threats?

50. Optimize for business performanceVarious security aspects exist in silos and are driven by compliance onlyLargest portion of security budget goes to technology solutionsFear of outsourcing anything security-related due to perceived loss of control. This results in the inability to focus on emerging technologies, new threats and new business initiativesAlign all aspects of security (information, privacy, physical and business continuity) with the businessSpend wisely in controls and technology — invest more in people and processes Consider selectively outsourcing operational security program areasAre you balancing spending money among key risk priorities?Have you investigated the latent functionality of your existing tools?Are you outsourcing any of your information security?

51. Sustain an enterprise programSecurity viewed as sub-function of IT with little top management visibilitySecurity program budget and organization focused on meeting immediate compliance needsSecurity metrics and reporting focused on historic trends. Inordinate time spent on reacting to major incidentsInherent security risk drives priorities. Lack of balanced risk view based on overall acceptable risk appetiteGet governance right — make security a board-level priorityAllow good security to drive compliance, not vice versaMeasure leading indicators to catch problems while they are still smallAccept manageable risks that improve performanceAre you taking controlled risks rather than striving to eliminate risks altogether?Are your key indicators trailing or leading?

52. Enable business performanceSecurity viewed as merely a function of the security teamBan emerging technologies (social media, mobile) until they are matureProgram focused on perimeter and access management, not on all IT processes or all enterprise information (e.g., business unit, cloud and end-user computing)Security metrics are backward-looking and tactical and not linked to goals, outcomes or strategic business drivers Make security everyone’s responsibilityDon’t restrict newer technologies; use the forces of change to enable themBroaden program to adopt enterprise-wide information risk management conceptsSet security program goals/metrics that impact business performanceDo all of the organization’s stakeholders understand the importance of information security?Is your organization up-to-date with the new technologies hitting the workforce?Does your organization have the right measures to create a scorecard on information security at the enterprise level?

53. Thank You!