Does IT Security Matter?
Dr. Luke O’Connor, Group IT Risk, Zurich Financial Services, Switzerland
Faculty of Information Technology, QUT, November 27th, 2007
Outline
• A bit about Zurich and myself
• Nicholas Carr and knowing your neighbours
• Security Tectonics
• The Explanation is Mightier than the Action
• Risk and the New Math
• Final Grains of Wisdom
Introduction to Zurich
• Offices in North America and Europe as well as in Asia Pacific, Latin America and other markets
• Servicing capabilities to manage programs with risk exposure in more than 170 countries
• Approximately 58,000 employees worldwide
• Insurer of the majority of Fortune’s Global 100 companies
• Net income attributable to shareholders of USD 4.5 billion in 2006
• Business operating profit of USD 5.9 billion in 2006
My Background (moving from Security towards Risk)
• Industrial Research (6 yr): what people might want
• Consulting (5 yr): what people say they want
• In house (2 yr): what people expect
G-IT Risk stakeholders (stakeholder diagram; recoverable elements listed)
• Service Providers: Supplier A, Supplier B, Supplier x
• Zurich Business: Business A, Business B, Business x, each with an Account Exec (A, B, x)
• G-IT support functions: GSM, G-ISP, Capabilities, Finance, GITAG, Process/QM, Sourcing, GITR Investigations
• Group functions: Audit, Compliance, Legal, Risk
• External functions: Industry Bodies & Suppliers
• GITR roles shown: project risk management, service risk management, primary interface for G-IT, consuming information and services, co-operating and partnering with the group functions
Does IT Matter?
• “IT doesn’t matter and can’t bring strategic advantage at present!”
• Spend less
• Follow, don't lead
• Focus on vulnerabilities, not on opportunities
• IT management should become “boring”
• Manage risks and costs
• Carr, N., “IT Doesn’t Matter”, Harvard Business Review, Vol. 81, No. 5, May 2003
• Carr, N., “Does IT Matter?”, 2004
The Continental Drift of C, I, A
• CIA: better known to business as “Call in Accenture”
The Explanation is Mightier Than the Action
• Business versus Security
Notable Security Setbacks
• Regulatory Frameworks over Security Frameworks (SOX over 7799)
• Excel over FUD (Fear, Uncertainty and Doubt)
• Reactive over Proactive
• SLAs over Security Program
• Commercial over Military
The next Big Thing: Network Access Control (NAC)
• How do you sell this to your IT Department or Business?
From Security …
• Perceived, Desired, Reality
• The Plan: Objectives, Controls, Testing, Report
• Objectives: ISO 17799, ISF, Cobit, NIST, your Policies and Standards, etc.
• Controls: ISO 17799, ISF, Cobit, NIST, your Service Catalogue, etc.
• Testing: Documentation, Questionnaires, Interviews, Demonstrations, Inspections, Tooling, 3rd Party Analysis
• Report: Control Effectiveness, Compliance, Risk Mitigation, Priorities
… to Risk
• Description: What could happen?
• Trigger: How could it happen?
• Consequence: What is the impact?
• Probability: How often?
• Severity: How bad?
Controls as Risk (as is)
• Control Objective (e.g. CoBIT) is implemented by Controls C1, C2, C3, C4
• Control Assessment rates each control: Effective, Needs Improvement, or Not Effective
• Risk Scenarios are reformulations of control deficiencies (gaps)
• Control Gaps are potential triggers of Risk
IT Risk – Components
IT Services Risk:
• Service Level Management
• Capacity Planning
• Contingency Planning
• Availability Management
• Cost Management
• Configuration Management
• Problem Management
• Change Management
• Help Desk
• Software Control & Distribution
• IT Security
IT Projects Risk:
• Financial & Resources
• Compliance & Audit
• Contract & Supplier Mgmt
• IT Architecture & Strategy
• IT Project Management Risks
• Facilities & Environment
• IT Operations & Support
• Time to Deliver
• IT Security
Zurich’s IT Risk Management Framework (object to be assessed: Service or Project)
1. ABC (Assessment of Business Criticality) risk analysis prioritizes resources. Below threshold: no further analysis, apply Policies and Standards. Above threshold: proceed to step 2 (projects) or step 3 (services).
2. Optimised risk analysis for projects: Project Risk Tool, risk assessment within the PMO process, Project Risk Consulting
3. Optimised risk analysis for services: Service Risk Tool, facilitated assessments and self-assessments, IT Security Risk Assessments, Services Risk Consulting
4. Group IT Risk Register (central): the risk register provides a single global datastore for analysis and reporting
5. Reporting, escalation and action monitoring: Group IT Risk Reporting, QRR Dashboard, actions monitoring
Conclusion: Does IT Security Matter?
• IT Security in general is not an end in itself
• IT Security is one area competing for attention and funding, amongst many
• If you don’t make IT security matter, it won’t
• Keeping business secure is the main end
• Focus on securing business processes, not the process of securing
• Excel is your new best friend
• Make your spreadsheets work with their spreadsheets
• A risk-based approach is the opportunity to speak business language
• Don’t replace FUD with GIGO (garbage in, garbage out)