1 / 22

SAFE KNOWLEDGE

SAFE KNOWLEDGE. GEOFF ROBERTS Implementation Partner AUSTRALIAN PROJECTS PTY LIMITED IT Security and Data Protection. The Management versus Technical Staff Challenge.

estrella
Download Presentation

SAFE KNOWLEDGE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SAFE KNOWLEDGE GEOFF ROBERTS Implementation Partner AUSTRALIAN PROJECTS PTY LIMITED IT Security and Data Protection

  2. The Management versus Technical Staff Challenge Create win-win IT security outcomes that meet management objectives for the enterprise, and realistic productivity expectations of the IT department

  3. Differing cultures • Non-technical managers are mostly in a world of budgets, timeframes, deadlines, deliverables, results and the “big picture” • IT staff are mostly in a world of rapid change, uncertainties, threats, complexity and detail, as well as timeframes, deadlines and deliverables • The difference is often clear to IT staff but unclear to non-technical managers

  4. The Management versus Technical Staff Conundrum • Corporate structure that fails to acknowledge a rapidly changing security landscape • Poorly defined IT security roles and responsibilities for non-technical management and IT management teams • Failure of technical expectations to be fulfilled due to unrealistic low budgets and failure of non technical management to approve sufficient human resources to meet the requirements of the IT department • No common approach and a lack of language clarity between management and technical staff

  5. Enterprise Structure • Enterprise management and IT department in separate isolated silos • These silos fail to share accountability and responsibility for IT security policy and practice • The silo approach does not work because shared responsibilities and communications are often neglected • Silos can address isolated work area requirements but will leave gaps across the whole enterprise (including legal)

  6. Roles and Responsibilities • Inappropriate delegation of responsibilities and tasks is a common weakness • Legal responsibilities and associated liabilities delegated to the technical team with little or no ownership by senior non-technical management • Accountability that should be shared, erroneously devolved to the IT technical department instead of being “owned” from top management down

  7. Expectations and resources • Failure of management to articulate the IT security expectations of the enterprise • Management often underestimates the human resources needed to implement and manage IT security across the enterprise • Management often underestimates the financial cost to deliver a whole of enterprise security solution • Failure of technical team to communicate realistic requirements and timelines to meet the management expectation

  8. What about IT Security? • Management perceives IT security as a given • Therefore management tends to take it for granted • This can create a false sense of security • New IT security implementations are given low priority • IT security solutions often implemented after an incident has occurred … (reactive management, rather than proactive management) • Management failure to understand that IT security is a valid cost of doing business

  9. Bridging the GAP – How Mgmt sees IT Department Management want RESULTS Potential Results (Output) IT is uniquely positioned to bridge the gap! GAP Momentum Time

  10. Key challenges • Achieve a strategic whole-of-enterprise IT security solution to manage risk • Address strategic outcomes based on well informed and realistic expectations set by top management • Allocation of appropriate resources for each step of the process • Think strategically, act tactically, because each step is is only a part of the whole

  11. Management Role • Set a realistic agenda in concert with the IT department ensuring expectations are deliverable • Assume overall responsibility and liability • Provide appropriate resources, human and financial to deliver the desired outcome • Engage in continuing review with the IT department to ensure minimisation of risk associated with new and emerging threats

  12. IT Department Role • Provide management with accurate and timely information that will aid the planning and decision making process • Evaluate new and emerging products and services that may meet the IT security needs of the enterprise • Ensure language is clear and unambiguous for non-technical senior decision makers • Work to each pre-agreed management brief to ensure on-time and on-budget delivery

  13. Risk Management Regulatory Requirements The Information Risk Spectrum Logical Process Physical IT Security IT Contingency Personnel Security Business Continuity Physical Security Closing the gap John Meaking – Standard Chartered Bank

  14. Risk – a common dialogue • Asset Values ($) • Vulnerabilities (access to assets) • Threats (scenario exploits vulnerability) • RISK

  15. Risk analysis EXPOSURE FACTOR CONTROLS THREAT VULNERABILITY ASSET Unknown and Unquantifiable in absolute terms LIKELIHOOD X = RISK IMPACT Frequency & Exposure Consequence – some guesswork Control Effectiveness John Meakin – Standard Chartered Bank

  16. Matrix – a common dialogue Consequence Severity Think generically about using Risk Assessments

  17. Where to start? • Look for High Likelihood High Impact (HH) • Pareto • Demonstrate Cost/Benefit. Don’t emphasise ROI

  18. Prioritising Trivial Many Critical Few

  19. Demonstrate value & results • Through appropriate metrics • In terms management understands • Avoid measuring too much or inappropriately (let risk drive what is measured) • Communicate trends and changes regularly

  20. Successful Team Attributes • Plan and work as an enterprise team with shared responsibilities and accountabilities • Focus on realistic pre-agreed outcomes • Avoid “isolated empire” thinking and engage in “whole of enterprise” thinking • Undertake an ongoing, regular review process • Be nice to each other

  21. Three final thoughts Computers are incredibly fast accurate and stupid. People are unbelievably slow, inaccurate and brilliant. Despite the foregoing, the marriage of the two is a positive force beyond calculation.

  22. Geoff Roberts geoff@apro.com.au Tel: +61 2 4228 6213 www.apro.com.au Reflex – PC Guardian – SecuriKey – Trust Digital – Zondex

More Related