Business Value of IT Security - CDM Media (transcript)
Business Value of IT Security
Ricardo Mariano González
Head of Operational Risk & Control
Zurich Spain
Disclaimer: The opinions expressed in this presentation are those of the presenter, and do not necessarily represent the view of Zurich Seguros (Zurich in Spain), Zurich Insurance Company Ltd. or the Zurich Insurance Group.
The problem
Business leaders do not see IT Security as a competitive advantage. They see it as a necessary cost, or as something to be avoided.
High-profile cases help (for a while), but the reaction is “it won’t happen to me”.
What if we just… minimize the spending on IT Security?
money, coins, investment from s_falkow, licensed under the Creative Commons Attribution-Noncommercial 2.0 Generic license.
The problem
Budget is still scarce (cuts, scrutiny of spending and cash management).
Concerns about IT: risks, decisions and implementations.
Interconnected risks (outsourcers, supply chain…).
Business demands more open access to data and systems.
The gap is vast. It won’t get smaller.
Euros from Images_of_Money, licensed under the Creative Commons Attribution 2.0 Generic license.
Uncomfortable Questions
“Why do you guys speak so funny? Nobody else in the Company can understand you.”
“Are we getting enough from what we’re spending?”
“If I give you more money, will I get more?”
DAY 29/365: Communication from dcosand, licensed under the Creative Commons Attribution-Noncommercial-Share Alike 2.0 Generic license.
Uncomfortable Questions
“Here’s the balance sheet: please explain to me how the ‘Information Security’ line translates into ‘Less Business Risks’, in a language I can understand”
Balancing The Account By Hand from kenteegardin, licensed under the Creative Commons Attribution 2.0 Generic license.
Business Language, please
The story goes:
Businesses run on IT, including IT Security (they already know this).
(Via some financial processes) Finance assigns money to IT.
IT uses that money to run its hardware, software, people and services.
Later on, Finance should verify that IT used that money properly.
…but…
Business Language, please
…Finance does not always do that,
…IT does not always ensure this verification happens,
and then
…the value of IT is not always demonstrated.
If you can’t prove it is competitive, then it is expensive.
Graph With Stacks Of Coins from kenteegardin, licensed under the Creative Commons Attribution 2.0 Generic license.
Business Language, please
Expectations:
Business is used to immediate results.
The CIO / CISO does not want to disappoint and might over-promise.
But IT projects do have delays:
From spending to implementation.
From implementation to measurable return.
Results and benefits are difficult to measure.
The target DOES move: it is hard to prove you reached where you wanted to go.
targets from hans s, licensed under the Creative Commons Attribution-No Derivative Works 2.0 Generic license.
Information Security…
…does it really have a value of its own?
Finding Value
Source: “Revolution or evolution?” The Technology Strategy Board & PWC
“What if we just…do not spend in IT Security?”
Finding Value
“Is there a way to spend thinking about maximum return?”
First think about “what to do”, then “how to do it”.
Commodities, infrastructure: price, or “how much”.
Laws and regulations: depth, or “how far”.
Investments: cost-benefit, or “how much to produce a desired outcome”.
Caveat: “Return on Investment” and “Business Value” are not synonyms!
Fan of Euro Notes on Scales from Images_of_Money, licensed under the Creative Commons Attribution 2.0 Generic license.
Finding Value
“If we do better IT Security than the competition, will we be more Valuable?”
– Threshold condition
– Sufficient security
– Intellectual property
– Sales percentage
IT Security fosters Innovation:
– Investment in Social, Mobility, Cloud, BYOD, Big Data…
– Peace of mind to try out new things and explore new products/services
– Customer & Shareholder trust
Price of Houses in the UK from Images_of_Money, licensed under the Creative Commons Attribution 2.0 Generic license.
Managing Communications and Expectations
Benefit: only if the Business understands it.
Presenting projects, risks, benefits? Better call Finance first.
Use standard presentation formats and value measures.
Ensure you’re aligned with your CEO / CFO. It is easy.
Books (74/365) from LifeSupercharger, licensed under the Creative Commons Attribution 2.0 Generic license.
Articulating Value
Do you know what your Business wants from IT? You’re sure?
[Chart, source: ValueBridge Advisors LLC, used by permission. Axes: “Differentiation of IT Use in ‘This’ Enterprise” and “Importance of IT to Business Strategy”. Quadrants: Competitive Weapon, Commodity Efficiency, Niche Enhancement, Reliable Business.]
Articulating Value
Another model, following Business Strategy:
Growth: ITSec can protect the business, safeguard revenue and free up resources to increase revenue.
Innovation: Data needs to be secure, privacy is critical. ITSec can help demonstrate leadership.
Optimization: ITSec can optimize the costs of protecting information (not all of it in the ITSec function).
Protection: ITSec can demonstrate strong and effective monitoring, good governance and transparency.
Source: “Fighting to Close the gap. Insights on governance, risk and compliance. Ernst & Young’s Global Information Security Survey 2012”, Ernst & Young.
Articulating Value
Invest where less money brings more effect.
[Chart: Effect (vertical axis) against Investment (horizontal axis), plotting these measures: Policies, Standards, Awareness, Passwords, Encryption, SSL, Firewall, Tokens, Intrusion detection, SSO, Kerberos, PKI, DCE, Integrated Architecture, Backup Site, BCP, Auto Provisioning, Custom Solutions.]
Articulating Value
Align…
– to your IT and Business strategy,
– to your Portfolio and Program management
Understand who will benefit, and meet them
Measure:
–Use existing metrics, already aligned to organizational objectives
–Use the same value measures in investment portfolios and daily operations (i.e. when deciding, and when reporting)
Examples…
Shifting from Cost-Centre to Differentiator
Monitor alignment (ITSec initiatives, IT portfolio, Business portfolio).
Engage the Risk Manager: how can I reduce business risks, and risks from IT?
Changed Priorities Ahead from add1sun, licensed under the Creative Commons Attribution-Noncommercial-Share Alike 2.0 Generic license.
You can transfer some of those risks (and also have a handy quantification!)
Take the next step: IT Risk Management.
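As an added, constructed illustration (not part of the deck, and not the presenter’s or Zurich’s figures) of two points made above: the “Finding Value” caveat that Return on Investment and Business Value are not synonyms, and the “handy quantification” that comes with transferring risk. The Python below scores three preventive controls and one insurance policy against the same set of loss scenarios using annualised loss expectancy (ALE = SLE × ARO), the common ROSI formula ((ALE reduction − cost) / cost) and absolute net benefit, then ranks the options both ways. Every scenario, cost, premium, deductible and limit is an assumed value chosen for the example.

```python
"""Constructed cost-benefit comparison of security spending options.

ALE  = SLE * ARO                         (annualised loss expectancy)
ROSI = (ALE_before - ALE_after - cost) / cost
Net  =  ALE_before - ALE_after - cost    (absolute value to the business)

Every figure below is an invented illustration, not data from the deck.
"""
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # single loss expectancy, EUR per incident (assumed)
    aro: float  # annualised rate of occurrence, incidents per year (assumed)

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A preventive control: removes a fraction of the incidents it covers."""
    name: str
    annual_cost: float
    aro_reduction: float  # fraction of covered incidents prevented, 0..1
    covers: tuple         # scenario names the control applies to


@dataclass(frozen=True)
class Insurance:
    """Risk transfer: the insurer pays per-incident loss above the
    deductible, up to the limit; the remainder stays with the business."""
    name: str
    premium: float
    deductible: float
    limit: float


# Constructed scenarios (assumed values).
SCENARIOS = (
    Scenario("ransomware", sle=400_000, aro=0.2),   # ALE  80 000
    Scenario("phishing", sle=50_000, aro=2.0),      # ALE 100 000
    Scenario("laptop loss", sle=20_000, aro=1.5),   # ALE  30 000
)

# Constructed spending options (assumed values).
OPTIONS = (
    Control("awareness programme", 15_000, 0.5, ("phishing",)),
    Control("immutable backups", 60_000, 0.9, ("ransomware",)),
    Control("full-disk encryption", 5_000, 0.9, ("laptop loss",)),
    Insurance("cyber policy", premium=90_000, deductible=25_000, limit=300_000),
)


def ale_total(scenarios) -> float:
    return sum(s.ale for s in scenarios)


def evaluate(option: Union[Control, Insurance], scenarios=SCENARIOS) -> Dict[str, float]:
    """Return before/after ALE, cost, net benefit and ROSI for one option."""
    before = ale_total(scenarios)
    if isinstance(option, Control):
        after = sum(
            s.ale * (1.0 - option.aro_reduction) if s.name in option.covers else s.ale
            for s in scenarios
        )
        cost = option.annual_cost
    else:
        # Transfer changes who pays, not how often incidents happen:
        # expected payout = ARO * min(max(SLE - deductible, 0), limit).
        transferred = sum(
            s.aro * min(max(s.sle - option.deductible, 0.0), option.limit)
            for s in scenarios
        )
        after = before - transferred
        cost = option.premium
    net = before - after - cost
    return {"ale_before": before, "ale_after": after, "cost": cost,
            "net_benefit": net, "rosi": net / cost}


def rank_by(key: str, options=OPTIONS, scenarios=SCENARIOS) -> List[str]:
    """Option names ordered best-first by the chosen measure."""
    scored = [(o.name, evaluate(o, scenarios)[key]) for o in options]
    return [name for name, _ in sorted(scored, key=lambda t: t[1], reverse=True)]


if __name__ == "__main__":
    for o in OPTIONS:
        r = evaluate(o)
        print(f"{o.name:22s} cost {r['cost']:>8,.0f}  ALE {r['ale_before']:,.0f} -> "
              f"{r['ale_after']:,.0f}  net {r['net_benefit']:>8,.0f}  ROSI {r['rosi']:5.2f}")
    print("by ROSI:       ", rank_by("rosi"))
    print("by net benefit:", rank_by("net_benefit"))
```

With these assumed numbers the two rankings disagree: ROSI puts the cheap disk-encryption control first, while absolute net benefit puts the awareness programme first, and the backup option, which removes the most ALE in euros, scores lowest on ROSI because it is the most expensive. That is the caveat in one table. The insurance line shows what the “handy quantification” of transfer looks like: the deductible and limit make the retained share of each loss explicit, and the policy is scored with exactly the same before/after arithmetic as a control. Expected-value arithmetic still understates what transfer is for, which is capping the rare large loss; a conversation with the Risk Manager should cover the tail as well as the average.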
Final thoughts…
IT Security is not only a cost; it is a strategic investment in the reduction of corporate risk, and a positive contribution to the realization of business value.
Barometer - Change from Andres Rueda, licensed under the Creative Commons Attribution 2.0 Generic license.
There is no “one-size-fits-all” recipe. There is a right answer for your own organization, but you’ll need to find it.
Remarks…
“One positive trend has been the growing awareness of cyber risks among members of corporate boards“ (Zurich & Atlantic Council)
“Cyber-security is no longer a technical problem, but rather a risk the Board and C-suite must understand and properly manage” (PWC)
“across industries, we continue to see evidence of executive recognition that security’s strategic value is more closely aligned with the business than with IT” (PWC)
“the information security function continues to take on a far more customer-facing, business-supporting, strategic value-building role” (PWC)
free from jonrawlinson, licensed under the Creative Commons Attribution 2.0 Generic license.
Thank You!
This work is licensed under the Creative Commons Attribution-NonCommercial 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
@gonzalezrichard
+34 639 585 461
http://www.linkedin.com/in/ricardomarianogonzalez
Endnotes
• “Show Me the Money! Three Ways to Better Partner with Finance”, Brian Barnier, ISACA Journal, Vol. 6, 2010. © ISACA. All rights reserved. Reprinted by permission.
• “What is the Value of Security?”, Steven Ross, ISACA Journal, Vol. 2, 2011. © ISACA. All rights reserved. Reprinted by permission.
• “ROSI Scenarios”, Steven Ross, ISACA Journal, Vol. 2, 2002. © ISACA. All rights reserved. Reprinted by permission.
• “Vive le ROI”, Steven Ross, ISACA Journal, Vol. 2, 2002. © ISACA. All rights reserved. Reprinted by permission.
• “Five Tips for Better Communication with ‘the Business’”, Brian Barnier, @ISACA, Volume 14, 7 July 2010. © ISACA. All rights reserved. Reprinted by permission.
• “Ready for 2011? Five questions for CISOs”, Brian Barnier, CGEIT, CRISC, SC Magazine, 18 January 2011.
• “A New CIO-CFO Partnership”, Brian Barnier, Baseline Magazine, 4 February 2010.
• “Seeking Better Outcomes from Risk Management? New Research Gives Tips”, Brian Barnier, ValueBridge Advisors, Agility.FinanceTech.com, April 2009.
• “From IT risk management to IT business risk management in five steps”, Brian Barnier, SearchCompliance.techtarget.com, 9 August 2010.
• “How to Improve IT Value Measurement”, Brian G. Barnier, CIO Insight, February 2011.
• “2010 – The Year of Making IT More Personal to the C-Suite – Six Tips to Help YOU Bring More Benefit to Your Organization”, Brian G. Barnier, ValueBridge Advisors, The Innovator, Financial Services Roundtable, March 2010.
• “Respected – but still restrained. Findings from the 2011 Global State of Information Security Survey”, PricewaterhouseCoopers, 2011.
• “Revolution or evolution? Information Security 2020”, the Technology Strategy Board jointly with PricewaterhouseCoopers, 2010.
• “Moving Beyond Compliance. Ernst & Young’s 2008 Global Information Security Survey”, Ernst & Young, 2008.
• “Borderless security. Ernst & Young’s 2010 Global Information Security Survey”, Ernst & Young, 2010.
• “Cisco Connected World Technology Report”, Cisco, 2013. http://www.cisco.com/en/US/netsol/ns1120/index.html
• “Fighting to Close the gap. Insights on governance, risk and compliance. Ernst & Young’s Global Information Security Survey 2012”, Ernst & Young.
• “Risk Nexus. Beyond data breaches: global interconnections of cyber risk”, Zurich Insurance Company and Atlantic Council of the United States, 2014.
• “Managing cyber risks with insurance”, PricewaterhouseCoopers LLP, 2014.