Business Value of IT Security - CDM Media · • “A New CIO-CFO Partnership”, Brian Barnier....



Page 1: Business Value of IT Security

Ricardo Mariano González

Head of Operational Risk & Control

Zurich Spain

Disclaimer: The opinions expressed in this presentation are those of the presenter, and do not necessarily represent the view of Zurich Seguros (Zurich in Spain), Zurich Insurance Company Ltd. or the Zurich Insurance Group

Page 2: The problem

Business leaders do not see IT Security as a competitive advantage, but as a necessary cost, or something to be avoided.

High-profile cases help (for a while), but “it won’t happen to me”.

What if we just… minimize the spending on IT Security?

money, coins, investment from s_falkow, licensed under the Creative Commons Attribution-Noncommercial 2.0 Generic license.

Page 3: The problem

– Budget is still scarce (cuts, scrutiny of spending and cash management)
– Concerns about IT: risks, decisions and implementations
– Interconnected risks (outsourcers, supply chain…)
– The Business demands more open access to data and systems

The gap is vast. It won’t get smaller.

Euros from Images_of_Money, licensed under the Creative Commons Attribution 2.0 Generic license.

Page 4: Uncomfortable Questions

“Why do you guys speak so funny? Nobody else in the Company can understand you.”

“Are we getting enough from what we’re spending?”

“If I give you more money, will I get more?”

DAY 29/365: Communication from dcosand, licensed under the Creative Commons Attribution-Noncommercial-Share Alike 2.0 Generic license.

Page 5: Uncomfortable Questions

“Here’s the balance sheet: please explain to me how the ‘Information Security’ line translates into ‘Less Business Risks’, in a language I can understand”

Balancing The Account By Hand from kenteegardin, licensed under the Creative Commons Attribution 2.0 Generic license.

Page 6: Business Language, please

The story goes:

Businesses run on IT, including IT Security (they already know this).

(Via some financial processes) Finance assigns money to IT.

IT uses that money to run its hardware, software, people and services.

Later on, Finance should verify that IT used that money properly.

…but…

Page 7: Business Language, please

…Finance does not always do that,

…IT does not always ensure this verification happens,

and then

…the value of IT is not always demonstrated.

If you can’t prove it is competitive, then it is expensive.

Graph With Stacks Of Coins from kenteegardin, licensed under the Creative Commons Attribution 2.0 Generic license.

Page 8: Business Language, please

Expectations:

Businesses are used to immediate results.

The CIO / CISO does not want to disappoint and might over-promise.

But IT projects do have delays:
– from spending to implementation,
– from implementation to measurable return.

Results and benefits are difficult to measure.

The target DOES move: it is hard to prove you reached where you wanted to be.

targets from hans s, licensed under the Creative Commons Attribution-No Derivative Works 2.0 Generic license.

Page 9: Information Security…

…does it really have a value of its own?

Page 10: Finding Value

Source: “Revolution or evolution?”, The Technology Strategy Board & PwC

“What if we just… do not spend on IT Security?”

Page 11: Finding Value

“Is there a way to spend thinking about maximum return?”

First think about “what to do”, then “how to do it”:

– Commodities, infrastructure: price, or “how much”
– Laws and regulations: depth, or “how far”
– Investments: cost-benefit, or “how much to produce a desired outcome”

Caveat: “Return on Investment” and “Business Value” are not synonyms!!!

Fan of Euro Notes on Scales from Images_of_Money, licensed under the Creative Commons Attribution 2.0 Generic license.

Page 12: Finding Value

“If we do better IT Security than the competition, will we be more Valuable?”

– Threshold condition
– Sufficient security
– Intellectual property
– Sales percentage

IT Security fosters Innovation:

– Investment in Social, Mobility, Cloud, BYOD, Big Data…
– Peace of mind to try out new things and explore new products/services
– Customer & Shareholder trust

Price of Houses in the UK from Images_of_Money, licensed under the Creative Commons Attribution 2.0 Generic license.

Page 13: Managing Communications and Expectations

Benefit: only if the Business understands it.

Presenting projects, risks, benefits? Better call Finance first.

Use standard presentation formats and value measures.

Ensure you’re aligned with your CEO / CFO. It is easy.

Books (74/365) from LifeSupercharger, licensed under the Creative Commons Attribution 2.0 Generic license.

Page 14: Articulating Value

Do you know what your Business wants from IT? Are you sure?

[Chart: “Differentiation of IT Use in ‘This’ Enterprise” plotted against “Importance of IT to Business Strategy”, with the quadrants Competitive Weapon, Commodity, Efficiency and Niche Enhancement, and the label Reliable Business. Source: ValueBridge Advisors LLC, used by permission]

Page 15: Articulating Value

Another model, following Business Strategy:

– Growth: ITSec can protect the business, safeguard revenue and free up resources to increase revenue.
– Innovation: Data needs to be secure, privacy is critical. ITSec can help demonstrate leadership.
– Optimization: ITSec can optimize the costs of protecting information (not all of it in the ITSec function).
– Protection: ITSec can demonstrate strong and effective monitoring, good governance and transparency.

Source: “Insights on governance, risk and compliance. Ernst & Young’s Global Information Security Survey 2012”, Ernst & Young

Page 16: Articulating Value

Invest where less money brings more effect

[Chart: security measures plotted by Investment against Effect: Custom Solutions, Passwords, Intrusion detection, SSO, Kerberos, PKI, DCE, Integrated Architecture, Backup Site, Auto Provisioning, BCP, SSL, Firewall, Tokens, Encryption, Awareness, Policies, Standards]

Page 17: Articulating Value

Align…
– to your IT and Business strategy,
– to your Portfolio and Program management.

Understand who will benefit, and meet them.

Measure:
– Use existing metrics, already aligned to organizational objectives.
– Use the same value measures in investment portfolios and daily operations (i.e. when deciding, and when reporting).

Page 18: Examples…

Page 19: Shifting from Cost-Centre to Differentiator

Monitor alignment (ITSec initiatives, IT portfolio, Business portfolio).

Engage the Risk Manager: how can I reduce business risks, and risks from IT?

You can transfer some of those risks (and also have a handy quantification!)

Take the next step: IT Risk Management.

Changed Priorities Ahead from add1sun, licensed under the Creative Commons Attribution-Noncommercial-Share Alike 2.0 Generic license.

Page 20: Final thoughts…

IT Security is not only cost; it is a strategic investment in reduction of corporate risk, and a positive contribution to the realization of business value.

There is no “one-size-fits-all” recipe. There is a right answer for your own organization, but you’ll need to find it.

Barometer - Change from Andres Rueda, licensed under the Creative Commons Attribution 2.0 Generic license.

Page 21: Remarks…

“One positive trend has been the growing awareness of cyber risks among members of corporate boards” (Zurich & Atlantic Council)

“Cyber-security is no longer a technical problem, but rather a risk the Board and C-suite must understand and properly manage” (PWC)

“across industries, we continue to see evidence of executive recognition that security’s strategic value is more closely aligned with the business than with IT” (PWC)

“the information security function continues to take on a far more customer-facing, business-supporting, strategic value-building role” (PWC)

free from jonrawlinson, licensed under the Creative Commons Attribution 2.0 Generic license.

Page 22: Thank You!

This work is licensed under the Creative Commons Attribution-NonCommercial 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.

[email protected]

@gonzalezrichard

+34 639 585 461

http://www.linkedin.com/in/ricardomarianogonzalez

Page 23: Endnotes

• Source: “Show Me the Money! Three Ways to Better Partner with Finance,” by Brian Barnier, ISACA Journal, Vol. 6, 2010. © ISACA® All rights reserved. Reprinted by permission.

• Source: “What is the Value of Security?” by Steven Ross, ISACA Journal, Vol. 2, 2011. © ISACA® All rights reserved. Reprinted by permission.

• Source: “ROSI Scenarios,” by Steven Ross, ISACA Journal, Vol. 2, 2002. © ISACA® All rights reserved. Reprinted by permission.

• Source: “Vive le ROI,” by Steven Ross, ISACA Journal, Vol. 2, 2002. © ISACA® All rights reserved. Reprinted by permission.

• Source: “Five Tips for Better Communication with ‘the Business’,” by Brian Barnier, @ISACA, Volume 14, 7 July 2010. © ISACA® All rights reserved. Reprinted by permission.

• “Ready for 2011? Five questions for CISOs”, Brian Barnier, CGEIT, CRISC. SC Magazine, January 18, 2011.

• “A New CIO-CFO Partnership”, Brian Barnier. Baseline Magazine, 2010-02-04.

• “Seeking Better Outcomes from Risk Management? New Research Gives Tips”, Brian Barnier, ValueBridge Advisors. Agility.FinanceTech.com. 2009/04.

• “From IT risk management to IT business risk management in five steps”, Brian Barnier. SearchCompliance.techtarget.com, 09 Aug 2010.

• “How to Improve IT Value Measurement”, Brian G. Barnier. CIO Insight, February 2011.

• “2010 – The Year of Making IT More Personal to the C-Suite – Six Tips to Help YOU Bring More Benefit to Your Organization”, Brian G. Barnier, ValueBridge Advisors. The Innovator, Financial Services Roundtable, March 2010.

• “Respected – but still restrained. Findings from the 2011 Global State of Information Security Survey ®”, PricewaterhouseCoopers, 2011.

• “Revolution or evolution? Information Security 2020”, the Technology Strategy Board jointly with PricewaterhouseCoopers, 2010.

• “Moving Beyond Compliance. Ernst & Young’s 2008 Global Information Security Survey”, Ernst & Young, 2008.

• “Borderless security. Ernst & Young’s 2010 Global Information Security Survey”, Ernst & Young, 2010.

• “Cisco Connected World Technology Report”, http://www.cisco.com/en/US/netsol/ns1120/index.html, Cisco, 2013.

• “Fighting to Close the Gap. Insights on governance, risk and compliance. Ernst & Young’s Global Information Security Survey 2012”, Ernst & Young, 2012.

• “Risk Nexus. Beyond data breaches: global interconnections of cyber risk”. Zurich Insurance Company and Atlantic Council of the United States, 2014.

• “Managing cyber risks with insurance”. PricewaterhouseCoopers LLP. 2014.

• The ideas, views, expressions and comments expressed in this presentation are my own and don’t necessarily represent Zurich’s position, strategy or views.

• This work is licensed under the Creative Commons Attribution-NonCommercial 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.