Meraj Ahmad - Information security in a borderless world


Page 1

The 3rd Kuwait Information Security Conference, 25 - 26 May 2011

Time for a re-think: Transform your security program to improve business performance

Information security in a borderless world

Page 2

Time for a re-think: Transform your security program to improve business performance | © 2011 EYGM Limited. All Rights Reserved.

Meraj is a partner in Ernst & Young MENA and leads the Technology Sector for this region. He has extensive international experience in IT governance and strategy, technology management and enablement, and IT risk and security, gained during more than 25 years of advisory services experience, of which 15 have been in regional leadership roles. He has worked widely within the public/government, financial and telecom sectors. Meraj earned his MBA from the Wharton Business School, University of Pennsylvania, and has been a speaker at numerous international and regional seminars and conferences.

Meraj Ahmed, Partner, Advisory Services Kuwait; Technology Sector Leader, Ernst & Young – Middle East & North Africa

Page 3

Introduction

• Over the last year, we have witnessed a significant increase in the use of external service providers and the business adoption of new technologies such as cloud computing, social networking and Web 2.0.

• We have also seen technology advances that have provided an increasingly mobile workforce with seemingly endless ways to connect and interact with colleagues, customers and clients. Together, these changes are extending the enterprise, blurring the lines between home and office, co-worker and competitor and removing the traditional enterprise boundaries.

• It is within this changing business environment that our 2010 Global Information Security Survey specifically examines how organizations are adapting and addressing their information security needs.

Page 4

Insights on information security

60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices at work.

While only 52% of organizations indicate data leakage is a top “new” increased risk.

87% of organizations believe the damage to reputation and brand is the most significant issue related to data loss.

Yet, only 10% of respondents indicated that examining new and emerging trends is a very important activity for the information security function.

However, 61% are not making policy adjustments or increasing security awareness to address these new threats.

Source – Ernst & Young’s 2010 Global Information Security Survey

Page 5

Borderless security: New technology means new risk

Given current trends toward the use of such things as social networking, cloud computing and personal devices in the enterprise, have you seen or perceived a change in the risk environment facing your organization?

Yes, increasing level of risk: 60%
No, decreasing level of risk: 3%
Relatively constant level of risk: 37%

60% of respondents perceived an increase in the level of risk they face due to the use of social networking, cloud computing and personal devices in the enterprise.

Shown: percentage of participants

Page 6

Mobile computing: Organizations are recognizing the increased risks associated with mobile computing and are taking steps to address the issues

Compared to the previous year, does your organization plan to spend more, less or relatively the same amount over the next year for the following activities?

Activity | Spend more | Same or constant | Spend less
Outsourcing security functions | 17% | 64% | 19%
Forensics/fraud support | 18% | 74% | 8%
Recruiting security resources | 22% | 63% | 15%
Incident response plans and capabilities | 26% | 68% | 6%
Compliance with corporate policies | 28% | 67% | 5%
Secure development processes (e.g., secure coding, QA process) | 30% | 63% | 7%
Implementing security standards (e.g., ISO/IEC 27002:2005) | 30% | 61% | 9%
Security metrics and reporting | 32% | 64% | 4%
Protecting proprietary information | 32% | 64% | 4%
Vulnerability management technologies and processes | 33% | 63% | 4%
Protecting personal information | 34% | 61% | 5%
Security testing (e.g., attack and penetration) | 36% | 58% | 6%
Information security risk management | 41% | 55% | 4%
Compliance with regulatory requirements | 41% | 55% | 4%
Security awareness and training | 42% | 53% | 5%
Securing new technologies (e.g., cloud computing, virtualization) | 44% | 50% | 6%
Identity and access management technologies and processes | 48% | 45% | 7%
Business continuity/disaster recovery plans and capabilities | 50% | 45% | 5%
Data leakage/data loss prevention technologies and processes | 50% | 46% | 4%

50% of respondents plan on spending more over the next year on data leakage/data loss prevention technologies and processes.

Shown: Percentage of participants

Page 7

Cloud computing: Risks associated with cloud computing are not going undetected and must be addressed before business applications are moved to a public cloud

Which of the following “new” or increased risks have you identified?

Performance management risks: 11%
Capacity management risks: 13%
Challenges in updating internal audit and compliance plans: 15%
Availability risks: 17%
Contract risks: 18%
Increased collaboration with individuals outside the enterprise: 22%
Difficulty in technical and procedural monitoring: 29%
Unauthorized access: 34%
Loss of visibility of what happens to company data: 39%
Data leakage risks: 52%

39% of respondents cited the loss of visibility of what happens to company data as an increasing risk when using cloud-based solutions.

Shown: Percentage of participants

Note: Multiple responses permitted

Page 8

Social media: Few companies have thoroughly examined the social media issue and developed an approach that will balance the business opportunity with the risk exposure

How important is information security in supporting the following activities in your organization?

Activity | Very important | 4 | 3 | 2 | Not important
Examining new and emerging IT trends | 10% | 33% | 38% | 15% | 4%
Facilitating mergers, acquisitions and divestitures | 12% | 20% | 26% | 20% | 22%
Enhancing new service or product launches | 14% | 30% | 34% | 15% | 7%
Managing external vendors | 16% | 37% | 31% | 12% | 4%
Improving IT and operational efficiencies | 21% | 40% | 27% | 10% | 2%
Improving stakeholder and investor confidence | 25% | 34% | 25% | 11% | 5%
Protecting intellectual property | 31% | 30% | 25% | 10% | 4%
Managing operational and (or) enterprise risk | 34% | 43% | 18% | 4% | 1%
Achieving compliance with corporate policies | 42% | 33% | 18% | 5% | 2%
Managing privacy and protecting personal information | 45% | 36% | 15% | 3% | 1%
Protecting reputation and brand | 53% | 29% | 13% | 4% | 1%
Achieving compliance with regulations | 56% | 26% | 12% | 4% | 2%

Only 10% of respondents indicated that examining new and emerging IT trends was a very important activity for the information security function to perform.

Shown: Percentage of participants

Page 9

Our perspective

Borderless security

• Establish a comprehensive IT risk management program that identifies and addresses the risks associated with new and emerging technologies.

• Undertake a risk assessment exercise to identify potential exposure and put in place appropriate risk-based responses.

• Take an “information-centric” view of security, which is better aligned with the organization’s business and information flows.

Mobile computing

• Increase the investment in data leakage prevention technologies, encryption and identity and access management solutions — focusing on the people who use the technology.

• Gain an understanding of the risks created by the use of new technologies — including technologies adopted personally by employees that may be used for business purposes.

• Information security policies should be reviewed and adjusted appropriately to establish the acceptable use and any specific restrictions related to mobile computing devices.

• Increase security awareness training activities for the mobile workforce.

• Push enterprise security out to end-point devices to protect critical business information and provide better alignment with the organization’s risk profile.

Cloud computing

• Assess the legal, organizational and technological risks as well as the security issues related to placing information into the public cloud.

• Develop a company strategy, a governance model and an operational approach to cloud computing use, including the information security function to help define policies and guidelines.

• Set standards and minimum requirements to enable your organization to adopt cloud computing in as secure a manner as possible.

Social media

• Provide the online communities and social collaboration tools that the new workforce expects, but do so with a view that aligns enterprise requirements with personal responsibility to protect sensitive business information.

• Raise security awareness and personal responsibility to levels that have not been achieved before.

• Inform every member of the organization on the risks and issues related to social media.

Page 10

Transforming your security program

Page 11

Begin a process to transform your security program

Scan internal and external environment

Step 1: Focus on current business drivers relevant to security and privacy

Step 2: Gain management and external perspective on pressing IT and security/compliance issues

Define goals and evaluate posture

Step 3: Set security transformation goals

Step 4: Diagnose current state vs. goals and identify gaps

Step 5: Identify short-term “wins” and long-term objectives

Develop transformation road map

Step 6: Document expected outcomes, sequence activities and summarize program road map

[Illustrative slide embedded on this page, from Ernst & Young, “Enhancing and sustaining business performance — Unlocking the value of internal audit”, 2010, page 32, marked Confidential:]

Self-assessment: How is your IA Function positioned to enhance and sustain business performance? (cont’d)

Maturity scale: Basic | Evolving | Established | Advanced | Leading

Focus area: Mandate
Basic: Internal audit strategy and objectives are narrowly defined with little or no input from executive management or the audit committee
Leading: Internal audit strategy, objectives and value contribution to the business are co-developed with executive management and the audit committee and are fully aligned with organizational strategies and business objectives

Focus area: People
Basic: Internal audit does not utilize a people model to identify and align skills with key risk areas and internal/external stakeholder expectations
Leading: The internal audit function utilizes a formalized people model to document skills by level, and align skills with key risk areas and internal/external stakeholder expectations. Flexible sourcing of the resources with required skills

Focus area: Methods
Basic: Audit needs assessment does not reflect the business strategy and risk profile
Leading: Full coordination and integration of risk assessment/audit planning and internal audit activities, including regular updates to the audit needs assessment and re-evaluation of key business risks during the year

Focus area: Technology enablement
Basic: The internal audit utilizes basic tools and technology with limited efficiency and leverage
Leading: Internal audit utilizes leading edge tools and technologies which enable effective/efficient work streams, continuous risk monitoring, collaborative efforts and efficient knowledge exchange

[Diagram: three Risk / Cost / Value triangles, with “Improved business performance” as the outcome]

• Focus on risks that matter
• Alignment to business objectives
• Create competitive advantage

• Lower costs
• Greater efficiency
• Less complexity

• Broader risk coverage
• Improved coordination
• Proactive approach

Page 12

Transform your security program to improve business / operational performance

Current state

Pressing IT and security issues: • • • • •

Key business drivers: • • • • •

Needed or in-process improvements

Short-term: • • • • •

Long-term: • • • • •

Security transformation goals

Identify the real risks

• Define the organization’s overall risk appetite and how information risk fits

• Identify the most important information and applications, where they reside and who has or needs access

• Assess the threat landscape and develop predictive models highlighting your real exposures

Protect what matters most

• Develop a security strategy focused on business drivers and protecting high-value data

• Assume breaches will occur — improve processes that plan, protect, detect and respond

• Balance fundamentals with emerging threat management

• Establish and rationalize access control models for applications and information

Optimize for business performance

• Align all aspects of security (information, privacy, physical and business continuity) with the business

• Spend wisely in controls and technology — invest more in people and processes

• Consider selectively outsourcing operational security program areas

Sustain an enterprise program

• Get governance right — make security a board-level priority

• Allow good security to drive compliance, not vice versa

• Measure leading indicators to catch problems while they are still small

• Accept manageable risks that improve performance

Enable business performance

• Make security everyone’s responsibility

• Don’t restrict newer technologies; use the forces of change to enable them

• Broaden program to adopt enterprise-wide information risk management concepts

• Set security program goals and metrics that influence business performance

Page 13

Framework to enable your security program to address business / operational needs

[Framework diagram; layers and elements as shown on the slide:]

Business-level performance

Key business drivers | External challenges | Governance | Internal Audit

Integrated security program

Mandate, people and organization: Strategy and architecture; Operations and integration; Awareness and training

Security risk governance & risk management: Compliance; Reporting and metrics; Risk culture; Policy framework

Security methods and processes: Identity and access; Human resources; Threat and vulnerability; Asset; Information, data and privacy; Business continuity and disaster recovery; Incident; Operations and engineering; Third party; Logging and monitoring; Communications; Physical and environmental security

Security technology enablement: Applications; Data; Infrastructure

Integrated capabilities

Page 14

Transform your security program to improve business performance

Identify the real risks

Protect what matters most

Optimize for business performance

Sustain an enterprise program

Enable business performance

Five questions for the C-suite

► Do you know how much damage a security breach can do to your reputation or brand?

► Are internal and external threats considered when aligning your security strategy to your risk management efforts?

► How do you align key risk priorities in relation to your spending?

► Do you understand your risk appetite and how it allows you to take controlled risks?

► How does your IT risk management strategy support your overall business strategy?

Page 15

Identify the real risks

Conventional thinking

• Budget and organize a security program focused primarily on meeting immediate compliance needs

• Protect the perimeter and keep external threats out

• Focus on entry points, not exit points. Reactive, internally focused posture leads to constant firefighting mode addressing the latest threat or incident

Leading thinking

• Define the organization’s overall risk appetite and how information risk fits

• Identify the most important information and applications, where they reside and who has/needs access

• Assess the threat landscape and develop predictive models highlighting your real exposures

Questions to ask

• What is your organization’s risk culture?

• Are you detecting and monitoring threats inside and outside the organization?

• Have you anticipated new technology risks, such as mobile devices, social media and cloud computing?

Page 16

Protect what matters most

Conventional thinking

• Security program budget and organization focused primarily on meeting immediate compliance needs

• Set goal and expectation to stop all attacks and threats

• Disproportionate focus on maintaining lower-risk/lower-value security activities

• User access and roles are set up based on last employee hired

Leading thinking

• Develop a security strategy focused on business drivers and protecting high-value data

• Assume breaches will occur — improve processes that plan, protect, detect and respond

• Balance fundamentals with emerging threat management

• Establish and rationalize access control models for applications and information

Questions to ask

• Have you considered automating security controls?

• Are you using predictive indicators to analyze seemingly legitimate network activity?

• Are your resources focused on emerging threats?

Page 17

Optimize for business performance

Conventional thinking

• Various security aspects exist in silos and are driven by compliance only

• Largest portion of security budget goes to technology solutions

• Fear of outsourcing anything security-related due to perceived loss of control. This results in the inability to focus on emerging technologies, new threats and new business initiatives

Leading thinking

• Align all aspects of security (information, privacy, physical and business continuity) with the business

• Spend wisely in controls and technology — invest more in people and processes

• Consider selectively outsourcing operational security program areas

Questions to ask

• Are you balancing spending money among key risk priorities?

• Have you investigated the latent functionality of your existing tools?

• Are you outsourcing any of your information security?

Page 18

Sustain an enterprise program

Conventional thinking

• Security viewed as sub-function of IT with little top management visibility

• Security program budget and organization focused on meeting immediate compliance needs

• Security metrics and reporting focused on historic trends. Inordinate time spent on reacting to major incidents

• Inherent security risk drives priorities. Lack of balanced risk view based on overall acceptable risk appetite

Leading thinking

• Get governance right — make security a board-level priority

• Allow good security to drive compliance, not vice versa

• Measure leading indicators to catch problems while they are still small

• Accept manageable risks that improve performance

Questions to ask

• Are you taking controlled risks rather than striving to eliminate risks altogether?

• Are your key indicators trailing or leading?

Page 19

Enable business performance

Conventional thinking

• Security viewed as merely a function of the security team

• Ban emerging technologies (social media, mobile) until they are mature

• Program focused on perimeter and access management, not on all IT processes or all enterprise information (e.g., business unit, cloud and end-user computing)

• Security metrics are backward-looking and tactical and not linked to goals, outcomes or strategic business drivers

Leading thinking

• Make security everyone’s responsibility

• Don’t restrict newer technologies; use the forces of change to enable them

• Broaden program to adopt enterprise-wide information risk management concepts

• Set security program goals/metrics that impact business performance

Questions to ask

• Do all of the organization’s stakeholders understand the importance of information security?

• Is your organization up-to-date with the new technologies hitting the workforce?

• Does your organization have the right measures to create a scorecard on information security at the enterprise level?

Page 20

Thank You!