The Business Of Information Security V2.0


Transcript of The Business Of Information Security V2.0

Page 1: The Business Of Information Security V2.0

The Business of Information Security:

Theo Nassiokas, APAC regional head of IT risk, audit & regulatory – Investment banking sector

2006 National Executive Chair– Australian Information Security Association (AISA)

Version 2.0

Information Security 2010

Regulatory, business and cultural alignment is critical

Page 2

Overview

Security silos to risk convergence

Business assurance to enabler

Good security strategy

Good security operations

Show me the money!

Page 3

Information Security defined

Information Security is
− Assurance that the Confidentiality, Integrity & Availability (CIA) of information assets are within the corporate risk appetite (policy)
− It involves Process, People and Technology

This requires the use of
− Enterprise Risk Management Framework*

Determine scope → Identify risk → Analyse and evaluate risk → Communicate and treat risk → Monitor risk

*Security Convergence and ERM – pg. 7 – The Convergence of IT Security and Enterprise Security Risk Management – The Alliance for Enterprise Security Risk Management - www.aesrm.org – A partnership of ISACA and ASIS International

Page 4

Security silos to risk convergence – What’s the value?

Page 5

Security’s perception of business?

“Security is excessive until… it’s not enough”

- Robbie Sinclair - Head of Security, Country Power

Page 6

Security silos to risk convergence

What is Security Convergence?
Meaning 1: Technology savvy physical security teams that have converged with IT – i.e. with the computers, software and networks of IT*
Meaning 2: Correlated IT and physical security related data that is analysed and turned into useful risk management information*
Meaning 3: The merging of IT security people and process with physical security people and processes*

What do we mean by Risk Convergence?
The convergence of IT security and Enterprise Risk Management (ERM)
Effective and consistent information security management in the context of broader organisational risks**
Security risks explained as ‘real’ business risks (‘ripple effect’)
Aligned to the well-known COSO and CObIT frameworks

**Security Convergence and ERM, The Convergence of IT Security and Enterprise Security Risk Management – pg. 5 – http://www.aesrm.org/convergence_security_prof_view.html – AESRM - 2009 – A partnership of ISACA and ASIS International

*Convergence – The Semantics Trap – http://www.csoonline.com/article/560063/Convergence_The_Semantics_Trap - Steve Hunt - March 1, 2010

Page 7

Who are the stakeholders?

Diagram (slide graphic): Security Convergence at the centre, bridging Physical security and IT security. Surrounding stakeholders, drivers and risks: Legal, Regulatory; Industry codes; IP; Data Protection Act (UK); Sarbanes Oxley S302, 404, 409; USA PATRIOT Act; ISO 27001; California Senate Bill 1386; BCP failure; Phishing; Cyber crime; Basel II; ISO 27002; Virus incidents; Physical theft of info; Unauthorised software usage; System access control; License breach; Staff screening checks; Outsourced service provider control; Information access control; Network domain access; Unauthorised physical access; Targeted attack – mass extinction event; Privacy laws.

Page 8

Why is risk convergence important?

Security viewed in a business context

Sustainable competitive advantage
− Competitive intelligence
− Corporate strategy
− Mergers & acquisitions
− Client confidentiality
− Customer information

Optimal stakeholder leverage (influence)
− Business lines
− Operational risk management
− Legal counsel
− Compliance (regulatory and internal policy)
− Auditors (external and internal assurance)

The Alliance for Enterprise Security Risk Management - www.aesrm.org – A partnership of ISACA and ASIS International

Page 9

Business ‘assurance’ to ‘enabler’ – The objective of security?

Page 10

Business’ perception of security?

“It is difficult to get a man to understand something, when his salary depends upon his not understanding it”

- Upton Sinclair - Prolific American author and investigative journalist (1878 - 1968)

Page 11

Research re: security as an enabler

CMO (Chief Marketing Officer) Council (USA) “Secure the Trust of Your Brand” – Aug 2006

Page 12

Research re: security as enabler

“Secure the Trust of Your Brand” – Aug 2006

Page 13

Research re: security as enabler

“Secure the Trust of Your Brand” – Aug 2006

65% of European and U.S. respondents, on average, have experienced computer security problems

1 in 6 respondents have had their personal information lost or compromised

40% of respondents have actually stopped a transaction due to a security incident

Over one third would consider taking their business elsewhere if personal information were compromised

25% would definitely take their business elsewhere if their personal information were compromised

Page 14

Good security strategy – Aligned to the emerging regulatory framework

Page 15

It is part of Corporate Governance

− It is one of the five main areas of corporate governance, the significance of which would depend on the industry and its jurisdiction.

Diagram (slide graphic): Corporate Governance, comprising Risk/Security Governance, IT Governance, Administrative and Financial Governance, Operational Governance, and Regulatory and Legal Governance.

Security governance is a component of corporate governance

Page 16

Why is it part of Corporate Governance?

International regulatory framework includes:
− Basel II Capital Adequacy Accord 2005 – Bank for International Settlements (Basel, Switzerland)
− Domestic Security Enhancement Act 2003 (PATRIOT II), USA
− Vital Interdiction of Criminal Terrorist Organizations (VICTORY) Act 2003, USA
− Public Company Accounting Reform and Investor Protection (Sarbanes Oxley) Act 2002, USA – SEC registered/NYSE or NASDAQ listed
− Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act 2001
− Financial Modernization Act 1999 (Gramm-Leach-Bliley Act [GLB]), USA (US banking & finance)
− Data Protection Act 1998, UK
− California Security Breach Information Act 2003 (SB1386), California, USA
− Data Protection Directive 1995 (Directive 95/46/EC), European Union

Page 17

Why is it part of Corporate Governance?

Australian regulatory framework includes:
− Anti Money Laundering (AML) and Counter Terrorism Financing (CTF) Act 2006, Commonwealth of Australia (banks and insurance)
− Terrorism Insurance Act 2003, Commonwealth of Australia (insurance)
− Criminal Code Act 1995, Commonwealth of Australia
− Privacy Act 1988 (as amended), Commonwealth of Australia
− Liquid Fuel Emergency Act 1984, Commonwealth of Australia (fuel industry)
− Crimes Act 1914, Commonwealth of Australia

The regulatory environment is the DNA of security strategy

Page 18

Good security operations – Aligned to business objectives

Page 19

What is strategic risk?

The risk of a loss arising from a poor multi-year business decision

It is the failure to monitor, correctly interpret and respond to business and market change

Reduction in business relevance and value of security capabilities

Loss of a clear ‘line-of-sight’ between security activities and business objectives

How do we minimise strategic risk?

Page 20

Alignment to business strategy

Example – Security ‘line of sight’ to business

Diagram (slide graphic): three parallel planning chains, each running from assessment through to operational plans and budgets.
− Business: Assessment of the Business → Vision and mission for the Business → Business Strategy → Business Strategic Plan → Business Operational Plans and Budgets
− Support Services: Assessment of Support Services Requirements → Vision and mission for Support Services → Support Services Strategy → Support Services Strategic Plan → Support Services Operational Plans and Budgets
− Security: Assessment of Security Requirements → Vision and mission for Security → Security Strategy → Security Strategic Plan → Security Operational Plans and Budgets

“Support services” may be risk, property or IT reporting lines depending on the security service e.g. physical or information and operational or governance

Page 21

Example – Capability Growth Strategy

Strategy is “how the mission will be achieved” i.e. security convergence (convergence strategy)

Strategic Planning is “how the strategy will be delivered”; Strategic Planning achieves strategy, achieved through:
• Identification of stakeholders
• Leveraging synergies
• Identification of synergies between stakeholders

Diagram (slide graphic): Capability Today → Capability Tomorrow

Trajectory is “the time required to deliver the strategy”

Page 22

Show me the money! – Increasing likelihood of budget approvals

Page 23

Is leading an innovation easy?

“Let it be noted that there is no more delicate matter to take in hand, nor more dangerous to conduct, nor more doubtful in its success, than to set up as a leader in the introduction of changes. For he who innovates will have for his enemies all those who are well off under the existing order, and only lukewarm supporters in those who might be better off under the new.”

− [Niccolò Machiavelli (1469-1527), The Prince, 1513, Chapter VI, para.5]

Page 24

Aligning projects to corporate culture

The prevailing corporate culture will ‘flavour’ the risk and security governance in place, for example:

− Conservative cultures - formal governance model i.e. more formal committees and deeper vertical structures

− Innovative cultures - flexible governance model i.e. greater autonomy and flatter horizontal structures

Understanding the prevailing corporate culture provides an insight into the governance model

− Stronger understanding of business priorities
− Greater chance of initial project budget approvals (opex, capex)

Page 25

ROI - Broad programs vs focussed projects

Page 26

Know your organisation’s project governance process

Page 27

Conclusion

Risk Convergence allows security to be viewed in a business context, creating optimal stakeholder buy-in

Perception of security is moving from ‘business assurance’ to ‘business enabler’

Security strategy must be aligned to the regulatory environment and business strategy

Security operations must be aligned to business objectives to demonstrate value

Projects must be aligned to corporate culture and deliver measurable business value

Page 28

A message from a past leader

“The era of procrastination, of half-measures, of soothing and baffling expedients, of delays, is coming to its close. In its place, we are entering a period of consequences.”

- Sir Winston Churchill - November 12, 1936

Page 29

Questions?

Contact details:

Theo Nassiokas, MBA (Tech Mgt), CISM, CPP, APAC regional head, IT risk, audit & regulatory – Investment banking sector

2006 National Executive Chair - Australian Information Security Association (AISA)

[email protected]
+65 9225 4449 (Singapore)
+61 (0)406 198 380 (Australia)

Thank you for your time!

Page 30

Appendix

Security convergence project budgets

Actual ‘security convergence’ project budgets, based on surveying 60 end users from Canada, Europe and the United States:

Spending on Converged Security Projects (per year in millions)

                                                      2004    2005    2006     2007     2008
Public sector                                         $250    $500    $1,200   $2,600   $5,001
Physical/logical access control projects               $30     $90      $248     $542     $994
Large-scale convergence projects                       $10     $36       $93     $202     $453
Small projects                                         $10     $30       $81     $172     $277
Other projects performed jointly by IT and
physical security departments                          $10     $35       $92     $191     $315
Total                                                 $311    $691    $1,713   $3,707   $7,039

(Source: Forrester Research, "Trends 2005: Security Convergence Gets Real")