Presentation on theme: "Does IT Security Matter? Dr. Luke O’Connor Group IT Risk Zurich Financial Services, Switzerland Faculty of Information Technology, QUT November 27th, 2007."— Presentation transcript:
Does IT Security Matter? Dr. Luke O’Connor Group IT Risk Zurich Financial Services, Switzerland Faculty of Information Technology, QUT November 27th, 2007
2 Outline A bit about Zurich and myself Nicholas Carr and knowing your neighbours Security Tectonics The Explanation is Mightier than the Action Risk and the New Math Final Grains of Wisdom
3 Introduction to Zurich Offices in North America and Europe as well as in Asia Pacific, Latin America and other markets Servicing capabilities to manage programs with risk exposure in more than 170 countries Approximately 58,000 employees worldwide Insurer of the majority of Fortune’s Global 100 companies Net income attributable to shareholders of USD 4.5 billion in 2006 Business operating profit of USD 5.9 billion in 2006
4 My Background Industrial Research (6 yr) What people might want Consulting (5 yr) What people say they want In house (2 yr) What people expect (Security) (Risk)
5 Service Providers Zurich Business G-IT Risk stakeholders GITR GSM Investigations Project risk management Capabilities Finance GITAG Process/QM Sourcing Audit Compliance Legal Risk Group functions G-IT support functions Industry Bodies & Suppliers GITR Partner Focus G-ISP Consume information and Services External functions Business A Supplier A Business B Business C Business x Account Exec A Account Exec B Account Exec C Account Exec x Supplier B Supplier x Co-operate Service risk management Primary interface for G-IT
6 Does IT Matter? Carr, N, “IT Doesn’t Matter”, Harvard Business Review, Vol 81, 5, May 2003 Carr, N, “Does IT Matter?”, 2004 “IT doesn’t matter and can’t bring strategic advantage at present!“ Spend less Follow, don't lead Focus on vulnerabilities, not on opportunities IT management should become “boring” Manage risks and costs
11 Notable Security Setbacks Regulatory Frameworks over Security Frameworks (SOX over 7799) Excel over FUD (Fear, Uncertainty and Doubt) Reactive over Proactive SLAs over Security Program Commerical over Military
12 The New-ish Security Model From Castle to Airport CastleAirport Security mechanisms are static and difficult to change. Security mechanisms are dynamic and responsive to threats. Reliance on a few mechanisms. Castle walls are impregnable. Once inside security mechanisms are minimal. Uses multiple overlapping technologies for defence in depth. Known community have unrestricted access within security boundary. Security must be maintained whilst an unknown population traverse. Security of inclusion (ensuring the right people have access to the right resources) and Security of exclusion (ensuring that assets are protected). Use of roles to determine security requirements. Silo mentality in organisation.Requires an open, co-ordinated, global approach to security.
13 The next Big Thing: Network Access Control (NAC) How do you sell this to your IT Department or Business?
14 From Security …. ObjectivesControlsTestingReport ISO 17799 ISF Cobit NIST Your Policies and Standards etc … ISO 17799 ISF Cobit NIST Your Service Catalogue etc … Documentation Questionnaires Interviews Demonstrations Inspections Tooling 3rd Party Analysis Control Effectiveness Compliance Risk Mitigation Priorities PerceivedDesiredRealityThe Plan
15 … to Risk DescriptionTriggerConsequence What could happen?How could it happen?What is the impact? ProbabilitySeverity How often?How bad?
16 Controls as Risk (as is) Control C2 Needs Improvement Not Effective Effective Control Objective Risk? Control Assessment Risk Scenarios are reformulations of control deficiencies (gaps) Control C4 Control C3 Control C1 e.g. CoBIT, C2C2 C3C3 C4C4 C1C1 NO ! Control Gaps are potential triggers of Risk
17 IT Risk – Components IT Risk Components IT Projects Risk Financial & Resources Compliance & Audit Contract & Supplier Mgmt IT Architecture & Strategy IT Project Management Risks Facilities & Environment IT Operations & Support Time to Deliver IT Security IT Services Risk Service Level Management Capacity Planning Contingency Planning Availability Management Cost Management Configuration Management Problem Management Change Management Help Desk Software Control & Distribution IT Security
18 Zurich’s IT Risk Management Framework Below threshold Above threshold The ABC (Assessment of Business Criticality) risk analysis prioritizes resources Object to be assessed ABC 1 Optimised risk analysis for projects Project Project Risk Tool Risk assessment Within PMO process 2 Risk register provides single global data store for analysis reporting Group IT - Risk Register (Central) 4 Project Risk Consulting Services Risk Consulting IT Security Risk Assessments Service Service Risk Tool Facilitated Assessments and Self-Assessments 3 Optimised risk analysis for services Group IT Risk Reporting Dashboard Actions monitoring QRR 5 Reporting, Escalation and Action Monitoring 1 2 3 4 5 No further Analysis Apply Policies and Standards
20 Conclusion: Does IT Security Matter? IT Security in general is not an end in itself IT Security is one area competing for attention and funding, amongst many If you don’t make IT security matter, it won’t Keeping business secure is the main end Focus on securing business processes not the process of securing Excel is your new best friend Make your spreadsheets work with their spreadsheets A risk-based approach is the opportunity to speak business language Don’t replace FUD with GIGO (garbage in, garbage out)