




1 ADVISORY The business of information security – developing a business case IT ADVISORY

2 Agenda
- The hype around information security
- It's just infrastructure – just like plumbing!
- Classical drivers for information security
- What's in it for them (the business)?
- An example – identity management
- Conclusion – your business case for information security

3 The hype around information security
Business:
- Allows me to be more effective
- What's the difference from a laptop? I still have to log on, so it must be secure
Security:
- Creates a significant number of "new" weaknesses
- Even less control and visibility over the user's actions
- "Destroys" the perimeter

4 The hype around information security
Business:
- Preventing progress is not an option, so find a workaround
- We haven't been hacked, so what we're doing is probably enough
- What's the bare minimum we can get away with to meet regulatory requirements?
Security:
- Two-factor authentication
- Cybercrime
- The insider threat
- WS-Security, SAML, IDS, IPS, NIDS, HIDS, PKI, biometrics, and the list goes on...
- Threat and vulnerability management

5 It's just infrastructure – just like plumbing!
Bottom line: we continually reinforce the business' view of security by failing to speak in their language – or even to listen.
Result: we're still talking IT and commodity-level functions and services.
Quick demographic poll!

6 Classical drivers for information security
- Compliance
- Fear, Uncertainty and Doubt (FUD)
- Keeping up with the Joneses
- Risk management – financial, regulatory, brand, etc.
The good news for security? BRAND risk is becoming the #1 concern of the business.

7 What's in it for them (the business)?
What security says:
- Two-factor authentication
- Cybercrime
- The insider threat
- WS-Security, SAML, IDS, IPS, NIDS, HIDS, PKI, biometrics, and the list goes on...
- Threat and vulnerability management
(through the "Magic Security Language Translator" of the slide graphic)
What the business hears – value creation:
- Increased trust in our brand
- Stronger position in M&A
- Faster time to market
- Reduction of loss due to fraud
- Better use of what we already have
- Process improvement and optimisation

8 What's in it for them (the business)?
[Figure: security maturity (vertical axis) against time (horizontal axis), three stages in order]
- Non-compliant: disconnected, manual, inconsistent
- Compliant: bolt-ons, consistent, obtrusive, project focus, compensating control reliance
- Embedded (BAU): self-optimising, unobtrusive, integrated, automated, compliant, enterprise focus, key control effectiveness, scalable
Figure annotations: "It won't happen to us", "If it ain't broke don't fix it", "Most orgs."

9 What's in it for them (the business)?
[Figure: business value, low to high, of the Current Approach versus the Recommended Approach; elements labelled IT Processes, Business Process, Supply Chain, IT Organisation and Stakeholders]

10 An example – identity management
[Figure: strategy map linking mission to KPIs and governance]
Mission: Be the best financial services institution in the world
Customer strategy: Be viewed by our customers as the most trusted brand in the business
IT strategy: Ensure seamless, available and secure IT services and assets are in place to support achievement of the customer strategy
Components: Applications, Customers, Security, DR, Projects
Goals (CSFs): Single customer view; Seamless to the customer; No breaches; 24/7 availability; First to market
KPIs: Customer satisfaction; Application integration; Losses; Outages; Market share
Governance and reporting: Board and Audit Committee; Risk and Compliance Committee; IT Risk Committee; Enterprise CIO; Business Unit CIOs; Security management and operations

11 An example – identity management
A business case for identity management can be driven by a variety of factors, mostly determined by the business:
- Regulatory compliance – SOX
- A better customer experience
  - Simplified sign-on to applications and partner sites
  - Knowing your customer (tying it back to CRM)
  - Cross-selling, customer retention, introducing new products and services
- Business efficiencies and transformation
  - Compliant provisioning on day 0 for new starters
  - Self-service maintenance of customer records (contact details, profile etc.)
  - Immediate de-provisioning for terminations
  - Reduction of operational costs for user management activities
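The provisioning and de-provisioning items above are the part of this example that a control can actually measure, which is what lets the security case be tied to a KPI rather than to fear or compliance. The following is an added example, not part of the original presentation: a Python reconciliation of an HR feed against a directory export that reports the joiners with no account on their start date, the leavers whose accounts are still enabled, the accounts with no HR owner at all, and a "leaver access closed" ratio of the kind a business case can promise and later report on. The record layouts, employee IDs, usernames and dates are all constructed for the example.

```python
"""Joiner/leaver reconciliation between an HR feed and a directory export.

Added example, not code from the original presentation. The record shapes,
IDs, usernames and dates below are constructed sample data; a real run would
read the HR system of record and the directory (AD/LDAP/IdM) export instead.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    start: date
    termination: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    employee_id: str  # empty string when the account has no HR owner
    username: str
    enabled: bool


# Constructed sample data (assumption: HR is the source of truth for people).
HR_FEED = [
    HrRecord("E100", date(2007, 3, 1), None),                    # employed, has account
    HrRecord("E101", date(2007, 3, 5), None),                    # starts today, no account
    HrRecord("E102", date(2007, 1, 15), date(2007, 3, 2)),       # left, still enabled
    HrRecord("E103", date(2007, 1, 15), date(2007, 2, 28)),      # left, disabled correctly
]
DIRECTORY = [
    Account("E100", "jsmith", True),
    Account("E102", "akhan", True),
    Account("E103", "bwong", False),
    Account("", "svc-backup", True),  # orphaned: nobody in HR owns it
]
TODAY = date(2007, 3, 5)


def reconcile(hr, directory, today):
    """Return the actions needed to bring the directory in line with HR."""
    accounts_by_emp = {a.employee_id: a for a in directory if a.employee_id}
    hr_by_id = {r.employee_id: r for r in hr}

    # Day-0 provisioning: employed as of today but no account exists yet.
    provision = sorted(
        r.employee_id for r in hr
        if r.start <= today and r.termination is None
        and r.employee_id not in accounts_by_emp
    )
    # Immediate de-provisioning: terminated on or before today, account still enabled.
    deprovision = sorted(
        a.username for a in directory
        if a.enabled and a.employee_id in hr_by_id
        and hr_by_id[a.employee_id].termination is not None
        and hr_by_id[a.employee_id].termination <= today
    )
    # Orphans: enabled accounts that map to nobody in the HR feed.
    orphaned = sorted(
        a.username for a in directory
        if a.enabled and a.employee_id not in hr_by_id
    )
    return {"provision": provision, "deprovision": deprovision, "orphaned": orphaned}


def leaver_kpi(hr, directory, today):
    """KPI: fraction of terminated staff whose access is actually disabled.

    1.0 means every leaver's access was removed; anything below that is the
    residual exposure a business owner can understand without security jargon.
    """
    leavers = [r for r in hr if r.termination is not None and r.termination <= today]
    if not leavers:
        return 1.0
    still_enabled = {a.employee_id for a in directory if a.enabled}
    closed = sum(1 for r in leavers if r.employee_id not in still_enabled)
    return closed / len(leavers)


if __name__ == "__main__":
    actions = reconcile(HR_FEED, DIRECTORY, TODAY)
    for action, items in actions.items():
        print(f"{action:12s} {', '.join(items) or '-'}")
    print(f"leaver access closed: {leaver_kpi(HR_FEED, DIRECTORY, TODAY):.0%}")
```

Run it daily against the real feeds and the three lists become the work queue for the identity team, while the ratio (and the size of the orphan list) is the number that goes into the KPI dashboard; that is the link between "immediate de-provisioning" as a security control and "losses" or "no breaches" as a business CSF.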

12 Conclusion – your business case for information security
"Business cases for information security in 5 easy steps", by Rob Goldberg
- Step 1: Identify the business' strategies
- Step 2: Identify the CSFs for achieving the business strategies
- Step 3: Identify the KPIs which measure the achievement of the CSFs
- Step 4: Identify security risks which can affect the KPIs
- Step 5: Define security risk mitigation approaches that minimise the impact on the KPIs and clearly link them to value creation
Later, measure results to demonstrate benefits realisation (qualitative and quantitative) – this will make it easier to get future business cases across the line.

13 Conclusion – your business case for information security
- It's not about you! Put yourself in the business owner's shoes (WIIFM)
- Engage the business – a tired old adage, but HOW?!
- Understand their KPIs – talk to them in their language, not in the language of fear, compliance and controls
- Gain their confidence by connecting security directly to their KPIs and to the primary processes of the business
- No, it's not easy. But focus on the aspects of the business that create value and link the security discussion to those, rather than to the technology and the argument of "security for security's sake"
- Remember, the business is always right

14 Presenter's contact details
Name: Rob Goldberg, CISSP
Position: Partner, Asia Pacific Leader, Security, Privacy and Continuity Services
Phone number: +61 2 9335 7728
Email: rhgoldberg@kpmg.com.au

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. © 2007 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International. Liability limited by a scheme approved under Professional Standards Legislation.

