Does IT Security Matter?
1 like339 views
The document discusses the significance of IT security in managing business risks at Zurich Financial Services, emphasizing a shift from traditional security measures to a more dynamic model. It critiques prior perspectives on IT security, advocating for a focus on securing business processes rather than just the security process itself. The conclusion stresses the necessity of making IT security relevant to business operations to ensure adequate funding and attention.
Does IT Security Matter?
- 1. Does IT Security Matter? Dr. Luke O’Connor Group IT Risk Zurich Financial Services, Switzerland Faculty of Information Technology, QUT November 27th, 2007
- 2. 2 Outline • A bit about Zurich and myself • Nicholas Carr and knowing your neighbours • Security Tectonics • The Explanation is Mightier than the Action • Risk and the New Math • Final Grains of Wisdom
- 3. 3 Introduction to Zurich • Offices in North America and Europe as well as in Asia Pacific, Latin America and other markets • Servicing capabilities to manage programs with risk exposure in more than 170 countries • Approximately 58,000 employees worldwide • Insurer of the majority of Fortune’s Global 100 companies • Net income attributable to shareholders of USD 4.5 billion in 2006 • Business operating profit of USD 5.9 billion in 2006
- 4. 4 My Background Industrial Research (6 yr) Wha t pe o ple m ig ht want Consulting (5 yr) Wha t pe o ple say the y want In house (2 yr) What pe o ple e xpe ct (Se curity) (Risk)
- 5. 5 Service ProvidersZurich Business G-IT Risk stakeholders GITR GSM Investigations Project risk management Capabilities Finance GITAG Process/QM Sourcing Audit Compliance Legal Risk Group functions G-IT support functions Industry Bodies & Suppliers GITRPartnerFocus G-ISP Consume information and Services External functions Business A Supplier ABusiness B Business C Business x Account Exec A Account Exec B Account Exec C Account Exec x SupplierB Supplier x Co-operate Service risk management Primary interface for G-IT
- 6. 6 Does IT Matter? • Carr, N, “IT Doesn’t Matter”, Harvard Busine ss Re vie w, Vol 81, 5, May 2003 • Carr, N, “Does IT Matter?”, 2004 “IT doesn’t matter and can’t bring strategic advantage at present!“ • Spend less • Follow, don't lead • Focus on vulnerabilities, not on opportunities • IT m anag e m e nt sho uld be co m e “bo ring ” • Manag e risks and co sts
- 7. 7 Good Neighbours, but Good Friends?
- 8. 8 The Continental Drift of C, I, A CIA better known to business as “Call in Accenture”
- 9. 9 The Explanation is Mightier Than the Action Security Business
- 11. 11 Notable Security Setbacks • Regulatory Frameworks over Security Frameworks (SOX over 7799) • Excel over FUD (Fear, Uncertainty and Doubt) • Reactive over Proactive • SLAs over Security Program • Commerical over Military
- 12. 12 The New-ish Security Model From Castle to Airport Castle Airport Security mechanisms are static and difficult to change. Security mechanisms are dynamic and responsive to threats. Reliance on a few mechanisms. Castle walls are impregnable. Once inside security mechanisms are minimal. Uses multiple overlapping technologies for defence in depth. Known community have unrestricted access within security boundary. Security must be maintained whilst an unknown population traverse. Security of inclusion (ensuring the right people have access to the right resources) and Security of exclusion (ensuring that assets are protected). Use of roles to determine security requirements. Silo mentality in organisation. Requires an open, co-ordinated, global approach to security.
- 13. 13 The next Big Thing: Network Access Control (NAC) How do you sell this to your IT Department or Business?
- 14. 14 From Security …. Objectives Controls Testing Report • ISO 1 7 7 9 9 • ISF • Co bit • NIST • Yo ur Po licie s and Standards • e tc … • ISO 1 7 7 9 9 • ISF • Co bit • NIST • Yo ur Se rvice Catalo g ue • e tc … • Do cum e ntatio n • Que stio nnaire s • Inte rvie ws • De m o nstratio ns • Inspe ctio ns • To o ling • 3rd Party Analysis • Co ntro l Effe ctive ne ss • Co m pliance • Risk • Mitig atio n • Prio ritie s Pe rce ive d De sire d Re ality The Plan
- 15. 15 … to Risk Description Trigger Consequence What could happen? How could it happen? What is the impact? Probability Severity How often? How bad?
- 16. 16 Controls as Risk (as is) Control C2 Needs Im provem ent Not Effective Effective Control Objective Risk? Risk? Risk? Control Assessment Risk Scenarios are reformulations of control deficiencies (gaps) Control C4 Control C3 Control C1 e.g. CoBIT, C2 C3 C4C1 NO ! Contr ol Gaps are poten tial trigg ers of Risk
- 17. 17 IT Risk – Com ponents IT Risk Components IT Projects Risk • Financial & Resources • Compliance & Audit • Contract & Supplier Mgmt • IT Architecture & Strategy • IT Project Management Risks • Facilities & Environment • IT Operations & Support • Time to Deliver • IT Security IT Services Risk • Service Level Management • Capacity Planning • Contingency Planning • Availability Management • Cost Management • Configuration Management • Problem Management • Change Management • Help Desk • Software Control & Distribution • IT Security
- 18. 18 Zurich’s IT Risk Managem ent Fram ework Below threshold Above threshold The ABC (Assessment of Business Criticality) risk analysis prioritizes resources Object to be assessed ABC1 Optimised risk analysis for projects Project Project Risk Tool Risk assessment Within PMO process 2 Risk register provides single global data store for analysis reporting Group IT - Risk Register (Central) 4 Project Risk Consulting Services Risk Consulting IT Security Risk Assessments Service Service Risk Tool Facilitated Assessments and Self-Assessments 3 Optimised risk analysis for services Group IT Risk Reporting Dashboard Actions monitoring QRR 5 Reporting, Escalation and Action Monitoring 1 2 3 4 5 No further Analysis Apply Policies and Standards
- 19. 19 Relation to Operational Risk
- 20. 20 Conclusion: Does IT Security Matter? • IT Security in general is not an end in itself • IT Security is one area competing for attention and funding, amongst many • If you don’t make IT security matter, it won’t • Keeping business secure is the main end • Focus on securing business processes not the process of securing • Excel is your new best friend • Make your spreadsheets work with their spreadsheets • A risk-based approach is the opportunity to speak business language • Don’t replace FUD with GIGO (garbage in, garbage out)
- 21. 21 Over to you
Editor's Notes
- #18: IT Risks are assessed according to the IT assets these have been defined by G-IT as being IT Projects or IT Services. The diagram above provides a high level summary of the broad risk categories for each asset group The risks identified from each asset class are recorded into Risk Registers which are then transferred to a Central Risk Register used to aggregate all risks Underlying IT Risk assessment within ZFS is the need to consider IT Security and the risks to the business associated with IT Security. This is explained more in later slides however the Framework includes a specific service for IT Risk Assessments