Slide 1: Security Principles for CEOs
Fundamentals of a Risk-Aware Organization

Morten Bjørklund
Software Client Architect, IBM Security
October 24, 2014

© 2014 IBM Corporation
Slide 2: The soaring impact of breaches has created a new security reality

More Risk and Bigger Impact
- 3X increase in Java vulnerabilities (1)
- 15% increase in cost of a breach (2)
- $3.5M average cost per breach (2)
- 500,000,000 records breached (3)

1) Q3 2014 IBM X-Force Research and Development, increase from 2012 to 2013
2) 2014 Cost of a Data Breach, Ponemon Institute, global average cost, 15% increase from 2012 to 2013
3) Q3 2014 IBM X-Force Report
Slide 3: To address security, leaders must avoid common myths

- Your company is not infected. (It is.)
- Whatever you've done is enough. (It is not.)
- There's a silver bullet to protect you. (There's not.)
- You need to put your company on lock-down. (You don't.)
Slide 4: Use five fundamental security principles to help guide you

- Increase the security IQ of every employee (train, test, trick)
- Prepare to respond, faster (incidents will happen)
- Safeguard BYOD (the vanishing perimeter)
- Protect your crown jewels (define, protect, monitor)
- Leverage security intelligence (analytics = threat insights)
Slide 5: Make security education a continuous process – for everyone

Increase the security IQ of every employee

Train: Make training a priority from the start, then provide annual education – keep it fun and engaging.
Test: Require testing for all employees, and spell out the consequences for non-compliance.
Trick: Provide real-life scenarios that catch your employees off-guard with learning traps – "phish" them.

Sample "learning trap" phishing email shown on the slide:

  Subject: Your help needed for IBM Cloud opportunity
  From: Christina Martin
  To: Daniel Allen
  Please respond to: chris.martyn.ibm.executive

  Hi Daniel Allen,
  Your manager recommended you to contribute to a proposal for an important new client opportunity that I am working on. This is a great opportunity for IBM with large commissions likely when we win this account. Please review the material posted on CloudFile and provide your feedback by EOD. We're counting on you!
  http://fileinthesky.com/IBMClientOpportunity
  Thanks,

(The sender name does not match the reply-to address, the request is urgent, and the link points to an external file-sharing site: these are the cues the exercise trains employees to notice before clicking.)

Nearly 60% of security incidents are caused internally (1)

1) 2014 Cost of a Data Breach, Ponemon Institute
Slide 6: Prepare to respond more quickly and effectively to attacks

Prepare to respond, faster
- 50% of incident response plans are outdated (1)
- 66% of data breaches took months or more to discover (2)
- 92% of security decision-makers say that staffing issues contribute to a heightened level of risk (3)

What to do:
- Keep your incident response plan updated
- Constantly monitor to see if someone has breached your defenses
- Have an emergency response and forensics partner

1) 2013 IBM CISO Assessment
2) Verizon 2013 Data Breach Investigations Report
3) Surviving the Technical Security Skills Crisis: a commissioned study conducted by Forrester Consulting on behalf of IBM, May 2013
Slide 7: Get ahead of do-it-yourself BYOD with a formal program

Safeguard BYOD*
- 81% of employed adults use at least one personally-owned device for business (1)
- <1% of users surveyed had corporate security on their personal devices (1)
- 200M mobile workers use at least one business-focused app in a year (2)

Elements of a formal BYOD program:
- Manage the device
- Protect the data
- Protect the apps
- Protect the transaction
- Corporate container

* BYOD means 'bring your own device'

1) Harris Interactive, 2012
2) Global Mobile Enterprise 2011-2017 Forecast, Strategy Analytics
Slide 8: Identify your most critical data and protect these vital assets

Protect your crown jewels and other enterprise-critical data

of publicly traded corporations' value is represented by intellectual property (1)

- Define your organization's "crown jewels"
- Protect these valuable assets at all stages
- Monitor the access and usage of the data

1) 2013 Commission on the Theft of American Intellectual Property
Slide 9: Use analytics and insights for smarter prevention and defense

Leverage security intelligence

Data sources feeding the analytics:
- Endpoints
- Mobile devices
- Cloud infrastructure
- Data center devices
- Threat intelligence
- Network activity

Analytics applied to that data:
- Real-time correlation and analytics
- Anomaly detection
- Industry and geo trending
- Automated offense identification

Output: Prioritized incidents
Slide 10: Cybersecurity is a business risk that you need to manage actively

Everyone is part of the solution in a risk-aware culture, and effective security starts at the top.

- Get involved. Set the tone and develop a governance model.
- Engage the senior leadership.
- Take an active role in policy – even if it's unpopular.
- Make security an enabler, not an inhibitor.
Slide 11: We can help you get started

Principle: Increase the security IQ of every employee
How:
- IBM Security Essentials and Maturity Consulting
- IBM Cybersecurity Awareness and Training

Principle: Prepare to respond, faster
How:
- IBM Incident Response Planning
- IBM Emergency Response Services

Principle: Safeguard BYOD
How:
- IBM Fiberlink® Mobile Security Solutions
- IBM Mobile Application Security Assessment

Principle: Protect your crown jewels
How:
- IBM Critical Data Protection Program
- IBM InfoSphere Guardium®

Principle: Leverage security intelligence
How:
- IBM QRadar Security Intelligence Platform
- IBM Managed Security Services
Slide 12: One final tip

Tip: Ask your security team, "How many incidents did you handle last week?"
Hint: if they say zero, consider getting a maturity benchmark assessment.

Our research shows that nearly every large enterprise deals with at least two incidents a week.
Slide 13: Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.