meraj ahmad - information security in a borderless world
TRANSCRIPT
The 3rd Kuwait Information Security Conference25 - 26 May 2011
Time for a re-think: Transform your security programto improve business performance
Information security in a borderless world
Time for a re-think: Transform your security program to improve business performance | Page 2© 2011 EYGM LimitedAll Rights Reserved
Meraj is a partner in Ernst & Young MENA and leads the Technology Sector for this region. He has extensive international experience in IT governance and strategy, technology management and enablement, and IT risk and security, gained during more than 25 years of advisory services experience, of which 15 have been in regional leadership roles,. He has worked widely within the public/government, financial and telecom sectors.Meraj earned his MBA from the Wharton Business School, University of Pennsylvania, and has been a speaker at numerous international and regional seminars and conferences.
Meraj AhmedPartner, Advisory Services KuwaitTechnology Sector Leader, Ernst & Young – Middle East & North Africa
Time for a re-think: Transform your security program to improve business performance | Page 3© 2011 EYGM LimitedAll Rights Reserved
Introduction
• Over the last year, we have witnessed a significant increase in the use of external service providers and the business adoption of new technologies such as cloud computing, social networking and Web 2.0.
• We have also seen technology advances that have provided an increasingly mobile workforce with seemingly endless ways to connect and interact with colleagues, customers and clients. Together, these changes are extending the enterprise, blurring the lines between home and office, co-worker and competitor and removing the traditional enterprise boundaries.
• It is within this changing business environment that our 2010 Global Information Security Survey specifically examines how organizations are adapting and addressing their information security needs.
Time for a re-think: Transform your security program to improve business performance | Page 4© 2011 EYGM LimitedAll Rights Reserved
Insights on information security
60% of organizations see increased risk from using social networking,cloud computing and personal mobile devices at work.
While only 52% of organizations indicate data leakage is a top “new”increased risk.
87% of organizations believe the damage to reputation and brand is themost significant issue related to data loss.
Yet, only 10% of respondents indicated that examining new and emergingtrends is a very important activity for the information security function.
However, 61% are not making policy adjustments or increasing securityawareness to address these new threats.Source – Ernst & Young’s 2010 Global Information Security Survey
Time for a re-think: Transform your security program to improve business performance | Page 5© 2011 EYGM LimitedAll Rights Reserved
60%
3%
37%
Yes, increasing level of risk
No, decreasing level of risk
Relatively constant level of risk
Borderless securityNew technology means new risk
Given current trends toward the use of such things as social networking, cloud computing and personal devices in the
enterprise, have you seen or perceived a change in the risk environment facing your organization?
60% of respondents perceived an increase in the level of risk they face due to the use of social networking, cloud computing and personal devices in the enterprise.
Shown: percentage of participants
Time for a re-think: Transform your security program to improve business performance | Page 6© 2011 EYGM LimitedAll Rights Reserved
17%
18%
22%
26%
28%
30%
30%
32%
32%
33%
34%
36%
41%
41%
42%
44%
48%
50%
50%
64%
74%
63%
68%
67%
63%
61%
64%
64%
63%
61%
58%
55%
55%
53%
50%
45%
45%
46%
19%
8%
15%
6%
5%
7%
9%
4%
4%
4%
5%
6%
4%
4%
5%
6%
7%
5%
4%
Outsourcing security functions
Forensics/f raud support
Recruiting security resources
Incident response plans and capabilities
Compliance with corporate policies
Secure development processes (e.g., secure coding, QA process)
Implementing security standards (e.g., ISO/IEC 27002:2005)
Security metrics and reporting
Protecting proprietary information
Vulnerability management technologies and processes
Protecting personal information
Security testing (e.g., attack and penetration)
Information security risk management
Compliance with regulatory requirements
Security awareness and training
Securing new technologies (e.g., cloud computing, virtualization)
Identity and access management technologies and processes
Business continuity/disaster recovery plans and capabilities
Data leakage/data loss prevention technologies and processes
Spend more Same or constant Spend less
Mobile computingOrganizations are recognizing the increased risks associated with mobile computing and are taking steps to address the issues
Compared to the previous year, does your organization plan to spend more, less or relatively the same amount over the next year
for the following activities? 50% of respondents plan on spending more over the next year on data leakage/data loss prevention technologies and processes.
Shown: Percentage of participants
Time for a re-think: Transform your security program to improve business performance | Page 7© 2011 EYGM LimitedAll Rights Reserved
Cloud computingRisks associated with cloud computing are not going undetected and must be addressed before business applications are moved to a public cloud
Which of the following “new” or increased risks have you identified?39% of respondentscited the loss of visibility of what happens to company data as an increasing risk when using cloud-based solutions.
Shown: Percentage of participants
Note: Multiple responses permitted
11%
13%
15%
17%
18%
22%
29%
34%
39%
52%
Performance management risks
Capacity management risks
Challenges in updating internal audit and compliance plans
Availability risks
Contract risks
Increased collaboration with individuals outside the enterprise
Dif f iculty in technical and procedural monitoring
Unauthorized access
Loss of visibility of what happens to company data
Data leakage risks
Time for a re-think: Transform your security program to improve business performance | Page 8© 2011 EYGM LimitedAll Rights Reserved
10%
12%
14%
16%
21%
25%
31%
34%
42%
45%
53%
56%
33%
20%
30%
37%
40%
34%
30%
43%
33%
36%
29%
26%
38%
26%
34%
31%
27%
25%
25%
18%
18%
15%
13%
12%
15%
20%
15%
12%
10%
11%
10%
4%
5%
3%
4%
4%
4%
22%
7%
4%
2%
5%
4%
1 %
2%
1 %
1 %
2%
Examining new and emerging IT trends
Facilitating mergers, acquisitions and divestitures
Enhancing new service or product launches
Managing external vendors
Improving IT and operational efficiencies
Improving stakeholder and investor confidence
Protecting intellectual property
Managing operational and (or) enterprise risk
Achieving compliance with corporate policies
Managing privacy and protecting personal information
Protecting reputation and brand
Achieving compliance with regulations
Very important 4 3 2 Not important
Social mediaFew companies have thoroughly examined the social media issue and developed an approach that will balance the business opportunity with the risk exposure
How important is information security in supporting the followingactivities in your organization?
Only 10% of respondents indicated that examining new and emerging IT trends was a very important activity forthe information security function to perform.
Shown: Percentage of participants
Time for a re-think: Transform your security program to improve business performance | Page 9© 2011 EYGM LimitedAll Rights Reserved
Our perspective• Establish a comprehensive IT risk management program that identifies and addresses the risks associated with new
and emerging technologies. • Undertake a risk assessment exercise to identify potential exposure and put in place appropriate risk-based
responses.• Take an “information-centric” view of security, which is better aligned with the organization’s business and
information flows.
• Increase the investment in data leakage prevention technologies, encryption and identity and access management solutions — focusing on the people who use the technology.
• Gain an understanding of the risks created by the use of new technologies — including technologies adopted personally by employees that may be used for business purposes.
• Information security policies should be reviewed and adjusted appropriately to establish the acceptable use and any specific restrictions related to mobile computing devices.
• Increase security awareness training activities for the mobile workforce. • Push enterprise security out to end-point devices to protect critical business information and provide better
alignment with the organization’s risk profile.
• Assess the legal, organizational and technological risks as well as the security issues related to placing information into the public cloud.
• Develop a company strategy, a governance model and an operational approach to cloud computing use, including the information security function to help define policies and guidelines.
• Set standards and minimum requirements to enable your organization to adopt cloud computing in as secure a manner as possible.
• Provide the online communities and social collaboration tools that the new workforce expects, but do so with a view that aligns enterprise requirements with personal responsibility to protect sensitive business information.
• Raise security awareness and personal responsibility to levels that have not been achieved before. • Inform every member of the organization on the risks and issues related to social media.
Borderless security
Mobile computing
Cloud computing
Social media
Time for a re-think: Transform your security program to improve business performance | Page 10© 2011 EYGM LimitedAll Rights Reserved
Transforming your security program
Time for a re-think: Transform your security program to improve business performance | Page 11© 2011 EYGM LimitedAll Rights Reserved
Begin a process to transform your security program
Scan internal and external environment
Define goals and evaluate posture
Step 1: Focus on current business drivers relevantto security and privacy
Step 3: Set security transformationgoals
Step 4: Diagnose current state vs. goals and identify gaps
Step 5: Identify short-term “wins” and long-term objectives
Develop transformation road map
Step 2: Gain management and external perspective on pressing IT and security/compliance issues
Confidential – © 2010 Ernst & Young Enhancing and sustaining business performance —Unlocking the value of internal audit| Page 32
Self-assessment How is your IA Function positioned to enhance and sustain business performance? (con't)
Improvedbusiness
performance
Focus area Basic Evolving Established Advanced Leading
MandateInternal audit strategy and objectives are narrowly defined with little or no input from executive management or the audit committee
Internal audit strategy, objectives and value contribution to the business are co-developed with executive management and the audit committee and are fully aligned with organizational strategies and business objectives
PeopleInternal audit does not utilize a people model to identify and align skills with key risk areas and internal/external stakeholder expectations
The internal audit function utilizes a formalized people model to document skills by level, and align skills with key risk areas and internal / external stakeholder expectations. Flexible sourcing of the resources with required skills
MethodsAudit needs assessment does not reflect the business strategy and risk profile
Full coordination and integration of risk assessment / audit planning and internal audit activities including regular updates to the audit needs assessment and re-evaluation of key business risks during the year
Technology enablement
The internal audit utilizes basic tools and technology with limited efficiency and leverage
Internal audit utilizes leading edge tools and technologies which enable effective / efficient work streams, continuous risk monitoring, collaborative efforts and efficient knowledge exchange
Risk
Cost
Value
ValueRisk
Cost
Value
Cost
Risk
• Focus on risks that matter
• Alignment to business objectives
• Create competitive advantage
• Lower costs• Greater efficiency• Less complexity
• Broader risk coverage
• Improved coordination
• Proactive approach
Step 6: Document expected outcomes, sequence activities and summarize program road map
Time for a re-think: Transform your security program to improve business performance | Page 12© 2011 EYGM LimitedAll Rights Reserved
Transform your security program to improve business / operational performance
Current state
Pressing IT andsecurity issues• • • • • Key business drivers• • • • •
Needed or in-process improvements
Short-term• • • • •
Long-term• • • • •
Identify the real risks Protect what matters most• Develop a security strategy focused on
business drivers and protectinghigh-value data
• Assume breaches will occur —improve processes that plan, protect,
detect and respond• Balance fundamentals with
emerging threat management• Establish and rationalize
access control modelsfor applications and information
• Align all aspects ofsecurity (information,privacy, physical and
business continuity)with the business
• Spend wisely in controls andtechnology — invest more in
people and processes • Consider selectively outsourcing
operational security program areas
Optimize for business performance
• Get governanceright — make securitya board-level priority
• Allow good security to drivecompliance, not vice versa
• Measure leading indicators to catch problems while they are still small
• Accept manageable risks that improve performance
• Define the organization’s overall risk appetiteand how information risk fits
• Identify the most important informationand applications, where they reside and who has or needs access
• Assess the threat landscape and develop predictive models highlighting your real exposures
Sustain an enterprise program
Enablebusiness performance
• Make security everyone’s responsibility
• Don’t restrict newer technologies; use the forces of change to enable them
• Broaden program to adopt enterprise-wide information risk management concepts
• Set security program goals and metrics that influence business performance
Security transformation goals
Time for a re-think: Transform your security program to improve business performance | Page 13© 2011 EYGM LimitedAll Rights Reserved
Business-level performance
Framework to enable your security programto address business / operational needs
Security technology enablementApplications Data Infrastructure
Security methods and processes
Identity and access Human resources Threat and vulnerability
Asset Information, data and privacy Business continuity and disaster recovery
Incident Operations and engineering Third party
Logging and monitoring Communications Physical andenvironmental security
Mandate, people and organization
Strategy and architecture Operations and integration Awareness and training
Integratedsecurityprogram
Security risk governance & risk management
Compliance Reporting and metrics
Risk culture Policy framework
Key business drivers
External challenges
Governance
Internal Audit
Integrated capabilities
Time for a re-think: Transform your security program to improve business performance | Page 14© 2011 EYGM LimitedAll Rights Reserved
Transform your security program to improve business performance
Identify thereal risks
Protect what matters most
Optimizefor business
performance
Sustainan enterprise program
Enable business
performance
Five questions forthe C-suite► Do you know how much
damage a security breach can do to your reputation or brand?
► Are internal and external threats considered when aligning your security strategy to your risk management efforts?
► How do you align key risk priorities in relation to your spending?
► Do you understand your risk appetite and how it allows you to take controlled risks?
► How does your IT risk management strategy support your overall business strategy?
Time for a re-think: Transform your security program to improve business performance | Page 15© 2011 EYGM LimitedAll Rights Reserved
Conventional thinking Leading thinking
Questions to ask
Identify the real risks
• Budget and organize a security program focused primarily on meeting immediate compliance needs
• Protect the perimeter and keep external threats out
• Focus on entry points, not exit points. Reactive, internally focused posture leads to constant firefighting mode addressing the latest threat or incident
• Define the organization’s overall risk appetite and how information risk fits
• Identify the most important information and applications, where they reside and who has/needs access
• Assess the threat landscape and develop predictive models highlighting your real exposures
• What is your organization’s risk culture?• Are you detecting and monitoring threats inside and outside the organization?• Have you anticipated new technology risks, such as mobile devices, social media and cloud
computing?
Time for a re-think: Transform your security program to improve business performance | Page 16© 2011 EYGM LimitedAll Rights Reserved
Conventional thinking Leading thinking
Questions to ask
Protect what matters most
• Security program budget and organization focused primarily on meeting immediate compliance needs
• Set goal and expectation to stop all attacks and threats
• Disproportionate focus on maintaining lower-risk/lower-value security activities
• User access and roles are set up based on last employee hired
• Develop a security strategy focused on business drivers and protecting high-value data
• Assume breaches will occur — improve processes that plan, protect, detect and respond
• Balance fundamentals with emerging threat management
• Establish and rationalize access control models for applications and information
• Have you considered automating security controls?• Are you using predictive indicators to analyze seemingly legitimate network activity?• Are your resources focused on emerging threats?
Time for a re-think: Transform your security program to improve business performance | Page 17© 2011 EYGM LimitedAll Rights Reserved
Conventional thinking Leading thinking
Questions to ask
Optimize for business performance
• Various security aspects exist in silos and are driven by compliance only
• Largest portion of security budget goes to technology solutions
• Fear of outsourcing anything security-related due to perceived loss of control. This results in the inability to focus on emerging technologies, new threats and new business initiatives
• Align all aspects of security (information, privacy, physical and business continuity) with the business
• Spend wisely in controls and technology — invest more in people and processes
• Consider selectively outsourcing operational security program areas
• Are you balancing spending money among key risk priorities?• Have you investigated the latent functionality of your existing tools?• Are you outsourcing any of your information security?
Time for a re-think: Transform your security program to improve business performance | Page 18© 2011 EYGM LimitedAll Rights Reserved
Conventional thinking Leading thinking
Questions to ask
Sustain an enterprise program
• Security viewed as sub-function of IT with little top management visibility
• Security program budget and organization focused on meeting immediate compliance needs
• Security metrics and reporting focused on historic trends. Inordinate time spent on reacting to major incidents
• Inherent security risk drives priorities. Lack of balanced risk view based on overall acceptable risk appetite
• Get governance right — make security a board-level priority
• Allow good security to drive compliance, not vice versa
• Measure leading indicators to catch problems while they are still small
• Accept manageable risks that improve performance
• Are you taking controlled risks rather than striving to eliminate risks altogether?• Are your key indicators trailing or leading?
Time for a re-think: Transform your security program to improve business performance | Page 19© 2011 EYGM LimitedAll Rights Reserved
Conventional thinking Leading thinking
Questions to ask
Enable business performance
• Security viewed as merely a function of the security team
• Ban emerging technologies (social media, mobile) until they are mature
• Program focused on perimeter and access management, not on all IT processes or all enterprise information (e.g., business unit, cloud and end-user computing)
• Security metrics are backward-looking and tactical and not linked to goals, outcomes or strategic business drivers
• Make security everyone’s responsibility
• Don’t restrict newer technologies; use the forces of change to enable them
• Broaden program to adopt enterprise-wide information risk management concepts
• Set security program goals/metrics that impact business performance
• Do all of the organization’s stakeholders understand the importance of information security?• Is your organization up-to-date with the new technologies hitting the workforce?• Does your organization have the right measures to create a scorecard on information
security at the enterprise level?
Time for a re-think: Transform your security program to improve business performance | Page 20© 2011 EYGM LimitedAll Rights Reserved
Thank You!