
Stop Thinking IT Security – Think Business Risk! Simon Piff, Vice President, Security Practice, IDC Asia Pacific



  1. Stop Thinking IT Security – Think Business Risk! Simon Piff, Vice President, Security Practice IDC Asia Pacific @spiffatidc www.cloudsec.com | #CLOUDSEC

  2. IDC FutureScape: IT Security Products and Services - APeJ Implications
  • 1. By 2019, 50% of all online transactions will incorporate biometric authentication driven by a ubiquitous technology infrastructure that enables low implementation costs and broad user acceptance.
  • 2. By 2019, more than 75% of IoT device manufacturers will use security and privacy as competitive positioning to capture the attention of security and privacy advocates and earn consumer trust.
  • 3. By 2019, nearly every major multinational corporation with ties to the U.S. or Europe will face significant cybersecurity attacks aimed at disruption of commodities.
  • 4. Over the next two years, 80% of consumers in developed nations will defect from a business because their personally identifiable information is impacted in a security breach.
  • 5. By 2018, 30% of enterprise cybersecurity environments will incorporate cognitive/AI technologies to assist humans in dealing with the vastly increasing scale and complexity of cyber threats.
  • 6. By 2018, 30% of enterprise customers will leverage analytics-as-a-service to help solve the challenge of combing through security related data and events.
  • 7. By 2020, cloud security gateway functionality begins to be integrated as part of web service offerings to entice IT leaders to move offerings to the cloud.
  • 8. By 2020, 30% of U.S. broadband homes will have at least one IP enabled home automation or security monitoring sensor/device.
  • 9. Reactive security services such as Incident Response and Forensics services will marginally increase by 2020 but still overshadow proactive services.
  • 10. By 2025, on-premises security management will be a thing of the past, subsumed by SaaS security and Network-based security.
  [Chart: the ten predictions plotted by ORGANIZATIONAL IMPACT (a single business unit / multiple departments / companywide) against TIME (MONTHS) TO MAINSTREAM (0-12 / 12-24 / 24+). Plotted labels: Cyberattack Disruption, Biometric Authentication, Consumer PII, IoT Security and Privacy, Cognitive Cybersecurity, Cloud Security Gateways, Incident Response Retainers, Analytics-as-a-Service, Cloud, Hosted & SaaS Security Services, IP enabled Home Automation.]
  Source: IDC FutureScape: Worldwide IT Security Products and Services 2017 Predictions – Asia/Pacific Excluding Japan Implications. Doc #AP42209917

  3. Getting Past The Eye Test (on Previous Slide) • Mobile biometrics • Analytics • IoT • Cloud security • Cyber-terrorism/warfare • Incident response and Forensics • Consumer reaction • Security as a service • Machine learning/AI

  4. So Much For The Future. What about today?

  5. IDC IT Security MaturityScape Benchmark Report - APeJ
  Stage distribution (percentages as listed on the slide; 84% at Stages 1 and 2): 43.8%, 40.2%, 9.2%, 6.1%, 0.7%. n = 852.
  • Stage 1 – Naïve Novice: Employ basic operational security measures and act on security needs as they arise. Business Outcome: Organization unknowingly accepts large risks that leave it extremely vulnerable.
  • Stage 2 – Reactive Responder: Full-time staff address most significant security requirements but look to external sources to provide guidance in a compliance-oriented program. Business Outcome: Organization keeps auditors at bay but can be challenged in a breach scenario and overspends on ineffective measures.
  • Stage 3 – Compliant Companion: Solid security program and control framework address all regulator needs and internal risk assessments. Business Outcome: Organization invests significant resources and money but has difficulty describing value proposition in strategic terms.
  • Stage 4 – Proactive Partner: Robust security program with strong compliance and early exploration of the cost effectiveness of solutions. Business Outcome: Organization successfully manages risk but lacks understanding of critical overarching business context.
  • Stage 5 – Predictive Professional: Risk recognized as an element of overall business value proposition for technology, and the security strategy approach seeks most efficient and effective ways to manage enterprise security. Business Outcome: Organization has an efficient and effective economics-driven security strategy, including risk returned per unit cost, for the entire portfolio.

  6. IDC IT Security MaturityScape Benchmark Report - India
  Stage distribution (percentages as listed on the slide; 94% at Stages 1 and 2): 51.5%, 42.5%, 4.6%, 1.3%, 0.1%.
  • Stage 1 – Naïve Novice: Employ basic operational security measures and act on security needs as they arise. Business Outcome: Organization unknowingly accepts large risks that leave it extremely vulnerable.
  • Stage 2 – Reactive Responder: Full-time staff address most significant security requirements but look to external sources to provide guidance in a compliance-oriented program. Business Outcome: Organization keeps auditors at bay but can be challenged in a breach scenario and overspends on ineffective measures.
  • Stage 3 – Compliant Companion: Solid security program and control framework address all regulator needs and internal risk assessments. Business Outcome: Organization invests significant resources and money but has difficulty describing value proposition in strategic terms.
  • Stage 4 – Proactive Partner: Robust security program with strong compliance and early exploration of the cost effectiveness of solutions. Business Outcome: Organization successfully manages risk but lacks understanding of critical overarching business context.
  • Stage 5 – Predictive Professional: Risk recognized as an element of overall business value proposition for technology, and the security strategy approach seeks most efficient and effective ways to manage enterprise security. Business Outcome: Organization has an efficient and effective economics-driven security strategy, including risk returned per unit cost, for the entire portfolio.

  7. [Chart: two values shown, 31.4% and 19.4%.] Source: IDC Asia/Pacific C-suite Barometer Research 2017, India

  8. The Critical Issue for all organizations • It’s not about IT security – this limits the view and places all the resolution onto over-stretched IT teams. • It is about Business Risk – this engages the business units, the executive and the board, and helps define the role IT plays in the process.

  9. Attacks are Everywhere!

  10. A Highly Transformed Industry • Niche engineers design advanced products • One organization employs hundreds of malware designers, linguists and other professionals • Key products will check the keyboard language before choosing to execute, or not • Avoidance technology embedded in many “applications” (seeking bare metal, and not a VM, before executing) • Use social engineering for targeted campaigns • Extensive use of big data and analytics to identify further opportunities • Delivers 24x7 helpdesk support • Offers a range of offerings “as a service” • Leverages Cryptocurrency for global transactions

  11. However … old habits die hard

  12. Distributed Integrity
  • Prevention: Endpoint, AV, firewalls, patches, user training, 2FA, gateways, micro-segmentation
  • Detection: Monitoring, analytics, IDS, DLP, tags and tethers
  • Mitigation: Mesh, Hub & Spoke. More process driven than technological
  • Response: IT response; Crisis Management response; Legal mitigation, press & PR strategy

  13. Essential Guidance

  14. Re-Format the Issue • It’s not IT security. It’s what IT can do to limit business risk • Engages other parts of the organization that need to have a stake • Ensure the CEO/Board understand there is no such thing as being connected and 100% secure • Drives the conversation from protection to risk management and mitigation • IT security has at least two distinct mindsets: • Hunters – who are constantly tasked with seeking threats across the internal systems • Remediation team – who respond to and remediate the threats that the Hunters detect

  15. The funding model for IT Security is more akin to Military Spending than to traditional IT metrics of ROI

  16. Understand Your Unique Environment • What is at stake for the business? • Legislative compliance • Core Intellectual Property • Personally Identifiable Information (customers, employees, partners) • Business Continuity • Understand the Threatscape • What do you own that is of value to the hacking community? • How equipped are you to protect this from a persistent threat? • How well do you monitor your internal systems and critical employees? • What level of access do you provide to customers, partners and contractors?

  17. Resourcing!! • The future is SecDevOps • Embed security at the outset, no more bolting-on after the fact • Chief Security Officer • Have one! • Not reporting into IT! • The “Hunter” team only reports into the CSO (Remediation team is part of the CIO, COO remit) • CEO engagement • If the CEO does not have a KPI for security, then it will never get the attention it requires
