Infosec russia cnemeth_v1.2.ppt

Keynote speech presented at Infosecurity Russia 2012

Uploaded by christophe-nemeth-cissp-cism on 08-Jun-2015

TRANSCRIPT

Page 1: Infosec russia cnemeth_v1.2.ppt

Information Security
New paradigm

Christophe Nemeth, INOVEMENT Group, +41 79 477 50 23
[email protected]

Page 2

Agenda

• Information Security Today
• Key Risks
• New Information Era
• New Information Security Paradigm
• From Technical to Organizational
• A Business Information Security Strategy
• Questions

Page 3

Information Security Today

• Castle Analogy
• Technical approach
• Operational

Page 4

Key Risks

• Key Security Risks
  - Cyber Security
    ‣ Origin: Hacker
  - Compliance
    ‣ Origin: Law & Regulations
  - Continuity
    ‣ Origin: Major Outage
  - Business Transformation
    ‣ Origin: Information Security
• Information Security Measures to
  - Protect data
  - Protect operations
  - Protect reputation
  - Protect revenue

Page 5

New Information Era

• Hyper-connected Era
• Boundaryless information flows across organizations
• A hardened perimeter security strategy is impossible to sustain and is fundamentally at odds with an agile business model.
• Entire value chains, from suppliers to customers, are electronically connected and collaborating as never before.
• The number of mobile workers is expected to reach 1.3 billion by 2015.
• Deperimeterization

Figures and content of this slide are from: http://www.ibm.com/smarterplanet/us/en/index.html

Page 6

New Information Security Concerns

• New technologies bring new user behaviors:
  - Cloud Computing
  - Mobile Devices
  - BYOD
  - Social Media

Page 7

New Information Security Concerns

• Systemic approach, why?
  - Mobile means BYOD
  - BYOD means Social Media
  - Mobile/BYOD means Synchronization
  - Synchronization means Cloud
• New technology adoption is an enterprise-wide approach

Page 8

Mobile - BYOD

• Find the right balance between openness and risk management.
• Their devices, ... your data?
• It blurs professional and private
  - identities
  - activities
  - information

Page 9

Mobile - BYOD

• Key Rules
  - Establish the rules and spread the word (Policies, Acceptable Use)
    ‣ Define boundaries
    ‣ Communicate the new rules
  - Identify key legal aspects (Privacy)
  - Register every device (Asset Management)
  - Force use of common tools (Enforce)
  - Incident response for loss or theft (Process)

Figures and content of this slide are from: http://www.ibm.com/smarterplanet/us/en/index.html

Page 10

Cloud

Page 11

Cloud

• In a recent Ponemon Institute report (2011), over 60% of surveyed US and European cloud service providers said they were unsure if their cloud applications were sufficiently secured.
• A majority of those cloud providers believed it was their customer's responsibility to secure the cloud, not theirs.
• The majority of cloud providers admit they do not have dedicated security personnel.
• Most cloud service providers do not have confidence that customers' security requirements are being met.

Figures and content of this slide are from: http://www.ibm.com/smarterplanet/us/en/index.html

Page 12

Cloud

• Most security technologies are not widely deployed.

Figures and content of this slide are from Ponemon Institute

Page 13

Cloud

• Key Rules
  - Best Practices
    ‣ CSA: https://cloudsecurityalliance.org/
  - Cloud Audit Tool
    ‣ COBIT - IT Control Objectives for Cloud Computing (193 pages)
  - Broad Enterprise Approach
    ‣ Bring Business into decision process
  - Governance (Data and Process)
    ‣ Purchasing (Finance)
    ‣ Risk Management
    ‣ Contract (Legal)
    ‣ Information Security (Information Security Policy)

Page 14

Social Media

• Now, engaging in social media, inside and outside of the company, is a strategic imperative.
• In a recent Ponemon Institute survey,
  - nearly 70% of global respondents said that social media is now very important for achieving their business objectives
  - 63% of respondents said that social media puts their organization at risk
  - but only 29% admitted to having the necessary security controls to mitigate that threat

Figures and content of this slide are from Ponemon Institute

Page 15

Social Media

• Key Rules
  - Read terms of use and privacy policies
  - Be authentic
  - Think before posting
  - Respect others' rights
  - Be careful with connections

Figures and content of this slide are from: http://www.ibm.com/smarterplanet/us/en/index.html

Page 16

New Information Paradigm

• More than 80% of executives surveyed in 2008 said they "occasionally" or "often" didn't pursue innovative business opportunities because of information protection concerns.
• Questions?
  - Do we continue to live in a crisis response mode or do we adopt a proactive future risk management strategy?
  - Do we say "NO" constantly to business or do we help it to achieve their business objectives, making them aware of emerging information risks?

Figures and content of this slide are from: http://www.ibm.com/smarterplanet/us/en/index.html

Page 17

To a New Security Role

• Participate in Innovation
• Crisis response mode or proactive future risk management strategy?
• From a responder's mode to an influencer's mode.
• Participate in systemic changes that span functions, including legal, business operations, finance, human resources and more.
• Adopt a wider view of information protection that extends beyond just security measures.
• Deal with future threats and the integration of new technologies related to the business.

Page 18

From Technical to Business

• It means from a "NO" attitude, due to lack of time, to a "YES" approach, collaborating with the business.
• 5 functions in Information Security
  - Define (Strategy, Innovation, Emerging Risks) - NEW!
  - Plan (Policy and Controls definition) - CISO
  - Implement (Operations) - Head of Operations and Team
  - Measure (Audit and Compliance) - Head of Audit
  - Respond (Incident Response) - Head of Response Team

Figures and content of this slide are from: http://www.ibm.com/smarterplanet/us/en/index.html

Page 19

Information Security for Business

• Define (Strategy, Innovation, Emerging Risks) - NEW!
  - Collaboration with the business and innovation
  - Help the business go faster, further.
  - Don't stop the train, open the roads.
  - Extend the perimeter
  - Business-centric security strategy

Page 20

Questions

• Christophe Nemeth
• [email protected]
• www.inovement.com