Date posted: 14-Apr-2017
Uploaded by: auditconferenceseurope
BE MORE INFORMED, VALUED AND SUCCESSFUL ISACA connects members with a global community of more than 110,000 constituents in over 180 countries worldwide. We develop and deliver industry-leading certifications, education, research and business frameworks. We equip and inspire individuals to be leaders in the fast-changing world of information systems, information technology and business by offering opportunities to:
NETWORK MORE Gain insights, share ideas and develop relationships with innovators and leaders in information systems audit, assurance, security, risk management, privacy and governance.
LEARN MORE Leverage award-winning certifications, publications, conferences and training. Members can earn up to 70 free Continuing Professional Education (CPE) hours annually.
BE MORE Access the most up-to-date thinking on standards, best practices, emerging trends and the rapidly evolving landscape of IS and IT. You have the talent. Become indispensable. Join ISACA and understand IS, IT and business on a profound level while staying on the cutting edge of research, standards and technology throughout your career.
ISACA – 110,000 people, CISA, CSX, CISM, CRISC, CGEIT,
COBIT5, Risk, Assurance, Governance, Security & more
DALIM BASU FBCS, CITP, CISA, CRISC, PRINCE2, BSc.Hons.(London)
Dalim is Events Director at ISACA London Chapter. He plans, chairs and participates in many IT-related events. He is an IT professional with expertise in IT Governance and Risk Management. His work experience includes IT security, audit, compliance, controls, PMO and project management. He is Director of an IT Risk Management Consultancy, and has worked at many major financial and business services firms such as PwC, KPMG, Chase, ITN, Lehman, Lloyds Banking Group, Mitsubishi, Mizuho, Nomura, Shell and Zurich Financial Services. Dalim is also a Director of the Cloud Security Alliance, Chairman of the North London Branch of BCS – the Chartered Institute for IT, Chair of the BCS ELITE Group (South-East UK), and a judge of the BCS/Computing ‘UK IT Industry Awards’.
NICK JONES Nick has been Head of IT Risk & Compliance at BP since 2011. During this time he has delivered a global behavioural change programme to strengthen risk management capability. This involved extensive leadership engagement and commitment to change, as well as building a professional risk and compliance network. As the risk process matured, so did the understanding that a new risk tool was needed, and this led to a programme to migrate all the risk and compliance information into Archer. This global rollout was completed, and whilst it was technically feasible it met with resistance and did not fully integrate with existing security assurance processes. The last year has been spent harmonising the IT Risk and Security Assurance processes and aligning them with a new IT Security Standard. A key learning from this process is that tool implementations do not end at go-live: they are behavioural change programmes that are only just beginning.
About the Presenters
Dalim Basu
- CyberSecurity – IT’s only Human
Nick Jones
- Effective Risk Management Requires
Behavioural Change
Presentations
CyberSecurity – IT’s only Human
Dalim Basu
Events Director, ISACA London Chapter
Director, DSL Risk Management Consultancy
Brave Mad New World?
More threats
Anytime 24x7x365
Anywhere in the organisation – IT at risk?
Diverse sources – from everywhere
Crash course
“People who aren’t concerned about
CyberSecurity probably don’t know
enough about it.”
Big rush to use innovative technologies
without adequate risk evaluation, controls
and testing.
Invitation - Come and drive my car
(with untested steering and brakes)
Human Factors
Inadequate CS knowledge
Social engineering
Poor capture & communication of risks
Under-investment in security training
Using trust instead of procedures
No single point of accountability
Culture & relationship issues
Brave Cyber New World?
Cyber Everywhere
Security Essential
People are the weakest link
Technology is the Answer
REALLY?
What’s at Risk?
Loss of critical Products / Services / Business
Customer / Company / Employee Data
Processes / Applications / Network / Infrastructure
Regulatory / Legal Compliance
Intellectual Property
Brand / Organisation Image
ISACA – Key trends & Drivers of Security
Consumerization
• Mobile devices
• Social media
• Cloud services
• Nonstandard
• Security as a Service
Continual Regulatory & Compliance Pressures
• SOX, PCI, EU Privacy
• ISO 27001
• Other regulations
Emerging Trends
•Decrease in time to exploit
•Targeted attacks
•Advanced persistent threats (APTs)
The CS Cold War
- Who are the Bad Guys?
Nation States
Terrorist Groups
Organised Criminal Groups
Hacktivist Communities
Skilled Professional Hackers
Disaffected or Opportunist Insiders
Amateur Hackers
Anyone (unintentional incidents)
How Cyber Exposed is your firm?
Had CS breaches or data losses with external publicity?
Top-down CS understanding and commitment?
Are employees positive about firm and culture?
Clear responsibilities for apps, network, infrastructure, supply chain management, processes?
Also for compliance, BCP, legal, PR, marketing?
Continuous CS assessment incl. physical security?
Regular mandatory security training incl. CS?
Regular/ongoing self-monitoring & Audit?
CyberSecurity Roles
[Dependent on firm size, risk appetite & budget]
Management – Chief CS Officer,
Cyber Risk Manager, CS Architect
CS Specialists
GRC (Governance Risk & Compliance)
Operations
Assurance
Plus
BOARD & Senior Management *
Legal, Marketing, Publicity/PR, HR, Training *
Everyone in the firm*
Contractors & maintenance*
3rd party suppliers*
* Talk Risks & Benefits in their language
Conclusions
CyberCrime focus so far mostly on large / high-profile organisations
But we are all increasingly at risk & need to protect digital assets
Need more CS awareness in business/financial/human terms
Advise about “what can I do?”
Involve more people more
ISACA – 8 key principles
1. Understand the potential impact of cybercrime and warfare on your enterprise.
2. Understand end users, their cultural values and their behaviour patterns.
3. Clearly state the business case for cybersecurity and the risk appetite of the enterprise.
4. Establish cybersecurity governance.
5. Manage cybersecurity using principles and enablers. (The principles and enablers found in COBIT 5 will help your organisation ensure end-to-end governance that meets stakeholder needs, covers the enterprise end to end and provides a holistic approach, among other benefits. The processes, controls, activities and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.)
6. Know the cybersecurity assurance universe and objectives.
7. Provide reasonable assurance over cybersecurity. (This includes monitoring, internal reviews, audits and, as needed, investigative and forensic analysis.)
8. Establish and evolve systemic cybersecurity.
Acknowledgements: ISACA, and ‘Cybersecurity for Beginners’ by Raef Meeuwisse (2015)
Effective Risk Management Requires Behavioural Change
Nick Jones
Head of IT Risk & Compliance, BP
But How Do You Win Hearts And Minds?
• Leaders
• Customers
• Suppliers
• Teams/Networks
• All levels of your organisation
Effective Risk & Compliance Programmes Require Change
• Do your leaders understand the imperative for change – how do you engage them and make it personal for them?
• Does your organisation understand its strengths and weaknesses?
• What are the perceptions of your process at all levels of the organisation?
• Are your customers and suppliers on board?
• How do you bring processes to life?
• How do you maintain the momentum?
Do Your Leaders Understand The Imperative For Change?
• Regulatory compliance is not a wonderful imperative for change; find a more compelling imperative
• Leaders need to feel personally committed to the change programme and be kept engaged throughout
• What are the personality types in your leadership team?
• What are their perceptions, what are their staff’s perceptions, and do they understand the gap?
• Have your leaders made personal commitments to making a change, and how do you help them to succeed?
How Good Are Your Processes And How Are They Perceived?
• Perform a benchmark and understand your strengths and weaknesses
• Survey your population’s views and beliefs and stratify the results by team and grade
• Play this back to your leadership; you may be surprised at the expectation gap
• Build a programme based on the emotional responses and harness the energy where it exists
Bring Your Customers And Suppliers Along On The Journey
• Think about stakeholders in the broadest sense and analyse them
• Who are your supporters, who will pilot concepts for you, who can you bring on board, who are your change agents?
• Who are your detractors, who will be negative about your program, who will try and derail you?
• How can you leverage the positive energy and stop the negative drain on this?
• Spend enough time inspiring the people who will make you successful
• How do you turn up at meetings, pitches and stage gates feeling assured of the desired outcomes?
How Do You Maintain Momentum?
• Redo your benchmarks and surveys and celebrate successes
• Get your supporters to hail your successes
• Use thought leadership from outside your team; share best practices
• Focus on key stakeholders/areas of improvement; prioritise
• Change is a journey – people react differently and have different timelines
• You are likely to be ahead of the curve; be patient and reinforce key messages