
Dalim Basu + Nick Jones Human Aspect of Cyber Security

Date post: 14-Apr-2017
Upload: auditconferenceseurope

BE MORE INFORMED, VALUED AND SUCCESSFUL ISACA connects members with a global community of more than 110,000 constituents in over 180 countries worldwide. We develop and deliver industry-leading certifications, education, research and business frameworks. We equip and inspire individuals to be leaders in the fast-changing world of information systems, information technology and business by offering opportunities to:

NETWORK MORE Gain insights, share ideas and develop relationships with innovators and leaders in information systems audit, assurance, security, risk management, privacy and governance.

LEARN MORE Leverage award-winning certifications, publications, conferences and training. Members can earn up to 70 free Continuing Professional Education (CPE) hours annually.

BE MORE Access the most up-to-date thinking on standards, best practices, emerging trends and the rapidly evolving landscape of IS and IT. You have the talent. Become indispensable. Join ISACA and understand IS, IT and business on a profound level while staying on the cutting edge of research, standards and technology throughout your career.

ISACA – 110,000 people, CISA, CSX, CISM, CRISC, CGEIT, COBIT5, Risk, Assurance, Governance, Security & more

DALIM BASU FBCS, CITP, CISA, CRISC, PRINCE2, BSc.Hons.(London)

Dalim is Events Director at ISACA London Chapter. He plans, chairs and participates in many IT-related events. He is an IT professional with expertise in IT Governance and Risk Management. His work experience includes IT security, audit, compliance, controls, PMO and project management. He is Director of an IT Risk Management Consultancy, and has worked at many major financial and business services firms such as PwC, KPMG, Chase, ITN, Lehman, Lloyds Banking Group, Mitsubishi, Mizuho, Nomura, Shell and Zurich Financial Services. Dalim is also a Director of the Cloud Security Alliance, Chairman of the North London Branch of BCS – the Chartered Institute for IT, Chair of the BCS ELITE Group (South-East UK), and a judge of the BCS/Computing ‘UK IT Industry Awards’.

NICK JONES Nick has been Head of IT Risk & Compliance at BP since 2011. During this time he has delivered a global behavioural change program to strengthen risk management capability. This involved extensive leadership engagement and commitment to change, as well as building a professional risk and compliance network. As the risk process matured, so did the understanding that a new risk tool was needed, and this led to a program to migrate all the risk and compliance information into Archer. The global rollout was completed, but although it was technically feasible it met with resistance and did not fully integrate with existing security assurance processes. The last year has been spent harmonising the IT Risk and Security Assurance processes and aligning them with a new IT Security Standard. A key learning from this process is that tool implementations do not end at go-live: they are behavioural change programs that are only just beginning.

About the Presenters

Dalim Basu

- CyberSecurity – IT’s only Human

Nick Jones

- Effective Risk Management Requires Behavioural Change

Presentations

CyberSecurity – IT’s only Human

Dalim Basu

Events Director, ISACA London Chapter

Director, DSL Risk Management Consultancy

Brave Mad New World?

More threats

Anytime 24x7x365

Anywhere – is IT at risk throughout the organisation?

Diverse sources – from everywhere

Crash course

“People who aren’t concerned about

CyberSecurity probably don’t know

enough about it.”

Big rush to use innovative technologies

without adequate risk evaluation, controls

and testing.

Invitation - Come and drive my car (with untested steering and brakes)

Human Factors

Inadequate cybersecurity (CS) knowledge

Social engineering

Poor capture & communication of risks

Under-investment in security training

Using trust instead of procedures

No single point of accountability

Culture & relationship issues

Brave Cyber New World?

Cyber Everywhere

Security Essential

People are the weakest link

Technology is the Answer

REALLY?

What’s at Risk?

Loss of critical products / services / business

Customer / Company / Employee Data

Processes / Applications / Network / Infrastructure

Regulatory / Legal Compliance

Intellectual Property

Brand / Organisation Image

ISACA – Key trends & Drivers of Security

Consumerization

• Mobile devices

• Social media

• Cloud services

• Nonstandard

• Security as a Service

Continual Regulatory & Compliance Pressures

• SOX, PCI, EU Privacy

• ISO 27001

• Other regulations

Emerging Trends

• Decrease in time to exploit

• Targeted attacks

• Advanced persistent threats (APTs)

ISACA - methods for defence against APTs

The CS Cold War

- Who are the Bad Guys?

Nation States

Terrorist Groups

Organised Criminal Groups

Hacktivist Communities

Skilled Professional Hackers

Disaffected or Opportunist Insiders

Amateur Hackers

Anyone (unintentional incidents)

How Cyber Exposed is your firm?

Had CS breaches or data losses with external publicity?

Top-down CS understanding and commitment?

Are employees positive about firm and culture?

Clear responsibilities for apps, network, infrastructure, supply chain management, processes?

Also for compliance, BCP, legal, PR, marketing?

Continuous CS assessment incl. physical security?

Regular mandatory security training incl. CS?

Regular/ongoing self-monitoring & audit?

CyberSecurity Roles

[Dependent on firm size, risk appetite & budget]

Management – Chief CS Officer, Cyber Risk Manager, CS Architect

CS Specialists

GRC (Governance Risk & Compliance)

Operations

Assurance

Plus

BOARD & Senior Management *

Legal, Marketing, Publicity/PR, HR, Training *

Everyone in the firm*

Contractors & maintenance*

3rd party suppliers*

* Talk Risks & Benefits in their language

Conclusions

CyberCrime focus so far mostly on large / high-profile organisations

But we are all increasingly at risk & need to protect digital assets

Need more CS awareness in business/financial/human terms

Advise about “what can I do?”

Involve more people more

1. Understand the potential impact of cybercrime and warfare on your enterprise.

2. Understand end users, their cultural values and their behavior patterns.

3. Clearly state the business case for cybersecurity and the risk appetite of the enterprise.

4. Establish cybersecurity governance.

5. Manage cybersecurity using principles and enablers. (The principles and enablers found in COBIT 5 will help your organization ensure end-to-end governance that meets stakeholder needs, covers the enterprise end to end and provides a holistic approach, among other benefits. The processes, controls, activities and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.)

6. Know the cybersecurity assurance universe and objectives.

7. Provide reasonable assurance over cybersecurity. (This includes monitoring, internal reviews, audits and, as needed, investigative and forensic analysis.)

8. Establish and evolve systemic cybersecurity.

ISACA – 8 key principles

CyberSecurity – IT’s only Human

Dalim Basu

Events Director, ISACA London Chapter

Director, DSL Risk Management Consultancy

Acknowledgements to ISACA plus

‘Cybersecurity for Beginners’ by Raef Meeuwisse 2015

Effective Risk Management Requires

Behavioural Change

Nick Jones

Head of IT Risk & Compliance - BP

Frameworks and Processes are an Important Start

ISO 31000

COBIT 5

But How Do You Win Hearts And Minds?

• Leaders

• Customers

• Suppliers

• Teams/Networks

• All levels of your organisation

Effective Risk & Compliance Programmes Require Change

• Do your leaders understand the imperative for change – how do you engage them and make it personal for them?

• Does your organisation understand its strengths and weaknesses?

• What are the perceptions of your process at all levels of the organisation?

• Are your customers and suppliers on board?

• How do you bring processes to life?

• How do you maintain the momentum?

Do Your Leaders Understand The Imperative For Change

• Regulatory compliance is not a wonderful imperative for change, find a more compelling imperative

• Leaders need to feel personally committed to the change program and kept engaged throughout

• What are the personality types in your leadership team?

• What are their perceptions, what are their staff’s perceptions and do they understand the gap?

• Have your leaders made personal commitments to making a change and how do you help them to succeed?

How Good Are Your Processes And How Are They Perceived?

• Perform a benchmark and understand your strengths and weaknesses

• Survey your population’s views and beliefs and stratify the results by team and grade

• Play this back to your leadership, you may be surprised at the expectation gap

• Build a program based on the emotional responses and harness the energy where it exists

Bring Your Customers And Suppliers Along On The Journey

• Think about stakeholders in the broadest sense and analyse them

• Who are your supporters, who will pilot concepts for you, who can you bring on board, who are your change agents?

• Who are your detractors, who will be negative about your program, who will try to derail you?

• How can you leverage the positive energy and stop the negative drain on this?

• Spend enough time inspiring the people who will make you successful

• How do you turn up at meetings, pitches and stage gates feeling assured of the desired outcomes?

How Do You Maintain Momentum?

• Redo your benchmarks and surveys and celebrate successes

• Get your supporters to hail your successes

• Use thought leadership from outside your team, share best practices

• Focus on key stakeholders/areas of improvement, prioritise

• Change is a journey – people react differently and have different timelines

• You are likely to be ahead of the curve, be patient, reinforce key messages

Thank You - Q & A
