SAFE KNOWLEDGE www.zondex.com SAFE KNOWLEDGE GEOFF ROBERTS Implementation Partner AUSTRALIAN PROJECTS PTY LIMITED IT Security and Data Protection

SAFE KNOWLEDGE. GEOFF ROBERTS Implementation Partner AUSTRALIAN PROJECTS PTY LIMITED IT Security and Data Protection. The Management versus Technical Staff Challenge. - PowerPoint PPT Presentation

Page 1: SAFE KNOWLEDGE

SAFE KNOWLEDGE www.zondex.com

SAFE KNOWLEDGE

GEOFF ROBERTS

Implementation Partner

AUSTRALIAN PROJECTS PTY LIMITED

IT Security and Data Protection

Page 2: SAFE KNOWLEDGE

The Management versus Technical Staff Challenge

Create win-win IT security outcomes that meet management objectives for the enterprise, and realistic productivity expectations of the IT department

Page 3: SAFE KNOWLEDGE

Differing cultures

Non-technical managers are mostly in a world of budgets, timeframes, deadlines, deliverables, results and the “big picture”

IT staff are mostly in a world of rapid change, uncertainties, threats, complexity and detail, as well as timeframes, deadlines and deliverables

The difference is often clear to IT staff but unclear to non-technical managers

Page 4: SAFE KNOWLEDGE

The Management versus Technical Staff Conundrum

Corporate structure that fails to acknowledge a rapidly changing security landscape

Poorly defined IT security roles and responsibilities for non-technical management and IT management teams

Failure of technical expectations to be fulfilled due to unrealistically low budgets and failure of non-technical management to approve sufficient human resources to meet the requirements of the IT department

No common approach and a lack of language clarity between management and technical staff

Page 5: SAFE KNOWLEDGE

Enterprise Structure

Enterprise management and IT department in separate isolated silos

These silos fail to share accountability and responsibility for IT security policy and practice

The silo approach does not work because shared responsibilities and communications are often neglected

Silos can address isolated work area requirements but will leave gaps across the whole enterprise (including legal)

Page 6: SAFE KNOWLEDGE

Roles and Responsibilities

Inappropriate delegation of responsibilities and tasks is a common weakness

Legal responsibilities and associated liabilities delegated to the technical team with little or no ownership by senior non-technical management

Accountability that should be shared, erroneously devolved to the IT technical department instead of being “owned” from top management down

Page 7: SAFE KNOWLEDGE

Expectations and resources

Failure of management to articulate the IT security expectations of the enterprise

Management often underestimates the human resources needed to implement and manage IT security across the enterprise

Management often underestimates the financial cost to deliver a whole of enterprise security solution

Failure of technical team to communicate realistic requirements and timelines to meet the management expectation

Page 8: SAFE KNOWLEDGE

What about IT Security?

Management perceives IT security as a given

Therefore management tends to take it for granted

This can create a false sense of security

New IT security implementations are given low priority

IT security solutions often implemented after an incident has occurred … (reactive management, rather than proactive management)

Management failure to understand that IT security is a valid cost of doing business

Page 9: SAFE KNOWLEDGE

Bridging the GAP – How Mgmt sees IT Department

[Chart: Results (Output) against Time, showing Momentum, Potential and the GAP between them]

IT is uniquely positioned to bridge the gap!

Management want RESULTS

Page 10: SAFE KNOWLEDGE

Key challenges

Achieve a strategic whole-of-enterprise IT security solution to manage risk

Address strategic outcomes based on well informed and realistic expectations set by top management

Allocation of appropriate resources for each step of the process

Think strategically, act tactically, because each step is only a part of the whole

Page 11: SAFE KNOWLEDGE

Management Role

Set a realistic agenda in concert with the IT department ensuring expectations are deliverable

Assume overall responsibility and liability

Provide appropriate resources, human and financial, to deliver the desired outcome

Engage in continuing review with the IT department to ensure minimisation of risk associated with new and emerging threats

Page 12: SAFE KNOWLEDGE

IT Department Role

Provide management with accurate and timely information that will aid the planning and decision making process

Evaluate new and emerging products and services that may meet the IT security needs of the enterprise

Ensure language is clear and unambiguous for non-technical senior decision makers

Work to each pre-agreed management brief to ensure on-time and on-budget delivery

Page 13: SAFE KNOWLEDGE

Closing the gap

[Diagram: The Information Risk Spectrum – Logical Security, Physical Security, Process, Personnel Security, IT Security, IT Contingency, Business Continuity, Risk Management, Regulatory Requirements]

John Meakin – Standard Chartered Bank

Page 14: SAFE KNOWLEDGE

Risk – a common dialogue

Asset Values ($)

Vulnerabilities (access to assets)

Threats (scenario exploits vulnerability)

RISK

Page 15: SAFE KNOWLEDGE

Risk analysis

RISK = LIKELIHOOD x IMPACT

[Diagram: likelihood and impact built up from ASSET, CONTROLS, VULNERABILITY, THREAT and EXPOSURE FACTOR]

John Meakin – Standard Chartered Bank

Frequency & Exposure

Control Effectiveness

Unknown and Unquantifiable in absolute terms

Consequence – some guesswork

Page 16: SAFE KNOWLEDGE

Matrix – a common dialogue

[Matrix: each Risk is rated for Likelihood (Prob.) H/M/L and Impact H/M/L, giving its Degree of Risk (Consequence, Severity)]

Think generically about using Risk Assessments

Page 17: SAFE KNOWLEDGE

Where to start?

Look for High Likelihood, High Impact (HH)

Pareto

Demonstrate Cost/Benefit. Don’t emphasise ROI

Page 18: SAFE KNOWLEDGE

Prioritising

Critical Few

Trivial Many
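As an added worked example (not part of the presentation), the Risk = Likelihood x Impact model of the preceding slides turned into a small qualitative risk register that then applies the "look for HH" critical-few prioritisation; the asset names, dollar values, frequencies and the L/M/H thresholds are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class RiskItem:
    asset: str
    asset_value: float            # $ value of the asset (constructed)
    exposure_factor: float        # fraction of value lost per incident, 0..1
    threat_frequency: float       # expected incidents per year before controls
    control_effectiveness: float  # fraction of incidents the controls stop, 0..1

ORDINAL = {"L": 1, "M": 2, "H": 3}

def bin_level(value, mid, high):
    """Map a numeric estimate onto the deck's L / M / H scale using two thresholds."""
    if value >= high:
        return "H"
    if value >= mid:
        return "M"
    return "L"

def likelihood(item):
    """Residual likelihood: threat frequency reduced by control effectiveness."""
    residual = item.threat_frequency * (1.0 - item.control_effectiveness)
    return bin_level(residual, mid=0.1, high=1.0)   # thresholds in incidents/year (assumed)

def impact(item):
    """Consequence of one incident: asset value x exposure factor ($ thresholds assumed)."""
    return bin_level(item.asset_value * item.exposure_factor, mid=50_000, high=500_000)

def severity(item):
    """Risk = Likelihood x Impact on the 3x3 matrix: returns e.g. ('HM', 6)."""
    lik, imp = likelihood(item), impact(item)
    return lik + imp, ORDINAL[lik] * ORDINAL[imp]

def prioritise(register):
    """Highest severity first; ties go to the larger impact so consequence wins."""
    return sorted(register, key=lambda r: (severity(r)[1], ORDINAL[impact(r)]), reverse=True)

def critical_few(register):
    """The 'look for HH' starting point: items rated High on both axes."""
    return [r for r in register if severity(r)[0] == "HH"]

REGISTER = [  # constructed sample entries, not from the deck
    RiskItem("customer database", 2_000_000, 0.5, 2.0, 0.3),
    RiskItem("intranet wiki", 20_000, 0.2, 5.0, 0.5),
    RiskItem("payroll system", 800_000, 0.8, 0.05, 0.5),
    RiskItem("print server", 5_000, 1.0, 0.01, 0.0),
]
```

Running `prioritise(REGISTER)` puts the customer database (HH) first and the print server (LL) last, and `critical_few(REGISTER)` returns only the customer database, which is the "critical few" the slides say to start with.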

Page 19: SAFE KNOWLEDGE

Demonstrate value & results

Through appropriate metrics

In terms management understands

Avoid measuring too much or inappropriately (let risk drive what is measured)

Communicate trends and changes regularly

Page 20: SAFE KNOWLEDGE

Successful Team Attributes

Plan and work as an enterprise team with shared responsibilities and accountabilities

Focus on realistic pre-agreed outcomes

Avoid “isolated empire” thinking and engage in “whole of enterprise” thinking

Undertake an ongoing, regular review process

Be nice to each other

Page 21: SAFE KNOWLEDGE

Three final thoughts

Computers are incredibly fast, accurate and stupid.

People are unbelievably slow, inaccurate and brilliant.

Despite the foregoing, the marriage of the two is a positive force beyond calculation.

Page 22: SAFE KNOWLEDGE

Geoff Roberts

[email protected]

Tel: +61 2 4228 6213

www.apro.com.au

Reflex – PC Guardian – SecuriKey – Trust Digital – Zondex