SAFE KNOWLEDGE. GEOFF ROBERTS Implementation Partner AUSTRALIAN PROJECTS PTY LIMITED IT Security and Data Protection. The Management versus Technical Staff Challenge. - PowerPoint PPT Presentation
SAFE KNOWLEDGE www.zondex.com
SAFE KNOWLEDGE
GEOFF ROBERTS
Implementation Partner
AUSTRALIAN PROJECTS PTY LIMITED
IT Security and Data Protection
The Management versus Technical Staff Challenge
Create win-win IT security outcomes that meet management objectives for the enterprise, and realistic productivity expectations of the IT department
Differing cultures
Non-technical managers are mostly in a world of budgets, timeframes, deadlines, deliverables, results and the “big picture”
IT staff are mostly in a world of rapid change, uncertainties, threats, complexity and detail, as well as timeframes, deadlines and deliverables
The difference is often clear to IT staff but unclear to non-technical managers
The Management versus Technical Staff Conundrum
Corporate structure that fails to acknowledge a rapidly changing security landscape
Poorly defined IT security roles and responsibilities for non-technical management and IT management teams
Failure of technical expectations to be fulfilled due to unrealistically low budgets and failure of non-technical management to approve sufficient human resources to meet the requirements of the IT department
No common approach and a lack of language clarity between management and technical staff
Enterprise Structure
Enterprise management and IT department in separate isolated silos
These silos fail to share accountability and responsibility for IT security policy and practice
The silo approach does not work because shared responsibilities and communications are often neglected
Silos can address isolated work area requirements but will leave gaps across the whole enterprise (including legal)
Roles and Responsibilities
Inappropriate delegation of responsibilities and tasks is a common weakness
Legal responsibilities and associated liabilities delegated to the technical team with little or no ownership by senior non-technical management
Accountability that should be shared, erroneously devolved to the IT technical department instead of being “owned” from top management down
Expectations and resources
Failure of management to articulate the IT security expectations of the enterprise
Management often underestimates the human resources needed to implement and manage IT security across the enterprise
Management often underestimates the financial cost to deliver a whole of enterprise security solution
Failure of technical team to communicate realistic requirements and timelines to meet the management expectation
What about IT Security?
Management perceives IT security as a given
Therefore management tends to take it for granted
This can create a false sense of security
New IT security implementations are given low priority
IT security solutions often implemented after an incident has occurred … (reactive management, rather than proactive management)
Management failure to understand that IT security is a valid cost of doing business
Bridging the GAP – How Mgmt sees IT Department
(Chart: Momentum, Potential and Results (Output) plotted against Time, with the GAP between them marked)
IT is uniquely positioned to bridge the gap!
Management want RESULTS
Key challenges
Achieve a strategic whole-of-enterprise IT security solution to manage risk
Address strategic outcomes based on well informed and realistic expectations set by top management
Allocation of appropriate resources for each step of the process
Think strategically, act tactically, because each step is only a part of the whole
Management Role
Set a realistic agenda in concert with the IT department ensuring expectations are deliverable
Assume overall responsibility and liability
Provide appropriate resources, human and financial, to deliver the desired outcome
Engage in continuing review with the IT department to ensure minimisation of risk associated with new and emerging threats
IT Department Role
Provide management with accurate and timely information that will aid the planning and decision making process
Evaluate new and emerging products and services that may meet the IT security needs of the enterprise
Ensure language is clear and unambiguous for non-technical senior decision makers
Work to each pre-agreed management brief to ensure on-time and on-budget delivery
Closing the gap
(Diagram: The Information Risk Spectrum – Logical, Physical, Physical Security, Process, IT Contingency, IT Security, Personnel Security, Business Continuity, Risk Management, Regulatory Requirements)
John Meakin – Standard Chartered Bank
Risk – a common dialogue
Asset Values ($)
Vulnerabilities (access to assets)
Threats (scenario exploits vulnerability)
RISK
Risk analysis
(Diagram: THREAT, VULNERABILITY, EXPOSURE FACTOR, ASSET and CONTROLS feeding into LIKELIHOOD × IMPACT = RISK)
John Meakin – Standard Chartered Bank
Frequency & Exposure
Control Effectiveness
Unknown and Unquantifiable in absolute terms
Consequence – some guesswork
Matrix – a common dialogue
Degree of Risk: Likelihood (Prob.) H/M/L plotted against Impact (Consequence, Severity) H/M/L
Think generically about using Risk Assessments
Where to start?
Look for High Likelihood High Impact (HH)
Pareto
Demonstrate Cost/Benefit
Don’t emphasise ROI
Prioritising
Critical Few
Trivial Many
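The matrix, "Where to start?" and "Prioritising" slides frame risk for management as an H/M/L Likelihood × Impact grid, HH first, with a Pareto split into the critical few and the trivial many. As an added worked example (mine, not from the presentation), this small Python risk register applies that matrix, puts a dollar figure on each scenario using the standard single-loss-expectancy approach (asset value × exposure factor, weighted by an assumed probability for each likelihood band), and makes the Pareto cut; the H/M/L bands, probabilities and sample register are constructed assumptions.

```python
from dataclasses import dataclass

# Ordinal H/M/L scale and the annual probability each band is assumed to stand for
# (constructed for this example; calibrate these to your own enterprise).
LEVEL = {"L": 1, "M": 2, "H": 3}
LIKELIHOOD_PROB = {"L": 0.1, "M": 0.3, "H": 0.7}

@dataclass
class Risk:
    name: str
    asset_value: float      # $ value of the asset at risk
    exposure_factor: float  # fraction of the asset lost if the threat scenario succeeds (0-1)
    likelihood: str         # H/M/L, assessed with existing controls in place
    impact: str             # H/M/L consequence / severity

def degree_of_risk(likelihood: str, impact: str) -> str:
    """Matrix lookup: Likelihood x Impact -> High / Medium / Low degree of risk."""
    score = LEVEL[likelihood] * LEVEL[impact]
    if score >= 6:   # HH, HM, MH
        return "High"
    if score >= 3:   # MM, HL, LH
        return "Medium"
    return "Low"

def expected_annual_loss(r: Risk) -> float:
    """Single loss expectancy (asset value x exposure factor) weighted by likelihood:
    the $ view management needs for a cost/benefit argument."""
    return r.asset_value * r.exposure_factor * LIKELIHOOD_PROB[r.likelihood]

def critical_few(register: list[Risk], share: float = 0.8) -> list[str]:
    """Pareto cut: HH scenarios first, then the fewest remaining risks that together
    reach `share` of total expected loss. Everything else is the 'trivial many'."""
    ranked = sorted(register, reverse=True,
                    key=lambda r: (r.likelihood == "H" and r.impact == "H", expected_annual_loss(r)))
    total = sum(expected_annual_loss(r) for r in register)
    chosen, running = [], 0.0
    for r in ranked:
        if running >= share * total:
            break
        chosen.append(r.name)
        running += expected_annual_loss(r)
    return chosen

# Constructed sample register (illustrative figures, not real data).
SAMPLE_REGISTER = [
    Risk("Ransomware on file server", 500_000, 0.6, "H", "H"),
    Risk("Lost unencrypted laptop", 50_000, 1.0, "H", "M"),
    Risk("Web site defacement", 20_000, 0.5, "M", "L"),
    Risk("Data centre flood", 2_000_000, 0.8, "L", "H"),  # Medium on the matrix, large in $
    Risk("Print server outage", 5_000, 0.2, "M", "L"),
]
```

Note that the flood scenario is only Medium on the H/M/L matrix yet second largest in expected loss, which is why the talk pairs the matrix with a cost/benefit view rather than relying on either alone.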
Demonstrate value & results
Through appropriate metrics
In terms management understands
Avoid measuring too much or inappropriately (let risk drive what is measured)
Communicate trends and changes regularly
Successful Team Attributes
Plan and work as an enterprise team with shared responsibilities and accountabilities
Focus on realistic pre-agreed outcomes
Avoid “isolated empire” thinking and engage in “whole of enterprise” thinking
Undertake an ongoing, regular review process
Be nice to each other
Three final thoughts
Computers are incredibly fast, accurate and stupid.
People are unbelievably slow, inaccurate and brilliant.
Despite the foregoing, the marriage of the two is a positive force beyond calculation.
Geoff Roberts
Tel: +61 2 4228 6213
www.apro.com.au
Reflex – PC Guardian – SecuriKey – Trust Digital – Zondex