Securing the Digital Environment

Technology Risk Management - A Caribbean Perspective

Monday November 10th 2014

Roshan Mohammed

Current State

• Low business priority on securing digital assets

• Reactive Management - • After the web site is hacked• After the data has been taken• After employees take intellectual

property

• We perceive information security to be simple – • Can be done in-house by IT

Department• Firewall + Anti Virus = Secure

Network

Caribbean Incidents

Mar 20

Barbados

… Bank Records hacked

Mar 11

Bahamas

Hackers spark credit card chaos

Feb 6 Jamaica Hackers said to be found with DPP files

Feb 6 Barbados

Barbados police investigating missing data on oil industry

Jan 26

Jamaica … Hacked

Quoted mainly from the Trinidad Guardian - http://m.guardian.co.tt/business-guardian/2013-03-11/caribbean-cyberattacks-rise

Imminent Landscape

Legislation- Local - and International (SOX, PCI DSS, ISO)

Board Due Diligence Requirements – Pro Active Management of Risk- Managing Risk within the local technology ecosystem

Internet Operational Risk- Cybercrime

Technology Adoption- Stay-in-Business

Planning for Risk Management

• For my business, in my country, in my industry, in my region – what are the most critical technology risks?

• What strategic options do I have in approaching the mitigation of these risks?

• How do I future proof my investment in risk mitigation?

DO NOT

Invest in risk management technology without understanding your business risks.

Underestimate the technology risk in business activities. - JP Morgan

- Dropbox- Target

What can help

If you do not already have a risk management strategy, invest in getting one- Have a technology risk assessment done for your business- Make sure the strategy fits our Caribbean business model

Use the right tools- Best practice standards (ISO 27000, ISO 25999 etc)- You cannot manage what you do not measure

Use the right resources- Proven work history- Grow with the company over time.

The Results

Some of the questions that will be answered at the end of the strategic risk assessment.

• Policy and Procedures – • If these are in place, do they meet best practice guidelines?• Do they cover my greatest business risk areas?

• Technology• Is technology design and configuration sufficient to protect my

business?• Will my technology defenses grow with my business?

• People• Does my corporate culture embrace risk management, and if

not how can I achieve this?• Are my superusers actions being monitored?

Questions