ISACA Malta Chapter | “Protecting Privacy in an Information-Driven Economy” | Bruno Horta Soares 1
Going UP? How to talk about Privacy with your boss in the elevator?
Before you do things right, you have to do the right things. Why good communication between business and IT areas is so important in helping organizations deliver value, and how to get everyone speaking the same language using COBIT 5 related materials. Reality check and lessons learned from projects and initiatives developed to improve Information Security & Privacy savviness at small and medium enterprises in a "small medium country" like Portugal.
Bruno Horta Soares, CISA®, CGEIT®, CRISC™, PMP® Founder & Senior Advisor at GOVaaS - Governance Advisors, as-a-Service
ISACA Lisbon Chapter Founder and President
“More you know, less you no!”
BRUNO HORTA SOARES
"Everything Should Be Made as Simple as Possible, But Not Simpler" (Albert Einstein)
Agenda
1. You have the size of your dreams!
2. Going up?
“The category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding 50 million euro, and/or an annual balance sheet total not exceeding 43 million euro.” Source: Extract of Article 2 of the Annex of Recommendation 2003/361/EC
Does size matter?
1. You have the size of your dreams!
"The essence of systems theory is that a system needs to be viewed holistically – not merely as a sum of its parts – to be accurately understood" von Bertalanffy, L.; General System Theory: Foundations, Development, Applications
An evolution Gap…
1. You have the size of your dreams!
Figure: Business Strategy / IT Strategy / Digital Strategy (Customer experience, Operating model, Product & Services). Close the Gap!
How do LoBs see IT? "LoB executives are taking charge of their destiny. Business leaders are taking control of their technology because it is integral to their outcomes." IDC FutureScape
How do CIOs see IT? "By 2017, 80% of the CIO's time will be focused on analytics, cybersecurity, and creating new revenue streams through digital services." IDC FutureScape
1. You have the size of your dreams!
Size doesn't matter: It's all about Value Creation?
1. You have the size of your dreams!
Figure labels: Actors (Opportunity, Pressure, Rationalization; Sophistication, Determination), Threats, Vulnerabilities; Assets/Resources, Risks; Assets/Resources, Benefits, Resources.
Elevator pitch
“How about the weather?”
2. Going up?
“Solutions that focus on specifics will be outdated rapidly; a principle-based approach is required”
World Economic Forum
COBIT® 5 provides a comprehensive business framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.
Adopt and adapt COBIT® 5
2. Going up?
X "I don't know if you heard about the new EU Data Privacy/Protection Regulation and had the opportunity to analyse the budget for ISO/IEC 27001 certification... it's not urgent... but we are always afraid of an attack or non-compliance that will end our business"
Tip #1 There are always two sides to the story
2. Going up?
"My security & privacy guy is 5 stars, has lots of certifications and is very concerned ... It's a shame I don't understand anything he says or what he does!"
The boss
COBIT 5 Principle 1: Meeting Stakeholder Needs
Tip #1 There are always two sides to the story
Figure (COBIT 5 goals cascade): Stakeholder drivers influence Stakeholder needs (Benefits Realisation, Resource Optimisation, Risk Optimisation), which cascade to Business Goals, which cascade to IT-Related Goals, which cascade to Enabler Goals.
2. Going up?
COBIT 5 Principle 1: Meeting Stakeholder Needs
Tip #1 There are always two sides to the story
2. Going up?
Illustrative goals cascade:
Business goal: "Compliance with external laws and regulations"
IT-related goals: "IT compliance and support for business compliance with external laws and regulations"; "Security of information, processing infrastructure and applications"
COBIT 5 processes: EDM03 Ensure Risk Optimisation; APO01 Manage the IT Management Framework; APO12 Manage Risk; APO13 Manage Security; BAI06 Manage Changes; BAI10 Manage Configuration; DSS05 Manage Security Services; MEA02 Monitor, Evaluate and Assess the System of Internal Control; MEA03 Monitor, Evaluate and Assess Compliance With External Requirements
"We know that Compliance with external laws and regulations is critical to our business and we are setting IT compliance and Security as two of our critical goals. We'll identify relevant enablers to support this goal and I would appreciate your sponsorship of our Security & Privacy Program."
Tip #1 There are always two sides to the story
Did you know that "By 2019, Geopolitical Divisions and Global Economic Instability Will Result in Supplier Cyberattacks, Prompting Spending by 25% or More on Supply Chain Risks" IDC FutureScape
2. Going up?
X "I'm so sorry for all the inconvenience the privacy incident caused! We are already doing an audit and we are almost sure it was an outsourcer's responsibility. I promise it will not happen again!"
Tip #2 Remember, there are no technical problems
2. Going up?
"Our Clients' Information appears in the newspapers!!! Whose responsibility is it? I'm taking care of the business, you have to take care of the Security & Privacy!"
The boss
COBIT 5 Principle 2: Covering the Enterprise End-to-end
Tip #2 Remember, there are no technical problems
Figure (COBIT 5 roles, activities and relationships): Owners and Stakeholders delegate to the Governing Body and hold it accountable; the Governing Body sets direction for Management and monitors it; Management instructs and aligns Operations and Execution, which report back.
2. Going up?
COBIT 5 Principle 2: Covering the Enterprise End-to-end
Tip #2 Remember, there are no technical problems
2. Going up?
Illustrative: the same goals cascade (Business goal "Compliance with external laws and regulations"; IT-related goals "IT compliance and support for business compliance with external laws and regulations" and "Security of information, processing infrastructure and applications"; processes EDM03 Ensure Risk Optimisation, APO01 Manage the IT Management Framework, APO12 Manage Risk, APO13 Manage Security, BAI06 Manage Changes, BAI10 Manage Configuration, DSS05 Manage Security Services, MEA02 Monitor, Evaluate and Assess the System of Internal Control, MEA03 Monitor, Evaluate and Assess Compliance With External Requirements) mapped across the roles involved: Board, Chief Risk Officer, Chief Information Security Officer, Audit, Chief Information Officer, Head of IT Operations.
"The analysis of the incident allowed us to conclude that better involvement of the entire organization in Security & Privacy decisions is necessary. We would suggest the creation of the CISO function to get all areas involved and to increase our savviness."
Tip #2 Remember, there are no technical problems
Did you know that "By 2017, One-Third of Corporate Boards Will Fill a Seat With a Risk Mitigation Expert Who Can Provide Guidance on Data Privacy and Security Initiatives" IDC FutureScape
2. Going up?
X "We are so happy with our recent achievements. We received two awards related to ITIL and ISO 27001 certification and our KPIs are all green. We are 100% focused on providing the best support to our users; that's why those new compliance projects from the business are a little bit delayed!"
Tip #3 Speak the same language
2. Going up?
"Why are we paying so much money every year to be certified while our regulators keep saying we are not answering their needs!"
The boss
Figure: Drivers: Performance, Compliance.
COBIT 5 Principle 3: Applying a Single Integrated Framework
Tip #3 Speak the same language
2. Going up?
"We care about the continuous improvement of our Security & Privacy. We improved the coordination between internal and external Security and Legal Teams, reviewed the business areas' needs, adjusted our SLAs to better manage all stakeholders' expectations and enforced new compliance controls."
Tip #3 Speak the same language
Did you know that "By 2019, 25% of Security Spend Will Be Driven by the European Union and Other Jurisdictional Data Regulations, Leading to a Patchwork of Compliance Regimes" IDC FutureScape
2. Going up?
X "Our Data Leakage software is out of date. We are now studying new solutions to replace it and as soon as we have the new technology we believe that our Security & Privacy will improve."
Tip #4 Show him the big picture
2. Going up?
"A friend of mine told me about these new security services in the cloud. I think it's a great opportunity to get rid of internal security & privacy costs and focus on my core business."
The boss
COBIT 5 Principle 4: Enabling a Holistic Approach
Figure (COBIT 5 enablers): Principles, policies and frameworks; Processes; Organisational structures; Culture, ethics and behaviour; Information; Services, infrastructure and applications; People, skills and competencies. The last three enablers are also Resources.
Tip #4 Show him the big picture
2. Going up?
"We analysed why Security incidents happen and we believe that only by aligning people, processes and technologies will it be possible to deliver better Security & Privacy related initiatives. We'll review our Security & Privacy framework, update our supporting tools, appoint a new CISO and train our people!"
Tip #4 Show him the big picture
Did you know that "By 2020, More than Half of Web Security Market Revenue Will Come from Cloud-Based Offerings Over Traditional On-Premises Gateways" IDC FutureScape
2. Going up?
X "We have been implementing a new Security & Privacy Governance framework and set up all associated processes. As soon as we finish it we will send it for your approval."
Tip #5 There are unknown unknowns
2. Going up?
“I’m already responsible for the Corporate Governance, you can take care of Security & Privacy governance.”
The boss
COBIT 5 Principle 5: Separating Governance From Management
Figure: Stakeholder needs feed Governance (Evaluate, Direct, Monitor); Governance directs and controls Management (Plan, Build, Run, Monitor, i.e. Operations); Management returns feedback to Governance.
Tip #5 There are unknown unknowns
2. Going up?
"We are designing the Security & Privacy Governance and Management framework to focus on value creation and we would like to discuss with the Board its role and how better Security & Privacy can contribute to benefits realization, risk and resource optimization. It would be very important to have your direction."
Tip #5 There are unknown unknowns
Did you know that "By 2017, the Security Services Market Will Increase At Least 30%, Driven by the Scarceness and High Price of Available Data Scientists" IDC FutureScape
2. Going up?
Next steps
"Since most organizations have strong love for complexity, few will believe that a firm's success is based on such simple premises." The Knowing-Doing Gap, Jeffrey Pfeffer and Robert I. Sutton, 2000
Bruno Horta Soares, CISA®, CGEIT®, CRISC™, PMP®
Founder & Senior Advisor
GOVaaS - Governance Advisors, as-a-Service
Rua do Tamisa, BL 5.02.03 D 1.ºC
Parque das Nações
1990-518 Lisboa
Mobile: +351 962 103 153
www.govaas.com
Q&A “More you know, less you no!”
Bruno Horta Soares, CISA®, CGEIT®, CRISC™, PMP®
• Founder and Senior Advisor at GOVaaS – Governance Advisors, as-a-Service
• IT Executive Senior Advisor on IT Strategy and Governance at IDC Portugal
• Visiting professor and coordinator at ISCAC - Coimbra Business School - Coimbra, Portugal
• Visiting professor at Instituto Superior Técnico (IST) - Lisbon, Portugal
• Visiting professor at Universidade Portucalense (UPT) - Porto, Portugal
• Visiting professor and coordinator at Universidade Europeia | Laureate International Universities - Lisbon, Portugal
• Visiting professor at Unipê - Centro Universitário de João Pessoa - Paraíba, Brasil
• Visiting professor at Universidade Católica Portuguesa - Lisbon, Portugal
• Visiting professor at Porto Business School - Porto, Portugal
• Founder and President at ISACA Lisbon Chapter
• Member of ISACA Government and Regulatory Advocacy Regional Subcommittee Area 3
• IT Governance coordinator at the Portuguese Institute of Directors
• ISACA Knowledge Center Topic Leader - COBIT 5
• APMG individual accredited trainer for COBIT 5
Academic training
• 5-year degree in Management and Computer Science from ISCTE, and a post-graduate degree in Project Management from ISLA Campus Lisboa.
Professional certifications
• Project Management Professional (PMP), from the Project Management Institute (PMI); Certified Information Systems Auditor (CISA), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC) and COBIT 5 Foundation, from ISACA; ITIL® version 3 Foundation; ISO/IEC 27001 Lead Auditor; and Training for Trainers Certification (CAP). He is also an APMG individual accredited trainer for COBIT 5.