Source: m.isaca.org/chapters11/Malta/Documents/Events/Biennial Conference...

ISACA Malta Chapter | “Protecting Privacy in an Information-Driven Economy” | Bruno Horta Soares 1

Going UP? How to talk about Privacy with your boss in the elevator?

Before you do things right, you have to do the right things. Why good communication between business and IT areas is so important in helping organizations deliver value, and how to get everyone speaking the same language using COBIT 5 related materials. A reality check and lessons learned from projects and initiatives developed to improve Information Security & Privacy savvy at small and medium enterprises in a “small medium country” like Portugal.

Bruno Horta Soares, CISA®, CGEIT®, CRISC™, PMP® Founder & Senior Advisor at GOVaaS - Governance Advisors, as-a-Service

ISACA Lisbon Chapter Founder and President

“More you know, less you no!”


BRUNO HORTA SOARES “Everything Should Be Made as Simple as Possible, But Not Simpler”

Albert Einstein


Agenda

1. You have the size of your dreams!

2. Going up?


“The category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding 50 million euro, and/or an annual balance sheet total not exceeding 43 million euro.” Source: Extract of Article 2 of the Annex of Recommendation 2003/361/EC

Does size matter?

1. You have the size of your dreams!


“The essence of systems theory is that a system needs to be viewed holistically – not merely as a sum of its parts – to be accurately understood” von Bertalanffy, L.; General System Theory: Foundations, Development, Applications

An evolution gap…

1. You have the size of your dreams!


[Figure: Business Strategy, IT Strategy, Digital Strategy (Customer experience, Operating model, Product & Services). Close the Gap!]

How do LoBs see IT? “LoB executives are taking charge of their destiny. Business leaders are taking control of their technology because it is integral to their outcomes.” IDC FutureScape

How do CIOs see IT? “By 2017, 80% of the CIO's time will be focused on analytics, cybersecurity, and creating new revenue streams through digital services.” IDC FutureScape

1. You have the size of your dreams!


[Figure: Opportunity, Pressure, Rationalization, Sophistication, Determination; Vulnerabilities, Actors, Threats; Assets/Resources, Risks; Benefits, Resources, Assets/Resources]

Size doesn’t matter: It's all about Value Creation?

1. You have the size of your dreams!


Elevator pitch

“How about the weather?”

2. Going up?


“Solutions that focus on specifics will be outdated rapidly; a principle-based approach is required”

World Economic Forum

COBIT® 5 provides a comprehensive business framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.

Adopt and adapt COBIT® 5

2. Going up?


X “I don’t know if you heard about the new EU Data Privacy/Protection Regulation and had the opportunity to analyze the budget regarding ISO/IEC 27001 certification… it is not urgent... but we are always afraid of an attack or non-compliance that will end our business”

Tip #1 There are always two sides to the story

2. Going up?


“My security & privacy guy is 5 stars, has lots of certifications and is very concerned ... It’s a shame I don’t understand anything he says or what he does!”

The boss

[Figure: COBIT 5 goals cascade. Stakeholder drivers influence Stakeholder Needs (Benefits Realisation, Risk Optimisation, Resource Optimisation), which cascade to Business Goals, which cascade to IT-Related Goals, which cascade to Enabler Goals.]

COBIT 5 Principle 1: Meeting Stakeholder Needs

Tip #1 There are always two sides to the story

2. Going up?


COBIT 5 Principle 1: Meeting Stakeholder Needs

Tip #1 There are always two sides to the story

2. Going up?

[Figure (illustrative): the goal “Compliance with external laws and regulations” cascades to the IT-related goals “IT compliance and support for business compliance with external laws and regulations” and “Security of information, processing infrastructure and applications”, supported by the COBIT 5 processes EDM03 Ensure Risk Optimisation, APO01 Manage the IT Management Framework, APO12 Manage Risk, APO13 Manage Security, BAI06 Manage Changes, BAI10 Manage Configuration, DSS05 Manage Security Services, MEA02 Monitor, Evaluate and Assess the System of Internal Control, and MEA03 Monitor, Evaluate and Assess Compliance With External Requirements.]


“We know that Compliance with external laws and regulations is critical to our business and we are setting IT compliance and Security as two of our critical goals. We’ll identify the relevant enablers to support this goal and I would appreciate your sponsorship of our Security & Privacy Program.”

Tip #1 There are always two sides to the story

Do you know that “By 2019, Geopolitical Divisions and Global Economic Instability Will Result in Supplier Cyberattacks, Prompting Spending by 25% or More on Supply Chain Risks” IDC FutureScape

2. Going up?


X “I’m so sorry for all the inconvenience the privacy incident caused! We are already doing an audit and we are almost sure it was an outsourcer’s responsibility. I promise it will not happen again!”

Tip #2 Remember, there are no technical problems

2. Going up?


“Our Clients’ Information appears in the newspapers!!! Whose responsibility is that? I’m taking care of the business, you have to take care of Security & Privacy!”

The boss

[Figure: COBIT 5 key roles and relationships. Owners and Stakeholders delegate to the Governing Body, which sets direction for Management and is accountable to them; Management instructs and aligns Operations and Execution and monitors them; Operations and Execution report back to Management.]

COBIT 5 Principle 2: Covering the Enterprise End-to-end

Tip #2 Remember, there are no technical problems

2. Going up?


COBIT 5 Principle 2: Covering the Enterprise End-to-end

Tip #2 Remember, there are no technical problems

2. Going up?

[Figure (illustrative): the same cascade, with the goal “Compliance with external laws and regulations”, the IT-related goals “IT compliance and support for business compliance with external laws and regulations” and “Security of information, processing infrastructure and applications”, and the processes EDM03 Ensure Risk Optimisation, APO01 Manage the IT Management Framework, APO12 Manage Risk, APO13 Manage Security, BAI06 Manage Changes, BAI10 Manage Configuration, DSS05 Manage Security Services, MEA02 Monitor, Evaluate and Assess the System of Internal Control and MEA03 Monitor, Evaluate and Assess Compliance With External Requirements, mapped to the roles Board, Chief Risk Officer, Chief Information Security Officer, Audit, Chief Information Officer and Head of IT Operations.]


"The analysis of the incident allowed us to conclude that better involvement of the entire organization in Security & Privacy decisions is necessary. We would suggest the creation of the CISO function to get all areas involved and to increase our savviness."

Tip #2 Remember, there are no technical problems

Do you know that “By 2017, One-Third of Corporate Boards Will Fill a Seat With a Risk Mitigation Expert Who Can Provide Guidance on Data Privacy and Security Initiatives” IDC FutureScape

2. Going up?


X "We are so happy with our recent achievements. We received two awards related to ITIL and ISO 27001 certification and our KPIs are all green. We are 100% focused on providing our best support to our users; that’s why those new compliance projects from the business are a little bit delayed!"

Tip #3 Speak the same language

2. Going up?


“Why are we paying so much money every year to be certified while our regulators keep saying we are not answering their needs!”

The boss

[Figure: Drivers: Performance, Compliance]

COBIT 5 Principle 3: Applying a Single Integrated Framework

Tip #3 Speak the same language

2. Going up?


"We care about the continuous improvement of our Security & Privacy. We improved the coordination between internal and external Security and Legal Teams, reviewed the business areas' needs, adjusted our SLAs to better manage all stakeholders' expectations and enforced new compliance controls."

Tip #3 Speak the same language

Do you know that “By 2019, 25% of Security Spend Will Be Driven by the European Union and Other Jurisdictional Data Regulations, Leading to a Patchwork of Compliance Regimes” IDC FutureScape

2. Going up?


X “Our Data Leakage software is out of date. We are now studying new solutions to replace it and as soon as we have the new technology we believe that our Security & Privacy will improve."

Tip #4 Show him the big picture

2. Going up?


“A friend of mine told me about these new security services in the cloud. I think it's a great opportunity to get rid of internal security & privacy costs and focus on my core business.”

The boss

[Figure: COBIT 5 enablers: Principles, policies and frameworks; Processes; Organisational structures; Culture, ethics and behaviour; Information; Services, infrastructure and applications; People, skills and competencies. The last three are also the enterprise's Resources.]

COBIT 5 Principle 4: Enabling a Holistic Approach

Tip #4 Show him the big picture

2. Going up?


“We analysed why Security incidents happen and we believe that only by aligning people, processes and technologies will it be possible to deliver better Security & Privacy related initiatives. We’ll review our Security & Privacy framework, update our supporting tools, appoint a new CISO and train our people!”

Tip #4 Show him the big picture

Do you know that “By 2020, More than Half of Web Security Market Revenue Will Come from Cloud-Based Offerings Over Traditional On-Premises Gateways ” IDC FutureScape

2. Going up?


X “We have been implementing a new Security & Privacy Governance framework and setting up all associated processes. As soon as we finish it we will send it for your approval.”

Tip #5 There are unknown unknowns

2. Going up?


“I’m already responsible for the Corporate Governance, you can take care of Security & Privacy governance.”

The boss

COBIT 5 Principle 5: Separating Governance From Management

[Figure: COBIT 5 governance and management areas. Stakeholder needs feed Governance (Evaluate, Direct, Monitor), which directs and controls Management (Plan, Build, Run, Monitor) and receives Management feedback; the Operations layer repeats Plan, Build, Run, Monitor.]

Tip #5 There are unknown unknowns

2. Going up?


"We are designing the Security & Privacy Governance and Management framework to focus on value creation and we would like to discuss with the Board its role and how better Security & Privacy can contribute to benefits realisation, risk and resource optimisation. It would be very important to have your direction."

Tip #5 There are unknown unknowns

Do you know that “By 2017, the Security Services Market Will Increase At Least 30%, Driven by the Scarceness and High Price of Available Data Scientists” IDC FutureScape

2. Going up?


Next steps

“Since most organizations have a strong love for complexity, few will believe that a firm’s success is based on such simple premises.” The Knowing-Doing Gap, Jeffrey Pfeffer and Robert I. Sutton, 2000


Bruno Horta Soares, CISA®, CGEIT®, CRISC™, PMP®

Founder & Senior Advisor

GOVaaS - Governance Advisors, as-a-Service

Rua do Tamisa, BL 5.02.03 D 1.ºC

Parque das Nações

1990-518 Lisboa

Mobile: +351 962 103 153

@: [email protected]

www.govaas.com

Q&A “More you know, less you no!”


Bruno Horta Soares, CISA®, CGEIT®, CRISC™, PMP®

• Founder and Senior Advisor at GOVaaS – Governance Advisors, as-a-Service

• IT Executive Senior Advisor on IT Strategy and Governance at IDC Portugal

• Visiting professor and coordinator at ISCAC - Coimbra Business School - Coimbra, Portugal

• Visiting professor at Instituto Superior Técnico (IST) - Lisbon, Portugal

• Visiting professor at Universidade Portucalense (UPT) - Porto, Portugal

• Visiting professor and coordinator at Universidade Europeia | Laureate International Universities - Lisbon, Portugal

• Visiting professor at Unipê - Centro Universitário de João Pessoa - Paraíba, Brasil

• Visiting professor at Universidade Católica Portuguesa - Lisbon, Portugal

• Visiting professor at Porto Business School - Porto, Portugal

• Founder and President at ISACA Lisbon Chapter

• Member of ISACA Government and Regulatory Advocacy Regional Subcommittee Area 3

• IT Governance coordinator at the Portuguese Institute of Directors

• ISACA Knowledge Center Topic Leader - COBIT 5

• APMG individual accredited trainer for COBIT 5

Academic training: five-year degree in Management and Computer Science from ISCTE and a post-graduate degree in Project Management from ISLA Campus Lisboa.

Professional certifications: Project Management Professional (PMP) from the Project Management Institute (PMI); Certified Information Systems Auditor (CISA), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC) and COBIT 5 Foundation from ISACA; ITIL® version 3 Foundation; ISO/IEC 27001 Lead Auditor; and Training for Trainers Certification (CAP). He is also an APMG individual accredited trainer for COBIT 5.