© 2014 IBM Corporation
IBM Security

Security Principles for CEOs
Fundamentals of a Risk-Aware Organization
Morten Bjørklund
Software Client Architect
IBM Security
October 24, 2014
The soaring impact of breaches has created a new security reality

More Risk and Bigger Impact:
- 500,000,000 records breached (3)
- 3X increase in Java vulnerabilities (1)
- 15% increase in cost of a breach (2)
- $3.5M average cost / breach (2)

1) Q3 2014 IBM X-Force Research and Development, increase from 2012 to 2013
2) 2014 Cost of a Data Breach, Ponemon Institute, global average cost, 15% increase from 2012 to 2013
3) Q3 2014 IBM X-Force Report
To address security, leaders must avoid common myths:
- Your company is not infected. (It is.)
- Whatever you’ve done is enough. (It is not.)
- There’s a silver bullet to protect you. (There isn’t.)
- You need to put your company in lock-down. (You don’t.)
Use five fundamental security principles to help guide you:
- Increase the security IQ of every employee (train, test, trick)
- Prepare to respond, faster (incidents will happen)
- Leverage security intelligence (analytics = threat insights)
- Protect your crown jewels (define, protect, monitor)
- Safeguard BYOD (the vanishing perimeter)
Make security education a continuous process – for everyone

Increase the security IQ of every employee: Train, Test, Trick
- Train: Make training a priority from the start, then provide annual education – keep it fun and engaging
- Test: Require testing for all employees, and spell out the consequences for non-compliance
- Trick: Provide real-life scenarios that catch your employees off-guard with learning traps – “phish” them

Nearly 60% of security incidents are caused internally (1)

1) 2014 Cost of a Data Breach, Ponemon Institute
Sample learning-trap email shown on the slide:

Subject: Your help needed for IBM Cloud opportunity
From: Christina Martin
To: Daniel Allen
Please respond to: chris.martyn.ibm.executive

Hi Daniel Allen,
Your manager recommended you to contribute to a proposal for an important new client opportunity that I am working on. This is a great opportunity for IBM with large commissions likely when we win this account. Please review the material posted on CloudFile and provide your feedback by EOD.
We’re counting on you!
http://fileinthesky.com/IBMClientOpportunity
Thanks,
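As an added example (not part of the IBM deck), a small Python check that scores the learning-trap message above for the tells an awareness program teaches: a reply-to that differs from the sender, a look-alike name (Martin vs Martyn), a link outside the corporate domain, and urgency language. It assumes ibm.com as the corporate domain and a constructed full sender address, since the slide shows only names.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the learning-trap email on the slide; the
# full sender address is assumed (the slide shows only names).
SAMPLE_EMAIL = {
    "from_name": "Christina Martin",
    "from_addr": "christina.martin@ibm.com",  # assumed, not on the slide
    "reply_to": "chris.martyn.ibm.executive",
    "body": ("Hi Daniel Allen, your manager recommended you to contribute to a "
             "proposal for an important new client opportunity. Please review the "
             "material posted on CloudFile and provide your feedback by EOD. "
             "We're counting on you! http://fileinthesky.com/IBMClientOpportunity"),
}
URGENCY = ("by eod", "end of day", "counting on you", "urgent", "immediately")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike names (Martin vs Martyn)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze(email: dict, corp_domain: str = "ibm.com") -> list[str]:
    """Return the phishing 'tells' found in one message (empty list = none fired)."""
    findings = []
    reply_to = email.get("reply_to", "").lower()
    # Tell 1: replies are steered to an address other than the sender's.
    if reply_to and reply_to != email["from_addr"].lower():
        findings.append("reply_to_differs_from_sender")
        if not reply_to.endswith("@" + corp_domain):
            findings.append("reply_to_not_corporate")
    # Tell 2: the reply-to carries a near-miss of the display name (Martin/Martyn).
    surname = email["from_name"].split()[-1].lower()
    tokens = re.split(r"[.@_-]", reply_to)
    if surname not in tokens and any(t and 0 < levenshtein(surname, t) <= 2 for t in tokens):
        findings.append("lookalike_name_in_reply_to")
    # Tell 3: links point outside the corporate domain.
    for url in re.findall(r"https?://\S+", email["body"]):
        host = urlparse(url).hostname or ""
        if host != corp_domain and not host.endswith("." + corp_domain):
            findings.append("external_link:" + host)
    # Tell 4: urgency / pressure language.
    if any(p in email["body"].lower() for p in URGENCY):
        findings.append("urgency_language")
    return findings
```

A message that trips several of these tells is a good candidate for the "trick" exercise, and the same checks serve as a starting point for a mail-gateway rule.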
Prepare to respond more quickly and effectively to attacks

Prepare to respond, faster
- Constantly monitor to see if someone has breached your defenses: 66% of data breaches took months or more to discover (2)
- Have an emergency response and forensics partner: 92% of security decision-makers say that staffing issues contribute to a heightened level of risk (3)
- Keep your incident response plan updated: 50% of incident response plans are outdated (1)

1) 2013 IBM CISO Assessment
2) Verizon 2013 Data Breach Investigations Report
3) Surviving the Technical Security Skills Crisis: a commissioned study conducted by Forrester Consulting on behalf of IBM, May 2013
Get ahead of do-it-yourself BYOD* with a formal program

Safeguard BYOD
- 200M mobile workers use at least one business-focused app in a year (2)
- 81% of employed adults use at least one personally-owned device for business (1)
- <1% of users surveyed had corporate security on their personal devices (1)

- Protect the data
- Protect the apps
- Manage the device
- Protect the transaction
- Corporate container

* BYOD means ‘bring your own device’
1) Harris Interactive, 2012; 2) Global Mobile Enterprise 2011-2017 Forecast, Strategy Analytics
Identify your most critical data and protect these vital assets

Protect your crown jewels
… of publicly traded corporations’ value is represented by intellectual property and other enterprise-critical data (1)

- Define your organization’s “crown jewels”
- Protect these valuable assets at all stages
- Monitor the access and usage of the data

1) 2013 Commission on the Theft of American Intellectual Property
Use analytics and insights for smarter prevention and defense

Leverage security intelligence
- Inputs: Endpoints, Mobile devices, Cloud infrastructure, Data center devices, Threat intelligence, Network activity
- Analysis: Real-time correlation and analytics, Anomaly detection, Industry and geo trending
- Output: Automated offense identification, Prioritized incidents
Cybersecurity is a business risk that you need to manage actively

Everyone is part of the solution in a risk-aware culture, and effective security starts at the top.
- Get involved. Set the tone and develop a governance model.
- Engage the senior leadership.
- Take an active role in policy – even if it’s unpopular.
- Make security an enabler, not an inhibitor.
We can help you get started

Principle: How
- Increase the security IQ of every employee: IBM Security Essentials and Maturity Consulting; IBM Cybersecurity Awareness and Training
- Protect your crown jewels: IBM Critical Data Protection Program; IBM InfoSphere Guardium®
- Leverage security intelligence: IBM QRadar Security Intelligence Platform; IBM Managed Security Services
- Safeguard BYOD: IBM Fiberlink® Mobile Security Solutions; IBM Mobile Application Security Assessment
- Prepare to respond, faster: IBM Incident Response Planning; IBM Emergency Response Services
One final tip

Tip: Ask your security team, “How many incidents did you handle last week?”
Hint: if they say zero, consider getting a maturity benchmark assessment.
Our research shows that nearly every large enterprise deals with at least two incidents a week.
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and
response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product
should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use
or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily
involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT
THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY