SlideShare a Scribd company logo

Information security governance

Download as PPTX, PDF
Koen Maris
Koen Maris

A presentation about the research findings regarding my master project.

Technology
1 of 17
1 Information Security Governance: Awareness at the Board of Directors and Executive Committee Koen Maris ©2014
2 Problem statement • Information security is associated with technology • Interest of decision makers not proportional with the dependence on information technology and related information security issues* • Information security seen by senior management and board as a too complex and technology oriented • Information security considered as a discretionary budget line item* • Difficult to align information security with business requirements taken into account the defined risk appetite * Julia H. Allen, Governing for enterprise security Carnegie Mellon Cylab
3 Research questions * knowledge or perception of a situation or fact (Oxford dictionary) Which level of information security governance “awareness” is present at the level of Board of Directors and executive management in a contemporary enterprise? • Which practices (structures, procedures) have been identified? • To what extent are these practices considered effective? • Which practices are well adopted in today's enterprise? • What are the main drivers for implementing these practices?
4 Methodology Literature research Public surveys Custom made survey Academic papers Books Papers from commercial companies Surveys from large consultancy firms Various industries Different levels of hierarchy Respondent volume ranging from + 100 to +9000 Focus on board and executive management Peer review on which practices deemed most important Small number of respondentsIdentification of common practices with focus on Board of Directors and Executive Management Frameworks, methodologies, standards ISO 2700x COBIT 5 ISACA, Business model for information security ISC2, common body of knowledge NIST 800-53
5 Background on master project Information security and cyber security hot news items Many high level incidents Information security is a shared responsibility Information security and technology change at high velocity Aligning business, technology (IT) and information security remains difficult
6 What is information security governance Definition (NIST) Information security governance can be defined as the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk. Information security governance framework (ISACA) • A comprehensive security strategy explicitly linked with business and IT objectives • An effective security organisational structure • A security strategy that talks about the value of information protected and delivered • Security policies that address each aspect of strategy, control and regulation • A complete set of security standards for each policy to ensure that procedures and guidelines comply with policy • Institutionalised monitoring processes to ensure compliance and provide feedback on effectiveness and mitigation of risk • A process to ensure continued evaluation and update of security policies, standards, procedures and risks
7 Information Security Governance at the Board • Risk Management, setting the tone by defining the risk appetite • Identify information security leaders, provide resources and support • Direction, strategy and leadership, put information security on the board's agenda • Ensure effectiveness of the information security policy • Integrate a strategic committee • Staff awareness and training • Measurement, monitoring and audit Identified practices Effectiveness Adopted Drivers for integration
8 Information Security Governance at the Board • 23% see lack of leadership as an important obstacle in the overall strategic effectiveness of their organisation’s security strategy (PWC, 2012) • 68% assume their information security strategy is aligned with the business needs (E&Y, 2012) • Little or no involvement when aligning risk-based security with business objectives(Tripwire-Ponemon, 2013) • Lack of strict segregation between risk and audit committee, only 8% and half of those only oversee privacy and security (Jody R. Westby, 2012) • 16% of board members is prepared to deviate from risk appetite (Koen Maris, 2013) • 68% of the CRO functions have a direct reporting line to the board Identified practices Effectiveness Adopted Drivers for integration
9 Information Security Governance at the Board • 27% indicate that their board had an outside director with cyber security experience though 64% think it is important to have it (Jody R. Westby (2012) • 42% have their information security strategy aligned with business objectives(E&Y, 2012) • 50% thinks information is too technical to be understood by non-technical management(Tripwire-Ponemon, 2013) • 33% of the boards address Computer and information security (Jody R. Westby, 2012) • 67% of board approve risk appetite statement (E&Y, 2013), • 2/3 of Forbes Global 2000 companies have full-time personnel in key roles responsible for security and privacy Identified practices Effectiveness Adopted Drivers for integration
10 Information Security Governance at the Board • Severe incidents • Legal/compliance • Regulations • Accountability Identified practices Effectiveness Adopted Drivers for integration
11 Information Security Governance at the Executive Committee • Information Security Framework • Chief Security Officer / Chief Information Security Officer • Implementation of information security • Monitoring and assessment • Awareness and communication Identified practices Effectiveness Adopted Drivers for integration
12 Information Security Governance at the Executive Committee • Large majority of staff knows the security policy, at least of its existence. (Koen Maris, 2013) • Only 26% of respondents with a security policy believe their employees have a good understanding of it. (PWC, 2012) • Almost 40% of the CISO/CSO reports to the CIO, almost 30% to someone other than CFO, CEO/COO.(Jody R. Westby, 2012) • 80% claim not to evaluate the ROI of security investments(PWC, 2012) • Adopting to new risks is done by blocking for approx. 50% of the companies (E&Y, 2012) • Only 8% of CSO/CISO measure the value and effectiveness of their enterprise cyber security organisation (Deloitte, 2012) • Reporting only occurs in case of severe incident and happen at a too low level (Tripwire-Ponemon, 2013) Identified practices Effectiveness Adopted Drivers for integration
13 Information Security Governance at the Executive Committee Identified practices Effectiveness Adopted Drivers for integration • 95% of large companies have a security policy in place (PWC, 2012) • Majority of Exec’s agree that they should have someone responsible for information security (Koen Maris, 2013) • 47% of the companies have an information security strategy committee in place (PWC, 2012) • 56% claim security budgets are in a federated model, making it hard to measure and determine the real available budget. (Deloitte, 2012) • About 50% monitor and measure trends in security/incidents costs. Approx. 20% does not evaluate at all (PWC, 2012) • Only 32% of staff in claim to have received awareness training (ESET, 2012)
14 Information Security Governance at the Executive Committee Identified practices Effectiveness Adopted Drivers for integration • Response on an incident • Legal and compliance • Not done because it is too technical & complex • Reduce risk • Severe incident
15 Conclusion Board Exec. committee • Unclear if a company having thoughtful leadership and enterprise risk management in place also had identified a security leader • Audit and monitoring parts are well in place but measuring effectiveness remains doubtful, not always strict separation between risk and audit committee • Leadership, alignment and value are the least adopted • Severe incidents and legal, regulatory and compliance remain the main drivers for integration
16 Conclusion Board Exec. committee • An ISMS is often in place, but the level of understanding and knowledge across the company remains low • A CSO/CISO is in place in the majority of larger companies. Measuring the effectiveness remains difficult. • Reporting line is not always clear, and reporting bottom-up shows some clear shortcomings • Awareness and steering committee have a low degree of adoption, though the majority recognises the importance of awareness • Severe incidents and legal, regulatory and compliance remain the main drivers for integration
17 End Note • Would good ERM and correct bottom up reporting provide better awareness and increase the alignment for information security? • The effectiveness and the links between structures and procedures are not well addressed. How do the influence each other? • Would good bottom-up reporting provide better strategy? • More questions than answers….

Recommended

Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
Priyanka Aash
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation Slides
SlideTeam
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
Dam Frank
 

Recommended

Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
Priyanka Aash
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation Slides
SlideTeam
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
Dam Frank
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
Dam Frank
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
scttmcvy
 
IT Security PowerPoint Presentation Slides
IT Security PowerPoint Presentation SlidesIT Security PowerPoint Presentation Slides
IT Security PowerPoint Presentation Slides
SlideTeam
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
TriCorps Technologies
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
CAS
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
Erick Kish, U.S. Commercial Service
 
Cyber Security Best Practices
Cyber Security Best PracticesCyber Security Best Practices
Cyber Security Best Practices
Evolve IP
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
Ersoy AKSOY
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
Ian-Edward Stafrace
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurity
sommerville-videos
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber Security
FireEye, Inc.
 
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Edureka!
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and Attacks
Sachin Darekar
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident response
Brian Honan
 
Implementing cybersecurity best practices and new technology ppt (1).pptx
Implementing cybersecurity best practices and new technology ppt (1).pptxImplementing cybersecurity best practices and new technology ppt (1).pptx
Implementing cybersecurity best practices and new technology ppt (1).pptx
damilolasunmola
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and Standards
Directorate of Information Security | Ditjen Aptika
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
Daniel P Wallace
 
Information security management system
Information security management systemInformation security management system
Information security management system
Arani Srinivasan
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the Boardroom
Marko Suswanto
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
IBM Security
 

More Related Content

What's hot

IT Security PowerPoint Presentation Slides
IT Security PowerPoint Presentation SlidesIT Security PowerPoint Presentation Slides
IT Security PowerPoint Presentation Slides
SlideTeam
 
Information security management system
Information security management systemInformation security management system
Information security management system
Arani Srinivasan
 

What's hot (20)

Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
 
IT Security PowerPoint Presentation Slides
IT Security PowerPoint Presentation SlidesIT Security PowerPoint Presentation Slides
IT Security PowerPoint Presentation Slides
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
 
Cyber Security Best Practices
Cyber Security Best PracticesCyber Security Best Practices
Cyber Security Best Practices
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurity
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber Security
 
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and Attacks
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident response
 
Implementing cybersecurity best practices and new technology ppt (1).pptx
Implementing cybersecurity best practices and new technology ppt (1).pptxImplementing cybersecurity best practices and new technology ppt (1).pptx
Implementing cybersecurity best practices and new technology ppt (1).pptx
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and Standards
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Information security management system
Information security management systemInformation security management system
Information security management system
 

Viewers also liked

Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
IBM Security
 
Sans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business MissionSans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business Mission
Tripwire
 
Sampul tugas desain sistem informasi akademik
Sampul tugas desain sistem informasi akademikSampul tugas desain sistem informasi akademik
Sampul tugas desain sistem informasi akademik
Slamet Suprihanto
 
Governance - how does information & security drive your architecture
Governance - how does information & security drive your architectureGovernance - how does information & security drive your architecture
Governance - how does information & security drive your architecture
Randy Williams
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governance
nooralmousa
 
Big Data Use Cases and Solutions in the AWS Cloud
Big Data Use Cases and Solutions in the AWS CloudBig Data Use Cases and Solutions in the AWS Cloud
Big Data Use Cases and Solutions in the AWS Cloud
Amazon Web Services
 

Viewers also liked (20)

Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the Boardroom
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
 
Sans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business MissionSans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business Mission
 
Developing Metrics for Information Security Governance
Developing Metrics for Information Security GovernanceDeveloping Metrics for Information Security Governance
Developing Metrics for Information Security Governance
 
Sampul tugas desain sistem informasi akademik
Sampul tugas desain sistem informasi akademikSampul tugas desain sistem informasi akademik
Sampul tugas desain sistem informasi akademik
 
What every executive needs to know about information technology security
What every executive needs to know about information technology securityWhat every executive needs to know about information technology security
What every executive needs to know about information technology security
 
Governance - how does information & security drive your architecture
Governance - how does information & security drive your architectureGovernance - how does information & security drive your architecture
Governance - how does information & security drive your architecture
 
Introduction to cyber security by cyber security infotech (csi)
Introduction to cyber security by cyber security infotech (csi)Introduction to cyber security by cyber security infotech (csi)
Introduction to cyber security by cyber security infotech (csi)
 
What is the UK Cyber Essentials scheme?
What is the UK Cyber Essentials scheme?What is the UK Cyber Essentials scheme?
What is the UK Cyber Essentials scheme?
 
IT Governances
IT GovernancesIT Governances
IT Governances
 
Data Driven Cybersecurity Governance
Data Driven Cybersecurity GovernanceData Driven Cybersecurity Governance
Data Driven Cybersecurity Governance
 
Executive Information Security Training
Executive Information Security TrainingExecutive Information Security Training
Executive Information Security Training
 
Board and Cyber Security
Board and Cyber SecurityBoard and Cyber Security
Board and Cyber Security
 
U.S. Approach to Cybersecurity Governance
U.S. Approach to Cybersecurity GovernanceU.S. Approach to Cybersecurity Governance
U.S. Approach to Cybersecurity Governance
 
Information Risk Management Overview
Information Risk Management OverviewInformation Risk Management Overview
Information Risk Management Overview
 
Information risk management
Information risk managementInformation risk management
Information risk management
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governance
 
Tata Kelola Keamanan Informasi
Tata Kelola Keamanan InformasiTata Kelola Keamanan Informasi
Tata Kelola Keamanan Informasi
 
Big Data Use Cases and Solutions in the AWS Cloud
Big Data Use Cases and Solutions in the AWS CloudBig Data Use Cases and Solutions in the AWS Cloud
Big Data Use Cases and Solutions in the AWS Cloud
 
Indonesia National Cyber Security Strategy
Indonesia National Cyber Security StrategyIndonesia National Cyber Security Strategy
Indonesia National Cyber Security Strategy
 

Similar to Information security governance

Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdf
AbuHanifah59
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdf
sdfghj21
 
Insights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer AssessmentInsights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer Assessment
IBM Security
 
Meeting the cyber risk challenge
Meeting the cyber risk challengeMeeting the cyber risk challenge
Meeting the cyber risk challenge
FERMA
 

Similar to Information security governance (20)

Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdf
 
Security Program Guidance and Establishing a Culture of Security
Security Program Guidance and Establishing a Culture of SecuritySecurity Program Guidance and Establishing a Culture of Security
Security Program Guidance and Establishing a Culture of Security
 
Solve the exercise in security management.pdf
Solve the exercise in security management.pdfSolve the exercise in security management.pdf
Solve the exercise in security management.pdf
 
Resume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsResume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and Controls
 
GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
crisc_wk_2a.pptx
crisc_wk_2a.pptxcrisc_wk_2a.pptx
crisc_wk_2a.pptx
 
Finding a strategic voice
Finding a strategic voiceFinding a strategic voice
Finding a strategic voice
 
Insights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer AssessmentInsights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer Assessment
 
Meeting the cyber risk challenge
Meeting the cyber risk challengeMeeting the cyber risk challenge
Meeting the cyber risk challenge
 
State of Security McAfee Study
State of Security McAfee StudyState of Security McAfee Study
State of Security McAfee Study
 
Cloud Cybersecurity: Strategies for Managing Vendor Risk
Cloud Cybersecurity: Strategies for Managing Vendor RiskCloud Cybersecurity: Strategies for Managing Vendor Risk
Cloud Cybersecurity: Strategies for Managing Vendor Risk
 
Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security Risk Management Approach to Cyber Security
Risk Management Approach to Cyber Security
 
Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009Deloitte Global Security Survey 2009
Deloitte Global Security Survey 2009
 
Bob West - Educating the Board of Directors
Bob West - Educating the Board of DirectorsBob West - Educating the Board of Directors
Bob West - Educating the Board of Directors
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
 
D1 security and risk management v1.62
D1 security and risk management v1.62D1 security and risk management v1.62
D1 security and risk management v1.62
 
Risk - IT Services
Risk - IT ServicesRisk - IT Services
Risk - IT Services
 
Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by Assuring Digital Strategic Initiatives by
Assuring Digital Strategic Initiatives by
 

Recently uploaded

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Recently uploaded (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Information security governance

  • 1. 1 Information Security Governance: Awareness at the Board of Directors and Executive Committee Koen Maris ©2014
  • 2. 2 Problem statement • Information security is associated with technology • Interest of decision makers not proportional with the dependence on information technology and related information security issues* • Information security seen by senior management and board as a too complex and technology oriented • Information security considered as a discretionary budget line item* • Difficult to align information security with business requirements taken into account the defined risk appetite * Julia H. Allen, Governing for enterprise security Carnegie Mellon Cylab
  • 3. 3 Research questions * knowledge or perception of a situation or fact (Oxford dictionary) Which level of information security governance “awareness” is present at the level of Board of Directors and executive management in a contemporary enterprise? • Which practices (structures, procedures) have been identified? • To what extent are these practices considered effective? • Which practices are well adopted in today's enterprise? • What are the main drivers for implementing these practices?
  • 4. 4 Methodology Literature research Public surveys Custom made survey Academic papers Books Papers from commercial companies Surveys from large consultancy firms Various industries Different levels of hierarchy Respondent volume ranging from + 100 to +9000 Focus on board and executive management Peer review on which practices deemed most important Small number of respondentsIdentification of common practices with focus on Board of Directors and Executive Management Frameworks, methodologies, standards ISO 2700x COBIT 5 ISACA, Business model for information security ISC2, common body of knowledge NIST 800-53
  • 5. 5 Background on master project Information security and cyber security hot news items Many high level incidents Information security is a shared responsibility Information security and technology change at high velocity Aligning business, technology (IT) and information security remains difficult
  • 6. 6 What is information security governance Definition (NIST) Information security governance can be defined as the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk. Information security governance framework (ISACA) • A comprehensive security strategy explicitly linked with business and IT objectives • An effective security organisational structure • A security strategy that talks about the value of information protected and delivered • Security policies that address each aspect of strategy, control and regulation • A complete set of security standards for each policy to ensure that procedures and guidelines comply with policy • Institutionalised monitoring processes to ensure compliance and provide feedback on effectiveness and mitigation of risk • A process to ensure continued evaluation and update of security policies, standards, procedures and risks
  • 7. 7 Information Security Governance at the Board • Risk Management, setting the tone by defining the risk appetite • Identify information security leaders, provide resources and support • Direction, strategy and leadership, put information security on the board's agenda • Ensure effectiveness of the information security policy • Integrate a strategic committee • Staff awareness and training • Measurement, monitoring and audit Identified practices Effectiveness Adopted Drivers for integration
  • 8. 8 Information Security Governance at the Board • 23% see lack of leadership as an important obstacle in the overall strategic effectiveness of their organisation’s security strategy (PWC, 2012) • 68% assume their information security strategy is aligned with the business needs (E&Y, 2012) • Little or no involvement when aligning risk-based security with business objectives(Tripwire-Ponemon, 2013) • Lack of strict segregation between risk and audit committee, only 8% and half of those only oversee privacy and security (Jody R. Westby, 2012) • 16% of board members is prepared to deviate from risk appetite (Koen Maris, 2013) • 68% of the CRO functions have a direct reporting line to the board Identified practices Effectiveness Adopted Drivers for integration
  • 9. 9 Information Security Governance at the Board • 27% indicate that their board had an outside director with cyber security experience though 64% think it is important to have it (Jody R. Westby (2012) • 42% have their information security strategy aligned with business objectives(E&Y, 2012) • 50% thinks information is too technical to be understood by non-technical management(Tripwire-Ponemon, 2013) • 33% of the boards address Computer and information security (Jody R. Westby, 2012) • 67% of board approve risk appetite statement (E&Y, 2013), • 2/3 of Forbes Global 2000 companies have full-time personnel in key roles responsible for security and privacy Identified practices Effectiveness Adopted Drivers for integration
  • 10. 10 Information Security Governance at the Board • Severe incidents • Legal/compliance • Regulations • Accountability Identified practices Effectiveness Adopted Drivers for integration
  • 11. 11 Information Security Governance at the Executive Committee • Information Security Framework • Chief Security Officer / Chief Information Security Officer • Implementation of information security • Monitoring and assessment • Awareness and communication Identified practices Effectiveness Adopted Drivers for integration
  • 12. 12 Information Security Governance at the Executive Committee • Large majority of staff knows the security policy, at least of its existence. (Koen Maris, 2013) • Only 26% of respondents with a security policy believe their employees have a good understanding of it. (PWC, 2012) • Almost 40% of the CISO/CSO reports to the CIO, almost 30% to someone other than CFO, CEO/COO.(Jody R. Westby, 2012) • 80% claim not to evaluate the ROI of security investments(PWC, 2012) • Adopting to new risks is done by blocking for approx. 50% of the companies (E&Y, 2012) • Only 8% of CSO/CISO measure the value and effectiveness of their enterprise cyber security organisation (Deloitte, 2012) • Reporting only occurs in case of severe incident and happen at a too low level (Tripwire-Ponemon, 2013) Identified practices Effectiveness Adopted Drivers for integration
  • 13. 13 Information Security Governance at the Executive Committee Identified practices Effectiveness Adopted Drivers for integration • 95% of large companies have a security policy in place (PWC, 2012) • Majority of Exec’s agree that they should have someone responsible for information security (Koen Maris, 2013) • 47% of the companies have an information security strategy committee in place (PWC, 2012) • 56% claim security budgets are in a federated model, making it hard to measure and determine the real available budget. (Deloitte, 2012) • About 50% monitor and measure trends in security/incidents costs. Approx. 20% does not evaluate at all (PWC, 2012) • Only 32% of staff in claim to have received awareness training (ESET, 2012)
  • 14. 14 Information Security Governance at the Executive Committee Identified practices Effectiveness Adopted Drivers for integration • Response on an incident • Legal and compliance • Not done because it is too technical & complex • Reduce risk • Severe incident
  • 15. 15 Conclusion Board Exec. committee • Unclear if a company having thoughtful leadership and enterprise risk management in place also had identified a security leader • Audit and monitoring parts are well in place but measuring effectiveness remains doubtful, not always strict separation between risk and audit committee • Leadership, alignment and value are the least adopted • Severe incidents and legal, regulatory and compliance remain the main drivers for integration
  • 16. 16 Conclusion Board Exec. committee • An ISMS is often in place, but the level of understanding and knowledge across the company remains low • A CSO/CISO is in place in the majority of larger companies. Measuring the effectiveness remains difficult. • Reporting line is not always clear, and reporting bottom-up shows some clear shortcomings • Awareness and steering committee have a low degree of adoption, though the majority recognises the importance of awareness • Severe incidents and legal, regulatory and compliance remain the main drivers for integration
  • 17. 17 End Note • Would good ERM and correct bottom up reporting provide better awareness and increase the alignment for information security? • The effectiveness and the links between structures and procedures are not well addressed. How do the influence each other? • Would good bottom-up reporting provide better strategy? • More questions than answers….