ADVISORY The business of information security – developing a business case IT ADVISORY.

Agenda
- The hype around information security
- It’s just infrastructure – just like plumbing!
- Classical drivers for information security
- What’s in it for them (the business)?
- An example – identity management
- Conclusion – your business case for information security

The hype around information security

Business:
- Allows me to be more effective
- What’s the difference from a laptop?
- I still have to log on, so it must be secure

Security:
- Creates a significant number of “new” weaknesses
- Even less control and visibility over the user’s actions
- “Destroys” the perimeter

The hype around information security

Business:
- Preventing progress is not an option, so find a workaround
- We haven’t been hacked, so what we’re doing is probably enough
- What’s the bare minimum we can get away with to meet regulatory reqs?

Security:
- Two-factor authentication
- Cybercrime
- The insider threat
- WS-Security, SAML, IDS, IPS, NIDS, HIDS, PKI, Biometrics and the list goes on…
- Threat and vulnerability management

It’s just infrastructure – just like plumbing!

Bottom line: we continually reinforce the business’ view regarding security by failing to speak in their language – or even listening!
Result – we’re still talking IT and commodity-level functions and services.
Quick demographic poll!

Classical drivers for information security
- Compliance
- Fear, Uncertainty and Doubt (FUD)
- Keeping up with the Joneses
- Risk management – financial, regulatory, brand, etc.

The good news for security? BRAND risk is becoming the #1 concern of the business.

What’s in it for them (the business)?

Security:
- Two-factor authentication
- Cybercrime
- The insider threat
- WS-Security, SAML, IDS, IPS, NIDS, HIDS, PKI, Biometrics and the list goes on…
- Threat and vulnerability management

Magic Security Language Translator (maps the security column to the value-creation column)

Value creation:
- Increased trust in our brand
- Stronger position in M&A
- Faster time to market
- Reduction of loss due to fraud
- Better use of what we already have
- Process improvement and optimisation

What’s in it for them (the business)?

[Chart: Security Maturity (vertical axis) against Time (horizontal axis), showing three stages]
- Stage 1: Non-compliant, Disconnected, Manual, Inconsistent
- Stage 2: Compliant, Bolt-ons, Consistent, Obtrusive, Project Focus, Compensating control reliance
- Stage 3: Embedded (BAU), Self-optimising, Unobtrusive, Integrated, Automated, Compliant, Enterprise Focus, Key Control Effectiveness, Scalable
Chart annotations: “It won’t happen to us”, “If it ain’t broke don’t fix it”, “Most orgs.”

What’s in it for them (the business)?

[Chart: Business Value (Low to High) across the layers Business Process, Supply Chain, IT Organisation, Stakeholders and IT Processes, contrasting the Current Approach with the Recommended Approach]

An example – identity management

[Diagram: strategy cascade and governance structure]
- Mission: Be the best financial services institution in the world
- Customer strategy: Be viewed by our customers as the most trusted brand in the business
- IT strategy: Ensure seamless, available and secure IT services and assets are in place to support achievement of the customer strategy
- Components: Applications, Customers, Security, DR, Projects
- Goals (CSFs): Single customer view, Seamless to the customer, No breaches, 24/7 availability, First to market
- KPIs: Customer satisfaction, Application integration, Losses, Outages, Market share
- Governance and Reporting: Board and Audit Committee, Risk and Compliance Committee, IT Risk Committee, Enterprise CIO, Business Unit CIOs, Security management and operations

An example – identity management

A business case for identity management can be driven by a variety of factors – mostly determined by the business!
- Regulatory compliance – SOX
- A better customer experience
  - Simplified sign-on to applications and partner sites
  - Knowing your customer (tying it back to CRM)
  - Cross selling, customer retention, introducing new products and services
- Business efficiencies and transformation
  - Compliant provisioning on day 0 for new starters
  - Self service maintenance of customer records (contact details, profile etc)
  - Immediate de-provisioning for terminations
  - Reduction of operational costs for user management activities

Conclusion – your business case for information security

“Business cases for information security in 5 easy steps”, by Rob Goldberg
Step 1: Identify the business’ strategies
Step 2: Identify the CSFs to achieving the business strategies
Step 3: Identify the KPIs which measure the achievement of the CSFs
Step 4: Identify security risks which can affect the KPIs
Step 5: Define security risk mitigation approaches to minimise the impact to the KPIs and clearly link to value creation

Later, measure results to demonstrate benefits realisation (qualitative and quantitative) – this will make it easier to get future business cases across the line.

Conclusion – your business case for information security

- It’s not about you! Put yourself in the business owner’s shoes (WIIFM)
- Engage the business – tired old adage, now HOW?!!
- Understand their KPIs – talk to them in their language, not in the language of fear, compliance and controls
- Gain their confidence by connecting security directly to their KPIs and to the primary processes of the business
- No, it’s not easy. But focus on the aspects of the business that create value and link the security discussion to those, rather than to the technology and the argument of “security for security’s sake”
- Remember, the business is always right

Presenter’s contact details
Name: Rob Goldberg, CISSP
Position: Partner, Asia Pacific Leader, Security, Privacy and Continuity Services
Phone number:

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2007 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International. Liability limited by a scheme approved under Professional Standards Legislation.