1. Security Awareness at Board Level Dr. Claudia Natanson CISO Diageo TERENA Networking Conference 21- 24 May 2007 Lyngby, Denmark “Myth or Reality”

2. 2

3. 3 DeMystifying Security 1.Changing Perceptions from Business Barrier to Business Driver and Business Enabler. 2.Changing the perception of the Group that says “NO” to Group that says “Yes”, but here is the information. 3.Contributes to growth and value, not cost and overheads. 4.Helps develop the risk appetite of the organisation. Not all risk is bad risk. 5.Moves the security practice from reactive, fire fighting to more strategic and proactive. 6.Work with Stake Holders across the organisation to move to shared accountability for security. 7.Capitalise on the more technical savvy ability of end users to personalise security awareness. 8.Develop security best practice based on compliance but what’s best to your organisation. One size does not fit all. 9.Executive sponsorship is a vital component of successful security programmes. Work to attaining this as a major goal. 10.KNOW the business of your organisation.

4. 4 A branded approach to security means that practitioners must continually view security through new an evolving lens. The success of the security brand is the look and feel of the program. It is the visible difference that stake holders can identify and end users experience. This difference must start at the top of the organisation. The Art of Security…The Brand

5. 5 Dialogue at Board Level 2.Off shoring and Outsourcing contracts 1.Mergers and Acquisitions 3.Third Party Connections to corporate network. 4.Increasing technological dependency. Security Top 10 Discussion List 5.Risk Footprints and proactive Compliance. 6.Data protection 7.Convergence 8.Executive Endorsement and Buy-In 9.Implementing Leading Edge technologies 10.Policy Endorsement, Sign Off and Support

6. 6 REPUTATION Customer Confidence Compliance Adverse Media Integrity Responsibility REVENUE Organic Growth Profit Targets New Markets Market Share Releasing Security Value

7. 7 Security Challenges 2.Understand good risk and bad risk.. develop and maintain regular risk footprints. 1.Know your industry benchmarks. 3.Like synchronised swimming….. the security programme should be aligned with organisational goals..know your organisation, know your business. 4.Awareness programs not just for being aware, but rather for STAYING AWARE. 5.The role of the security practitioner has changed… How does your programme and practice reflect this change?

8. 8 The World Around Us “A laptop with personal information for your employees is stolen. The information can lead to identity theft, breaches of the Data protection act, non-compliance with HIPPA and SB1386”. “A contractor due to start work at a competitor’s site in two weeks starts transferring corporate information off site 4 weeks before leaving.” “ An employee, a former administrator for some accounts leave, but access remains to key systems which allows fraudulent activities” “A seasoned hacker is able to get a job as a cleaner in the organisation, allowing installation of key stroke loggers to capture passwords and access to key financial and business critical data.“ “7 out 10 websites now contain a security vulnerability that can be used by hackers to steal information or bring the site down.”

9. 9 “ Security is an art form… Technology the clay which helps to mould our end users into new ways of working, our creative minds, integrating life and landscape around us to produce a piece of art, admired by the entire organisation. “ Personal Security Charter Dr. Claudia Natanson, CISO, Diageo

10. 10 Enjoy our brands…remember Thank You