Does IT Security Matter? Dr. Luke O’Connor Group IT Risk Zurich Financial Services, Switzerland Faculty of Information Technology, QUT November 27th, 2007

Page 1

Does IT Security Matter?

Dr. Luke O’Connor

Group IT Risk

Zurich Financial Services, Switzerland

Faculty of Information Technology, QUT

November 27th, 2007

Page 2

Outline

• A bit about Zurich and myself

• Nicholas Carr and knowing your neighbours

• Security Tectonics

• The Explanation is Mightier than the Action

• Risk and the New Math

• Final Grains of Wisdom

Page 3

Introduction to Zurich

• Offices in North America and Europe as well as in Asia Pacific, Latin America and other markets

• Servicing capabilities to manage programs with risk exposure in more than 170 countries

• Approximately 58,000 employees worldwide

• Insurer of the majority of Fortune’s Global 100 companies

• Net income attributable to shareholders of USD 4.5 billion in 2006

• Business operating profit of USD 5.9 billion in 2006

Page 4

My Background

• Industrial Research (6 yr): what people might want

• Consulting (5 yr): what people say they want

• In house (2 yr): what people expect

(Security) → (Risk)

Page 5

G-IT Risk stakeholders (diagram)

Diagram of GITR (Group IT Risk) and its partner focus. GITR sits at the centre, co-operating with the Zurich Business and Service Providers through service risk management and project risk management, and acting as the primary interface for G-IT. Labels recoverable from the diagram:

• Zurich Business: Business A, Business B, Business C, Business x, each with an Account Exec (A, B, C, x)

• Service Providers: Supplier A, Supplier B, Supplier x

• G-IT support functions and Group functions shown: GSM, Investigations, Capabilities, Finance, GITAG, Process/QM, Sourcing, Audit, Compliance, Legal, Risk

• External functions: Industry Bodies & Suppliers, G-ISP (consume information and services)

Page 6

Does IT Matter?

• Carr, N., “IT Doesn’t Matter”, Harvard Business Review, Vol. 81, No. 5, May 2003

• Carr, N., “Does IT Matter?”, 2004

“IT doesn’t matter and can’t bring strategic advantage at present!“

• Spend less

• Follow, don't lead

• Focus on vulnerabilities, not on opportunities

• IT management should become “boring”

• Manage risks and costs

Page 7

Good Neighbours, but Good Friends?

Business → IT Department → IT Security

Businesses see IT as something technical: there is a dependency but not a strategic relationship.

IT Departments see IT Security as something technical: there is a dependency but not a strategic relationship.

Page 8

The Continental Drift of C, I, A

CIA, better known to business as “Call in Accenture”

Diagram: the security concerns of Confidentiality, Integrity and Availability spread across the layers TECHNICAL, CONCEPTUAL, ARCHITECTURAL, PROCESS and BUSINESS. Items recoverable from the slide, in order from the technical to the business end:

Confidentiality

· SSL, VPN, “SSL VPN“, Database Encryption, Hard Disk Encryption

· Data In Flight, Data at Rest

· Data Retention, Data Leakage, Data Breach, Data Privacy, Cross Border Data Flow

Integrity

· Hashing & Checksums, Digital Signatures

· Authentication, Access Control, Logging

· One person, one ID; rapid and flexible provisioning and deprovisioning of rights; Role Based Access Control

· ID Management, Financial Process Integrity

Also shown: Anti-Virus, Firewalls, Anti-Spyware, DOS

Availability

· Backup & Restore, RAID, Clustering, Hot Swapping, Incident Response

· Business Continuity, Disaster Recovery

Page 9

The Explanation is Mightier Than the Action

Security Business

Page 10

Security Bingo

Page 11

Notable Security Setbacks

• Regulatory Frameworks over Security Frameworks (SOX over 7799)

• Excel over FUD (Fear, Uncertainty and Doubt)

• Reactive over Proactive

• SLAs over Security Program

• Commercial over Military

Page 12

The New-ish Security Model: From Castle to Airport

Castle: Security mechanisms are static and difficult to change.
Airport: Security mechanisms are dynamic and responsive to threats.

Castle: Reliance on a few mechanisms. Castle walls are impregnable. Once inside, security mechanisms are minimal.
Airport: Uses multiple overlapping technologies for defence in depth.

Castle: Known community have unrestricted access within the security boundary.
Airport: Security must be maintained whilst an unknown population traverse. Security of inclusion (ensuring the right people have access to the right resources) and security of exclusion (ensuring that assets are protected). Use of roles to determine security requirements.

Castle: Silo mentality in organisation.
Airport: Requires an open, co-ordinated, global approach to security.

Page 13

The next Big Thing: Network Access Control (NAC)

How do you sell this to your IT Department or Business?

Diagram of a NAC architecture with three zones, Remote Access DMZ, Quarantine Network and Trusted Network, separated by Firewall Clusters. Components shown:

• VPN Concentrator, DMZ Network, AAA Server, IDS Sensor (DMZ side)

• Network Access Control Server, Platform Configuration Server, Quarantine Server

• Trusted VLANs, IDS Sensor (trusted side)

Access rules shown: access to a restricted set of web applications based on user role; access to a restricted VLAN based on user role.
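The admission decision the NAC diagram implies, as an added example that is not part of the original slides: the AAA server supplies authentication and role, the platform configuration server supplies posture checks, and the NAC server places the endpoint either in a role-restricted trusted VLAN (with role-restricted web applications) or in the quarantine network. Role names, VLAN ids, posture check names and application names are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed, hypothetical policy tables: role -> trusted VLAN, role -> DMZ web apps.
ROLE_VLAN = {"finance": 110, "claims": 120, "it-ops": 130}
ROLE_WEBAPPS = {
    "finance": {"ledger", "mail"},
    "claims": {"claims-portal", "mail"},
    "it-ops": {"mail", "ticketing"},
}
QUARANTINE_VLAN = 999  # constructed id for the quarantine network
# Checks the platform configuration server must report as passed.
REQUIRED_POSTURE = {"av_signatures_current", "patch_level_ok", "firewall_enabled"}


@dataclass
class Endpoint:
    user: str
    authenticated: bool                        # result reported by the AAA server
    role: str                                  # role asserted by AAA; "" if none
    posture: set = field(default_factory=set)  # posture checks passed


@dataclass
class Decision:
    vlan: int
    webapps: set
    reason: str


def admit(ep: Endpoint) -> Decision:
    """NAC placement decision. Fails closed: anything not explicitly trusted
    lands in the quarantine network with no application access."""
    if not ep.authenticated:
        return Decision(QUARANTINE_VLAN, set(), "AAA authentication failed")
    missing = REQUIRED_POSTURE - ep.posture
    if missing:
        # Non-compliant hosts only reach remediation services in quarantine.
        return Decision(QUARANTINE_VLAN, set(),
                        "posture checks failed: " + ", ".join(sorted(missing)))
    if ep.role not in ROLE_VLAN:
        return Decision(QUARANTINE_VLAN, set(), f"unknown role {ep.role!r}")
    # Role-based placement: restricted trusted VLAN plus restricted web applications.
    return Decision(ROLE_VLAN[ep.role], set(ROLE_WEBAPPS[ep.role]), "admitted")
```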

Page 14

From Security ….

Objectives (Perceived)

• ISO 17799, ISF, Cobit, NIST, your policies and standards, etc.

Controls (Desired)

• ISO 17799, ISF, Cobit, NIST, your service catalogue, etc.

Testing (Reality)

• Documentation, questionnaires, interviews, demonstrations, inspections, tooling, 3rd party analysis

Report (The Plan)

• Control effectiveness, compliance, risk, mitigation, priorities

Page 15

… to Risk

• Description: What could happen?

• Trigger: How could it happen?

• Consequence: What is the impact?

• Probability: How often?

• Severity: How bad?

Page 16

Controls as Risk (as is)

Diagram: a Control Objective (e.g. CoBIT) is implemented by Controls C1, C2, C3 and C4. Control Assessment rates each control as Effective, Needs Improvement or Not Effective, and each deficient control is labelled “Risk?”.

NO! Risk scenarios are reformulations of control deficiencies (gaps). Control gaps are potential triggers of risk.

Page 17

IT Risk – Components

IT Projects Risk

• Financial & Resources
• Compliance & Audit
• Contract & Supplier Mgmt
• IT Architecture & Strategy
• IT Project Management Risks
• Facilities & Environment
• IT Operations & Support
• Time to Deliver
• IT Security

IT Services Risk

• Service Level Management
• Capacity Planning
• Contingency Planning
• Availability Management
• Cost Management
• Configuration Management
• Problem Management
• Change Management
• Help Desk
• Software Control & Distribution
• IT Security

Page 18

Zurich’s IT Risk Management Framework

Diagram of the framework as five numbered steps:

1. ABC (Assessment of Business Criticality): the object to be assessed (project or service) is risk-analysed to prioritise resources. Below threshold: no further analysis, apply policies and standards. Above threshold: continue with step 2 (projects) or step 3 (services).

2. Project Risk Tool: optimised risk analysis for projects; risk assessment within the PMO process.

3. Service Risk Tool: optimised risk analysis for services; facilitated assessments and self-assessments.

4. Group IT – Risk Register (Central): the risk register provides a single global datastore for analysis and reporting.

5. Reporting, Escalation and Action Monitoring: Group IT Risk Reporting, dashboard, actions monitoring, QRR.

Supporting services shown: Project Risk Consulting, Services Risk Consulting, IT Security Risk Assessments.

Page 19

Relation to Operational Risk

Diagram of how the IT Risk process and the opRisk process share a Common IT Infrastructure and a Common Risk Repository:

• IT Risk process: IT Project Risk Assessments, IT Service Risk Assessments, IT Risk Incident Management, IT Risk Reporting

• opRisk process: opRisk QRA, opRisk KRIs, opRisk LED Collection, opRisk Modeling and Quantification, opRisk Reporting

• Other sources: ICF, TRP, ...

• Outcomes: awareness, well informed decision making, incentives, performance measurement, capital allocation

Legend: opRisk Process, IT Risk Process, Joint Effort, Data Flow, Input, Other Process.

Page 20

Conclusion: Does IT Security Matter?

• IT Security in general is not an end in itself

• IT Security is one area competing for attention and funding, amongst many

• If you don’t make IT security matter, it won’t

• Keeping business secure is the main end

• Focus on securing business processes not the process of securing

• Excel is your new best friend

• Make your spreadsheets work with their spreadsheets

• A risk-based approach is the opportunity to speak business language

• Don’t replace FUD with GIGO (garbage in, garbage out)

Page 21

Over to you