Name Managing threats in the Digital Age - Addressing ... · Managing threats in the Digital Age -...

Name Title: Glen Gooding Director, Institute for Advanced Security Asia Pacific Managing threats in the Digital Age - Addressing security, risk and compliance in the C-Suite


Page 1:

Glen Gooding

Director, Institute for Advanced Security

Asia Pacific

Managing threats in the Digital Age - Addressing security, risk and compliance in the C-Suite

Page 2:

The Planet is getting more…

Smart Supply Chains

Smart Countries

Smart Retail

Smart Water Management

Smart Weather

Smart Energy Grids

Smart Oil Field Technologies

Smart Regions

Smart Healthcare

Smart Traffic Systems

Smart Cities

Smart Food Systems

INSTRUMENTED INTERCONNECTED INTELLIGENT

Page 3:

EVERYTHING IS EVERYWHERE

Continued movement of business to new platforms including cloud, virtualization, mobile, social business and more.

Page 4:

CONSUMERIZATION OF IT

With the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared.

Page 5:

DATA EXPLOSION

The age of Big Data – the explosion of digital information – has arrived and is facilitated by the pervasiveness of applications accessed from everywhere.

Page 6:

ATTACK SOPHISTICATION

The speed and dexterity of attacks have increased, coupled with new motivations ranging from cyber crime to state-sponsored to terror-inspired.

Page 7:

An explosion of breaches has opened 2011 marking this year as “The Year of the Security Breach.”

A secure Web presence has become the Achilles heel of Corporate IT Security

IBM’s Rational Application Security Group research tested 678 sites (Fortune 500) – 40% contained client-side vulnerabilities

Mass endpoint exploitation happening not only through browser vulnerabilities, but also malicious movies and documents

IBM Managed Security Services show favorite attacker methods are SQL injection, and the brute forcing of passwords, databases, and Windows shares

EVOLVING THREATS

2011 X-Force Mid-Year Trend And Risk Report

Page 8:

Security challenges are impacting innovation

External threats: Sharp rise in external attacks from non-traditional sources

Cyber attacks; Organized crime; Corporate espionage; State-sponsored attacks

Internal threats: Ongoing risk of careless and malicious insider behavior

Administrative mistakes; Careless inside behavior; Internal breaches; Disgruntled employee actions

Compliance: Growing need to address an increasing number of mandates

National regulations; Industry standards; Local mandates

Impacting innovation: Cloud Computing; Mobile Computing; Social Business; Business Analytics

Page 9:

The impact of a breach is now not contained to IT, but reverberates across the corporation

CEO

CxO priority: Maintain competitive differentiation

Security risks: Misappropriation of intellectual property; Misappropriation of business sensitive data

Potential impact: Loss of market share and reputation; Legal exposure

CFO/COO

CxO priority: Comply with regulations

Security risks: Failure to address regulatory requirements

Potential impact: Audit failure; Fines and criminal charges; Financial loss

CIO

CxO priority: Expand use of mobile devices

Security risks: Data proliferation; Unsecured endpoints and inappropriate access

Potential impact: Loss of data confidentiality, integrity and/or availability

CHRO

CxO priority: Enable global labor flexibility

Security risks: Release of sensitive data; Careless insider behavior

Potential impact: Violation of employee privacy

CMO

CxO priority: Enhance the brand

Security risks: Stolen personal information from customers or employees

Potential impact: Loss of customer trust; Loss of brand reputation

Increasingly, companies are appointing CROs and CISOs with a direct line to the Audit Committee

Page 10:

The Result: Security is becoming a board room discussion

Business Results

Audit Risk

Impact of hacktivism

Legal Exposure

Supply Chain

Sony estimates potential $1B long term impact – $171M / 100 customers

Epsilon breach impacts 100 national brands

TJX estimates $150M class action settlement in release of credit / debit card info

Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …

Zurich Insurance PLc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records

Brand Image

Bank data breach discloses 24K private banking customers

Can this happen to us?

Page 11:

It’s time to start thinking differently about security.

Page 12:

People: Employees, Consultants, Hackers, Terrorists, Outsourcers, Customers, Suppliers

Data: Structured, Unstructured, At rest, In motion

Applications: Systems applications, Web applications, Web 2.0, Mobile apps

Infrastructure

77% of firms feel cyber-attacks are harder to detect and 34% have low confidence in their ability to prevent them

75% felt effectiveness would increase with end-to-end solutions

The attack surface for a typical business is growing at an exponential rate

Page 13:

Security Intelligence

Axes: Reactive to Proactive; Manual to Automated

Basic: Organizations employ perimeter protection, which regulates access and feeds manual reporting

Proficient: Security is layered into the IT fabric and business operations

Optimized: Organizations use predictive and automated security analytics to drive toward security intelligence

In this “new normal”, IBM is helping organizations usher in an era of Security Intelligence

Page 14:

Optimize security across domains

Domains: People, Data, Applications, Infrastructure

Optimized

Governance, risk and compliance; Advanced correlation and deep analytics

People: Role based analytics; Identity governance; Privileged user controls

Data: Data flow analytics; Data governance

Applications: Secure app engineering processes; Fraud detection

Infrastructure: Advanced network monitoring; Forensics / data mining; Secure systems

Proficient

People: User provisioning; Strong authentication

Data: Access monitoring; Data loss prevention

Applications: Application firewall; Source code scanning

Infrastructure: Asset mgmt; Endpoint / network security management

Basic

People: Centralized directory

Data: Encryption; Access control

Applications: Application scanning

Infrastructure: Perimeter security; Anti-virus

Security Intelligence

Page 15:

GETTING TO SECURITY INTELLIGENCE: A Three Point Plan

GET INFORMED

Take a structured approach to assessing business and IT risks

GET ALIGNED

Implement and enforce security excellence across the extended enterprise

GET SMART

Deploy intelligent controls and analytics within and across key domains

Page 16:

Take a structured approach to assessing business and IT risks

ADDRESSING RISK MANAGEMENT

Align and integrate IT risk into the business’ Enterprise Risk Management framework

Identify key threats and compliance mandates

Implement and enforce a risk management process and common controls framework

Execute incident management processes when crises occur

Get Informed

Page 17:

Implement and enforce security excellence across the extended enterprise


EXTENDED ENTERPRISE

PARTNERS CUSTOMERS REGULATORS EMPLOYEES AUDITORS

Get Aligned

Page 18:

Deploy intelligent controls and analytics within and across key domains

Complex, low-latency Cybersecurity analytics with InfoSphere Streams

21B events per day correlated in Managed Security Services leveraging Cognos

Identity Governance to help demonstrate compliance

Next generation network security designed to integrate web, content, and network activity

Hybrid scanning capabilities from Rational AppScan

SPSS Predictive Analytics reducing the cost of a client’s audit investigations by 60%

Get Smart

Page 19:

IBM’s unique security expertise and approach…

21 billion events monitored per day

4,000+ managed services customers

10 security development labs

9 security operations centers

6,000+ technical experts

20+ leadership recognitions

2010 Security Company of the Year

SECURITY APPROACH

GET ALIGNED

GET INFORMED

GET SMART

UNIQUE EXPERTISE

Page 20:

… is combined with IBM’s depth of capabilities, and with Q1 Labs, IBM will have the most complete portfolio in IT security

Security Consulting

Managed Services

X-Force and IBM Research

IBM Security Portfolio

People Data Applications Infrastructure

IT Infrastructure – Operational Security Domains

IT Security and Compliance Analytics & Reporting

QRadar SIEM

QRadar Log Manager

QRadar Risk Manager

IBM Privacy, Audit and Compliance Assessment Services

Identity & Access Management Suite

Federated Identity Manager

Enterprise Single Sign-On

Identity Assessment, Deployment and Hosting Services

Guardium Database Security

Optim Data Masking

Key Lifecycle Manager

Data Security Assessment Service

Encryption and DLP Deployment

AppScan Source Edition

AppScan Standard Edition

Security Policy Manager

Application Assessment Service

AppScan OnDemand Software as a Service

Network Intrusion Prevention

DataPower Security Gateway

QRadar Anomaly Detection / QFlow

Managed Firewall, Unified Threat and Intrusion Prevention Services

Endpoint Manager (BigFix)

zSecure, Server and Virtualization Security

Penetration Testing Services

Native Server Security (RACF, IBM Systems)

Network Endpoint

Enterprise Governance, Risk and Compliance Management

IBM OpenPages

Algorithmics (recent acquisition)

i2 Corporation (recent acquisition)

Page 21:

Let me leave you with 10 thoughts… If X-Force were running the IT Department

Page 22: