Protiviti_Security Convergence (March 2008)
Transcript of Protiviti_Security Convergence (March 2008)
-
8/14/2019 Protiviti_Security Convergence (March 2008)
Security Convergence
Marc Vael InfoSecurityProtiviti March 2008
Security Convergence: Fact or Fiction?
March 2008, InfoSecurity, Groot-Bijgaarden
2008 Protiviti Inc.
Short Introduction on Protiviti
Marc Vael, Executive Director / Co-Founder Protiviti Belgium
This presentation is for public use in the context of InfoSecurity Belgium 2008.
Business Risk Consulting:
Enterprise Risk Management
Sarbanes-Oxley / J-SOX compliance
Forensics Solutions
Fraud Risk Management
Basel II compliance
Credit & Treasury Risk Management
Financial Process Improvement
Revenue Risk Management
Spend Risk Improvement
Supply Chain Risk Management
Internal Audit:
Audit Committee Advisory
IA Co-Sourcing
IA Full Outsourcing
IA Transformation
Quality Assurance Reviews
IT Audit Services
IA Technology Implementation
Technology Risk Consulting:
Application Controls
Business Continuity Management
Incident & Crisis Management
Privacy Risk & Data Protection Management
Project Risk Management
Security Improvement
Change Management
Business Intelligence
Outsourcing Risk Management
Protiviti
Protiviti is a leading provider of independent risk consulting & internal audit services to help clients identify, assess, measure and manage financial, operational and technology-related risks encountered in their industries, and assist in the implementation of processes & controls to enable continued monitoring.
Active since 2002
+3.000 dedicated professionals worldwide (of which +500 in Europe)
Revenue 2007: 552,3 million USD
100% part of Robert Half International: 4,6 billion USD revenue 2007
Protiviti Global Footprint
[World map of office locations; labelled points include Kuwait, Istanbul, Jakarta, Malaysia, Brussels and Madrid]
60 offices in 15 countries
Security Convergence: Fact or Fiction?
Marc Vael, Executive Director / Co-Founder Protiviti Belgium
Why Security Convergence?
The Holy Grail for the CISO:
Centralised & consolidated security approach
Protect customer, employee & company data
Demonstrate compliance
Integrated security architecture
Definition of Security Convergence (from ASIS International):
The identification of security risks & interdependencies between business functions & processes within the enterprise, and the development of managed business process solutions to address those risks & interdependencies.
Security Convergence: starting point
Identify external drivers: convergence; market, customers, competitors, partners
Identify internal drivers: corporate strategy & key earnings drivers; spend analysis of security risk functions; existing processes
Security Alignment & Risk Mitigation Architecture
Determined level of risk tolerance; metrics / dashboards / standards
Imperatives driving Security Convergence
Growth in a global world
Imperatives driving Security Convergence
Compliance & Regulation
Baseline for security professionals requiring minimum levels to be met (Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley, Basel II, Solvency II, etc.)
Complexity results in managers' ability to be forward-sensing when assessing enterprise security needs.
Balance focus on compliance.
Mere compliance to stay out of jail is of no real use to the company or people.
If undue focus on compliance: distortion of risk priorities and agendas => false sense of security.
Auditors see gaps in corporate security & alert clients to take action.
Effectively leveraging compliance can result in optimal risk posture when the following exist:
business strategy driven risk agenda
appropriate levels of accountability (RACI)
embedding of compliance & audit processes
guidelines (rather than standards).
Imperatives driving Security Convergence
Moving from physical to intangible world
Imperatives driving Security Convergence
Blurred boundaries
Imperatives driving Security Convergence
Continuous pressure to reduce costs
Complex risks => systematic, pragmatic approach to security that maximizes resources while adequately managing risk.
CISO should prioritize all risks => focus on critical risks (optimizing investments & reducing inefficiency).
Comprehensive look at all risks can assist in determining mitigation strategies. A converged security solution may cost more to develop, but ultimately mitigates more than one risk and has a longer shelf life => thus reducing overall expenditures.
CISO should streamline & simplify budget requests => use business language in order to facilitate security convergence. Assessment of all aspects of spending must be consistent with security & business objectives.
CISO should integrate security budget & security program goals into the overall budget process.
Security Convergence Essential Elements
Security Convergence Approach
Security Convergence Functions
CISO: Information Security Governance
Security Strategies: security architecture, policy & standards, research, application security
Compliance Program: compliance management, audit, compliance reporting
Advisory Services: security consulting, specialist services, awareness
Investigations & Response: investigations, forensics, response, tracking & reporting
Security Convergence: Fact or Fiction?
Security is complex
Security Convergence introduces even more complexity
Security Convergence requires essential elements
http://www.knowledgeleader.com
Contact Details
Mr. Marc Vael, CISSP, CISM, CISA, ITIL
Executive Director
Protiviti Belgium
Riverside Business Campus - Building F
Taminiau Business Center - 1st floor
Internationalelaan 55
1070 Brussels
Belgium
Tel: +32 (0) 2 609 69 23
Fax: +32 (0) 2 609 69 65
marc.vael@protiviti.com
At Protiviti, we believe the companies that most effectively understand and manage their risk are the companies that most often succeed. Or as we like to say