15th November 2018
Forum Genève, Geneva, Switzerland
#ZeroDayCh
@ZeroDayCh
www.zero-day.ch
PART II
Cybersecurity strategy planning in the banking sector
Olivier BUSOLINI
Head of IT risks and cyber security
Olivier Busolini - Cybersecurity strategy planning in the banking sector
Our short journey together
Let’s browse together the notes of an adventurer CISO.
Cybersecurity management has been transformed completely in the last couple of years.
It is now a board-level topic, yes!, and should be addressed as such.
It is also a very complex human, organisational and technical domain, which is under heavy scrutiny in today’s corporate world, and reinvents itself every year, if not every quarter.
On the other hand, the IT security industry has matured tremendously and today offers a universe of capabilities that need to be properly articulated together to create the right level of cybersecurity resilience that each company demands.
That’s where the fun begins.
Source: Google image
Agenda
• An approach to IT security strategic planning
• Controls hygiene and Compliance
• Security program
• Risks
• Tips from the trenches
Source: Google image
An approach to IT security strategic planning
• Business, Risks and Enterprise risk appetite
  • Educate - Get active business support - Security as an enterprise enabler - Formalise Enterprise risk appetite
• Assess gaps
  • Assess IT’s effectiveness at key capabilities - Benchmark it with peers - Gather feedback on Security’s performance
• Agile planning
  • Controls maturity goals vs. risk appetite and budgets - Maximize impact of cybersecurity investments
• Implementation
  • Clear steps and RACI – Talents – Metrics – Change mgt
• Monitoring
Source: Google image
Controls hygiene and Compliance
Source: ANSSI
Source: Google image
Controls hygiene and Compliance (II)
Source: NIST
Source: Google image
Function / Category / ID
Function: Identify - What processes and assets need protection?
  Asset Management - ID.AM
  Business Environment - ID.BE
  Governance - ID.GV
  Risk Assessment - ID.RA
  Risk Management Strategy - ID.RM
  Supply Chain Risk Management - ID.SC
Function: Protect - What safeguards are available?
  Identity Management & Access Control - PR.AC
  Awareness and Training - PR.AT
  Data Security - PR.DS
  Information Protection Processes & Procedures - PR.IP
  Maintenance - PR.MA
  Protective Technology - PR.PT
Function: Detect - What techniques can identify incidents?
  Anomalies and Events - DE.AE
  Security Continuous Monitoring - DE.CM
  Detection Processes - DE.DP
Function: Respond - What techniques can contain impacts of incidents?
  Response Planning - RS.RP
  Communications - RS.CO
  Analysis - RS.AN
  Mitigation - RS.MI
  Improvements - RS.IM
Function: Recover - What techniques can restore capabilities?
  Recovery Planning - RC.RP
  Improvements - RC.IM
  Communications - RC.CO
Controls hygiene and Compliance (III)
Source: Financial Services Sector Specific Cybersecurity “Profile”, NIST Cybersecurity Workshop May 17, 2017
Source: Wavestone
NIST has been working with the Financial Services Sector Coordinating Council (FSSCC) to develop a NIST Cybersecurity Framework (CSF) sector-specific “Profile” for Financial Services that could include:
• New risk-tiering methodology
• Significant changes to the framework core and diagnostic statements
• More precise assessment criteria
Security program, one way to go
Source: Google image
Security program, another one
• Plan a maturity increase across multiple years
  1. Design and build program
  2. Trust and Resilience foundations
  3. e.g. Extended Detection and Customer Security
  4. Target objective
• Across main categories of IT assets
  • People – awareness, training, trust and key enabler of security…
  • Process – formalised, implemented, measured, reported…
  • Infrastructure – identified, classified, protected and resilient to attacks, monitored to detect new and advanced threats
  • Applications – identified, classified, SDLC, fraud detection…
  • Data – identified, classified, protected, monitored…
Source: Google image
Security program – example of tools & steps
Source: SANS (Brian Ventura)
Source: Google image
Risks
Source: Wikipedia
Tips from the trenches
• People first
  • Source and secure key talents in a multi-year people strategy
• Enterprise risk appetite is
  • Key to drive decisions
  • Difficult to define beforehand
• When sitting at the board, speak the board’s language
  • No tech terms; RoI, cost effectiveness, etc.
• Budget management
  • Investments (people and $), and do not forget the induced additional BAU work created across IT and Security
• Work on quick improvements of Incident and Crisis management
• Build agility in your program to re-prioritize projects
  • Evolution of threats, technology landscape of the company, regulations, business focus, etc.
Source: Google image
Contacts and Q&A
Help me find new ideas: challenge my views!
Thanks in advance
Olivier Busolini
busolivier@protonmail.com
Olivier Busolini has been involved in IT security for 25 years, in the private and public sectors, across several industries. He has experienced different business dynamics, and developed leadership in IT risk and security management as an integrated part of operational risks, data governance and digital business activities.
He has been holding CISO roles for Swiss banks for the last 10 years. He focuses on managing technology risks and security from a business risk perspective, to deliver cost-efficient risk assurance.
This presentation was created in my personal capacity. The opinions expressed in this document are mine only, and do not necessarily reflect the view of my employer. All rights reserved to the author.

  • 7. 7Olivier BusoliniCybersecurity strategy planning in the banking sector Controls hygiene and Compliance (III) Source: Financial Services Sector Specific Cybersecurity “Profile”, NIST Cybersecurity Workshop May 17, 2017 Source: Wavestone • New risk–tiering methodology • Significant changes to the framework core and diagnostic statements • More precise assessment criterias NIST has been working with the Financial Services Sector Coordinating Council (FSSCC) to develop a NIST Cybersecurity Framework (CSF) sector-specific “Profile” for Financial Services that could include:
  • 8. 8Olivier BusoliniCybersecurity strategy planning in the banking sector Security program, one way to go Source: Google image
  • 9. 9Olivier BusoliniCybersecurity strategy planning in the banking sector Security program, another one • Plan a maturity increase across multiple years 1. Design and build program 2. Trust and Resilience foundations 3. e.g. Extended Detection and Customer Security 4. Target objective • Across main categories of IT assets • People – awareness, training, trust and key enabler of security… • Process – formalised, implemented, measured, reported… • Infrastructure - identified, classified, protected and resilient to attacks, monitored to detect new and advanced threats • Applications – identified, classified, SDLC, fraud detection… • Data – identified, classified, protected, monitored…Source: Google image
  • 10. 10Olivier BusoliniCybersecurity strategy planning in the banking sector Security program – example of tools & steps Source: SANS (Brian Ventura) Source: Google image
  • 11. 11Olivier BusoliniCybersecurity strategy planning in the banking sector Risks Source: Wikipedia
  • 12. 12Olivier BusoliniCybersecurity strategy planning in the banking sector Tips from the trenches • People first • Source and secure key talents in a multi-year people strategy • Enterprise risk appetite is • Key to drive decisions • Difficult to define beforehand • When sitting at the board, speak the boards’ language • No tech terms, RoI, Cost effectiveness, etc. • Budget management • Investments (people and $), and do not forget induced additional BAU work created across IT and Security • Work on quick improvements of Incident and Crisis management • Build agility in your program to re-prioritize projects • Evolution of threats, technology landscape of the company, regulations, business focus, etc.Source: Google image
  • 13. 13Olivier BusoliniCybersecurity strategy planning in the banking sector Contacts and Q&A Help me find new ideas: challenge my views ! Thanks in advance Olivier Busolini busolivier@protonmail.com Olivier Busolini has been involved in IT security for 25 years, in the private and public sectors, across several industries. He experienced different business dynamics, and developed leadership in IT risk and security management, as an integrated part of operational risks, data governance and digital business activities. He has been holding CISO roles for Swiss banks for the last 10 years. He focuses on managing technology risks and security from a business risk perspective, to deliver cost efficient risk assurance. This presentation was created in my personal capacity. The opinions expressed in this document are mine only, and do not necessarily reflect the view of my employer. All right reserved to the author.