1
Information Security Governance:
Awareness at the
Board of Directors and
Executive Committee
Koen Maris
©2014
2
Problem statement
• Information security is associated with technology
• Interest of decision makers is not proportional to the dependence on information technology and the related information security issues*
• Information security is seen by senior management and the board as too complex and technology-oriented
• Information security is considered a discretionary budget line item*
• It is difficult to align information security with business requirements while taking the defined risk appetite into account
* Julia H. Allen, Governing for Enterprise Security, Carnegie Mellon CyLab
3
Research questions
Which level of information security governance “awareness”* is present at the level of the Board of Directors and executive management in a contemporary enterprise?
• Which practices (structures, procedures) have been identified?
• To what extent are these practices considered effective?
• Which practices are well adopted in today's enterprise?
• What are the main drivers for implementing these practices?
* knowledge or perception of a situation or fact (Oxford dictionary)
4
Methodology
Literature research
• Academic papers
• Books
• Papers from commercial companies
Public surveys
• Surveys from large consultancy firms
• Various industries
• Different levels of hierarchy
• Respondent volume ranging from +100 to +9000
Custom-made survey
• Focus on board and executive management
• Peer review on which practices are deemed most important
• Small number of respondents
Frameworks, methodologies, standards
• ISO 2700x
• COBIT 5
• ISACA, Business Model for Information Security
• ISC2, Common Body of Knowledge
• NIST 800-53
Goal: identification of common practices with focus on the Board of Directors and Executive Management
5
Background on master project
Information security and cyber security are hot news items
Many high-level incidents
Information security is a shared responsibility
Information security and technology change at high velocity
Aligning business, technology (IT) and information security remains difficult
6
What is information security governance
Definition (NIST)
Information security governance can be defined as the process of establishing
and maintaining a framework and supporting management structure and
processes to provide assurance that information security strategies are aligned
with and support business objectives, are consistent with applicable laws and
regulations through adherence to policies and internal controls, and provide
assignment of responsibility, all in an effort to manage risk.
Information security governance framework (ISACA)
• A comprehensive security strategy explicitly linked with business and IT
objectives
• An effective security organisational structure
• A security strategy that talks about the value of information protected and
delivered
• Security policies that address each aspect of strategy, control and regulation
• A complete set of security standards for each policy to ensure that
procedures and guidelines comply with policy
• Institutionalised monitoring processes to ensure compliance and provide
feedback on effectiveness and mitigation of risk
• A process to ensure continued evaluation and update of security policies,
standards, procedures and risks
7
Information Security Governance at the Board: identified practices
• Risk management: setting the tone by defining the risk appetite
• Identify information security leaders, provide resources and support
• Direction, strategy and leadership: put information security on the board's agenda
• Ensure effectiveness of the information security policy
• Integrate a strategic committee
• Staff awareness and training
• Measurement, monitoring and audit
8
Information Security Governance at the Board: effectiveness
• 23% see lack of leadership as an important obstacle to the overall strategic effectiveness of their organisation’s security strategy (PWC, 2012)
• 68% assume their information security strategy is aligned with the business needs (E&Y, 2012)
• Little or no involvement when aligning risk-based security with business objectives (Tripwire-Ponemon, 2013)
• Lack of strict segregation between risk and audit committee (only 8%), and half of those only oversee privacy and security (Jody R. Westby, 2012)
• 16% of board members are prepared to deviate from the risk appetite (Koen Maris, 2013)
• 68% of the CRO functions have a direct reporting line to the board
9
Information Security Governance at the Board: adopted practices
• 27% indicate that their board has an outside director with cyber security experience, though 64% think it is important to have one (Jody R. Westby, 2012)
• 42% have their information security strategy aligned with business objectives (E&Y, 2012)
• 50% think information is too technical to be understood by non-technical management (Tripwire-Ponemon, 2013)
• 33% of the boards address computer and information security (Jody R. Westby, 2012)
• 67% of boards approve a risk appetite statement (E&Y, 2013)
• 2/3 of Forbes Global 2000 companies have full-time personnel in key roles responsible for security and privacy
10
Information Security Governance at the Board: drivers for integration
• Severe incidents
• Legal/compliance
• Regulations
• Accountability
11
Information Security Governance at the Executive Committee: identified practices
• Information security framework
• Chief Security Officer / Chief Information Security Officer
• Implementation of information security
• Monitoring and assessment
• Awareness and communication
12
Information Security Governance at the Executive Committee: effectiveness
• A large majority of staff know the security policy, or at least know of its existence (Koen Maris, 2013)
• Only 26% of respondents with a security policy believe their employees have a good understanding of it (PWC, 2012)
• Almost 40% of CISOs/CSOs report to the CIO, and almost 30% to someone other than the CFO or CEO/COO (Jody R. Westby, 2012)
• 80% claim not to evaluate the ROI of security investments (PWC, 2012)
• Adapting to new risks is done by blocking for approx. 50% of the companies (E&Y, 2012)
• Only 8% of CSOs/CISOs measure the value and effectiveness of their enterprise cyber security organisation (Deloitte, 2012)
• Reporting only occurs in case of a severe incident and happens at too low a level (Tripwire-Ponemon, 2013)
13
Information Security Governance at the Executive Committee: adopted practices
• 95% of large companies have a security policy in place (PWC, 2012)
• A majority of executives agree that they should have someone responsible for information security (Koen Maris, 2013)
• 47% of the companies have an information security strategy committee in place (PWC, 2012)
• 56% claim security budgets are in a federated model, making it hard to measure and determine the real available budget (Deloitte, 2012)
• About 50% monitor and measure trends in security/incident costs; approx. 20% do not evaluate at all (PWC, 2012)
• Only 32% of staff claim to have received awareness training (ESET, 2012)
14
Information Security Governance at the Executive Committee: drivers for integration
• Response to an incident
• Legal and compliance
• Not done because it is too technical & complex
• Reduce risk
• Severe incident
15
Conclusion: Board
• Unclear whether a company with thoughtful leadership and enterprise risk management in place has also identified a security leader
• Audit and monitoring are well in place, but measuring effectiveness remains doubtful; there is not always a strict separation between the risk and audit committee
• Leadership, alignment and value are the least adopted
• Severe incidents and legal, regulatory and compliance requirements remain the main drivers for integration
16
Conclusion: Executive committee
• An ISMS is often in place, but the level of understanding and knowledge across the company remains low
• A CSO/CISO is in place in the majority of larger companies, but measuring their effectiveness remains difficult
• The reporting line is not always clear, and bottom-up reporting shows some clear shortcomings
• Awareness and steering committees have a low degree of adoption, though the majority recognises the importance of awareness
• Severe incidents and legal, regulatory and compliance requirements remain the main drivers for integration
17
End Note
• Would good ERM and correct bottom-up reporting provide better awareness and increase the alignment for information security?
• The effectiveness of, and the links between, structures and procedures are not well addressed. How do they influence each other?
• Would good bottom-up reporting provide a better strategy?
• More questions than answers.
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 

Último (20)

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Information security governance

1. Information Security Governance: Awareness at the Board of Directors and Executive Committee
Koen Maris, ©2014

2. Problem statement
• Information security is associated with technology
• Interest of decision makers not proportional with the dependence on information technology and related information security issues*
• Information security seen by senior management and the board as too complex and technology oriented
• Information security considered a discretionary budget line item*
• Difficult to align information security with business requirements, taking into account the defined risk appetite
* Julia H. Allen, Governing for Enterprise Security, Carnegie Mellon CyLab

3. Research questions
Which level of information security governance “awareness”* is present at the level of the Board of Directors and executive management in a contemporary enterprise?
• Which practices (structures, procedures) have been identified?
• To what extent are these practices considered effective?
• Which practices are well adopted in today's enterprise?
• What are the main drivers for implementing these practices?
* knowledge or perception of a situation or fact (Oxford dictionary)

4. Methodology
• Literature research: academic papers, books, papers from commercial companies
• Public surveys: surveys from large consultancy firms, various industries, different levels of hierarchy, respondent volume ranging from +100 to +9000
• Custom-made survey: focus on board and executive management, peer review on which practices are deemed most important, small number of respondents
Identification of common practices, with focus on the Board of Directors and Executive Management
• Frameworks, methodologies, standards: ISO 2700x, COBIT 5, ISACA Business Model for Information Security, ISC2 Common Body of Knowledge, NIST 800-53

5. Background on master project
• Information security and cyber security are hot news items
• Many high-level incidents
• Information security is a shared responsibility
• Information security and technology change at high velocity
• Aligning business, technology (IT) and information security remains difficult

6. What is information security governance?
Definition (NIST): Information security governance can be defined as the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.
Information security governance framework (ISACA):
• A comprehensive security strategy explicitly linked with business and IT objectives
• An effective security organisational structure
• A security strategy that talks about the value of information protected and delivered
• Security policies that address each aspect of strategy, control and regulation
• A complete set of security standards for each policy to ensure that procedures and guidelines comply with policy
• Institutionalised monitoring processes to ensure compliance and provide feedback on effectiveness and mitigation of risk
• A process to ensure continued evaluation and update of security policies, standards, procedures and risks

7. Information Security Governance at the Board
Identified practices | Effectiveness | Adopted | Drivers for integration
• Risk management: setting the tone by defining the risk appetite
• Identify information security leaders, provide resources and support
• Direction, strategy and leadership: put information security on the board's agenda
• Ensure effectiveness of the information security policy
• Integrate a strategic committee
• Staff awareness and training
• Measurement, monitoring and audit

8. Information Security Governance at the Board
Identified practices | Effectiveness | Adopted | Drivers for integration
• 23% see lack of leadership as an important obstacle to the overall strategic effectiveness of their organisation’s security strategy (PWC, 2012)
• 68% assume their information security strategy is aligned with the business needs (E&Y, 2012)
• Little or no involvement when aligning risk-based security with business objectives (Tripwire-Ponemon, 2013)
• Lack of strict segregation between risk and audit committee: only 8%, and half of those only oversee privacy and security (Jody R. Westby, 2012)
• 16% of board members are prepared to deviate from the risk appetite (Koen Maris, 2013)
• 68% of the CRO functions have a direct reporting line to the board

9. Information Security Governance at the Board
Identified practices | Effectiveness | Adopted | Drivers for integration
• 27% indicate that their board has an outside director with cyber security experience, though 64% think it is important to have one (Jody R. Westby, 2012)
• 42% have their information security strategy aligned with business objectives (E&Y, 2012)
• 50% think information is too technical to be understood by non-technical management (Tripwire-Ponemon, 2013)
• 33% of the boards address computer and information security (Jody R. Westby, 2012)
• 67% of boards approve the risk appetite statement (E&Y, 2013)
• 2/3 of Forbes Global 2000 companies have full-time personnel in key roles responsible for security and privacy

10. Information Security Governance at the Board
Identified practices | Effectiveness | Adopted | Drivers for integration
• Severe incidents
• Legal/compliance
• Regulations
• Accountability

11. Information Security Governance at the Executive Committee
Identified practices | Effectiveness | Adopted | Drivers for integration
• Information security framework
• Chief Security Officer / Chief Information Security Officer
• Implementation of information security
• Monitoring and assessment
• Awareness and communication

12. Information Security Governance at the Executive Committee
Identified practices | Effectiveness | Adopted | Drivers for integration
• A large majority of staff know the security policy, or at least of its existence (Koen Maris, 2013)
• Only 26% of respondents with a security policy believe their employees have a good understanding of it (PWC, 2012)
• Almost 40% of CISOs/CSOs report to the CIO, almost 30% to someone other than the CFO or CEO/COO (Jody R. Westby, 2012)
• 80% claim not to evaluate the ROI of security investments (PWC, 2012)
• Adapting to new risks is done by blocking for approx. 50% of the companies (E&Y, 2012)
• Only 8% of CSOs/CISOs measure the value and effectiveness of their enterprise cyber security organisation (Deloitte, 2012)
• Reporting only occurs in case of a severe incident and happens at too low a level (Tripwire-Ponemon, 2013)

13. Information Security Governance at the Executive Committee
Identified practices | Effectiveness | Adopted | Drivers for integration
• 95% of large companies have a security policy in place (PWC, 2012)
• The majority of executives agree that they should have someone responsible for information security (Koen Maris, 2013)
• 47% of the companies have an information security strategy committee in place (PWC, 2012)
• 56% claim security budgets are in a federated model, making it hard to measure and determine the real available budget (Deloitte, 2012)
• About 50% monitor and measure trends in security/incident costs; approx. 20% do not evaluate at all (PWC, 2012)
• Only 32% of staff claim to have received awareness training (ESET, 2012)

14. Information Security Governance at the Executive Committee
Identified practices | Effectiveness | Adopted | Drivers for integration
• Response to an incident
• Legal and compliance
• Not done because it is too technical and complex
• Reduce risk
• Severe incident

15. Conclusion
Board | Exec. committee
• Unclear if a company having thoughtful leadership and enterprise risk management in place had also identified a security leader
• Audit and monitoring parts are well in place, but measuring effectiveness remains doubtful; there is not always strict separation between risk and audit committee
• Leadership, alignment and value are the least adopted
• Severe incidents and legal, regulatory and compliance requirements remain the main drivers for integration

16. Conclusion
Board | Exec. committee
• An ISMS is often in place, but the level of understanding and knowledge across the company remains low
• A CSO/CISO is in place in the majority of larger companies; measuring their effectiveness remains difficult
• The reporting line is not always clear, and bottom-up reporting shows some clear shortcomings
• Awareness and steering committees have a low degree of adoption, though the majority recognise the importance of awareness
• Severe incidents and legal, regulatory and compliance requirements remain the main drivers for integration

17. End note
• Would good ERM and correct bottom-up reporting provide better awareness and increase the alignment for information security?
• The effectiveness and the links between structures and procedures are not well addressed. How do they influence each other?
• Would good bottom-up reporting provide better strategy?
• More questions than answers...