1/8/2012. Gordon Shevlin, Allgress, Founder, CEO Kyle Starkey, CISO, Early Warning Services. Effectively Communicating IT Risk to Senior Management

Transcription

1 Gordon Shevlin, Allgress, Founder, CEO Kyle Starkey, CISO, Early Warning Services Effectively Communicating IT Risk to Senior Management 1/8/2012

2 Agenda The evolution of IT Security Key Challenges in Communicating Risk Practices that Drive Better Business Results & Less Risk Benefits of a Business Focus Approach Connecting with Executives What is the process? Essential Components of A Risk Management Solution Summary

3 The Evolution of IT Security Being business leaders, security and risk management leaders must create a deliberate strategy to run, grow and transform the business of their organizations We must no longer focus exclusively on technology; and engage all controls, including behavior, process and technology. We must realize that it is impossible to stop every threat; we must prioritize risks to allow conscious choices by business leaders about what will and will not be done to address threats. Security and Risk Management are no longer buried deep in IT; we musty understand the impact that IT risk and security have on business outcomes. We must no longer depends Security Super Hero s; instead formalizing programs with repeatable, persistent and measurable processes. Source: Gartner - Agenda Overview for Security and Risk Management Leaders, 2013

4 Key Challenges in Communicating Risk IT security more technically oriented Too much data Reporting siloed Information not in context of the stake holder Call to actions not clearly communicated

5 Practices that Drive Better Business Results & Less Risk Source: Itpolicycompliance.com - Data Driven Reporting and Communications about IT: Better Results, Less Risk

6 Benefits of a Business Focused Approach Source: Aberdeen Group The ROI of information Governance: Reducing Corporate Liability and Enabling New Business Opportunity, June 2012 Source: Itpolicycompliance.com - Data Driven Reporting and Communications about IT: Better Results, Less Risk, February 2012

7 Connecting with Executives Ensure data is defensible, repeatable and consistent Abstract the technology out and put the business context in Articulate the impact or business performance because executives don t care about technical issues Communicate in terms of regulatory, operational, financial or reputational risk

8 What is the process? Formalize your risk management program Determine your business objectives with executive stake holders Utilize (or acquire) technology driven risk and compliance management solutions Implement continuous monitoring to identify and communicate your overall risk posture Evaluate and remediate risks that drive better business outcomes

9 Asset Intelligent Communications Essential Components of A Risk Management Solution Business Risk Intelligence Repository Audit Assessment Mitigation Policies Audit Data Compliance DB & Mapping Risk Model Technical Business Vulnerability /Threat Configuration, GRC Surveys SIM/SEM, DLP Assets People. Processes, Systems, Devices Policy

10 Putting Risk Posture in Business Context Immediate view of risk posture Animated heat maps show trending Customizable metrics that relate security risk to your specific business Prioritize remediation based on importance to business goals Scenario modeling

11 Summary A Successful risk management and intelligence strategy will improve corporate performance and business decision making Formalize a program of continuous risk management where risk is identified, assessed, tracked and reported in way various audiences understand Implement a common infrastructure that will support the integration of assessment and vulnerability data from different silos to support executive staff to make business decisions Link risk management to corporate performance to enable business decision makers using Key Performance Indicators (KPI s) and Leading Risk Indicators (LRI s) Bridge the gap between the objectives of IT and the business

12 Contact Information Gordon Shevlin Kyle Starkey

13 Allgress Risk and Intelligence Manager Web Site: General Information: