International Information Integrity Institute. I-4: An overview of the I-4 Programme



July - August 2014

A service provided by KPMG

Contents
1 What is I-4
2 Overview of I-4 member services
3 The benefits of I-4 membership
4 I-4 differentiators
Appendices
i Eighteen months of I-4 activities
ii The I-4 team

1 What is I-4

Keeping members at the forefront of information security

Founded in 1986 by Donn Parker of the Stanford Research Institute International, the International Information Integrity Institute (I-4) was the first knowledge and experience sharing forum for senior information security leaders. Acquired by KPMG in December 2009, I-4 is the leading forum for senior information security leaders involved in implementing sophisticated risk management and security operations, many of whom hold the highest ranking positions within some of the most influential global organisations.

I-4 brings together some of the leading minds in the world of information security and risk to help its members stay one step ahead of the big issues. It is at the forefront of the information security industry, pushing the boundaries on thought leadership, collaboration and innovation.

The fundamental ethos of the I-4 concept is trust, collaboration, participation, contribution and the willingness to share not only the extensive experience of its membership community but also their valuable intellectual property. For example, a financial services member which joined in 2011 has made available to the wider membership their extensive library of highly regarded awareness and education material, including online, audio and written content.

I-4 is a global forum with a difference, enabling members to tap into the latest thinking and anticipate emerging trends before they can impact their organizations. Members are able to separate the facts from the scare stories and get more from their investment in security.

Today's security leaders face an ever-widening range of challenges that are very much part of the top table agenda. I-4 membership helps its members give the Board and senior management greater assurance that valuable data is protected in a cost-effective way.

"The topics were relevant, tangible and provided great insight, which coupled with the numerous networking opportunities made this an excellent Forum." I-4 Member, Forum 81, March 2014

2 Overview of I-4 member services

Forums
These three-day conferences take place three times a year: one each on the west and east coasts of the US, and a third in Europe. The emphasis is very much upon learning, sharing knowledge and solving real problems by interacting with other members, relevant guests and external specialist contributors. The March 2012 Forum was the highest rated in I-4's twenty-five-year history, with one highly experienced CISO Member who attended saying, "Great Forum, I picked up half a dozen things to follow up when I get back in the office."

Webinars
Members may not always have the time to attend events in person, so I-4's monthly webinars offer an ideal way to keep abreast of important security issues. The content of two recent webinars, covering social media security and social engineering attacks, has been adopted by a number of members to feed directly into their education and awareness programmes.

Ad hoc member teleconferences
These facilitated teleconference workshops are convened at short notice to explore breaking news and help members understand and deal with new and emerging issues. The most recent example is the December 2013 member call that followed on from the incident sharing discussion in that month's Threat and Intel call.

Member queries
If a member organization is struggling to overcome a particular challenge, it can readily tap into the collective power of the I-4 membership. Responses to a query are analysed, collated and then published to the member raising the query and to the broader membership, so that all members quickly benefit from the collective knowledge and experience of the group.

Regional meetings
Held several times a year, one-day regional and half-day executive events allow members to focus on one or two specific issues in considerably greater detail, in some cases following up queries and discussions raised in Forums.

"The open sharing of information face-to-face during Forums is just invaluable, particularly as our organisation has considerably complex issues, therefore having a resource where experiences are shared in a trusted environment is very useful indeed." I-4 Member, May 2014

3 Benefits of I-4 membership

I-4 event content
I-4 runs at least one event each month and strives to deliver value and benefit to its members by equipping them with the insights and knowledge to address new and emerging issues. Recent I-4 events, in Forums and through other channels, have included in-depth analyses of: an exploration of the implications of recent certificate authority compromises; dealing with the complexity of the international legal and regulatory landscape; mobile security (devices, data and apps); situational awareness; what makes for effective information security awareness; targeted persistent attacks; cyber espionage; securing the end-point; working in potentially hostile territories; and intelligence-led security. See the I-4 website (www.i4online.com) for a look at everything that has been going on recently.

I-4 Projects
Member events and projects delivered by the I-4 Team, such as developing a good practice guide to defending against, detecting and recovering from an APT attack, allow I-4 members to share, collaborate and build shared solutions to shared problems.

The I-4 Threat and Intelligence Exchange
Launched in April 2012, this service provides members with the opportunity to openly discuss the threat and intelligence information currently on their agenda and explore threats, incidents and other intelligence that people are seeing and would like to explore with other members. This monthly interactive, facilitated teleconference underlines the fact that I-4 is all about the sharing of real experience and knowledge and getting on to the front foot with the ever-changing challenges facing the world of information security.

I-4 collaboration groups
Members form collaborative working groups to develop queries posted on the I-4 website, or following sessions or discussions at Forums, meetings or Webinars. A group may deal with a problem facing a member organization, or alternatively may investigate a more general area of concern. It may even choose to focus on issues affecting a particular industry, sector or region.

The I-4 website (www.i4online.com)
All I-4 content, including readily reusable awareness and education material, Forum presentations, recorded webinars, results of member queries and monthly Newsletters, is made available to I-4 members in the private section of the website.

"It can be a lonely job sometimes and having peers that you feel you can lean on from time to time at the CISO roundtable or broader I-4 meetings is very useful. The I-4 Member Query service is also very useful in asking a couple of key questions and gaining some very quick feedback that you can benchmark against the rest of the membership." I-4 Member, June 2013

4 I-4 differentiators

A highly experienced team
Five of the I-4 Team members have backgrounds as CISOs and CSOs of complex global organizations and many years' experience in senior security roles. Each of them brings a different perspective to I-4. This is much greater depth than the competing programmes offer, and it means that I-4 provides a close match to the needs of senior security leaders in the following ways:
- Program content and deliverables are of a high standard and focused on meeting the needs of senior executives.
- We are able to attract membership and participation from higher calibre individuals, giving attendance at I-4 events a greater value.
- The experienced perspective means that our horizon scanning is conducted through the lens of pragmatic experience, keeping it grounded in implementable improvements in the short and medium term, while at the same time identifying future issues in advance and equipping the members with front-foot knowledge.

Trust and intimacy
One of the firm foundations of the I-4 Program is an operating model and culture that encourages trust between the members. While this is backed by an NDA, the degree of trust that I-4 operates under is unprecedented compared to its competitors. This means that participants are much more willing and able to tell it like it is. Some recent examples of this are:
- A member talking through their post-incident response and remediation following an almost catastrophic near-miss attack on what were previously considered low-risk websites.
- A member presenting the history of their approach to pitching the investment case for increased spending on security: what had worked, what had not worked and why.
- An investment bank discussing their approach to using cloud services for security and how cloud-related risks were managed in an inherently conservative technology group.

During I-4 meetings the relationship building is as important as the content itself; we strive to create an environment where business friendships are made and built. Most members should leave a meeting having made at least two good connections with peers that will help to solve common problems in the short and long term.

"The Forum content was spot on. Every topic was relevant and timely and the speakers were engaging." I-4 Member, Forum 80, October 2013

4 I-4 differentiators (cont.)

Focus on larger, more complex organisations
Many of the other providers' services are targeted at a wide range of customers, meaning that the content delivered trends towards the lowest common denominator. Because I-4 focuses on the needs of senior executives at large and complex organizations, the output covers the issues that challenge these organisations; we see the basics as being covered by other knowledge sharing organizations and so do not cover them regularly or in great depth. The current membership ranges from some of the world's largest technology and services companies to global financial institutions, industrials and telecoms. While a small number of these also participate in other organizations, the biggest players are increasingly choosing to go with I-4 as their sole choice.

Backing by KPMG
In addition to establishing a highly experienced team, KPMG is investing heavily in I-4:
- Taking the quality of content and deliverables to a higher level than provided by our competitors
- Driving the growth in the number and quality of membership
- Using KPMG specialists to contribute content and experience and do heavy lifting on behalf of members

I-4 services comparison
There are currently a number of information security membership organizations which have either complementary or competing services to those of I-4. The following table provides a high level overview of how I-4 compares to other organizations in key service areas. While this is not intended to be a definitive or truly scientific comparison, it nonetheless helps illustrate why I-4 should be considered the first choice for all leading players.

Service areas compared (I-4 versus Gartner, IREC, ISF, RSA and SANS; the per-organisation markings are not reproduced here):
- Thought leadership think tank
- One-on-one interactions with members, facilitating trust and personal growth
- Encourages active participation
- Annual meetings *
- Proven knowledge sharing with top executives
- Exposure to latest technology and theory
- Executive management training
- Targeted technical training
- No-cost regional conferences
- All discussions under NDA, creating an environment of trust and sharing

* I-4 runs three-day Forum events three times a year, along with a programme of one-day Regional Meetings.

Appendices

i Eighteen months of I-4 activities

Since January 2013, I-4 has delivered:

Forums

Forum 78, San Diego
Forum 78 was held from Monday 4th to Wednesday 6th March 2013 and Members rated the Forum highly overall. Highlights from Forum 78 included:
- A keynote presentation about the importance of rigour and discipline in tackling the dual challenges of rapid change and stability of systems.
- Four case studies focused on providing real learnings across a range of topics and sectors.
- Participants were given an update on the latest developments in the attacker's domain, where one criminal website describes its services as accessible, affordable and scalable, suggesting that cybercrime is now big business.

Forum 79, Edinburgh
Forum 79 took place from Monday 24th to Wednesday 26th June 2013 and proved very popular among the I-4 membership. Highlights from Forum 79 included:
- A diverse set of case studies, linked together through all being both real and recent.
- Decision support: What's on your dashboard? Examining what I-4 Members are doing with metrics and management information to support their information security decision making.
- Far from the Purely Academic: security research is increasingly having an immediate impact on security tasks we need to do now. We hear on a range of topics with near-term application.
- Smart metering: an increasingly hot topic that is likely to become relevant to us all as consumers and to many of us as security leaders, with its many technical and legal challenges.
- The London 2012 Games: the challenges and many successes of delivering a cyber-secure large-scale event.

Forum 80, Houston
The I-4 Forum 80 took place in Houston from Monday 21st to Wednesday 23rd October. Highlights from Forum 80 included:
- Case Studies, the real world: a series of Member case study presentations across a range of topics and sectors, including securing big data, the SOC journey from in-house to outsource to highly effective in-house again, and how to manage the enterprise in the world of social media.
- Data Analytics, can information security benefit? Exploring whether the Big Data analytics platform can be used to consolidate structured and unstructured security data.
- SCADA & Control System Security: demonstrating the huge importance of and reliance on these systems beyond the traditional boundaries of the process and utility sectors.

Forum 81, Phoenix
The I-4 Forum 81 took place in Phoenix from Monday 10th to Wednesday 12th March. Highlights from Forum 81 included:
- Case Studies: four diverse member case studies ranging from records management to life after a significant APT attack.
- Data Scientist: Actionable Insights from Big Data. Investigating the possibility of using Data Science capabilities for security, including the skills required to obtain the most value from this concept.
- Seeing your Way Clearly Through the Cloud: sharing current experiences of cloud security and the latest developments in this field, particularly the emerging sources of cloud assurance information.
- Business and Operational Resilience keynote session, which emphasised how operational resilience requires a well-established enterprise-wide operational risk management capability and that this function needs to converge risk management views (e.g. physical, information security, IT ops management).

Forums (cont.)

Forum 82, Geneva
The I-4 Forum 82 took place in Geneva from Monday 23rd to Wednesday 25th June. Highlights from Forum 82 included:
- An opening keynote presentation that shared experiences of reporting directly to the CEO of the company and how their mission has evolved to provide the best security when it comes to innovation, transparency and effectiveness.
- Engaging the Board and Executive: risk appetite and informed decision making. An entire session dedicated to sharing techniques that have been used to good effect when making Executives aware of the risks associated with information security and providing them with the key information they need to make decisions.
- Attracting, Finding, Developing and Retaining: Where has all the talent gone? Four key lessons learnt during this session were: talent is there but demand is outstripping supply; qualifications and certifications remain key considerations; succession planning is vital; and support diversity and the next generation.
- Awareness and Behaviours: winning the arms race. A highly interactive session focused on the latest techniques organisations have used to attempt a change in behaviour among staff about securing information. The need to eliminate the underlying reason for poor practices is a high priority; however, measuring the effectiveness of awareness messages remains a challenge.

European Regional Meetings
25th September 2013: the theme for the one-day event was Disruptive Technologies: What enterprise IT and information security look like in the new world order. It was hosted by BAE Systems Detica in London, with future-looking views from finance, oil and gas, high technology and telecommunications.

Webinars

The Insider Threat... An Insidious Information Security Reality
Participants were presented with a series of real-life documented cases of insider actions that have compromised a variety of organisations and which have led to perhaps the largest amount of intellectual property loss in modern history.

A business-based perspective on information security
This presentation focussed on the business perspective of information security controls and processes and why they are so important for the business. Innovative solutions were also shared that could deliver control requirements to the business.

Mobile, smart device security and the Cloud
A member organisation shared their knowledge of mobile and smart devices in relation to the Cloud, with particular emphasis on the key challenges of securing consumerised devices accessing cloud services, the security of mobile apps from cloud providers and the legal and regulatory challenges around BYOD.

Software assurance
A representative from the U.S. Department of Homeland Security provided a very useful and in-depth analysis of software assurance techniques and tools that could help quantify and improve the security and reliability of systems.

Finding the Needle in a Needle Stack: Surveillance Analytics
A member organisation presented an overview of how to set up an effective end-to-end approach for analytics and placed a great deal of emphasis on gaining operational benefit from the output this approach produces. Examples were shared about how the approach could work in practice, particularly for insider threats and APT, which was of great interest to members who joined the webinar.

Webinars (cont.)

Enhancing decision-making through the Cyber Security Cartographies project (CySeCa)
A variety of ways in which both people and technology protect important data were presented, and attendees were particularly interested to learn about the range of techniques available to better inform security managers about the strength of data protection across their cyber estate.

Keeping Up With the Next Generation of Security Risk
With a consideration of the more sophisticated malware attacks against critical infrastructure and mobile devices, the webinar explored how IT and security risk affects the IT infrastructure, cyber security and the business overall.

KPMG Cyber Index FTSE 350
This I-4 webinar provided an opportunity to share and discuss the research performed by KPMG across the UK's FTSE 350 constituent companies (over January to June 2013), with the aim of performing the same initial steps that hackers and organised criminals would perform when profiling a target organisation for attack or infiltration.

Information Security and Business Continuity Management
This I-4 webinar presented a Member's perspective on the two disciplines, supported by real-world examples, outlining where the two differ but also overlap in terms of the activities which they cover.

Why SCADA Security is NOT like Computer Centre Security
This webinar presentation provided a recap of the current situation regarding the threats posed to control systems and what can be done to change the way we manage these systems to make them even more robust.

Security Strategy from a Government perspective
This webinar provided I-4 Members with a clear insight into the UK Government's Cyber Security Strategy from a representative of the UK Cabinet Office. The webinar focused on the initiatives undertaken by the UK Government to strengthen the UK's resilience to cyber-attack, the impact of the Cyber Security Strategy on the private sector, particularly financial services, and the cultivation of a safe and stable international cyberspace.

Threat Management Response & Process in the I-4 community
An I-4 Member provided insights into the process they follow to manage threats, including how they respond to threats from a variety of sources and why they are continuously developing and improving their threat management process. I-4 Members then shared knowledge and experience about what works well and what could be improved about threat management, particularly how intelligence collaboration could be exploited further in the I-4 community.

The evolution of cybercrime
Overview of the cyber threats facing financial services organisations today and the nature of the actors by whom they are being targeted.

Consumer Insights, Privacy and Overtime: The Good, the Bad and the Ugly of the Internet of Things for Business
An understanding of how the Internet of Things impacts businesses in ways that may not have been anticipated, which included a discussion about the advantages offered by the Internet of Things and how any benefits should be weighed up against compliance requirements and legal and regulatory issues.

Member Queries

Social Media
Access to social media, the restrictions that have been enforced and the coverage of acceptable use of social media in policy gained a number of varied responses.

Remote Printing
Restrictions over employees printing remotely, including controls over contractors and third parties printing material, were explored in this Member query.

Card data security
One multinational financial services organisation was looking to understand how similar entities were addressing core security best practices relative to card data security versus PCI DSS itself, and how they are separating or intertwining the two topics.

Information classification and handling
An I-4 Member was interested in finding out whether there is a better way of approaching information classification and handling, specifically whether other organisations have successfully implemented their policies with evidence of good practices being adopted.

Clear desk/document destruction
Clear desk/document destruction routines were being refreshed by one organisation and, while this programme was being finalised, they wanted the chance to benchmark their policies, approach, audit approach and consequence models against other Member organisations.

Layered anti-virus defence
Anti-malware defence mechanisms were being reassessed by one Member who was keen to understand what the industry standard was regarding layered anti-virus defence on the email infrastructure.

Backup media encryption
The risk associated with backup media (tapes, etc.) as it is transported to and from offsite storage facilities was being reassessed by one Member who wanted to find out how other organisations were approaching the same issue.

Security Framework Alignment
Questions were asked about whether aligning the information security policy to a standard framework has helped to minimise and mitigate risks in other organisations.

Security Auditing
This query was seeking to understand whether information security audits are performed by external entities and whether using a security framework helps in these assessments.

Procurement practices and processes
One Member organisation was reviewing their IT in an Operational Technology environment to better understand and mitigate any security risks. As part of this work they were looking to review their procurement practices and processes against those of other Members.

Measuring policy compliance
This query was initiated by a Member organisation who was looking to survey the I-4 membership about what they have based their policies on and how they have measured compliance against policy in their organisations.

Mail and SharePoint PII Security
The current legislative trends around encrypting PII and the desire to protect sensitive information from accidental mishandling, insider theft, and third party theft and mishandling led one organisation to explore what protections, including encryption, other companies are applying in their unstructured environment.

13 I-4: An Overview i Member Queries (Cont.) Implementing a SIEM An I-4 Member was building a business case for implementing an internal SEIM as part of their Security Operations Centre and wanted to know the approach taken by other I-4 members. Cyber security legislation One Member organisation was looking to find out more about the changing legislative landscape from a Cyber perspective in order to better understand the risks and impact associated with cyber security. Monitoring and logging This query came from a Member organisation seeking to understand how their peer organisations monitor user and system activities and the logging techniques they undertake. Third Party Suppliers Awareness about how Member organisations undertake due diligence reviews of potential third party suppliers prior to contracts being signed and how they gain assurance that their suppliers are meeting their information security obligations during the contract term. Information Security Awareness A quick benchmark about the different types of information security awareness and training that organisations deliver to their customers and third party suppliers. Information Classification Guidance on how large, complex organisations classify their information, and in particular whether they have any special handling requirements for customer information. Social Media Good practice that has been adopted across the membership to help address the risks and opportunities presented by social media. 
Application security
Survey of I-4 Members about the techniques that are currently being used to secure applications.

Information Security Policy
One Member organisation wanted to find out how other organisations measure policy effectiveness, which they define as the degree to which employee behaviour corresponds to policy requirements.

Patching Completion Criteria
This Member was making improvements to vulnerability remediation and patching processes and wanted to survey the membership about their approaches.

Business continuity planning
An I-4 Member organisation experienced an increase in customer demand for business continuity information, plans, test results and audits. They wanted to understand how other Member companies reply to these requests while safeguarding confidential information and handling the volume of requests.

Most Confidential data on Smartphones
A Member organisation was looking to move to an alternative, Smartphone based solution and was keen to understand what solutions other companies have deployed, or are deploying, to protect such data on mobile devices.

Cloud messaging services
Members were asked whether the use of Cloud messaging services was routinely accepted or whether these services were actively blocked.

Architecture Standards
Survey of Members about their architecture standards, including how they are used to help manage information security more effectively.

End User Computing
One Member organisation wanted to gain awareness of End User Computing, particularly focused on how assurance is gained and where governance is carried out.

Cyber Security Awareness
Innovative solutions for ensuring the effectiveness of cyber security awareness were probed in this query, including whether any new approaches were being designed and undertaken.

Managing obsolete software
An I-4 Member was interested in hearing about any approaches other Members may be considering, particularly when Windows XP goes out of support in April 2014.

Consequence management
To effectively change behaviours and encourage desired actions, one Member organisation was implementing consequences tied to its established data security behaviours and wanted to ask other I-4 Members whether they had put in place a similar initiative to increase compliance in data security.

Compliance Monitoring
Member query initiated to discover how I-4 Members monitor security controls and ensure systems are patched in a timely manner.

Internet facing services
A financial services organisation was looking to understand how its peers approach the subject of managing external vulnerabilities and Internet facing services.

Maturity models
This Member query formed part of one Member organisation's research into the applicability of maturity models for assessing and managing cyber security activities.

Using live data
This query helped one organisation to understand whether other large, complex organisations use live data in their testing processes, and if so what steps they take to protect the data.
Project Reports

Advanced Persistent Threats: Stage Two
Stage Two of the Advanced Persistent Threat (APT) project focused on identifying and reporting on what good should look like for APT defence. Emphasis was placed on detective monitoring, the use of forensic information and what needs to be done to reach a position of strength.

Information Security Awareness
This project gathered Member experiences of designing and running user awareness programmes: understanding what makes a good user awareness programme; obtaining business sponsorship and funding; developing the messages and the communication methods; and gaining assurance that objectives are met. Existing I-4 resources on awareness were revisited to update the key messages and make this material more accessible for Members to use within their own organisations.

Creating a future direction for Mobile Security
Results from the I-4 mobile security survey are outlined in this report, which captures how large, global organisations view their capability for managing mobile devices.

Launch of the Threat and Intell Exchange
At the March 2012 Forum, there was much discussion as to how those of us in information security can better share information about attacks, threat intelligence etc. and how I-4 can help with this. As a result, in April 2012 we held the first session of a brand new teleconference service that I-4 runs every month (or ad hoc to pick up breaking incident news) to provide Members with the opportunity to discreetly and openly discuss threat and intelligence information currently on their agenda.

ii The I-4 team

Since December 2009 I-4 has been owned and operated by KPMG LLP, who continue to invest in and develop the Programme to meet the changing needs of its members. Individuals from KPMG LLP serve on the I-4 leadership team, which can also call on highly experienced specialists from KPMG member firms around the world, as well as external security analysts and seasoned industry practitioners and leaders.

Mark Waghorne: Head of the I-4 Programme
Mark has been working in information technology, systems, and security for over 25 years, specializing as an information security practitioner since the late 1980s and focusing on security management since the mid 1990s. Before joining KPMG seven years ago, Mark was Global Head of Information Security for Standard Chartered Bank, with responsibility for all aspects of information security across all the Group's lines of business and geographic operations. Since then, he has helped a range of clients implement security management organizations and processes. His experience covers a wide range of sectors including financial services, energy, industrial products, telecommunications, construction, and infrastructure, and Mark has filled interim head of information security positions in the finance, civil engineering, and mobile telecommunications sectors. Mark was an active member of I-4 for a number of years while at Standard Chartered and has led the I-4 Programme since its acquisition by KPMG in December 2009.

Malcolm Marshall: I-4 Sponsoring Partner
Malcolm is global leader for KPMG's market leading Information Protection and Business Resilience services. He has over twenty years' experience in advising clients on information risk management. Clients include several of the world's largest corporations and Central Government departments.
Recent work includes security improvement programmes, data breach investigations, identity and access management projects, privacy advisory and security compliance programmes.

"The interaction between like-minded individuals, particularly those with considerable experience in information security, is typically not found anywhere else. The validation of thought processes can be achieved face to face at Forums, which is particularly valuable and helps you to look at issues in a variety of different ways. Outside of Forums, monthly webinars and Member queries tackle issues that are very relevant and give you a point of contact to discuss further with individuals across different industry sectors."
I-4 Member, May 2013

Greg Bell: I-4 Sponsoring Partner US, East
Greg has in-depth experience in IT risk management and business enablement. He's managed complex projects implementing, administrating, and securing complex client-server and heterogeneous network technologies. Greg previously worked for Eaton Corporation and the Coca-Cola Company and is a frequent speaker and author on information security, privacy, and risk management.

Paul Dorey: Senior I-4 Advisor
An acknowledged thought leader in security, Paul has over 25 years of experience as a security and risk executive at Morgan Grenfell/Deutsche Bank, Barclays Bank, and BP. He has received several awards including Chief Security Officer of the Year, IT Security Executive of the Year, and IT Security Hall of Fame. His involvement with I-4 goes back to the late 1980s, including a period on the Membership Advisory Committee (MAC). He is a Visiting Professor in Information Security at Royal Holloway, University of London and is a director and co-founder of Security Faculty. In addition to his speaking and lecturing activities he helps companies and government departments in building their information security strategies, risk governance and metrics, including acting in interim CISO roles and supporting CISOs in developing their functions.

Marissa Goulding: I-4 Events Manager
Marissa is the I-4 Events Manager and has been with the programme for more than fifteen years. Regardless of the question or help needed, for participants in I-4 events she is the point of contact and coordination for speakers, session chairs and of course I-4 members. Marissa's knowledge of I-4 and of how to make an event run effectively is central to I-4 Forums and other meetings delivering real value to the I-4 Membership.

Charles King: Senior I-4 Advisor
Charles is a highly experienced information security practitioner; his career began with cryptography and electronics in the U.S. Navy.
After his career in the Navy, Charles moved into industry, notably filling C-Suite roles at State Street Corporation and SunGard Financial Systems. In all these positions he brought a business-oriented approach to information security, software sales and the delivery of financial services. For over thirty years, he has led and executed high profile programs including organizational transformation, vulnerability assessment, and governance framework alignment. His information security approach balances the strategic with the practical. As a member of The King Group, Charles currently supports global advisory clients, system integrators, information security firms, and public sector clients with thought leadership and strategic messaging.

Shahed Latif: I-4 Sponsoring Partner US, West
Shahed is an acknowledged world authority on cloud computing and co-author of Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. He has worked for KPMG for 25 years and was an initial member of the firm's North American Information Protection practice. He has extensive contacts in information protection across the west coast, with excellent relationships with the major technology vendors and customers. In addition, Shahed has worked closely with some of the largest enterprises to develop their information security vision, strategy, and roadmaps.

David Morgan: Senior I-4 Advisor
David is a recognized and respected thought leader in the security and risk management industry with over 20 years' experience focusing on information security, fraud prevention, business continuity and physical/personal security. Prior to moving into training & development and consultancy, David held a number of Board level executive roles including Lloyds TSB (Chief Security Officer), ING Group (Global Head of Information Risk Management & CISO) and Barclays (Group IT Risk & Security Director). He has a proven track record in delivering strategic and organisational change within large complex organisations. David is extremely passionate about people development, is a certified Insights practitioner, and has run numerous leadership development groups and security master classes for large multinational companies. In addition he has provided strategic consulting services and interim management to a variety of blue chip organizations in the Financial Services, Energy, Telecoms and High Tech sectors. He was an active I-4 member for many years, having attended his first meeting in 1995. David is also a Director and co-founder of Security Faculty.

Gerry O'Neill: Senior I-4 Advisor
Gerry is an information security professional with over 27 years of experience in the field of Information Security, Risk Management, Audit and Governance, holding senior positions in a number of major consultancies, and in financial services and government. Gerry was a hands-on I-4 member during his time as Head of Group IT Risk at Barclays PLC, and subsequently, in 2003, he joined the I-4 Team as Senior European Representative. He is also a recent Chief Executive Officer of the Institute for Information Security Professionals (IISP).
Among other recent initiatives, he was a member of the Steering Committee for the CAMM initiative (Common Assurance Maturity Model), and is a former (and founding) Vice-President of the Cloud Security Alliance UK & Ireland Chapter.

Martin Tully: I-4 Content Manager
Martin is an experienced security consultant, having worked previously in another major professional services firm. Martin has a strong background in working across most industry sectors in the development of best practice guidance and methodologies. Martin is currently responsible for producing the I-4 newsletter, facilitating webinars and managing responses to Member queries. He also contributes to the delivery of I-4 research projects such as the Advanced Persistent Threat project and Security Awareness. Martin holds a Bachelor's degree from Royal Holloway, University of London.

Natalia Stepan: I-4 Projects Assistant
Natalia joined the KPMG Information Protection team in October 2013. She completed her Bachelor's in Philosophy, Politics and Economics at the University of Oxford in 2012 and her Master's in Local Economic Development at the London School of Economics in 2013. Before joining I-4, Natalia worked on a project in the Data Analytics department. She is currently assisting on all aspects of I-4 including content, research and supporting current and potential members. Natalia is the first port of call for any member support queries.

Malcolm Marshall
malcolm.marshall@kpmg.co.uk
+44 (0)20 7311 5456

Mark Waghorne
mark.waghorne@kpmg.co.uk
+44 (0)20 7311 5220

Greg Bell
rgregbell@kpmg.com
+1 404 222 7197

Shahed Latif
slatif@kpmg.com
+1 650 404 4217

John Hermans
hermans.john@kpmg.nl
+31 206 568 394

I-4 is a membership service provided by member firms of KPMG International, a Swiss entity. All rights reserved.

2013 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss entity.