Security Principles for CEOs
Fundamentals of a Risk-Aware Organization
Morten Bjørklund, Software Client Architect, IBM Security, October 24, 2014

Upload: morten-bjorklund
Posted on 02-Jul-2015
Category: Leadership & Management

DESCRIPTION

Important issues in respect to risk and security

TRANSCRIPT

Page 1: Security Principles for CEOs

© 2014 IBM Corporation
IBM Security

Security Principles for CEOs
Fundamentals of a Risk-Aware Organization

Morten Bjørklund
Software Client Architect
IBM Security
October 24, 2014

Page 2: Security Principles for CEOs

The soaring impact of breaches has created a new security reality

More Risk and Bigger Impact

- 3X increase in Java vulnerabilities (1)
- 15% increase in cost of a breach (2)
- $3.5M average cost per breach (2)
- 500,000,000 records breached (3)

1) Q3 2014 IBM X-Force Research and Development, increase from 2012 to 2013
2) 2014 Cost of a Data Breach, Ponemon Institute, global average cost, 15% increase from 2012 to 2013
3) Q3 2014 IBM X-Force Report

Page 3: Security Principles for CEOs

To address security, leaders must avoid common myths

- Your company is not infected. (It is.)
- Whatever you’ve done is enough. (It is not.)
- You need to put your company in lock-down. (You don’t.)
- There’s a silver bullet to protect you. (There isn’t.)

Page 4: Security Principles for CEOs

Use five fundamental security principles to help guide you

- Increase the security IQ of every employee (train, test, trick)
- Prepare to respond, faster (incidents will happen)
- Safeguard BYOD (the vanishing perimeter)
- Protect your crown jewels (define, protect, monitor)
- Leverage security intelligence (analytics = threat insights)

Page 5: Security Principles for CEOs

Make security education a continuous process – for everyone

Increase the security IQ of every employee

Train: Make training a priority from the start, then provide annual education – keep it fun and engaging
Test: Require testing for all employees, and spell out the consequences for non-compliance
Trick: Provide real-life scenarios that catch your employees off-guard with learning traps – “phish” them

Nearly 60% of security incidents are caused internally (1)

1) 2014 Cost of a Data Breach, Ponemon Institute

Example message shown on the slide:

Subject: Your help needed for IBM Cloud opportunity
From: Christina Martin
To: Daniel Allen
Please respond to: chris.martyn.ibm.executive

Hi Daniel Allen,

Your manager recommended you to contribute to a proposal for an important new client opportunity that I am working on. This is a great opportunity for IBM with large commissions likely when we win this account. Please review the material posted on CloudFile and provide your feedback by EOD.

We’re counting on you!

http://fileinthesky.com/IBMClientOpportunity

Thanks,
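Added example, not part of the IBM deck: a small indicator check of the kind the “trick” step trains employees to do by eye, run over a message built from the slide’s text. It flags the five things a trained reader should notice in that sample: a reply-to address outside the organisation, a display name that does not match the address, brand and authority words stuffed into the address, a link to a host other than the file service the text names, and time pressure. ORG_DOMAIN, APPROVED_SHARE_HOSTS, BRAND_WORDS, the benign comparison message and the domain appended to the reply-to address are assumptions for the scenario, not values from the slide.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Scenario assumptions (hypothetical, not from the deck): the organisation's
# own mail domain, the host of its approved file-sharing service, and brand
# or authority words an outsider has no business putting in an address.
ORG_DOMAIN = "example.com"
APPROVED_SHARE_HOSTS = {"cloudfile.example.com"}
BRAND_WORDS = {"ibm", "example", "executive"}
URGENCY_PHRASES = ("by eod", "counting on you", "immediately", "urgent")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample, modelled on the simulated phish shown on the slide.
# The slide gives only the local part "chris.martyn.ibm.executive"; the
# domain appended here is the one the slide's link points to.
SAMPLE_MESSAGE = """\
From: Christina Martin
Reply-To: chris.martyn.ibm.executive@fileinthesky.com
To: Daniel Allen
Subject: Your help needed for IBM Cloud opportunity

Hi Daniel Allen,

Your manager recommended you to contribute to a proposal for an important
new client opportunity that I am working on. This is a great opportunity
for IBM with large commissions likely when we win this account. Please
review the material posted on CloudFile and provide your feedback by EOD.
We're counting on you!

http://fileinthesky.com/IBMClientOpportunity

Thanks,
"""

# Constructed benign message for comparison.
BENIGN_MESSAGE = """\
From: Priya Shah
Reply-To: priya.shah@example.com
To: Daniel Allen
Subject: Proposal draft

Hi Daniel,

The draft is on the team share when you have a moment this week.

https://cloudfile.example.com/proposals/draft-1

Thanks,
Priya
"""


def _split_address(addr: str) -> tuple[str, str]:
    """Return (local part, domain) of an address, lower-cased; no '@' means no domain."""
    local, sep, domain = addr.strip().lower().rpartition("@")
    return (local, domain) if sep else (domain, "")


def phishing_indicators(raw: str) -> list[str]:
    """Return the phishing indicators found in an RFC 822 style message."""
    msg = message_from_string(raw)
    from_name = msg.get("From", "")
    reply_local, reply_domain = _split_address(msg.get("Reply-To", ""))
    body = msg.get_payload()
    findings: list[str] = []

    # 1. Replies would leave the organisation although the sender poses as a colleague.
    if reply_domain and reply_domain != ORG_DOMAIN:
        findings.append(f"reply-to is external: {reply_domain}")

    # 2. Brand or authority words in the address ("...ibm.executive") to borrow credibility.
    local_tokens = set(re.split(r"[._\-+]", reply_local)) - {""}
    if local_tokens & BRAND_WORDS:
        findings.append("brand or authority word in reply-to address")

    # 3. Display name not reflected in the address: "Christina Martin" vs
    #    "chris.martyn" is a lookalike, not the same identity.
    name_tokens = {t.lower() for t in re.findall(r"[A-Za-z]+", from_name)}
    if name_tokens and local_tokens and not (name_tokens & local_tokens):
        findings.append("display name does not match reply-to address")

    # 4. The text names the internal service ("CloudFile") but the link goes
    #    to a host that is neither approved nor inside the org domain.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        in_org = host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)
        if host not in APPROVED_SHARE_HOSTS and not in_org:
            findings.append(f"link to unapproved host: {host}")

    # 5. Time pressure is the lever that makes people skip the checks above.
    lowered = body.lower()
    cues = [p for p in URGENCY_PHRASES if p in lowered]
    if cues:
        findings.append("urgency cues: " + ", ".join(cues))
    return findings


if __name__ == "__main__":
    for label, text in (("sample phish", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, "->", phishing_indicators(text) or ["no indicators"])
```

The checks are deliberately the same ones the awareness training asks people to apply by hand, so the output can double as the debrief for employees who clicked: each finding names the cue they missed. The benign message exercises the no-finding path so a tuned ruleset does not simply flag every external link.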

Page 6: Security Principles for CEOs

Prepare to respond more quickly and effectively to attacks

Prepare to respond, faster

- Constantly monitor to see if someone has breached your defenses: 66% of data breaches took months or more to discover (2)
- Have an emergency response and forensics partner: 92% of security decision-makers say that staffing issues contribute to a heightened level of risk (3)
- Keep your incident response plan updated: 50% of incident response plans are outdated (1)

1) 2013 IBM CISO Assessment
2) Verizon 2013 Data Breach Investigations Report
3) Surviving the Technical Security Skills Crisis: a commissioned study conducted by Forrester Consulting on behalf of IBM, May 2013

Page 7: Security Principles for CEOs

Get ahead of do-it-yourself BYOD with a formal program

Safeguard BYOD*

- 200M mobile workers use at least one business-focused app in a year (2)
- 81% of employed adults use at least one personally-owned device for business (1)
- <1% of users surveyed had corporate security on their personal devices (1)

* BYOD means ‘bring your own device’

1) Harris Interactive, 2012; 2) Global Mobile Enterprise 2011-2017 Forecast, Strategy Analytics

Program elements: Protect the data; Protect the apps; Manage the device; Protect the transaction; Corporate container

Page 8: Security Principles for CEOs

Identify your most critical data and protect these vital assets

Protect your crown jewels

… of publicly traded corporations’ value is represented by intellectual property and other enterprise-critical data (1)

1) 2013 Commission on the Theft of American Intellectual Property

- Define your organization’s “crown jewels”
- Protect these valuable assets at all stages
- Monitor the access and usage of the data

Page 9: Security Principles for CEOs

Use analytics and insights for smarter prevention and defense

Leverage security intelligence

Data sources: Endpoints; Mobile devices; Cloud infrastructure; Data center devices; Threat intelligence; Network activity

Analysis: Real-time correlation and analytics; Anomaly detection; Industry and geo trending

Output: Automated offense identification; Prioritized incidents

Page 10: Security Principles for CEOs

Cybersecurity is a business risk that you need to manage actively

Everyone is part of the solution in a risk-aware culture, and effective security starts at the top

- Get involved. Set the tone and develop a governance model.
- Engage the senior leadership.
- Take an active role in policy – even if it’s unpopular.
- Make security an enabler, not an inhibitor.

Page 11: Security Principles for CEOs

We can help you get started

Principle: How

- Increase the security IQ of every employee: IBM Security Essentials and Maturity Consulting; IBM Cybersecurity Awareness and Training
- Protect your crown jewels: IBM Critical Data Protection Program; IBM InfoSphere Guardium®
- Leverage security intelligence: IBM QRadar Security Intelligence Platform; IBM Managed Security Services
- Safeguard BYOD: IBM Fiberlink® Mobile Security Solutions; IBM Mobile Application Security Assessment
- Prepare to respond, faster: IBM Incident Response Planning; IBM Emergency Response Services

Page 12: Security Principles for CEOs

One final tip

Tip: Ask your security team, “How many incidents did you handle last week?”

Hint: if they say zero, consider getting a maturity benchmark assessment

Our research shows that nearly every large enterprise deals with at least two incidents a week

Page 13: Security Principles for CEOs

www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.