Security  &  Risk  Management  

Firewalls,    An--­‐virus,    An--­‐spam  

Security  guards,  Locks,  

Nuts  &  bolts  

It’s  all  about…  

Security  is  not  about…  

Protec7ng  the  business  against  discon7nuity  as  a  result  of  danger  and  risk  

1.  Damage  to  reputa-on  2.  Business  interrup-on  3.  Third  party  liability  4.  Distribu-on  or  supply  chain  failure  5. Market  environment  

Global  Risk  Management  Survey  AON,  april  2007  

Your  concerns  

6.  Regulatory/legisla-ve  changes  7.  Failure  to  aUract  or  retain  staff  8. Market  risk  (financial)  

9.  Physical  damage  

10. Merger/acquisi-on/restruc-ng  

11. Failure  of  disaster  recovery  plan  

Global  Risk  Management  Survey  AON,  april  2007  

More  concerns  

Shareholders'  trust:   Customers'  trust:  

Corporate  viability   Business  integrity  

Compe--ve  advantage   Service  availability  

Brand  name  value  preserva-on   Protec-on  of  customers'  sensi-ve  informa-on  

Legal  and  regulatory  compliance  

CHRISTOS  K.  DIMITRIADIS  in  Soa  &  Woa:  Informa-on  Security  from  a  Business  Perspec-ve  

Reputa7on  =  Trust  

It  takes  years  to  build  trust  but  a  few  seconds  to  destroy  it    

Opera-onal  risk  

Insurance  risk  

Liquidity  risk  Market  risk  

Credit  risk  

Enterprise  risk  

Types  of  risk  

The  risk  of  loss  resul-ng  from  inadequate  or  failed  internal  processes,  people  and  systems,  or  from  external  events.  

Basel  II  

Opera7onal  Risk  

Define  

Measure  

Analyze  Improve  

Control  

Managing  Risk  

   Threats  of  natural  origin;  

   Threats  due  to  (consciously  or            unconscious)  human  ac-on;  

   Threats  caused  by  technology.  

Types  of  Threats  

Start  thinking  in  risks,  stop  thinking  in  security  measures  

To  much  

Mismatch  

The  challenge  

•  Business  •  Processes  •  Informa-on  •  Assets  •  Staff  

What  could  hit  (y)our…  

Low   High  

Low  

High  

Probability  

Impact  

Risk  =  Impact  of  Risk  x  Probability  of  Occurrence  

Risk  

Risk  taking  

Risk  neutral  

Risk  averse  

Low   High  

Low  

High  

Probability  

Impact  

Risk  appe7te  

Share  (transfer)  

Avoidance  (eliminate)  

Reten-on  (accept)  

Reduc-on  (mi-gate)  

Low   High  

Low  

High  

Probability  

Impact  

Poten7al  risk  treatments  

The biggest risk is the risk you don’t see

Arson  

Fire  

Loss  of  loca-on  

Loss  of  produc-on  

Loss  of  turnover  

Cause  and  effect  

DON’T AIM AT THE EFFECT, TRY TO PREVENT THE CAUSE

Think  outside  the  circle…  

‘Everything should be made as simple as possible, but not simpler’!Albert  Einstein  

Assess    Risks  

Manage    Risks  

Manage  Incidents  

…and  keep  it  simple  

Reputa-on  damage  is  not  the  threat,  it’s  a  consequence  of  something  else.  

Just  like:  •  Loss  of  turnover  •  Loss  of  customers  •  Bad  publicity  •  Regulators  sanc-ons  

Reputa7on  

Do  you  want  them  to  be  compliant…  

          …or  ‘in  control’?  

Compliance  versus  “in  control”  

Reading  a  book  about  skiing  does    not  mean  you  know  how  to  ski  

(and  even  the  best    skiers  can  break  a  leg)  

It’s  just  like  skiing  

Risk  is  percep7on  

Whats  your  defini7on  of  skiing?  

Fire  

Reputa-on  damage  

Data  leakage  

Burglary  

Virus  

Customer  loss   Regulators  

sanc-ons  

SPAM  

Flooding  

Power  failure  

Fraud  

Thel  

Sabotage  

Spionage  

Errors  

Bad  publicity  

System  failure  

Terrorism  

Storm  Strikes  Incompetent  

personnel  

Effect:    discon-nuity  lost  sales  

increased  costs  

…and?  

And  if  all  goes  wrong  

Continuity!(based  on  risk  assessment)  

The  holy  grail  

www.B-­‐Mature.com  of  direct  contact  via  info@b-­‐mature.com    …most  organisa7ons  never  fully  mature,  they  simply  grow  taller