Information security (un)awareness by Marc Vael

1

Marc Vael CONFENIS

ISACA September 2012

Information Security (Un)Awareness

Marc Vael International Vice-President

Information Security

(un)awareness

“My management

just does not “get”

information

security!” Anonymous CISO of a large financial institution

2

Marc Vael CONFENIS



“I am overwhelmed with

all the passwords I have

to remember. I just write

them down & leave them

with my executive

assistant.” Anonymous manager working in an insurance company

“Management has

authorized acquisition of

security monitoring tools,

but they did not give me

any budget for people to

do this monitoring.” Anonymous CISO of a multinational service organisation

3

Marc Vael CONFENIS



“Sure, I support

information security,

but my people need to

work and make money.”

Anonymous CEO of a retailer

“Our information security

department keeps getting

more tools, but I do not

think we are any more

secure.” Anonymous CRO of a large financial institution

4

Marc Vael CONFENIS



“Security policy is one

thing. Reality is another.”

Anonymous COO from a consulting company

“All that information security people do is

say “No!”.

They should learn how

we really work.

Angry manager of a governmental agency

5

Marc Vael CONFENIS



6

Marc Vael CONFENIS



7

Marc Vael CONFENIS



8

Marc Vael CONFENIS



Cyberwarfare is

"the fifth domain of

warfare“

9

Marc Vael CONFENIS



Impact of an attack on the business

10

Marc Vael CONFENIS



People are the weakest link.

You can have the best technology, firewalls, intrusion-detection systems,

biometric devices - and somebody can call an unsuspecting employee.

That's all she wrote, baby. They got everything.

Kevin Mitnick, ex hacker, IT security consultant.

11

Marc Vael CONFENIS



Business Model for Information Security

12

Marc Vael CONFENIS



13

Marc Vael CONFENIS



14

Marc Vael CONFENIS



Managing risks appropriately

15

Marc Vael CONFENIS



Risk always exists! (whether or not it is

detected / recognised by the organisation).

16

Marc Vael CONFENIS



EDUCATION!

17

Marc Vael CONFENIS



18

Marc Vael CONFENIS



Corporate governance : ERM = COSO

Support from Board of Directors & Executive Management

19

Marc Vael CONFENIS



Policies & Standards

Project Management

20

Marc Vael CONFENIS



Providing proper funding

Providing proper resources

21

Marc Vael CONFENIS



Measuring performance

Review / Audit

22

Marc Vael CONFENIS



Your security solution

is as strong …

… as its weakest link

23

Marc Vael CONFENIS



24

Marc Vael CONFENIS



www.isaca.org/knowledgecenter

25

Marc Vael CONFENIS



www.isaca.org/cobit

Marc Vael

International Vice-President

Chairman of the Knowledge Board

ISACA

http://www.isaca.org/

For more information…

[email protected]

http://www.linkedin.com/in/marcvael

@marcvael

Technology

Information security (un)awareness by Marc Vael