Making a difference! How both CSOs & CISOs are positioning security on the corporate agenda
Alan Jenkins Simon Marvell
www.acuityrm.com
www.csc.com
Who Acuity works with… customers
Business performance reporting
• Actual, forecast and historic performance against targets
• Financial position vs targets, e.g. sales, earnings, market share……
• Highlights, e.g. Top 10 accounts
• Performance levels, e.g. service availability, failure rates
• Project delays, loss of key contracts……
• Exception reports
• Key actions and responsibilities

Actionable GRC reporting
• Actual, forecast and historic performance against targets
• Risk position vs targets, e.g. risk appetite, tolerance for losses……
• Highlights, e.g. Top 10 risks
• Performance levels, e.g. compliance levels, incident rates
• Major incidents, serious non-compliances……
• Exception reports
• Key actions and responsibilities

Example GRC reports:
• Risk position vs risk appetite
• Highlights, e.g. Top 10 risks
• Performance against targets – security metrics
• Performance against targets – incidents & near misses
• Performance against targets – compliance
• Historical views
DELIVERING CONFIDENCE
UK SRM: Support, Guide and Protect the Business
How active Security Risk Management enables our Business
CSC Proprietary
Since 1959, We’ve Helped Clients Achieve Competitive Advantage from Every Major Technology Wave
We are a world leader in leveraging IT to develop business solutions and services
Market-leading corporations and major government agencies partner with us when delivery is critical to their mission
Our approximately 93,000 professionals serve clients in more than 90 countries
We have a 50-year track record of client service excellence
Our global delivery network provides consistent delivery of solutions and services ― common processes and highly skilled, cost-effective, multilingual resources
We are CSC: an NYSE, Fortune 150 and Fortune “Most Admired Company” ― 50 Years Strong
Across the globe ― when delivery is critical
World-Class Customers Turn to CSC to Solve Their Most Critical Issues — Every Day
Transforming technology into business results, services to citizens, and operations support
Broadening security value to the business
Our strategic intent is to deliver increased value to CSC & our Clients through intelligent application of our Security Governance, Risk & Compliance activities
[Figure: maturity grid. Vertical axis, Stages in Managing Expectations: Reactive, Responsive, Anticipatory. Horizontal axis, Stages in Managing Experiences: Internally oriented, Hassle-free, User-friendly, Engaging and exciting, Co-shaping individual experiences.]
Company information: something to consider ...
• We must be able to answer the ‘So what?’
• Ideally in terms of fiscal impact, if not directly on business
• We must remember that Threat is but one Risk factor
• Risk is dynamic, not static
• Varies due to other factors, e.g. timeline, 3rd party interest
CSC Requirements for automated support
• Support for consistent, efficient risk and compliance processes across multiple accounts
• Fully aligned with ISO 27001, with a threat and asset based risk management approach and able to generate the various deliverables required by our External ISO 27001 Auditors
• Configurable to meet CSC’s, and clients’, specific requirements, including other risk and compliance frameworks
• Intuitive and easy to use
How CSC UK is delivering GRC reporting
• Primary use has been to support our ISO 27K certification
• Highlighted network as an area not previously reviewed well
• Clear evidence, previously only anecdotal
• Takes multiple low level performance metrics, e.g. vulnerability scan output, and provides the business with visibility of risk exposure
• Our GRC reporting has matured over the past 3 years as both STREAM & our understanding have evolved to match business requirements
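The roll-up from low level scan output to the business view described above (risk position vs appetite, Top 10 risks, exception report, compliance KPI), as an added illustration that is not code from the presentation, CSC or STREAM. The scoring model is an assumption chosen to reflect the earlier point that threat is only one risk factor and that risk moves with time: each finding's CVSS score is weighted by asset criticality and escalated once an assumed 30-day remediation SLA is missed. The findings, account names, appetite figures and host names are constructed sample data.

```python
"""Roll up raw vulnerability-scan findings into a business-level GRC view.
Added example; not code from the presentation, CSC or STREAM.  Weights,
SLA and risk-appetite figures below are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    account: str      # business area / client account owning the host
    host: str
    cvss: float       # CVSS base score (0.0-10.0) as reported by the scanner
    criticality: int  # asset criticality from the asset register, 1 (low) .. 5 (critical)
    days_open: int    # days since the finding was first reported


# Constructed sample scanner output (not real hosts or real findings).
SCAN_FINDINGS = [
    Finding("UK Data Centres", "dc-web-01", 9.8, 5, 45),
    Finding("UK Data Centres", "dc-db-02", 7.5, 5, 10),
    Finding("UK Data Centres", "dc-test-09", 9.8, 1, 60),
    Finding("NHS CfH", "nhs-app-03", 8.1, 4, 40),
    Finding("NHS CfH", "nhs-app-04", 6.5, 4, 5),
    Finding("NHS CfH", "nhs-fs-01", 9.1, 5, 35),
    Finding("RMG", "rmg-mail-01", 5.3, 3, 12),
    Finding("RMG", "rmg-web-02", 7.2, 2, 3),
]

# Hypothetical risk appetite: the maximum aggregated exposure each account's
# management has stated it will tolerate.
RISK_APPETITE = {"UK Data Centres": 30.0, "NHS CfH": 20.0, "RMG": 10.0}

REMEDIATION_SLA_DAYS = 30  # assumed remediation target behind the compliance KPI


def finding_exposure(f: Finding) -> float:
    """Exposure of one finding.  CVSS is only the threat side; it is weighted
    by asset criticality and escalated once the SLA is missed, so the risk
    position changes over time even when the scan result does not."""
    weight = f.criticality / 5  # 0.2 .. 1.0
    overdue = 1.5 if f.days_open > REMEDIATION_SLA_DAYS else 1.0
    return round(f.cvss * weight * overdue, 2)


def exposure_by_account(findings):
    """Risk position per account: sum of its finding exposures."""
    totals = defaultdict(float)
    for f in findings:
        totals[f.account] += finding_exposure(f)
    return {account: round(value, 2) for account, value in totals.items()}


def exception_report(findings, appetite):
    """Accounts whose exposure exceeds appetite, worst overshoot first.
    An account with no stated appetite is reported as well: having no
    agreed tolerance is itself an exception for management to resolve."""
    rows = []
    for account, value in exposure_by_account(findings).items():
        limit = appetite.get(account)
        if limit is None or value > limit:
            rows.append({"account": account, "exposure": value, "appetite": limit})
    return sorted(rows, key=lambda r: r["exposure"] - (r["appetite"] or 0.0), reverse=True)


def top_risks(findings, n=3):
    """Top-N findings by exposure (the 'Top 10 risks' highlight, N=3 here)."""
    return sorted(findings, key=finding_exposure, reverse=True)[:n]


def sla_compliance(findings, sla_days=REMEDIATION_SLA_DAYS) -> float:
    """Share of open findings still within the remediation SLA, 0.0-1.0."""
    if not findings:
        return 1.0
    within = sum(1 for f in findings if f.days_open <= sla_days)
    return within / len(findings)


def build_report(findings=SCAN_FINDINGS, appetite=RISK_APPETITE):
    """The four report sections a board pack would carry."""
    return {
        "risk_position": exposure_by_account(findings),
        "exceptions": exception_report(findings, appetite),
        "top_risks": [(f.host, finding_exposure(f)) for f in top_risks(findings)],
        "sla_compliance": sla_compliance(findings),
    }


if __name__ == "__main__":
    for section, content in build_report().items():
        print(f"{section}: {content}")
```

On the sample data the NHS CfH account breaches its appetite even though the UK Data Centres account holds the single worst finding; that is the difference between a per-finding severity list and a risk position, and why the exception report and the Top-N list are reported side by side.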
Pilot project and account roll-out
• Initial deployment was to 3 business areas
  • UK Data Centres, NHS CfH & RMG
• In 2010 decision taken to roll-out STREAM to 100+ UK accounts and extend scope to include BS 25999, PCI-DSS, IAMM and ISO 9001/20K
• Roll-out Pilot underway, with objectives:
  • Prove partitioning of data between accounts while allowing secure sharing of common risk and compliance data
  • Demonstrate a common approach but with local configurability to meet specific account requirements
  • Develop and prove a cost effective training plan
• Interim results of Pilot are very positive
STREAM aids automation of Security GRC Role/Function across Enterprise
• Principles
  • Use technology to provide a leveraged GRC service for both CSC internal and customer use
  • Tool should not be security only but for GRC across all parts of a business
  • Use the service to break the current cultural barriers inherent within the company – cultural change
• Approach
  • Use technology to replace the majority of manual tasks, thereby enabling the Compliance Manager to support multiple accounts
  • Create a centralised, leveraged service to support the technology and a centralised team to carry out the initial GRC assessment
  • BAU then becomes simpler for the remaining team, who mostly only have to deal with exceptions
  • Explore how this technology can be used within other functional areas such as Finance, Facilities, Legal etc.
Benefits
• Reputational
  • Positive response from existing clients, reassurance that CSC is providing ‘best in class’ risk management & compliance
  • Helping new business acquisition
  • ISO 27001 auditor perception – “CSC are ahead of our client base”
• Efficiency
  • Risk and compliance processes – bringing new services in more quickly (Westlakes)
  • Audits, including SAS70 & SOX
  • Reduces risk – commercial and security
Summary & Conclusion
• CSOs & CISOs are making a difference and positioning security on the corporate agenda by:
  • Providing actionable GRC reporting on risk position, compliance levels and incidents
  • Enhancing reputation with customers
  • Helping new business acquisition
  • Getting greater productivity from available resources
  • Extending to related risk areas: business continuity, HSSE, environmental, ERM etc.
• For further information please contact us – www.acuityrm.com [email protected]
• Or see Simon and Alan on the Acuity stand (F81)
CSC Computer Sciences Limited, Royal Pavilion, Wellesley Road, Aldershot, Hampshire GU11 1PZ, +44 1252 534000, www.csc.com
Acuity Risk Management LLP, Liberty House, 222 Regent Street, London W1B 5TR, +44 20 7297 2086, www.acuityrm.com
STREAM Integrated Risk Manager: Risk management made simple