Post on 20-Jul-2020

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Making a difference! How both CSOs & CISOs are positioning ... · Microsoft PowerPoint - infosec2011_CSC Acuity Presentation_AJ _SM_revisions_v2 0.pptx Author: simonmarvell Created

Making a difference! How both CSOs & CISOs are positioning security on the corporate agenda

Alan Jenkins, Simon Marvell

[email protected] www.acuityrm.com

[email protected] www.csc.com

Page 2:

Who Acuity works with… customers

Page 3:

Business performance reporting

• Actual, forecast and historic performance against targets
• Financial position vs targets, e.g. sales, earnings, market share…
• Highlights, e.g. Top 10 accounts
• Performance levels, e.g. service availability, failure rates
• Project delays, loss of key contracts…
• Exception reports
• Key actions and responsibilities

Page 4:

Actionable GRC reporting

• Actual, forecast and historic performance against targets
• Risk position vs targets, e.g. risk appetite, tolerance for losses…
• Highlights, e.g. Top 10 risks
• Performance levels, e.g. compliance levels, incident rates
• Major incidents, serious non-compliances…
• Exception reports
• Key actions and responsibilities

Page 5:

Risk position vs risk appetite

Page 6:

Highlights, e.g. Top 10 risks

Page 7:

Performance against targets – security metrics

Page 8:

Performance against targets – incidents & near misses

Page 9:

Performance against targets – compliance

Page 10:

Historical views

Page 11:

DELIVERING CONFIDENCE

UK SRM: Support, Guide and Protect the Business

How active Security Risk Management enables our Business

CSC Proprietary

Page 12:

Since 1959, We’ve Helped Clients Achieve Competitive Advantage from Every Major Technology Wave

We are a world leader in leveraging IT to develop business solutions and services

Market-leading corporations and major government agencies partner with us when delivery is critical to their mission

Our approximately 93,000 professionals serve clients in more than 90 countries

We have a 50-year track record of client service excellence

Our global delivery network provides consistent delivery of solutions and services ― common processes and highly skilled, cost-effective, multilingual resources

We are CSC: an NYSE, Fortune 150 and Fortune “Most Admired Company” ― 50 Years Strong

Across the globe ― when delivery is critical

COMPANY OVERVIEW 7/11/2011 3:51 PM 6208-10_CSC Overview 12

Page 13:

World-Class Customers Turn to CSC to Solve Their Most Critical Issues — Every Day

Transforming technology into business results, services to citizens, and operations support

Page 14:

Broadening security value to the business

Our strategic intent is to deliver increased value to CSC & our Clients through intelligent application of our Security Governance, Risk & Compliance activities

[Chart: "Stages in Managing Expectations" (vertical axis: Reactive, Responsive, Anticipatory) plotted against "Stages in Managing Experiences" (horizontal axis: Internally oriented, Hassle-free, User-friendly, Engaging and exciting, Co-shaping individual experiences); the upper band is labelled "Shaping" and "Co-shaping individual expectations"]

Page 15:

Company information: something to consider ...

• We must be able to answer the ‘So what?’
    • Ideally in terms of fiscal impact, if not directly on business
• We must remember that Threat is but one Risk factor
• Risk is dynamic, not static
    • Varies due to other factors, e.g. timeline, 3rd party interest

Page 16:

CSC Requirements for automated support

• Support for consistent, efficient risk and compliance processes across multiple accounts
• Fully aligned with ISO 27001, with a threat and asset based risk management approach and able to generate the various deliverables required by our External ISO 27001 Auditors
• Configurable to meet CSC’s, and clients, specific requirements, including other risk and compliance frameworks
• Intuitive and easy to use

Page 17:

How CSC UK is delivering GRC reporting

• Primary use has been to support our ISO 27K certification
• Highlighted network as area not previously reviewed well
• Clear evidence, previously only anecdotal
• Takes multiple low level performance metrics, e.g. Vulnerability scan output, and provides business with visibility of risk exposure
• Our GRC reporting has matured over past 3 years as both STREAM & our understanding have evolved to match business requirements
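The roll-up described on this slide (low-level metrics such as vulnerability scan output turned into business visibility of risk exposure) and the "actionable GRC reporting" structure on Page 4 (risk position vs appetite, top risks, performance levels, exception reports) can be shown end to end in a small script. The Python below is an added example written for this page; it is not code from the presentation or from Acuity's STREAM product. The scan findings, business areas, SLA bands and risk-appetite thresholds are constructed, and the SLA-weighted exposure measure is an illustrative assumption rather than a published method.

```python
"""Roll low-level scan findings up into an actionable GRC view.

Added example for this page; not code from the presentation or from Acuity's
STREAM product. Findings, business areas, SLA bands and risk-appetite
thresholds are all constructed, and the SLA-weighted exposure measure is an
illustrative assumption, not a published method.
"""
from collections import defaultdict

# Constructed scan output: one row per open finding. 'score' is a CVSS-style
# base score (0-10); 'age_days' is how long the finding has been open.
SCAN_FINDINGS = [
    {"asset": "web-01",  "area": "UK Data Centres", "score": 9.8, "age_days": 40},
    {"asset": "web-01",  "area": "UK Data Centres", "score": 5.3, "age_days": 3},
    {"asset": "db-02",   "area": "UK Data Centres", "score": 7.5, "age_days": 12},
    {"asset": "app-07",  "area": "Account A",       "score": 4.0, "age_days": 90},
    {"asset": "app-09",  "area": "Account A",       "score": 8.1, "age_days": 2},
    {"asset": "kiosk-3", "area": "Account B",       "score": 6.5, "age_days": 61},
]

# Constructed remediation SLA (days to fix) per severity band.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}

# Constructed risk appetite: the exposure an area may carry before it is
# reported to the business as an exception.
RISK_APPETITE = {"UK Data Centres": 20.0, "Account A": 10.0, "Account B": 10.0}


def severity(score):
    """Map a CVSS v3 base score to its qualitative band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def exposure(finding):
    """Exposure contributed by one finding (assumed weighting).

    A finding inside its SLA counts at face value; an overdue one is scaled
    up linearly by how far past the SLA it is, so neglected findings rise
    in the ranking instead of being hidden behind the raw score.
    """
    sla = SLA_DAYS[severity(finding["score"])]
    overdue_factor = max(1.0, finding["age_days"] / sla)
    return round(finding["score"] * overdue_factor, 2)


def build_report(findings, appetite, top_n=3):
    """Produce the four GRC views: risk position vs appetite, top risks,
    a performance level (SLA compliance) and an exception list."""
    by_area = defaultdict(float)
    for f in findings:
        by_area[f["area"]] += exposure(f)

    risk_position = {}
    for area, total in by_area.items():
        risk_position[area] = {
            "exposure": round(total, 2),
            "appetite": appetite[area],
            "status": "ABOVE APPETITE" if total > appetite[area] else "within appetite",
        }

    ranked = sorted(findings, key=exposure, reverse=True)
    top_risks = [(f["asset"], f["area"], exposure(f)) for f in ranked[:top_n]]

    overdue = [f for f in findings if f["age_days"] > SLA_DAYS[severity(f["score"])]]
    sla_compliance_pct = round(100.0 * (len(findings) - len(overdue)) / len(findings), 1)

    exceptions = [
        f"{area}: exposure {p['exposure']} exceeds appetite {p['appetite']}"
        for area, p in risk_position.items() if p["status"] == "ABOVE APPETITE"
    ]
    exceptions += [
        f"{f['asset']}: {severity(f['score'])} finding open {f['age_days']} days "
        f"(SLA {SLA_DAYS[severity(f['score'])]} days)"
        for f in overdue
    ]
    return {
        "risk_position": risk_position,
        "top_risks": top_risks,
        "sla_compliance_pct": sla_compliance_pct,
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    report = build_report(SCAN_FINDINGS, RISK_APPETITE)
    for area, p in report["risk_position"].items():
        print(f"{area:16} exposure {p['exposure']:6} appetite {p['appetite']:5} {p['status']}")
    print("Top risks:", report["top_risks"])
    print("SLA compliance:", report["sla_compliance_pct"], "%")
    for line in report["exceptions"]:
        print("EXCEPTION", line)
```

The point of the weighting is the one the slides make about answering the "So what?": a single critical finding left open for 40 days pushes the UK Data Centres area to 40.8 against an appetite of 20.0, which is a statement a board can act on, whereas the raw scan output is a list of scores nobody outside the security team reads. Swapping in a different exposure formula, SLA table or appetite does not change the shape of the report.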

Page 18:

Pilot project and account roll-out

• Initial deployment was to 3 business areas
    • UK Data Centres, NHS CfH & RMG
• In 2010 decision taken to roll-out STREAM to 100+ UK accounts and extend scope to include BS 25999, PCI-DSS, IAMM and ISO 9001/20K
• Roll-out Pilot underway, with objectives:
    • Prove partitioning of data between accounts while allowing secure sharing of common risk and compliance data
    • Demonstrate a common approach but with local configurability to meet specific account requirements
    • Develop and prove a cost effective training plan
• Interim results of Pilot are very positive

Page 19:

STREAM aids automation of Sy GRC Role/Function across Enterprise

• Principles
    • Use technology to provide a leveraged GRC service for both CSC internal and customer use
    • Tool should not be security only but for GRC across all parts of a business
    • Use the service to break the current cultural barriers inherent within the company – cultural change
• Approach
    • Use technology to replace majority of manual tasks, thereby enabling the Compliance Manager to support multiple accounts
    • Create a centralised, leveraged service to support the technology and a centralised team to carry out the initial GRC assessment.
    • BAU then becomes simpler for the remaining team who mostly only have to deal with exceptions.
    • Explore how this technology can be used within other functional areas such as Finance, Facilities, Legal etc.

Page 20:

Benefits

• Reputational
    • Positive response from existing clients, reassurance that CSC is providing ‘best in class’ risk management & compliance
    • Helping new business acquisition
    • ISO 27001 auditor perception – “CSC are ahead of our client base”
• Efficiency
    • Risk and compliance processes – bringing new services in more quickly (Westlakes)
    • Audits, including SAS70 & SOX
    • Reduces risk - commercial and security

Page 21:

Summary & Conclusion

• CSOs & CISOs are making a difference and positioning security on the corporate agenda by:
    • Providing actionable GRC reporting on risk position, compliance levels and incidents
    • Enhancing reputation with customers
    • Helping new business acquisition
    • Getting greater productivity from available resources
    • Extending to related risk areas: business continuity, HSSE, environmental, ERM etc.
• For further information please contact us – www.acuityrm.com [email protected]
• Or see Simon and Alan on the Acuity stand (F81)

Page 22:

CSC Computer Sciences Limited, Royal Pavilion, Wellesley Road, Aldershot, Hampshire GU11 1PZ, +44 1252 534000, www.csc.com

Acuity Risk Management LLP, Liberty House, 222 Regent Street, London W1B 5TR, +44 20 7297 2086, www.acuityrm.com

STREAM Integrated Risk Manager: Risk management made simple