Going UP? More you know, less you no! How to talk about Privacy with your boss in the elevator?

Transcription

1 Going UP? How to talk about Privacy with your boss in the elevator? Before you do things right, you have to do the right things. Why good communication between business and IT areas is so important to help organizations delivering value and how to put everyone speaking the same language using COBIT 5 related materials. Reality check and lessons learned from projects and initiatives developed to improve Information Security & Privacy savviness at small medium enterprises in a small medium country like Portugal. Bruno Horta Soares, CISA, CGEIT, CRISC, PMP Founder & Senior Advisor at GOVaaS - Governance Advisors, as-a-service ISACA Lisbon Chapter Founder and President More you know, less you no! ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 1

2 BRUNO HORTA SOARES Everything Should Be Made as Simple as Possible, But Not Simpler Albert Einstein ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 2

3 Agenda 1. You have the size of your dreams! 2. Going up? ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 3

4 1. You have the size of your dreams! Does size matter? The category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding 50 million euro, and/or an annual balance sheet total not exceeding 43 million euro. Source: Extract of Article 2 of the Annex of Recommendation 2003/361/EC ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 4

5 1. You have the size of your dreams! An evolution Gap The essence of systems theory is that a system need to be viewed holistically not merely as a sum of its parts to be accurately understood von Bertalanffy, L.; General System Theory: Foundation, Development, Applications ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 5

6 1. You have the size of your dreams! How CIOs See IT? By 2017, 80% of the CIO's time will be focused on analytics, cybersecurity, and creating new revenue streams through digital services. IDC FutureScape Close the Gap! How LoB See IT? LoB executives are taking charge of their destiny. Business leaders are taking control of their technology because it is integral to their outcomes. IDC FutureScape Operating model Business Strategy Digital Strategy Customer experience Product & Services IT Strategy ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 6

7 1. You have the size of your dreams! Size doesn t matter: Its all about Value Creation? Risks Benefits Resources Pressure Rationalization Oportunity Determination Sofistication Assets/Resources Assets/Resources Actors Threats Vulnerabilities ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 7

8 Elevator pitch How about the weather? ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 8

9 Adopt and adapt COBIT 5 Solutions that focus on specifics will be outdated rapidly; a principle-based approach is required World Economic Forum COBIT 5 provides a comprehensive business framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT. ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 9

10 Tip#1 There is always two sides of the story I don t know X if you heard about the new EU Data Privacy/Protection Regulation and had the opportunity to analyze the budget regarding ISO / IEC certification is not urgent... but we are always afraid of an attack or non compliance that will end our business ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 10

11 Tip#1 There is always two sides of the story My security & privacy guy is 5 stars, have lots of certifications and is very concerned... It s a shame I don t understand anything he says or what he does! The boss Benefits Realisation Stakeholders drivers Influence Necessidades dos Stakeholders Risk Oprimisations Cascade to Business Goals Cascade to IT Related Goals Cascade to Resource Optimization Enablers Goals COBIT 5 Principle 1: Meeting Stakeholder Needs ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 11

12 Tip#1 There is always two sides of the story Compliance with external laws and regulations Ilustrative IT compliance and support for business compliance with external laws and regulations Security of information, processing infrastructure and applications EDM03 Ensure Risk Optimisation APO01 Manage the IT Management Framework APO12 Manage Risk APO13 Manage Security BAI06 Manage Changes BAI10 Manage Configuration DSS05 Manage Security Services MEA02 Monitor, Evaluate and Assess the System of Internal Control MEA03 Monitor, Evaluate and Assess Compliance With External Requirements COBIT 5 Principle 1: Meeting Stakeholder Needs ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 12

13 Tip#1 There is always two sides of the story We know that Compliance with external laws and regulations is critical to our business and we are setting IT compliance and Security as two of our critical goals. We ll identify relevant enablers to support this goal and I would appreciate your sponsorship to our Security & Privacy Program. Do you know that By 2019, Geopolitical Divisions and Global Economic Instability Will Result in Supplier Cyberattacks, Prompting Spending by 25% or More on Supply Chain Risks IDC FutureScape ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 13

14 Tip#2 Remember, there are no technical problems X I m so sorry for all the inconvenient the privacy incident caused! We are already doing an audit and we are almost sure it was an outsourcer s responsibility. I promise it will not happen again! ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 14

15 Tip#2 Remember, there are no technical problems Our Clients Information appear in newspapers!!! Who s the responsability? I m taking care of the business, you have to take care of the Security & Privacy! The boss Owners and Stakeholders Delegate Governing Body Set Direction Management Instruct and align Operations and Execution Accountable Monitor Report COBIT 5 Principle 2: Covering the Enterprise End-to-end ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 15

16 Tip#2 Remember, there are no technical problems Compliance with external laws and regulations Ilustrative IT compliance and support for business compliance with external laws and regulations Security of information, processing infrastructure and applications EDM03 Ensure Risk Optimisation APO01 Manage the IT Management Framework APO12 Manage Risk APO13 Manage Security BAI06 Manage Changes BAI10 Manage Configuration DSS05 Manage Security Services MEA02 Monitor, Evaluate and Assess the System of Internal Control MEA03 Monitor, Evaluate and Assess Compliance With External Requirements Board Chief Risk Officer Chief Information Security Officer Audit Chief Information Officer Head IT Operations COBIT 5 Principle 2: Covering the Enterprise End-to-end ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 16

17 Tip#2 Remember, there are no technical problems "The analysis of the incident allowed us to conclude that it s necessary a better involvement of the entire organization in Security & Privacy decisions. We would suggest the creation of the CISO function to get all areas involved and to increase our savvinness. " Do you know that By 2017, One-Third of Corporate Boards Will Fill a Seat With a Risk Mitigation Expert Who Can Provide Guidance on Data Privacy and Security Initiatives IDC FutureScape ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 17

18 Tip #3 Speak the same language "We are so X happy for our recent achievements. We received two awards related with ITIL and ISO27001 certification and our KPIs are all green. We are 100% focused on providing our best support to our users, that s why those new compliance projects from business are a little bit delayed!" ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 18

19 Tip #3 Speak the same language Why are we paying every year so much money to be certified and our regulators keep saying we are not answering their needs! The boss Drivers Performance Complience COBIT 5 Principle 3: Applying a Single Integrated Framework ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 19

20 Tip #3 Speak the same language "We care about the continuous improvement of our Security & Privacy. We improved the coordination between internal and external Security and Legal Teams, we reviewed business areas' needs, adjusted our SLAs to better manage all stakeholders expectations and enforced new compliance controls." Do you know that By 2019, 25% of Security Spend Will Be Driven by the European Union and Other Jurisdictional Data Regulations, Leading to a Patchwork of Compliance Regimes IDC FutureScape ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 20

21 Tip #4 Show him the big picture X Our Data Lekeage software is out of date. We are now studying new solutions to replace it and as soon we have the new technology we believe that our Security & Privacy will improve." ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 21

22 Tip #4 Show him the big picture A friend of mine told me about these new security services in the cloud. I think it's a great opportunity to get rid of security & privacy internal costs and focus in my core business. The boss Enablers Processes Information Organisational structures Principles, policies and frameworks Services, infrastructure and applications Culture, ethics and behaviour People, skills and competencies Resources COBIT 5 Principle 4: Enabling a Holistic Approach ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 22

23 Tip #4 Show him the big picture We analysed why Security incidents happen and we believe that only by aligning people, processes and technologies it will be possible to deliver better Security & Privacy related initiatives. We ll review our Security & Privacy framework, update our supporting tools, implement a new CISO and train our people! Do you know that By 2020, More than Half of Web Security Market Revenue Will Come from Cloud-Based Offerings Over Traditional On-Premises Gateways IDC FutureScape ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 23

24 Tip #5 There are unknowns unknowns X We have been implementing a new Security & Privacy Governance framework and set all associated processes. As soon we finish it we will send it for your approval. ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 24

25 Tip #5 There are unknowns unknowns Stakeholder needs I m already responsible for the Corporate Governance, you can take care of Security & Privacy governance. The boss Direct Governance Evaluate Feedback Management Control Plan Build Run Monitor Operations Plan Build Run Monitor COBIT 5 Principle 5: Separating Governance From Management ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 25

26 Tip #5 There are unknowns unknowns "We are designing the Security & Privacy Governance and Management framework to focus in value creation and we would like to discuss with the Board it s role and how better Security & Privacy can contribute to benefits realization, risk and resources optimization. It would be very important to have your direction." Do you know that By 2017, the Security Services Market Will Increase At Least 30%, Driven by the Scarceness and High Price of Available Data Scientists IDC FutureScape ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 26

27 Next steps Since most organizations have strong love for complexity, few will believe that a firm s success is based on such simple premises. The knowing doing gap, Jeffrey Pfeffer ad Robert I Sutton, 2000 ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 27

28 Bruno Horta Soares, CISA, CGEIT, CRISC TM, PMP Founder & Senior Advisor GOVaaS - Governance Advisors, as-a-service Rua do Tamisa, BL D 1.ºC Parque das Nações Lisboa Mobile: bruno.soares@govaas.com Q&A More you know, less you no! ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 28

29 Bruno Horta Soares, CISA, CGEIT, CRISC, PMP Academic training 5 years degree in Management and Computer Science, from ISCTE and a postdegree in Project Management, from ISLA Campus Lisboa. Professional certifications Certified in Project Management Professional (PMP), from Project Management Institute (PMI), Certified Information Systems Auditor (CISA), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) and COBIT 5 Foundation from ISACA, ITIL version 3 Foundation, ISO/IEC Lead Auditor and Training for Trainers Certification (CAP). He s also APMG individual accredited trainer for COBIT 5. Founder and Senior Advisor at GOVaaS Governance Advisors, as-a-service IT Executive Senior Advisor on IT Strategy and Governance at IDC Portugal Visiting professor and coordinator at ISCAC - Coimbra Business School - Coimbra, Portugal Visiting professor at Instituto Superior Técnico (IST) - Lisbon, Portugal Visiting professor at Universidade Portucalense (UPT) - Porto, Portugal Visiting professor and coordinator at Universidade Europeia Laureate International Universities - Lisbon, Portugal Visiting professor at Unipê - Centro Universitário de João Pessoa - Paraíba, Brasil Visiting professor at Universidade Católica Portuguesa - Lisbon, Portugal Visiting professor at Porto Business School - Porto, Portugal Founder and President at ISACA Lisbon Chapter Member of ISACA Government and Regulatory Advocacy Regional Subcommittee Area 3 IT Governance coordinator at the Portuguese Institute of Directors ISACA Knowledge Center Topic Leader - COBIT 5 APMG individual accredited trainer for COBIT 5 ISACA Malta Chapter Protecting Privacy in an Information-Driven Economy Bruno Horta Soares 29