Addressing Cyber Risk Building robust cyber governance

Transcription

1 Addressing Cyber Risk Building robust cyber governance Mike Maddison Partner Head of Cyber Risk Services

2 The future of security The business environment is changing The IT environment is changing The cyber threat environment is changing Cyber security must be addressed at the most senior levels Cyber security must be business back rather than technology forward Move from protecting the perimeter to protecting data Refresh cyber security strategies to address rapidly evolving business needs and threats If the information security function does not change, the result will be losing influence, control and in this environment a real opportunity for impact with the business?

3 The future of security The scale of change to ship 1 million units 2 years 74 days 28 days 2012 Deloitte LLP. Private and confidential.

4 The future of security A changing business environment A greater reliance on: - Data (business information, competitive advantage, as the business) - Technology for employees and customers Globalisation and 24x7 operations - Offices, users and IT assets around the globe Changing customer perceptions - Baby Boomers to Generation X, and now Generation Y not forgetting Generation G Competitive advantage is difficult - the economy makes it even harder

5 The future of security Technology change dealing with complexity Cloud Security Fraud risk Data loss Privacy Social media Cyber security Online fraud System downtime Encryption Threat Intelligence Corporate Espionage Securing mobile devices The insider threat Hacking Vulnerability Management Identity Management e-crime Prevention

6 The future of security A changing threat environment - they only have to win once... Anonymous and other Hackivists From waste management to e-crime Low risks and high rewards mean that the security threat landscape is changing. Targets of choice, not chance Organised crime Increasing third party access Insider threats Statesponsored cyber threats APTs Stuxnet, Conficker

7 The future of security Your security capability? Activities are still largely reactive and compliance-driven: Largely compliance focused Developing policies Meeting industry baselines Audit Often limited visibility or interest to the business unless something goes wrong Touching some change programmes Limited future watching Low operational agility Political forces Environmental forces Social forces Organisation Technological forces Legislative forces Economic forces

8 Practical steps to a step change 8 Presentation title

9 Approach to tackling cyber Identify Risks Map Capabilities Identify assets Identify threats Capability and control maturity Identify Key asset lists and owners. Map Critical business processes and owners. Identify current and emerging threats. Perform Risk assessment. Assess Business Impact. Identify key capabilities for each risk area. Identify emerging capability requirement from threat trends. Map key controls to business risks. Identify capability and control stakeholders. Assess and Benchmark Set Risk Appetite Assess current state of control maturity. Assess current capability maturity. Derive target state of capability maturity from high level costs versus business impact mitigation. Validate target against peer and sector benchmark. Prioritise & Execute Prioritisation and Planning Identify major risk exposures and quick wins. Identify strategic capability improvements and break down in to bounded deliverables. Prioritise strategic improvement roadmap. Continue monitoring of threat landscape to identify required changes of focus.

10 Comprehensive Cyber Governance This is not a technology issue people, technology and process Cyber Security Steering Committee Executive governance by making policy and investment decisions. Members include business and IT leaders as well as the CISO Cyber Security Advisory Board The brain trust a forum for sharing and discussing tactics and best practise amongst security leaders Business Partners IT Functions - security architecture - system design - security operations - security training Corporate Body - risk strategy - security policy - security awareness GOVERNANCE Business Partners Business Units - risk management - security awareness Cyber Security Comms Forum Often an distribution list of security practitioners used to communicate management decisions and best practises CyberSecurity Programme Strategic coordination of security initiatives normally sponsored and governed by the Security Steering Committee

11 Integrating cyber into ERM Board level Oversight Tone at the top Risk Governance Executive Management Common risk architecture (people process technology) Risk Infrastructure Risk Processes Identify Asses Respond Design Implement Monitor Business Units Risk classes Risk ownership Data System Compliance Reporting 11

12 Developing the capability is a journey with costs. Proactive Threat Management Media & SMEs Consumer Business & Life Sciences Retail Banks & Energy Providers Investment Banks Military & Defence Blissful Ignorance Basic Network Protection Acceptable Usage Policy IT BC & DR Exercises Transformation Ad Hoc Infrastructure & Application Protection Ad Hoc System / Malware Forensics Ad-hoc Threat Intelligence Sharing with Peers Commercial & Open Source Threat Intelligence Feeds Network & System Centric Activity Profiling General Information Security Training & Awareness IT Cyber Attack Simulations Enterprise-Wide Infrastructure & Application Protection Operational Excellence Basic Online Brand Monitoring Automated Malware Forensics & Manual Electronic Discovery Government / Sector Threat Intelligence Collaboration Criminal / Hacker Surveillance Workforce / Customer Behaviour Profiling Targeted Intelligence-Based Cyber Security Awareness Business-Wide Cyber Attack Exercises Identity-Aware Information Protection Situational Awareness of Cyber Threats Online Brand & Social Media Policing Automated Electronic Discovery & Forensics Global Cross-Sector Threat Intelligence Sharing Baiting & Counter-Threat Intelligence Real-time Business Risk Analytics & Decision Support Business Partner Cyber Security Awareness Sector-Wide & Supply Chain Cyber Attack Exercises Adaptive & Automated Security Control Updates Brand Monitoring E-Discovery & Forensics Intelligence Collaboration External Threat Intelligence Behavioural Analytics Training & Awareness Cyber Attack Preparation Asset Protection IT Service Desk & Whistleblowing Security Log Collection & Ad Hoc Reporting 24x7 Technology Centric Security Event Reporting External & Internal Threat Intelligence Correlation Cross-Channel Malicious Activity Detection Security Event Monitoring Traditional Signature-Based Security Controls Periodic IT Asset Vulnerability Assessments Automated IT Asset Vulnerability Monitoring Targeted Cross-Platform User Activity Monitoring Tailored & Integrated Business Process Monitoring Internal Threat Intelligence Cyber Security Maturity Levels Level 1 Level 2 Level 3 Level 4 Level 5 12

13 The future of security The business environment is changing The IT environment is changing The cyber threat environment is changing Cyber security must be addressed at the most senior levels Cyber security must be business back rather than technology forward Move from protecting the perimeter to protecting data Refresh cyber security strategies to address rapidly evolving business needs and threats If the information security function does not change, the result will be losing influence, control and in this environment a real opportunity for impact with the business?

14 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited ( DTTL ), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of DTTL and its member firms. Deloitte LLP is the United Kingdom member firm of DTTL. This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication Deloitte LLP. All rights reserved. Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) Fax: +44 (0) Member of Deloitte Touche Tohmatsu Limited