Improving the effectiveness of cyber security – controlling people, process and technology
10 April 2014
Page 2
You could be under cyber attack — now!
Today’s cyber threats
Page 3
Under cyber attack: EY’s Global Information Security Survey
EY’s Global Information Security Survey was structured to explore three areas:
[Diagram: the three stages 1. Improve, 2. Expand, 3. Innovate, plotted on two axes: Awareness (Know / Don’t know) and Behavior (Reactive / Proactive)]
Page 4
Improve. Expand. Innovate.
Today’s cyber threats
Improve: For many organizations, this is the current state. Over the past year, organizations have made substantial progress in improving their defences against cyber attacks. Yet their position remains reactive, addressing the threats they know, but not seeking to understand the threats that may be just around the corner.
Expand: Leading organizations are taking bolder steps to combat cyber threats. They are more proactive in determining both the known and unknown risks within their security programs. However, there remains room to expand security measures.
Innovate: Organizations aspiring to be information security innovators need to set their sights on new frontiers. These organizations need to continuously review, rethink and potentially redesign their entire information security framework in order to be better prepared. In many cases, innovating may require a fundamental transformation of the information security program to proactively fortify against both the known and the unknown risks in the cyber risk environment.
Page 5
Everyone and every organization is a target
Certain circumstances can further significantly challenge data security and privacy:
► M&A
► Entering new markets
► New product launch
► Front page news
► Major organizational change
► Audit responsibility
Page 6
Under cyber attack: EY’s Global Information Security Survey
Knowing that an attack will inevitably occur sparks improvements.
Our survey indicates that many organizations recognize the extent and depth of the threats they face — from the top of the organization to the shop floor. For nearly three quarters of organizations surveyed, information security policies are now owned at the highest organizational level.
Page 7
Under cyber attack: EY’s Global Information Security Survey
Page 8
Under cyber attack: EY’s Global Information Security Survey
Page 9
Beating cybercrime by transforming the security program and improving business performance
Five questions for the C-suite
► Do you know how much damage a security breach can do to your reputation or brand?
► Are internal and external threats considered when aligning your security strategy to your risk management efforts?
► How do you align key risk priorities in relation to your spending?
► Do you understand your risk appetite and how it allows you to take controlled risks?
► How does your IT risk management strategy support your overall business strategy?
Page 10
Identify the real risks
Questions to ask
Conventional thinking
• Budget and organize a security program focused primarily on meeting immediate compliance needs
• Protect the perimeter and keep external threats out
• Focus on entry points, not exit points. A reactive, internally focused posture leads to a constant firefighting mode, addressing only the latest threat or incident
Leading thinking
• Define the organization’s overall risk appetite and how information risk fits
• Identify the most important information and applications, where they reside and who has/needs access
• Assess the threat landscape and develop predictive models highlighting your real exposures
► What is your organization’s risk culture?
► Are you detecting and monitoring threats inside and outside the organization?
► Have you anticipated new technology risks, such as mobile devices, social media and cloud computing?
Page 11
Protect what matters most
Questions to ask
Conventional thinking
• Security program budget and organization focused primarily on meeting immediate compliance needs
• Set goal and expectation to stop all attacks and threats
• Disproportionate focus on maintaining lower-risk/lower-value security activities
• User access and roles are set up based on last employee hired
Leading thinking
• Develop a security strategy focused on business drivers and protecting high-value data
• Assume breaches will occur — improve processes that plan, protect, detect and respond
• Balance fundamentals with emerging threat management
• Establish and rationalize access control models for applications and information
► Have you considered automating security controls?
► Are you using predictive indicators to analyze seemingly legitimate network activity?
► Are your resources focused on emerging threats?
Page 12
Optimize business performance
Questions to ask
Conventional thinking
• Various security aspects exist in silos and are driven by compliance only
• Largest portion of security budget goes to technology solutions
• Fear of outsourcing anything security-related due to perceived loss of control. This results in the inability to focus on emerging technologies, new threats and new business initiatives
Leading thinking
• Align all aspects of security (information, privacy, physical and business continuity) with the business
• Spend wisely in controls and technology — invest more in people and processes
• Consider selectively outsourcing operational security program areas
► Are you balancing spending money among key risk priorities?
► Have you investigated the latent functionality of your existing tools?
► Are you outsourcing any of your information security?
Page 13
Sustain an enterprise program
Questions to ask
Conventional thinking
• Security viewed as a sub-function of IT with little top management visibility
• Security program budget and organization focused on meeting immediate compliance needs
• Security metrics and reporting focused on historic trends. Inordinate time spent on reacting to major incidents
• Inherent security risk drives priorities. Lack of balanced risk view based on overall acceptable risk appetite
Leading thinking
• Get governance right — make security a board-level priority
• Allow good security to drive compliance, not vice versa
• Measure leading indicators to catch problems while they are still small
• Accept manageable risks that improve performance
► Are you taking controlled risks rather than striving to eliminate risks altogether?
► Are your key indicators trailing or leading?
Page 14
Enable business performance
Questions to ask
Conventional thinking
• Security viewed as merely a function of the security team
• Ban emerging technologies (social media, mobile) until they are mature
• Program focused on perimeter and access management, not on all IT processes or all enterprise information (e.g., business unit, cloud and end-user computing)
• Security metrics are backward-looking and tactical and not linked to goals, outcomes or strategic business drivers
Leading thinking
• Make security everyone’s responsibility
• Don’t restrict newer technologies; use the forces of change to enable them
• Broaden program to adopt enterprise-wide information risk management concepts
• Set security program goals/metrics that impact business performance
► Do all of the organization’s stakeholders understand the importance of information security?
► Is your organization up-to-date with the new technologies hitting the workforce?
► Does your organization have the right measures to create a scorecard on information security at the enterprise level?
Page 15
Framework to enable your security program to address business needs
Page 16
Contact details:
Georgi Dimitrov, CISA, CISM, MCSE, MCSA