Improving the effectiveness of cyber security – controlling people, process and technology 10 April 2014

Page 1

Improving the effectiveness of cyber security – controlling people, process and technology

10 April 2014

Page 2

You could be under cyber attack — now!

Today’s cyber threats

Improving the effectiveness of cyber security

Page 3

Under cyber attack: EY’s Global Information Security Survey


EY’s Global Information Security Survey was structured to explore three areas:

1. Improve

2. Expand

3. Innovate

[Chart: Awareness (Know / Don’t know) plotted against Behavior (Proactive / Reactive), with the Improve, Expand and Innovate stages positioned along the two axes.]

Page 4

Improve. Expand. Innovate.

Today’s cyber threats

Improve: For many organizations, this is the current state. Over the past year, organizations have made substantial progress in improving their defences against cyber attacks. Yet their position remains reactive, addressing the threats they know, but not seeking to understand the threats that may be just around the corner.

Expand: Leading organizations are taking bolder steps to combat cyber threats. They are more proactive in determining both the known and unknown risks within their security programs. However, there remains room to expand security measures.

Innovate: Organizations aspiring to be information security innovators need to set their sights on new frontiers. These organizations need to continuously review, rethink and potentially redesign their entire information security framework in order to be better prepared. In many cases, innovating may require a fundamental transformation of the information security program to proactively fortify against both the known and the unknown risks in the cyber risk environment.


Page 5

Everyone and every organization is a target

Certain circumstances can further significantly challenge data security and privacy:

► M&A

► Entering new markets

► New product launch

► Front page news

► Major organizational change

► Audit responsibility

Page 6

Under cyber attack: EY’s Global Information Security Survey

Knowing that an attack will inevitably occur sparks improvements.

Our survey indicates that many organizations recognize the extent and depth of the threats they face — from the top of the organization to the shop floor. For nearly three quarters of organizations surveyed, information security policies are now owned at the highest organizational level.


Page 7

Under cyber attack: EY’s Global Information Security Survey


Page 8

Under cyber attack: EY’s Global Information Security Survey


Page 9

Beating cybercrime by transforming security program and improving business performance


Five questions for the C-suite

► Do you know how much damage a security breach can do to your reputation or brand?

► Are internal and external threats considered when aligning your security strategy to your risk management efforts?

► How do you align key risk priorities in relation to your spending?

► Do you understand your risk appetite and how it allows you to take controlled risks?

► How does your IT risk management strategy support your overall business strategy?

Page 10

Identify the real risks


Questions to ask

Conventional thinking

• Budget and organize a security program focused primarily on meeting immediate compliance needs

• Protect the perimeter and keep external threats out

• Focus on entry points, not exit points. Reactive, internally focused posture leads to constant firefighting mode addressing the latest threat or incident

Leading thinking

• Define the organization’s overall risk appetite and how information risk fits

• Identify the most important information and applications, where they reside and who has/needs access

• Assess the threat landscape and develop predictive models highlighting your real exposures

► What is your organization’s risk culture?

► Are you detecting and monitoring threats inside and outside the organization?

► Have you anticipated new technology risks, such as mobile devices, social media and cloud computing?

Page 11

Protect what matters most


Questions to ask

Conventional thinking

• Security program budget and organization focused primarily on meeting immediate compliance needs

• Set goal and expectation to stop all attacks and threats

• Disproportionate focus on maintaining lower-risk/lower-value security activities

• User access and roles are set up based on last employee hired

Leading thinking

• Develop a security strategy focused on business drivers and protecting high-value data

• Assume breaches will occur — improve processes that plan, protect, detect and respond

• Balance fundamentals with emerging threat management

• Establish and rationalize access control models for applications and information

► Have you considered automating security controls?

► Are you using predictive indicators to analyze seemingly legitimate network activity?

► Are your resources focused on emerging threats?

Page 12

Optimize business performance


Questions to ask

Conventional thinking

• Various security aspects exist in silos and are driven by compliance only

• Largest portion of security budget goes to technology solutions

• Fear of outsourcing anything security-related due to perceived loss of control. This results in the inability to focus on emerging technologies, new threats and new business initiatives

Leading thinking

• Align all aspects of security (information, privacy, physical and business continuity) with the business

• Spend wisely in controls and technology — invest more in people and processes

• Consider selectively outsourcing operational security program areas

► Are you balancing spending money among key risk priorities?

► Have you investigated the latent functionality of your existing tools?

► Are you outsourcing any of your information security?

Page 13

Sustain an enterprise program


Questions to ask

Conventional thinking

• Security viewed as sub-function of IT with little top management visibility

• Security program budget and organization focused on meeting immediate compliance needs

• Security metrics and reporting focused on historic trends. Inordinate time spent on reacting to major incidents

• Inherent security risk drives priorities. Lack of balanced risk view based on overall acceptable risk appetite

Leading thinking

• Get governance right — make security a board-level priority

• Allow good security to drive compliance, not vice versa

• Measure leading indicators to catch problems while they are still small

• Accept manageable risks that improve performance

► Are you taking controlled risks rather than striving to eliminate risks altogether?

► Are your key indicators trailing or leading?

Page 14

Enable business performance


Questions to ask

Conventional thinking

• Security viewed as merely a function of the security team

• Ban emerging technologies (social media, mobile) until they are mature

• Program focused on perimeter and access management, not on all IT processes or all enterprise information (e.g., business unit, cloud and end-user computing)

• Security metrics are backward-looking and tactical and not linked to goals, outcomes or strategic business drivers

Leading thinking

• Make security everyone’s responsibility

• Don’t restrict newer technologies; use the forces of change to enable them

• Broaden program to adopt enterprise-wide information risk management concepts

• Set security program goals/metrics that impact business performance

► Do all of the organization’s stakeholders understand the importance of information security?

► Is your organization up-to-date with the new technologies hitting the workforce?

► Does your organization have the right measures to create a scorecard on information security at the enterprise level?

Page 15

Framework to enable your security program to address business needs


Page 16

Contact details:


Georgi Dimitrov, CISA, CISM, MCSE, MCSA

[email protected]