Changing the game on cyber risk: The imperative to become secure, vigilant, and resilient

Transcription

1 Changing the game n cyber risk: The imperative t becme secure, vigilant, and resilient Vikram Ra Senir Manager Delitte & Tuche LLP Nv 2015

2 The innvatins that drive grwth als create cyber risk Threat actrs explit weaknesses that are byprducts f business grwth and technlgy innvatin. M&A r crprate restructuring New custmer service and sales mdels New surcing and supply chain mdels New applicatins and mbility tls Use f new technlgies fr efficiency gains and cst reductin Cyber threats are asymmetrical risks Perfect security is nt feasible. Instead, minimize the impact f cyber incidents by becming: SECURE Enabling business innvatin by prtecting critical assets against knwn and emerging threats acrss the ecsystem VIGILANT Gaining detective visibility and preemptive threat insight t detect bth knwn and unknwn adversarial activity RESILIENT Strengthening yur ability t recver when incidents ccur Small, highly skilled grups exact disprprtinate damage They ften have very targeted mtives They re spread acrss the glbe, ften beynd the reach f law enfrcement Threat velcity is increasing The windw t respnd is shrinking Rather than being a necessary burden, the cyber risk prgram is a psitive aspect f managing business perfrmance. 1 Cpyright 2015 Delitte Develpment LLC. All rights reserved.

3 Cmpanies Like Yurs (vide) 2 Cpyright 2015 Delitte Develpment LLC. All rights reserved.

4 3 Cpyright 2015 Delitte Develpment LLC. All rights reserved.

5 Executives must set risk appetite, and drive fcus n what matters It starts by understanding wh might want t attack, why, and hw 4 Wh might attack? What are they after, and what are the key business risks I need t mitigate? Cyber Risk Prgram and Gvernance SECURE Are cntrls in place t guard against knwn and emerging threats? What tactics might they use? VIGILANT Can we detect malicius r unauthrized activity, including the unknwn? RESILIENT Can we act and recver quickly t minimize impact? Theft f intellectual prperty r strategic plans Financial fraud Reputatin damage Business disruptin Destructin f critical infrastructure Threats t health & safety Gvernance and perating mdel Plicies and standards Management prcesses and capabilities Risk reprting Risk awareness and culture Perimeter defenses Vulnerability management Asset management Identity management Secure SDLC Data prtectin Cyber criminals Hacktivists (agenda driven) Natin states Insiders / partners Cmpetitrs Skilled individual hacker Spear phishing, drive by dwnlad, etc. Sftware r hardware vulnerabilities Third party cmprmise Multi-channel attacks Stlen credentials and thers Incident respnse Frensics BC/DR, Crisis management Threat intelligence Security mnitring Behaviral analysis Risk analytics Cpyright 2015 Delitte Develpment LLC. All rights reserved.

6 5 Cpyright 2015 Delitte Develpment LLC. All rights reserved.

7 Threat actrs and their mtives vary by industry and rganizatin A typical cyber risk heat map fr the Insurance sectr Ntable insights: As stewards f trves f persnally identifiable infrmatin (PII), including claim histry, the driving cncern is t prtect private infrmatin t avid reputatin damage assciated with breaches. IMPACTS ACTORS Organized criminals Hacktivists Financial theft / fraud Theft f IP r strategic plans Business disruptin Destructin f critical infrastructure Reputatin damage Threats t life r safety Regulatry issues Fr many, cmpliance cncerns are augmented by newer Payment Card Industry and Electrnic Prtected Health Infrmatin (ephi) requirements. Natin states Insiders / Partners Cmpetitin drives grwing use f mbile, Web-based applicatins and telematics t prvide nvel ways f serving custmers, intrducing new threat vectrs t be managed. Grwing cncern abut transactin fraud t rerute claims payuts and retirement plan payments. Cmpetitrs Skilled individual hackers Grwing use f Big Data analytics t develp risk mdels, premium pricing mdels, and set prduct directin heightens cncern abut securing centralized data, and the strategic utput f analytic prcessing. KEY Very high High Mderate Lw 6 Cpyright 2015 Delitte Develpment LLC. All rights reserved.

8 Threat actrs and their mtives vary by industry and rganizatin A typical cyber risk heat map fr the Banking sectr Ntable insights: Cncern has shifted t natinstates, glbal rganized criminal gangs and highly skilled hacktivists r hackers. While financial risks are imprtant, senir leaders are mre wrried abut destructive attacks and lss f client / investr cnfidence. Cncern abut harm nt nly t individual rganizatins but als abut system risks t the US ecnmy via a cncerted cyber attack. Cyber attacks may be a particular risk during times f cnventinal war r internatinal crisis. Cyber dependencies acrss the ecsystem between financial institutins, critical suppliers, industry partners, etc. intrduce high levels f third party risks, insider risks, scial media risks, etc. ACTORS Organized criminals IMPACTS Hacktivists Natin states Insiders / Partners Cmpetitrs Skilled individual hackers Financial theft / fraud Theft f IP r strategic plans Business disruptin Destructin f critical infrastructure Reputatin damage KEY Threats t life / safety Very high High Regulatry Mderate Lw 7 Cpyright 2015 Delitte Develpment LLC. All rights reserved.

9 Threat actrs and their mtives vary by industry and rganizatin A typical cyber risk heat map fr the Pwer & Utilities sectr Ntable insights: There is financial risk tied t failure t cmply with Nrth American Electric Reliability Cntrl Critical Infrastructure Prtectin (NERC CIP) versin 5, and ther regulatins, but greater cncern is lss f rate payer and bard cnfidence shuld systems be breached. Hacktivists and natin-state actrs culd be behind the increase f publicized and unpublicized attacks n Industrial Cntrl Systems (ICS), which are als vulnerable t accidental r intentinal damage by business partners and insiders. While vendrs have imprved sftware security, fear f destabilizing the infrastructure leads many rganizatins t lag in keeping sftware up t date, magnifying the risk level. Metering and accunting systems may be vulnerable t tampering, resulting in financial lss. 8 ACTORS Organized criminals Hacktivists Natin states Insiders / Partners IMPACTS Cmpetitrs Skilled individual hackers Financial Theft / Fraud Theft f custmer data Cyber attacks are increasing, but defenses lag. Business disruptin Destructin f critical infrastructure Frm Oct. 1, 2012 t Apr. 30, 2013, ICS-CERT respnded t ver 200 incidents acrss all critical infrastructure sectrs, mre than had been reprted the entire previus year. (ICS-CERT Mnitr, April-June 2013) In 2012, a researcher identified ver 20,000 ICS-related devices directly IP addressable and vulnerable t explitatin thrugh weak r default authenticatin. (ICS-CERT Mnitr Oct.-Dec. 2012) Reputatin damage KEY Threats t life /safety Very high High Regulatry Mderate Lw Cpyright 2015 Delitte Develpment LLC. All rights reserved.

10 9 Cpyright 2015 Delitte Develpment LLC. All rights reserved.

11 Greater fcus n defense against cyber threats What d rganizatins wrry abut? What attack techniques r vulnerabilities cncern yu the mst? * 69% list increasing sphisticatin f cyber threats as a tp barrier in addressing cyber risk and cyber security challenges. The threat actr f greatest cncern is the rganized criminal; 76% express higher-than-average threat level. Nn threat Very lw threat Smewhat lw threat Average threat Higher threat Very high threat Cmpsite > Average Scial engineering 0.0% 6.9% 10.3% 20.7% 31.0% 24.1% 55.1% Prliferatin f malicius sftware 0.0% 0.0% 3.4% 17.2% 37.9% 41.4% 79.3% Phishing and pharming 0.0% 0.0% 3.4% 24.1% 44.8% 27.6% 72.4% Zmbie netwrks (e.g., bts) 0.0% 3.4% 20.7% 41.4% 31.0% 3.4% 34.4% Attacks expliting mbile netwrk vulnerabilities 0.0% 13.8% 27.6% 41.4% 17.2% 0.0% 17.2% Attacks via mbile devices 0.0% 20.7% 24.1% 34.5% 20.7% 0.0% 20.7% Tp attack techniques explit human as the weak link Explitatin f vulnerabilities in emerging technlgies Explits against insecure sftware cde Attacks expliting end pint device vulnerabilities 0.0% 10.3% 20.7% 37.9% 27.6% 3.4% 31.0% 0.0% 3.4% 13.8% 34.5% 41.4% 6.9% 48.3% 0.0% 0.0% 10.3% 48.3% 27.6% 10.3% 37.9% Advanced persistent threats 0.0% 3.4% 3.4% 51.7% 31.0% 10.3% 41.3% Zer-day attacks 0.0% 3.4% 10.3% 48.3% 34.5% 3.4% 37.9% Other 0.0% 0.0% 0.0% 3.4% 0.0% 0.0% 0.0% 10 * Delitte Survey in Retail Industry Cpyright 2015 Delitte Develpment LLC. All rights reserved.

12 Cyber Security Evlved (vide) 11 Cpyright 2015 Delitte Develpment LLC. All rights reserved.

13 12 Cpyright 2015 Delitte Develpment LLC. All rights reserved.

14 Reprting practices suggest gvernance is still technlgy-fcused Wh wns the prgram, wh s watching, and wh is engaged? >75% f CISOs reprt t the CIO Sme engage regularly with the Bard and the CEO The mst active versight is by CIO (wh mst CISOs reprt t) Engagement with CTOs, marketing fficers, cmpliance / privacy fficers and business stakehlders is weak, relative t hw rganizatins define their prgram missins Never Weekly Mnthly Quarterly Annually Ad-Hc External Auditrs 13.8% 0.0% 0.0% 34.5% 37.9% 10.3% Bard f Directrs 10.3% 0.0% 0.0% 37.9% 20.7% 31.0% CEO 17.2% 3.4% 13.8% 37.9% 10.3% 17.2% General Cuncil, Legal r Audit Cmmittees Hw frequently are yu required t reprt n enterprise cyber security r cyber risk psture t the fllwing psitins? * 24.1% 3.4% 10.3% 31.0% 6.9% 24.1% CCO, Chief Privacy Officer 55.2% 3.4% 3.4% 17.2% 3.4% 6.9% CIO 6.9% 44.8% 31.0% 6.9% 0.0% 10.3% CTO 58.6% 10.3% 3.4% 3.4% 0.0% 10.3% Chief Marketing Officer 69.0% 0.0% 6.9% 0.0% 0.0% 17.2% Business Stakehlders 44.8% 6.9% 6.9% 20.7% 0.0% 17.2% Other 20.7% 0.0% 0.0% 0.0% 0.0% 3.4% * These are preliminary indicatrs. Survey results are nt final yet. Survey data may change 13 Cpyright 2015 Delitte Develpment LLC. All rights reserved.

15 Executive spnsrship is the key t success Every leader has a distinct rle t play in driving alignment Bard & CEO Tne at the tp, establish senir management accuntability and a cyber-aware culture CYBER RISK GOVERNANCE Senir Management (COO, CAO, CRO) IT Leadership (CIO) IT Risk Leadership (CISO / CITRO) Line f Business Leaders Define the rganizatin s cyber risk appetite and be accuntable fr cyber risk management. Empwer the extended leadership team. Lead (nt delegate) in defining and executing the strategy t becme secure, vigilant, and resilient. Establish an effective interactin mdel with CISO and IT risk fficer. Define the right balance between threat-centric vs. cmpliance-centric prgrams. Be a business enabler, withut shying away frm the rle f risk custdian. Supprt integratin f cyber risk management int business grwth and develpment activities. Appint line-fbusiness risk fficers. IT DOMAINS Execute n strategy Manage and reprt n risks Fully integrate cyber risk management int IT disciplines design fr Six Sigma, nt quality cntrl. Integrate current technlgies t address the latest threats Architecture & Engineering Infrastructure Applicatin Develpment Security Operatins Other functins 14 Cpyright 2015 Delitte Develpment LLC. All rights reserved.

16 Tp actins and questins fr executives Key actins yu need t wn Key questins yu need t ask Put a senir executive at the helm. He r she must be able t lead in a crisis, and als guide the prgram and enlist cllabratin acrss diverse functins. Map threats t the business assets that matter. Set directin, purpse, and risk appetite fr the prgram. Establish pririties, and ensure funding and resurcing. Drive early wins. Establish mmentum by fcusing n pilt initiatives that measurably impact business success. Use these t plant the seeds f lng-term cultural change. Accelerate behavir change. Create active learning scenaris that instill awareness f the impact f daily activity n cyber risk. Embed cyber risk management gals int evaluatin f Tp 100 executives. Trust but verify. Cnduct mnthly r quarterly reviews abut key risks and risk metrics, and address radblcks. Are we fcused n the right things? Often said, but hard t execute. Understand hw value is created in yur rganizatin, where yur critical assets are, hw they are vulnerable t key threats. Practice defense-in-depth. D we have the right talent? Quality ver quantity. There is nt enugh talent t d everything inhuse, s take a strategic apprach t surcing decisins. Are we practive r reactive? Retrfitting fr security is very expensive. Build it upfrnt in yur management prcesses, applicatins and infrastructure. Are we incentivizing penness and cllabratin? Build strng relatinships with partners, law enfrcement, regulatrs, and vendrs. Fster internal cperatin acrss grups and functins, and ensure that peple aren t hiding risks t prtect themselves. Are we adapting t change? Plicy reviews, assessments, and rehearsals f crisis respnse prcesses must be regularized t establish a culture f perpetual adaptatin t the threat and risk landscape. 15 Cpyright 2015 Delitte Develpment LLC. All rights reserved.

17 This presentatin cntains general infrmatin nly and Delitte is nt, by means f this presentatin, rendering accunting, business, financial, investment, legal, tax, r ther prfessinal advice r services. This presentatin is nt a substitute fr such prfessinal advice r services, nr shuld it be used as a basis fr any decisin r actin that may affect yur business. Befre making any decisin r taking any actin that may affect yur business, yu shuld cnsult a qualified prfessinal advisr. Delitte shall nt be respnsible fr any lss sustained by any persn wh relies n this presentatin. Cpyright 2015 Delitte Develpment LLC. All rights reserved. Member f Delitte Tuche Thmatsu Limited

18 Resume Vikram Ra CIA, CISA, CISSP, CRMA, PMP Senir Manager, Delitte & Tuche LLP Tel: Vikram is a Senir Manager in Delitte s Advisry Business with ver 11 years f experience. He has deep experience prviding Technlgy Risk Services t variety f industries. Within Technlgy Risk, Vikram is part f Delitte s Cyber Risk Services practice, which helps clients t be Secure, Vigilant, and Resilient in the face f an ever increasing array f cyber threats and vulnerabilities. He was successfully executed several cyber risk strategy, gvernance, and implementatin engagements fr Frtunate 500 cmpanies t strengthen their security psture and help them enable their business. Vikram has deep knwledge and experience that cvers the breadth and depth f infrmatin and technlgy risks. In additin, Vikram als has experience in Internal Audit, Risk & Cmpliance Assessments & Remediatin including prject management. During his career in Delitte, Vikram has served a number f large glbal Frtune 500 clients in varius industries. Vikram lead the Greater Bstn Chapter f IIA in 2013 as the President and sits n the bard currently. He certificatins include CISSP, CISA, CIA, CRMA and PMP. Befre jining Delitte, Vikram wrked in the IT industry as a cmputer engineer. Vikram has a Bachelr s in Cmputer Engineering and a Master s in Systems Science. DRAFT Fr Discussin Purpses Only