A Disciplined Approach to Cyber Security Transformation

Transcription

1 A Disciplined Approach to Cyber Security Transformation Information Protection and Business Resiliency December 2014

2 Key takeaways from today s cyber security discussion 1. Our colleagues are not waving - they are drowning¹ 2. When you go out into the world, watch out for traffic cyber threats, hold hands, and stick together² 3. Your primary cyber security risk is not what you think 4. Cyber security starts and ends with sensitive information ¹Not Waving but Drowning by Stevie Smith ²All I Really Need To Know I Learned In Kindergarten by Robert Fulghum 1

3 My deconstructed view of cyber security Behavior Access Sensitive Information

4 The primary cyber security risk facing organizations today is the misallocation of scarce resources SMARTER ATTACKERS with better resources, better tooling, and more advanced goals. Evolving Threat Actors EVOLVING IT CAPABILITIES from BYOD to cloud to big data have serious impact on the cyber security controls we need and can use. Changing IT Delivery Models CYBER SECURITY RISKS Sensationalized Media Coverage DRUMBEAT OF FEAR, uncertainty, and doubt. Did you read the paper today? Incredible Vendor Claims In 2013, cyber security products and services were a $58bn (USD) market (source: IDC). MARKETING DEPARTMENTS HAVE TAKEN NOTE. 3

5 The evolutionary journey of cyber security capability stumbles forward with most organizations preoccupied with firefighting (i.e. the spin cycle ) Healthcare 4

6 A business-aligned, back-to-basics cyber security approach can help your organization break the spin cycle Most organization s STARTING LINE begins with Implementation attributes instead of focusing on The Basics. The Basics Understanding Planning and Implementation Control Governance People Portfolio, Program and Project Management Business Strategy and Goals Ownership Risk Management Assets Accountability Processes Intelligence Technology Vendor & Supplier Management One Policy (Behavior/Control) Compliance Regulatory Environment Funding & Sponsorship 5

7 Case Study #1: Limited understanding of sensitive data assets and no data ownership Background Exploding data asset population No clear view of data ownership Limited understanding of data sensitivity Result Started with records view first, then BCP view, then? Did not address unstructured data assets Could not agree on data owners ( project failed) The Basics Understanding Planning and Implementation Control Governance People Portfolio, Program and Project Management Business Strategy and Goals Ownership Risk Management Assets Accountability Processes Intelligence One Policy (Behavior/Control) Technology Vendor & Supplier Management Compliance Regulatory Environment Funding & Sponsorship 6

8 Case Study #2: Reactive approach with no teaming and poor communications The Basics Understanding Planning and Implementation Control Governance People Portfolio, Program and Project Management Business Strategy and Goals Ownership Risk Management Assets Accountability Processes Background Spike in attacks against industrial control systems (ICS) CISO office designed new security standards No engagement of IT architecture or ICS engineering Result Vendors did not support new security standards Internal audit issued control finding Project re-start ( attacks continue) Intelligence One Policy (Behavior/Control) Technology Vendor & Supplier Management Compliance Regulatory Environment Funding & Sponsorship 7

9 A few tenets to help avoid the spin cycle 1. Define / identify BUSINESS CRITICAL SYSTEMS and supporting infrastructure 2. Catalog SENSITIVE DATA ASSETS and assess relevant controls 3. Determine KEY VENDORS and their capability / willingness to support (in addition to SLAs) 4. Cyber projects should provide improved DATA ASSET and CONTROL VISIBILITY as key output 5. Cyber projects must produce OPERATIONAL INDICATORS (e.g. compliance) before completion 6. Cyber security is EVERYONE S RESPONSIBILITY - do not neglect governance / communication Top agenda items that break the spin cycle: Privileged identity management Directory services clean-up Vulnerability management Network segregation mapping & tuning Cyber projects typically introduced too early: Data leakage prevention Database security monitoring Security incident and event management 8

10 KPMG s I4 organization developed a cyber security capability maturity model to help clients improve cyber controls on an iterative basis Our model provides a detailed control framework for (i) defining target state; (ii) benchmarking current state; (iii) agreeing cyber investments; and (iv) communicating progress to executive stakeholders. WITHOUT AN AGREED TARGET STATE TAILORED FOR YOUR ORGANIZATION - YOU WILL CONTINUE TO FOCUS ON FIREFIGHTING 9

11 In summary START WITH THE BASICS Agree ownership Understand business goals and strategy Initiate stakeholder outreach Understand regulatory demands Catalog sensitive information assets DEFINE TARGET STATE Revisit / update your target state cyber security control framework Perform gap analysis Prioritize strategic change Engage vendor community ADDRESS TARGET STATE GAPS Understand business and IT project portfolio Align and update project portfolio to include cyber security control framework Consider emerging technology / trends 10

12 Knowledge check

13 Thank you David Remick Partner US Cyber Lead for Life Sciences KPMG US Tel Cell