www.pwc.com/me Cybersecurity Session IIA Conference 2018
Wael Fattouh, Partner, PwC Cybersecurity and Technology Risk. PwC 2
"There are only two types of companies: those that have been hacked, and those that will be." Robert Mueller, FBI Director, 2012
What comes to mind when we think of cyber security?
But can firewalls, anti-virus software and a well-designed network architecture protect you against threats arising from recent IT trends?
Trends of 2018: Fintech, Internet of Things, self-driving cars, smart cities, facial recognition, bots, operational technology, drones.
Dyn was attacked by 100,000 hacked devices; the attack strength was estimated at 1.2 Tbps, and it brought down Twitter, the Guardian, Netflix and Reddit. Punjab National Bank earlier this week announced that it had been the victim of a $2 M hack.
So what do you think?
Still think this could protect you? Nowadays security looks more like this:
[Chart: security programme capability heat map. Domains shown: Asset Management; Cyber Security Operations; Identity and Access Management; Change Management; Governance; Patch Management; Cyber Defense Management; Governance, Risk and Compliance; Application Security; Analytics; System Management; Staffing, Training, Roles and Responsibilities; Threat Intelligence; Threat and Vulnerability Management. Legend: fully implemented / partially in place / not in place; recommended FTE versus current FTE; tools with staff who have received formal training; tools with defined roles and responsibilities; currently implementing / not applicable.]
It's a strategy. It's your blueprint. Having the right resources to manage technology. The ability to quantify technological capabilities.
Why has cyber security become so complicated and expensive? Because hacking has become so easy and cheap, and it's only getting easier.
Cybersecurity & privacy: a growing challenge. [Diagram: cybersecurity & privacy at the centre, surrounded by pressures from economic, environmental, industry/competitors, regulatory, customer, suppliers, global consumer, service providers, legal, JV/partners, geo-political, technology and socio-political factors.] *Source: PwC's 2016 Global State of Information Security Survey.
Who is attacking you? (Adversaries range from opportunistic to targeted.)
Nation State. Motives/targets: trade secrets, sensitive business information, emerging technologies, critical infrastructure, public and government systems and services. Resources: enormous resources; focus on result rather than cost.
Terrorists. Motives/targets: critical infrastructure. Resources: considerable amount of resources; potentially large network of supporters.
Organized Crime. Motives/targets: financial/payment systems, personally identifiable information, payment card information, protected health information. Resources: a business driven by profit/loss.
Vandals. Motives/targets: fame, reputation. Resources: minimal financial resources.
Hacktivists. Motives/targets: corporate secrets, sensitive business information, information related to key executives, employees, customers & business partners. Resources: minimal financial resources.
So what can we do?
Know your role. Senior Management; Board/Audit Committee.
1st line of defense: functional and line management are responsible for operationalizing risk management and internal controls.
2nd line of defense: risk management and compliance functions are responsible for establishing and monitoring policies and standards.
3rd line of defense: internal audit is responsible for providing objective assurance and advice on governance, risk, and compliance.
External audit and regulators can be placed in a fourth line of defense outside the organization. IA has the unique ability to effectively coordinate across the first and second lines!
Focus on adding value: be strategic; educate and inform; comprehensive risk; trusted advisor; value add; relevant capabilities; dynamic plans; relevant advisory reviews.
IT Risk, Cybersecurity & Privacy Audit Universe (examples)
Change Management and Computer Operations: program/system change controls; SDLC & project management; pre-implementation reviews; data conversions or system migrations; capacity monitoring & management; outsourcing & vendor management; disaster recovery / business continuity.
IT Cybersecurity and Technical Reviews: vulnerability assessment and penetration testing; security architecture; platform or OS security; database security; identity & access management; privileged access / break-glass controls; network security; remote access security; security patch management; threat & vulnerability management; data center physical security & environmental controls; cyber security / cyber threat & incident management; security & privacy breach / incident response.
IT Governance: risk assessments; strategy; framework; GAP analysis; awareness training; review of policies and procedures.
Compliance: application control assessment; third party and vendor risk management; data inventory; continuous monitoring process.
Data Privacy: data privacy & compliance with privacy laws/regulations; data governance; data loss prevention; M&A privacy due diligence and compliance; privacy training and awareness; privacy policy compliance; privacy by design projects & initiatives; privacy impact assessments.
IT Security and Applications: application key controls; ERP systems (e.g. Oracle); segregation of duties; end user computing.
Build your Cyber Confidence. Priorities: you can't secure everything. Risk: knowing is half the battle. Crisis: it's not if but when. Connections: their risk is your risk. Technology: fix the basics. People: people matter.
Cyber Conversations
Engaging with the Leadership: obtaining leadership-level and executive-level support for security initiatives is imperative to maintain an effective security program.
Third Party Vendors & Cloud Computing: while risks associated with third parties and cloud computing continue to increase, these conversations are becoming more critical to have.
Insider Threats: organizations need to focus on the insider threat along with the cyber threat.
Cyber Threat Intelligence: cyber security will have to integrate all threat intelligence sources in a state of perpetual analysis to enhance and safeguard the organization's operations.
Incident Response Management: the organization needs to focus on creating a comprehensive Incident Response Management Program and conducting periodic cyber scenario testing.
Threat & Vulnerability Management: there is a critical need to stay informed about the constantly changing threat environment.
Privacy & Data Protection: plan and prepare in order to improve privacy management as it relates to employee and customer information.
Big Data Analytics for Cybersecurity: the organization needs to learn to assess and mitigate the risks, along with using big data to enhance threat intelligence mechanisms.
Mobility & Social Media: mobile devices, mobile applications, social media, and accelerated product life cycles are just the latest contributors to risk in any organization.
Competitive Advantage: leverage security and privacy programs as market competitive advantages through the issuance of SOC 2 and other client-facing reports.
Final Thoughts
You play a leading role in the risk conversation; be pro-active and be strategic.
Technology audit is not an assignment, it's a strategic part of your function; use it effectively.
The growing technology needs of the organization mean a growing need for a technology-confident IA function.
Ask the hard questions. You don't have to be an IT professional to have technology conversations.
Be ready for a day when there is no distinction between technology and non-technology audits.
Questions and comments. Key contact: Wael Fattouh, Partner, Cybersecurity and IT Risk, PwC Middle East. Email: Wael.fattouh@pwc.com. Mobile: +966 547 533 883. © 2016 PricewaterhouseCoopers. All rights reserved.