Improving the effectiveness of cyber security – controlling people, process and technology 10 April 2014.

Presentation transcript:

Improving the effectiveness of cyber security – controlling people, process and technology 10 April 2014

You could be under cyber attack — now! Today’s cyber threats

Under cyber attack: EY’s Global Information Security Survey. The survey was structured to explore three areas: Improve, Expand and Innovate.

[Chart slide: survey response categories (Know / Don’t know; Proactive / Reactive; Awareness / Behavior) mapped against the Improve, Expand and Innovate stages.]

Improve. Expand. Innovate. Today’s cyber threats

Improve: For many organizations, this is the current state. Over the past year, organizations have made substantial progress in improving their defences against cyber attacks. Yet their position remains reactive, addressing the threats they know, but not seeking to understand the threats that may be just around the corner.

Expand: Leading organizations are taking bolder steps to combat cyber threats. They are more proactive in determining both the known and unknown risks within their security programs. However, there remains room to expand security measures.

Innovate: Organizations aspiring to be information security innovators need to set their sights on new frontiers. These organizations need to continuously review, rethink and potentially redesign their entire information security framework in order to be better prepared. In many cases, innovating may require a fundamental transformation of the information security program to proactively fortify against both the known and the unknown risks in the cyber risk environment.

Everyone and every organization is a target. Certain circumstances can further significantly challenge data security and privacy:
- M&A
- Entering new markets
- New product launch
- Front page news
- Major organizational change
- Audit responsibility

Under cyber attack: EY’s Global Information Security Survey. Knowing that an attack will inevitably occur sparks improvements. Our survey indicates that many organizations recognize the extent and depth of the threats they face — from the top of the organization to the shop floor. For nearly three quarters of organizations surveyed, information security policies are now owned at the highest organizational level.

Under cyber attack: EY’s Global Information Security Survey. [Chart slides: survey results; no transcribed text.]


Beating cybercrime by transforming the security program and improving business performance. Five questions for the C-suite:
1. Do you know how much damage a security breach can do to your reputation or brand?
2. Are internal and external threats considered when aligning your security strategy to your risk management efforts?
3. How do you align key risk priorities in relation to your spending?
4. Do you understand your risk appetite and how it allows you to take controlled risks?
5. How does your IT risk management strategy support your overall business strategy?

Identify the real risks

Questions to ask:
- What is your organization’s risk culture?
- Are you detecting and monitoring threats inside and outside the organization?
- Have you anticipated new technology risks, such as mobile devices, social media and cloud computing?

Conventional thinking:
- Budget and organize a security program focused primarily on meeting immediate compliance needs.
- Protect the perimeter and keep external threats out.
- Focus on entry points, not exit points.
- Reactive, internally focused posture leads to constant firefighting mode addressing the latest threat or incident.

Leading thinking:
- Define the organization’s overall risk appetite and how information risk fits.
- Identify the most important information and applications, where they reside and who has/needs access.
- Assess the threat landscape and develop predictive models highlighting your real exposures.

Protect what matters most

Questions to ask:
- Have you considered automating security controls?
- Are you using predictive indicators to analyze seemingly legitimate network activity?
- Are your resources focused on emerging threats?

Conventional thinking:
- Security program budget and organization focused primarily on meeting immediate compliance needs.
- Set goal and expectation to stop all attacks and threats.
- Disproportionate focus on maintaining lower-risk/lower-value security activities.
- User access and roles are set up based on the last employee hired.

Leading thinking:
- Develop a security strategy focused on business drivers and protecting high-value data.
- Assume breaches will occur — improve processes that plan, protect, detect and respond.
- Balance fundamentals with emerging threat management.
- Establish and rationalize access control models for applications and information.

Optimize business performance

Questions to ask:
- Are you balancing spending money among key risk priorities?
- Have you investigated the latent functionality of your existing tools?
- Are you outsourcing any of your information security?

Conventional thinking:
- Various security aspects exist in silos and are driven by compliance only.
- Largest portion of security budget goes to technology solutions.
- Fear of outsourcing anything security-related due to perceived loss of control. This results in the inability to focus on emerging technologies, new threats and new business initiatives.

Leading thinking:
- Align all aspects of security (information, privacy, physical and business continuity) with the business.
- Spend wisely in controls and technology — invest more in people and processes.
- Consider selectively outsourcing operational security program areas.

Sustain an enterprise program

Questions to ask:
- Are you taking controlled risks rather than striving to eliminate risks altogether?
- Are your key indicators trailing or leading?

Conventional thinking:
- Security viewed as a sub-function of IT with little top management visibility.
- Security program budget and organization focused on meeting immediate compliance needs.
- Security metrics and reporting focused on historic trends. Inordinate time spent on reacting to major incidents.
- Inherent security risk drives priorities. Lack of a balanced risk view based on the overall acceptable risk appetite.

Leading thinking:
- Get governance right — make security a board-level priority.
- Allow good security to drive compliance, not vice versa.
- Measure leading indicators to catch problems while they are still small.
- Accept manageable risks that improve performance.

Enable business performance

Questions to ask:
- Do all of the organization’s stakeholders understand the importance of information security?
- Is your organization up to date with the new technologies hitting the workforce?
- Does your organization have the right measures to create a scorecard on information security at the enterprise level?

Conventional thinking:
- Security viewed as merely a function of the security team.
- Ban emerging technologies (social media, mobile) until they are mature.
- Program focused on perimeter and access management, not on all IT processes or all enterprise information (e.g., business unit, cloud and end-user computing).
- Security metrics are backward-looking and tactical and not linked to goals, outcomes or strategic business drivers.

Leading thinking:
- Make security everyone’s responsibility.
- Don’t restrict newer technologies; use the forces of change to enable them.
- Broaden the program to adopt enterprise-wide information risk management concepts.
- Set security program goals/metrics that impact business performance.

Framework to enable your security program to address business needs

Georgi Dimitrov, CISA, CISM, MCSE, MCSA
Contact details: georgi.dimitrov@bg.ey.com