Changing the game on cyber risk: The imperative to become secure, vigilant, and resilient (Nov 2015; Vikram Rao, Senior Manager, Deloitte & Touche LLP)


Page 1

Changing the game on cyber risk: The imperative to become secure, vigilant, and resilient

Nov 2015

Vikram Rao, Senior Manager, Deloitte & Touche LLP

Page 2

Copyright © 2015 Deloitte Development LLC. All rights reserved.

• Threat actors exploit weaknesses that are byproducts of business growth and technology innovation.

o M&A or corporate restructuring

o New customer service and sales models

o New sourcing and supply chain models

o New applications and mobility tools

o Use of new technologies for efficiency gains and cost reduction

• Perfect security is not feasible. Instead, minimize the impact of cyber incidents by becoming:

o SECURE — Enabling business innovation by protecting critical assets against known and emerging threats across the ecosystem

o VIGILANT — Gaining detective visibility and preemptive threat insight to detect both known and unknown adversarial activity

o RESILIENT — Strengthening your ability to recover when incidents occur

The innovations that drive growth also create cyber risk

Cyber threats are asymmetrical risks

o Small, highly skilled groups exact disproportionate damage

o They often have very targeted motives

o They’re spread across the globe, often beyond the reach of law enforcement

o Threat velocity is increasing

o The window to respond is shrinking

Rather than being a necessary burden, the cyber risk program is a positive aspect of managing business performance.

Page 3

Companies Like Yours (video)

Page 4

Page 5

Executives must set risk appetite, and drive focus on what matters. It starts by understanding who might want to attack, why, and how.

Who might attack?

• Cyber criminals

• Hacktivists (agenda driven)

• Nation states

• Insiders / partners

• Competitors

• Skilled individual hacker

What are they after, and what are the key business risks I need to mitigate?

• Theft of intellectual property or strategic plans

• Financial fraud

• Reputation damage

• Business disruption

• Destruction of critical infrastructure

• Threats to health & safety

What tactics might they use?

• Spear phishing, drive by download, etc.

• Software or hardware vulnerabilities

• Third party compromise

• Multi-channel attacks

• Stolen credentials

• … and others

Cyber Risk Program and Governance

• Governance and operating model

• Policies and standards

• Management processes and capabilities

• Risk reporting

• Risk awareness and culture

SECURE: Are controls in place to guard against known and emerging threats?

• Perimeter defenses

• Vulnerability management

• Asset management

• Identity management

• Secure SDLC

• Data protection

• …

VIGILANT: Can we detect malicious or unauthorized activity, including the unknown?

• Threat intelligence

• Security monitoring

• Behavioral analysis

• Risk analytics

• …

RESILIENT: Can we act and recover quickly to minimize impact?

• Incident response

• Forensics

• BC/DR, Crisis management

• …

Page 6

Page 7

Threat actors and their motives vary by industry and organization

A typical cyber risk heat map for the Insurance sector

[Heat map figure: threat actors (Organized criminals, Hacktivists, Nation states, Insiders / Partners, Competitors, Skilled individual hackers) against impacts (Financial theft / fraud, Theft of IP or strategic plans, Business disruption, Destruction of critical infrastructure, Reputation damage, Threats to life or safety, Regulatory issues). Key: Very high / High / Moderate / Low.]

Notable insights:

• As stewards of troves of personally identifiable information (PII), including claim history, the driving concern is to protect private information to avoid reputation damage associated with breaches.

• For many, compliance concerns are augmented by newer Payment Card Industry and Electronic Protected Health Information (ePHI) requirements.

• Competition drives growing use of mobile, Web-based applications and telematics to provide novel ways of serving customers, introducing new threat vectors to be managed.

• Growing concern about transaction fraud to reroute claims payouts and retirement plan payments.

• Growing use of Big Data analytics to develop risk models, premium pricing models, and set product direction heightens concern about securing centralized data, and the strategic output of analytic processing.

Page 8

Threat actors and their motives vary by industry and organization

[Heat map figure: threat actors (Organized criminals, Hacktivists, Nation states, Insiders / Partners, Competitors, Skilled individual hackers) against impacts (Financial theft / fraud, Theft of IP or strategic plans, Business disruption, Destruction of critical infrastructure, Reputation damage, Threats to life / safety, Regulatory).]

Notable insights:

• Concern has shifted to nation-states, global organized criminal gangs and highly skilled hacktivists or hackers.

• While financial risks are important, senior leaders are more worried about destructive attacks and loss of client / investor confidence.

• Concern about harm not only to individual organizations but also about system risks to the US economy via a concerted cyber attack. Cyber attacks may be a particular risk during times of conventional war or international crisis.

• Cyber dependencies across the ecosystem between financial institutions, critical suppliers, industry partners, etc. introduce high levels of third party risks, insider risks, social media risks, etc.

A typical cyber risk heat map for the Banking sector (key: Very high / High / Moderate / Low)

Page 9

Notable insights:

• There is financial risk tied to failure to comply with North American Electric Reliability Control Critical Infrastructure Protection (NERC CIP) version 5, and other regulations, but greater concern is loss of rate payer and board confidence should systems be breached.

• Hacktivists and nation-state actors could be behind the increase of publicized and unpublicized attacks on Industrial Control Systems (ICS), which are also vulnerable to accidental or intentional damage by business partners and insiders. While vendors have improved software security, fear of destabilizing the infrastructure leads many organizations to lag in keeping software up to date, magnifying the risk level.

• Metering and accounting systems may be vulnerable to tampering, resulting in financial loss.

Threat actors and their motives vary by industry and organization

A typical cyber risk heat map for the Power & Utilities sector

[Heat map figure: threat actors (Organized criminals, Hacktivists, Nation states, Insiders / Partners, Competitors, Skilled individual hackers) against impacts (Financial Theft / Fraud, Theft of customer data, Business disruption, Destruction of critical infrastructure, Reputation damage, Threats to life / safety, Regulatory). Key: Very high / High / Moderate / Low.]

Cyber attacks are increasing, but defenses lag.

• From Oct. 1, 2012 to Apr. 30, 2013, ICS-CERT responded to over 200 incidents across all critical infrastructure sectors, more than had been reported the entire previous year. (ICS-CERT Monitor, April-June 2013)

• In 2012, a researcher identified over 20,000 ICS-related devices directly IP addressable and vulnerable to exploitation through weak or default authentication. (ICS-CERT Monitor Oct.-Dec. 2012)


Page 10

Page 11

What do organizations worry about?

Greater focus on defense against cyber threats

What attack techniques or vulnerabilities concern you the most? *

| Attack technique or vulnerability | Non threat | Very low threat | Somewhat low threat | Average threat | Higher threat | Very high threat | Composite > Average (Higher threat + Very high threat) |
|---|---|---|---|---|---|---|---|
| Social engineering | 0.0% | 6.9% | 10.3% | 20.7% | 31.0% | 24.1% | 55.1% |
| Proliferation of malicious software | 0.0% | 0.0% | 3.4% | 17.2% | 37.9% | 41.4% | 79.3% |
| Phishing and pharming | 0.0% | 0.0% | 3.4% | 24.1% | 44.8% | 27.6% | 72.4% |
| Zombie networks (e.g., bots) | 0.0% | 3.4% | 20.7% | 41.4% | 31.0% | 3.4% | 34.4% |
| Attacks exploiting mobile network vulnerabilities | 0.0% | 13.8% | 27.6% | 41.4% | 17.2% | 0.0% | 17.2% |
| Attacks via mobile devices | 0.0% | 20.7% | 24.1% | 34.5% | 20.7% | 0.0% | 20.7% |
| Exploitation of vulnerabilities in emerging technologies | 0.0% | 10.3% | 20.7% | 37.9% | 27.6% | 3.4% | 31.0% |
| Exploits against insecure software code | 0.0% | 3.4% | 13.8% | 34.5% | 41.4% | 6.9% | 48.3% |
| Attacks exploiting end point device vulnerabilities | 0.0% | 0.0% | 10.3% | 48.3% | 27.6% | 10.3% | 37.9% |
| Advanced persistent threats | 0.0% | 3.4% | 3.4% | 51.7% | 31.0% | 10.3% | 41.3% |
| Zero-day attacks | 0.0% | 3.4% | 10.3% | 48.3% | 34.5% | 3.4% | 37.9% |
| Other | 0.0% | 0.0% | 0.0% | 3.4% | 0.0% | 0.0% | 0.0% |

* Deloitte Survey in Retail Industry

• 69% list increasing sophistication of cyber threats as a top barrier in addressing cyber risk and cyber security challenges.

• The threat actor of greatest concern is the organized criminal; 76% express higher-than-average threat level.

Top attack techniques exploit humans as the weak link

Page 12

Cyber Security Evolved (video)

Page 13

Page 14

Who owns the program, who’s watching, and who is engaged?

Reporting practices suggest governance is still technology-focused

• >75% of CISOs report to the CIO

• Some engage regularly with the Board and the CEO

• The most active oversight is by the CIO (who most CISOs report to)

How frequently are you required to report on enterprise cyber security or cyber risk posture to the following positions? *

| Position | Never | Weekly | Monthly | Quarterly | Annually | Ad-Hoc |
|---|---|---|---|---|---|---|
| External Auditors | 13.8% | 0.0% | 0.0% | 34.5% | 37.9% | 10.3% |
| Board of Directors | 10.3% | 0.0% | 0.0% | 37.9% | 20.7% | 31.0% |
| CEO | 17.2% | 3.4% | 13.8% | 37.9% | 10.3% | 17.2% |
| General Counsel, Legal or Audit Committees | 24.1% | 3.4% | 10.3% | 31.0% | 6.9% | 24.1% |
| CCO, Chief Privacy Officer | 55.2% | 3.4% | 3.4% | 17.2% | 3.4% | 6.9% |
| CIO | 6.9% | 44.8% | 31.0% | 6.9% | 0.0% | 10.3% |
| CTO | 58.6% | 10.3% | 3.4% | 3.4% | 0.0% | 10.3% |
| Chief Marketing Officer | 69.0% | 0.0% | 6.9% | 0.0% | 0.0% | 17.2% |
| Business Stakeholders | 44.8% | 6.9% | 6.9% | 20.7% | 0.0% | 17.2% |
| Other | 20.7% | 0.0% | 0.0% | 0.0% | 0.0% | 3.4% |

Engagement with CTOs, marketing officers, compliance / privacy officers and business stakeholders is weak, relative to how organizations define their program missions.

* These are preliminary indicators. Survey results are not final yet. Survey data may change.

Page 15

Executive sponsorship is the key to success

Every leader has a distinct role to play in driving alignment

CYBER RISK GOVERNANCE

• Board & CEO: Tone at the top, establish senior management accountability and a cyber-aware culture.

• Senior Management (COO, CAO, CRO): Define the organization’s cyber risk appetite and be accountable for cyber risk management. Empower the extended leadership team.

• IT Leadership (CIO): Lead (not delegate) in defining and executing the strategy to become secure, vigilant, and resilient. Establish an effective interaction model with CISO and IT risk officer.

• IT Risk Leadership (CISO / CITRO): Define the right balance between threat-centric vs. compliance-centric programs. Be a business enabler, without shying away from the role of risk custodian.

• Line of Business Leaders: Support integration of cyber risk management into business growth and development activities. Appoint line-of-business risk officers.

• IT DOMAINS (Architecture & Engineering, Infrastructure, Application Development, Security Operations, Other functions…) – Execute on strategy; manage and report on risks. Fully integrate cyber risk management into IT disciplines – design for Six Sigma, not quality control. Integrate current technologies to address the latest threats.

Page 16

Top actions and questions for executives

Key actions you need to own

• Put a senior executive at the helm. He or she must be able to lead in a crisis, and also guide the program and enlist collaboration across diverse functions.

• Map threats to the business assets that matter. Set direction, purpose, and risk appetite for the program. Establish priorities, and ensure funding and resourcing.

• Drive early “wins.” Establish momentum by focusing on pilot initiatives that measurably impact business success. Use these to plant the seeds of long-term cultural change.

• Accelerate behavior change. Create active learning scenarios that instill awareness of the impact of daily activity on cyber risk. Embed cyber risk management goals into evaluation of Top 100 executives.

• Trust but verify. Conduct monthly or quarterly reviews about key risks and risk metrics, and address roadblocks.

Key questions you need to ask

• Are we focused on the right things? Often said, but hard to execute. Understand how value is created in your organization, where your critical assets are, and how they are vulnerable to key threats. Practice defense-in-depth.

• Do we have the right talent? Quality over quantity. There is not enough talent to do everything in-house, so take a strategic approach to sourcing decisions.

• Are we proactive or reactive? Retrofitting for security is very expensive. Build it upfront in your management processes, applications and infrastructure.

• Are we incentivizing openness and collaboration? Build strong relationships with partners, law enforcement, regulators, and vendors. Foster internal cooperation across groups and functions, and ensure that people aren’t hiding risks to protect themselves.

• Are we adapting to change? Policy reviews, assessments, and rehearsals of crisis response processes must be regularized to establish a culture of perpetual adaptation to the threat and risk landscape.

Page 17

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

Copyright © 2015 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited

Page 18

DRAFT – For Discussion Purposes Only

Resume

Vikram Rao, CIA, CISA, CISSP, CRMA, PMP

Senior Manager, Deloitte & Touche LLP

Tel: +1 617 437 3950

Email: [email protected]

Vikram is a Senior Manager in Deloitte’s Advisory Business with over 11 years of experience. He has deep experience providing Technology Risk Services to a variety of industries. Within Technology Risk, Vikram is part of Deloitte’s Cyber Risk Services practice, which helps clients to be Secure, Vigilant, and Resilient in the face of an ever increasing array of cyber threats and vulnerabilities. He has successfully executed several cyber risk strategy, governance, and implementation engagements for Fortune 500 companies to strengthen their security posture and help them enable their business. Vikram has deep knowledge and experience that covers the breadth and depth of information and technology risks. In addition, Vikram also has experience in Internal Audit, Risk & Compliance Assessments & Remediation, including project management.

During his career at Deloitte, Vikram has served a number of large global Fortune 500 clients in various industries. Vikram led the Greater Boston Chapter of the IIA in 2013 as President and currently sits on its board. His certifications include CISSP, CISA, CIA, CRMA and PMP. Before joining Deloitte, Vikram worked in the IT industry as a computer engineer. Vikram has a Bachelor’s in Computer Engineering and a Master’s in Systems Science.