CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY

Transcription

1 CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY

2 INTRODUCTION Information security has evolved. As the landscape of threats increases and cyber security 1 management becomes more complex, CISOs, security committees, executives and boards of directors are demanding meaningful information for decision-making. However, cyber security stakeholders face significant challenges identifying, obtaining, processing and aggregating key information that enables them to steer towards defined targets effectively, and ultimately be in better control of their organisation s cyber security. In practice, the responsibility for cyber security is often distributed amongst different organisational areas as is the relevant information. In addition, the range of activities related to cyber security is so broad that it is not easy to identify the key elements that indicate how cyber security is contributing to (or even preventing) the achievement of the business s goals. And, as if that isn t enough of a challenge, the highly technical, specialist origins of cyber security often result in highly technical, specialist sets of information that, although essential for operational activities, are not valuable for high-level, business decision-making. The good news is that complexity, interdependency, specialisation and large quantities of information are not new challenges for the business world. As mentioned in our publication The five most common cyber security mistakes, KPMG approaches cyber security as business as usual an area of risk that requires the same level of attention as fraud. And in the same way that other business areas are monitored and measured, cyber security can be monitored and measured with the support of dashboards that display the right key performance indicators (KPIs). 1 Cyber Security is the endeavor to prevent damage by disruption, outage or misuse of IT and, if damage does occur, the repair of this damage. The damage may consist of: impairment of the reliability of IT, restriction of its availability, and the breach of confidentiality and/or the integrity of information stored in the IT system. (Source: National Cyber Security Strategy ). 2 FEEL FREE Cyber Security Dashboard

3 WHY A CYBER SECURITY DASHBOARD? In short, a Cyber Security Dashboard will help you steer your organisation towards the desired cyber security position, while providing answers to key questions often raised by executives. Examples of these questions are: BOARD OF DIRECTORS What is the status of our cyber resilience capabilities compared to the current and expected threat level? What is the impact that cyber security risks have on our strategy? How do our measures and investments compare to the rest of our sector? Are we compliant with the relevant cyber security and related regulations? Are we in control of cyber security in the value chain? CIO What are the key drivers in cyber security risk management and how are they developing? What is the status of our preventative capabilities, as related to cyber security? What is the status of our detective and reactive capabilities, as related to cyber security? What is the status of the compliance framework? What were the root causes and actions taken in relation to the high-impact incidents in the last period? FEEL FREE Cyber Security Dashboard 3

4 When adequately designed and implemented, Cyber Security Dashboards also provide: INSIGHT into the overall state of cyber security, as related to business targets. This allows for improved decision-making and better control of cyber security; FOCUS on what is important for the business. Cyber security efforts should be balanced between business risks and opportunities. Nevertheless, it is easy to lose focus when the information available is too spread, detailed or technical to provide a consistent overview; COMMUNICATION & AWARENESS. Business executives and boards of directors are demanding relevant information, while cyber security professionals are trying to raise the awareness of executives and boards of directors. A Cyber Security Dashboard provides a means of communication that facilitates awareness of major areas of concern from both perspectives: cyber security and organisational goals; STANDARDISATION AND EFFICIENCY, particularly across regions and functional units within large organisations. As mentioned earlier, the responsibility for information security is often scattered, with local or regional security officers often interpreting, customising and implementing policies that are usually defined at corporate level. This sometimes results in nonstandard reporting formats, increasing the time required to compile and produce aggregated reports, as well as the work required to interpret them. Depending on the specific purpose of the dashboard, some benefits may be more prevalent than others; in any case, the dashboard will contribute by providing an overview of the main information needed to control cyber security and make decisions that further the business objectives. But what information should a Cyber Security Dashboard display? In the same way that each organisation has a unique strategy, culture and maturity, it has unique cyber security information needs. Through a combination of research and our extensive experience, KPMG has identified six key areas of focus that provide a comprehensive overview of cyber security. 4 FEEL FREE Cyber Security Dashboard

5 THE CYBER SECURITY DASHBOARD FOUNDATION: SIX AREAS OF FOCUS The areas of focus serve as the foundation for identifying the most relevant measures to be considered on a company s dashboard. They cover the core areas of cyber security: risks, compliance, incidents, awareness & culture, threat level and key cyber security projects in development. PROJECTS - Impact on risk reduction - Progress - Cyber Security Maturity RISKS - Benchmark with peers - Coverage - Top risks - Others AWARENESS & CULTURE - Learning scores - Training coverage - Incidents and other violations associated with awareness AREAS OF FOCUS COMPLIANCE - External - Internal - Readiness THREAT LEVEL - External - Internal INCIDENTS - Statistics - Incident Management - Benchmark with peers FEEL FREE Cyber Security Dashboard 5

6 CYBER SECURITY RISKS Cyber security management and business decisionmaking are closely related to risk management. Executives and board members need to understand and monitor the cyber risks that may hinder the organisation s ability to achieve its goals. These risks are represented by key risk indicators (KRIs) that are directly derived from the organisation s strategy. For example, if a retail company s strategy is to grow through increased revenue and market share on e-commerce channels, then the downtime of online shopping sites directly affects the realisation of the strategy, becoming a KRI. Another perspective on risk may be provided via benchmarking. Executives often want to know their organisation s status compared to industry peers or best practices. Benchmarks related to organisational maturity levels and framework compliance are available in the marketplace. Likelihood TOP 10 RISKS 6 5 R3 R8 4 R4 R6 R R9 R5 R10 R7 R Impact Top Risks RISK DESCRIPTION LEVEL TREND COMMENTS R1 LOSS OR ALTERATION OF INTELLECTUAL PROPERTY Very High Existing system does not allow control of administrators. Analysis for change of system in progress. R2 SENSITIVE COSTUMER DATA DISCLOSURE Medium Inventory of repositories is at 80%. Identified repositories are compliant with risk apetite. R3 UNAVAILABILITY OF ONLINE SALES CHANNELS High Penetration test identified severe vulnerabilities in configuration. Changes in progress. R8 STRATEGIC INFORMATION LEAKAGE Very High Increased impact with new business project. IT acquisition and awareness trainings in process. R7 FINANCIAL FRAUD Medium Recent audit findings identified failures in user management processes. Changes in progress. Benchmark Security Forum Control Framework 2014: second quartile 6 FEEL FREE Cyber Security Dashboard

7 COMPLIANCE In practice, one of the main drivers of cyber security is compliance. Typical requirements that organisations need to comply with include laws, regulations and contractual demands from business partners, suppliers and customers. Failing to comply may result in substantial fines, termination of contracts with strategic partners or customers and, ultimately, suspension to operate. Furthermore, as threats increase and customers demand higher levels of data protection, new compliance requirements are continuously emerging. Being able to proactively monitor your organisation s readiness to meet coming requirements may allow for a more timely and cost-effective compliance strategy. Overall Maturity per Requirement (Europe) Other ISF Current Target DNB PII Internal Framework ISO CYBER SECURITY INCIDENTS Incidents do happen, and we need to react to, and learn from them. Analysis of information security incidents often provides business stakeholders with an additional perspective on risk levels, making it highly valuable. Usual measures of interest are general statistics on severe incidents such as the number, business impact and source; benchmarking with industry peers; and elements associated with the effectiveness of the incident management process, such as average incident detection/response time. Impact of incidents per category of threats (in millions) Error Physical theft/loss Insider Misuse Social Malware Hacking FEEL FREE Cyber Security Dashboard 7

8 AWARENESS & CULTURE As important as awareness is, measuring it objectively poses a significant challenge. Current social and technology trends are forcing organisations to become more reliant on end-user behaviour to protect information. Telecommuting and bring-your-own-device are common practices worldwide, making information readily available almost everywhere, and more difficult and expensive to protect. Cyber security awareness aims to develop specific behaviours in employees, contractors and other parties that process or use the organisation s information. The main objectives are to reduce risks related to human error, as well as the time required to identify incidents and violations. There is no single metric that accurately and objectively assesses people s level of understanding, or their expected reaction should a cyber security situation arise. This is why KPMG approaches this dimension from two perspectives: KPMG measures behaviour by looking at 8 soft controls: clarity of rules; exemplary behaviour; practicability; involvement; visibility; organizational openness; peer Openness and enforcement. Being able to determine and compare security awareness levels between business units and regions supports decision-makers in prioritising resources and activities. Awareness Current Target Enforcement Response Clarity of Rules 100% 80% 60% 40% Exemplary Behaviour Prevention training what is the company doing towards culture development and actual behaviour what is the result of those actions. Peer Openness 20% 0% Practicabillity Indicators in training are usually related to coverage of the target audience and scores on assessments such as e-quizzes or surveys. Organizational Openness Involvement Detection Visibility 8 FEEL FREE Cyber Security Dashboard

9 AWARENESS KEY SECURITY PROJECTS/INITIATIVES Knowing the progress and general status of the major security projects is essential to cyber security management. Furthermore, executives want to be able to assess the potential impact of these projects on cyber security posture, the potential constraints they may pose to target achievement, and whether actions are required to guarantee alignment with business objectives. THREAT LEVEL Modern cyber resilience is based on threat intelligence. The better an organisation understands its threat environment, the better it can prepare and 0 respond to it. 100 Threats in the cyber landscape include nations, activists, organised crime, the competition 70 and the organisation s insiders, amongst others. By gathering and analysing data from internal and external - No sources, recent incidents and identifying their implications in your - Positive own environment, scores test it (Q3-2013) is possible to obtain an overview of a general threat level that can be used as a point of reference. Threat level Key cyber security projects/initiatives Project Division Status vs. target IRM Cyber Security Governance Outsourcing review ISO Certification Awareness EMEA EMEA ASIA AMERICAS ALL Progress vs. plan No discernible activity with a moderate or severe risk rating. Source: ThreatCon These areas of focus are not exhaustive, but they cover the key areas KPMG has found to make the difference in controlling cyber security. The goal is to identify the areas that better fit your organisation s current and future business needs and include them as part of the dashboard. It is possible that additional topics, such as costs and budget-related indicators also need to be considered, but at the end, what matters is that the selected elements actually contribute to business decision-making, respond to the audience s needs and are aligned with the company s current security practices. FEEL FREE Cyber Security Dashboard 9

10 STRATEGIC APPROACH TO A CYBER SECURITY DASHBOARD Defining and implementing a dashboard is a challenging project. Difficulties commonly found on the way include selecting the dashboard elements that will support decision-making, unforeseen impacts on operational and tactical processes, and complex data sources sometimes dependent on third parties. This is why KPMG has developed a strategic, phased approach: by incrementally defining and constructing the dashboard, requirements are constantly refined, while enabling optimal management of investment and creating situational awareness of the target audience. The dashboard is built in two main phases, so from the beginning the benefits are tangible: first the reporting elements & prototype are defined, and then the dashboard is automated and embedded in the processes. REPORTING ELEMENTS & PROTOTYPE DEFINITION INITIAL DESIGN PROTOTYPE Identification of key stakeholders and their needs Design prototype Assessment of delivery capabilities Evaluation and refinements DETAILED DESIGN Develop dashboard growth model Build business case DASHBOARD IMPLEMENTATION & AUTOMATION PROOF-OF- CONCEPT BUILD DASHBOARD Build PoC Phased approach for dashboard development Evaluate PoC Implementation and embedding per phase TRAINING & SUPPORT Training of users and administrators Establish organisation for support and enhancements 10 FEEL FREE Cyber Security Dashboard

11 The initial design should be balanced against what we refer to as delivery capabilities, in other words, elements within the organisation that enable the desired outcome. Examples of these capabilities are the organisation s maturity, management support, internal processes, and available data sources and technology. Delivery capabilities often pose important challenges for the project. For example, a data source may seem reliable and comprehensive, but later on it can be found that the data only covers a low percentage of the target population, or that the originating process is highly prone to human error. Once the initial design is finalised, a prototype is built. The prototype allows for validation of the initial requirements, and results in design and metric adjustments. The subsequent two stages focus on the development of a proofof-concept that will determine whether the organisation is ready to build the dashboard, provided a growth model and a business case. After the proof-of-concept has been positively evaluated, the dashboard is developed. This is achieved by following a phased approach that allows for gradual embedding in the internal processes. During this stage, common challenges relate to stakeholder management and dashboard embedding, since certain (parts of) processes may require changes to successfully incorporate the tool. Finally the transition activities take place, including training, implementation of the support scheme, and update and expansion processes. FEEL FREE Cyber Security Dashboard 11

12 CONCLUSION Strategic Risk 4 Measuring and reporting on cyber security to the strategic level is not an easy task. Most existing security metrics focus on operational and technical aspects, while executives are demanding high-level, meaningful businessrelated information. In addition, the delegation of cyber security activities to local/regional security officers often results in non-standardised reporting, hindering in turn decision-making processes. Impact R5 R3 R2 R1 R4 The end result may look simple but to deliver and successfully embed a reliable Cyber Security Dashboard requires skills and experience in many diverse areas, during each of the development phases. A strategic approach to the definition of a Cyber Security Dashboard helps your organisation steer on key focus areas, create situational awareness, standardise reporting practices, align cyber security with the business and improve the control over cyber security activities Chance Maturity 3,5 3,0 2,5 2,0 1,5 1,0 0,5 0,0 IT Health Finance Administration HR Risk Marketing Treasury Industry 12 FEEL FREE Cyber Security Dashboard

13 Strategic Projects Key Incidents CMDB setup project 4 External penetration test 3 Hiring SOC personnel Information security plan 2015 Internal vulnerability scanner Occurance % ,000 10,000 Impact % Status vs. Target % Target vs. Plan Denial of Service Misc. Errors Unknown Insider Misuse Physical Theft Compliance Threat Level Requirement Category Current level Current level COBIT 75% 80% 80% Competitors 3 DNB (banks) 90% 90% 20% Cyber Investigators 2 Internal Framework 60% 30% 10% Cyberpunks and scriptkiddies 4 ISF 60% 60% 60% External consultants 2 ISO % 65% 65% Hacktivists 1 SANS 70% 70% 65% Internal employee 4 SOx 70% 90% 90% Organized cyber criminals 4 States 2 FEEL FREE Cyber Security Dashboard 13

14 WHY KPMG? The Cyber Security Dashboard is one component of KPMG s Global Cyber Transformation Service[s]. Our vision is to make cyber security an integral part of your business through: EXPERIENCE We understand the business and know about cyber security. We have supported organisations in diverse industry sectors in developing Cyber Security Dashboards, and have identified key information and metrics that strategic stakeholders are looking for; INTEGRATED APPROACH We bring together specialists in information protection, risk management, organisational design, behavioural change and intelligence management. These combined skills are utilised to tailor a solution relevant to your risk appetite and the cyber threats your organisation faces; END-TO-END VISION We do not just display data on a dashboard but also analyse the related processes and identify potential areas of improvement. By analysing the dashboard audiences and their activities, we develop the dashboard accordingly. Assistance is provided with embedding the dashboard within existing processes and leveraging it to further the organisation s capabilities; DATA RELIABILITY KPMG is an audit firm. We look for reliable data. We challenge the data sources and assist in taking the steps required to make it accurate, complete and, ultimately, suitable for decision-making. 14 FEEL FREE Cyber Security Dashboard

15 FEEL FREE Cyber Security Dashboard 15

16 Contact John Hermans Partner Tel: Dennis de Geus Director Tel: Koos Wolters Director Tel: kpmg.com/nl/cybersecurity, registered with the trade register in the Netherlands under number , is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. The name KPMG, logo and cutting through complexity are registered trademarks of KPMG International. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.