Cyber Security: from threat to opportunity

Transcription

1 IT ADVISORY Cyber Security: from threat to opportunity From threat to opportunity / Cyber security / 1

2 FOREWORD OPPORTUNITY-DRIVEN CYBER SECURITY Cyber security (also known as information security or information protection) is a key theme in today s business reality. Now that the success of many organisations has proven to be dependent on digital assets, it would be easy to elaborate only on cyber security threats. The question is: does focusing on fear, uncertainty and doubt really help your organisation to move any further along in this area? 1 COMPETITIVE ADVANTAGES Let there be no misunderstanding: we believe it is of the utmost importance to be adequately protected against cyber threats. These threats create cyber risks that organisations need to manage as part of their enterprise risk management - in order to have a licence to operate. But it is time to look at cyber security from a different angle. Organisations should start looking at cyber security as an opportunity that will add extra value to a company s products and services. John Hermans Partner, KPMG Risk Consulting We are convinced that making the right decisions when it comes to cyber security can result in a competitive advantage. Being well prepared means that organisations can prepare for innovations and new market opportunities better than competitors can. Such organisations will also earn more trust from customers and other stakeholders. Examples of this potential for a competitive advantage: Organisations that can assure their customers, stakeholders and employees that their information is properly protected are more trustworthy in the eye of the public; Governments and large corporates demand confidence in information management and use it as a qualifier for contracts and/or partnerships; Better cyber security results in lower costs arising from IT failures; Visible compliance with privacy regulations strengthens the brand reputation. To unlock this potential we need a holistic, intelligence-led, and partnership-based approach aimed at building a cyber-resilient organisation. 2 / Cyber security / From threat to opportunity From threat to opportunity / Cyber security / 3

3 In an ideal world, the following statements summarise the roles and responsibilities that each person in an organisation must assume with regard to cyber security. Following a wave of high-profile incidents, cyber security is no longer seen as just an IT issue. It is increasingly becoming a topic for the executive board. The Chairman Cyber security is a standing agenda item for the board. We have a robust cyber security strategy in place, regularly review our threat landscape and hold our executives accountable for their responsibilities. The CISO We effectively manage information risks within the organisation together with our delivery and supply partners. We know where our critical data is stored and who has access to it. Risk & Legal Our regulatory and international certification standards are relevant and up to date. We know about the latest fines and consequences for data breaches. The CEO We are prepared to deal with security events. Should hackers claim success via the media, we can demonstrate that we have not been subject to a breach. The Chief Operating Officer on operations and external suppliers We are aware of the safeguards required when adopting new business models such as outsourcing, offshoring and cloud services. Cyber security is an integral part of our procurement process. The CIO on IT development and IT operations All new systems, products and services are developed using secure-by-design principles. Effective monitoring in the value chain helps us to identify risks and minimise the impact of compromise. Audit commitees and Performance functions Monitoring and reporting our organisational Monitoring and reporting our organisational status quo and areas of cyber security enables us to instil confidence. The Head of Human Resources Throughout our organisation, people have the awareness, skills and knowledge to minimise cyber risks. We vet our contractors and carefully manage our induction and exit process. The Chief Financial Officer We have made targeted investments in cyber security, taking the value of our assets, our vulnerabilities and the changing threat landscape into account. 2 CLEAR RESPONSIBILITIES 4 / Cyber security / From threat to opportunity From threat to opportunity / Cyber security / 5

4 3 INTERLINKING BUILDING BLOCKS KPMG s approach towards cyber security paints a picture of how cyber security is and should be embedded in the organisation, looking at all the building blocks required for a resilient organisation and how these interact. Economic Technological Changing Threat Landscape Market Market Legal Under what circumstances could security throw a spanner in the works when it comes to realising my business strategy? And what does it take for my organisation to prevent such risks from materialising? Effective cyber security measures help organisations to better reach their strategic goals. In short, when is my organisation sufficiently resilient? echnological evelopments Changing Threat Landscape KPMG has developed an integrated approach to help you answer these questions and develop the desired security operating model Leadership and governance Board demonstrating due diligence, ownership and effective management of risk. Information risk management Market Legal The approach to achieve comprehensive and effective risk management of information throughout the organisation and its delivery and supply partners. Human factors The level and integration of a security culture which empowers people with the right skills, knowledge and responsibility. Leadership and governance Information risk management Human factors Leadership and governance 4 5 Business operations and technology. The level of physical and digital security measures implemented to address identified risks across the information value chain and to minimise the impact of compromise. This includes the development of new products, processes and services, IT operations and third party management. Business continuity and crisis management Preparations to detect and address security events and the ability to prevent or minimise its impact. Business operations and technology Business continuity and crisis management Information risk management 6 Legal and compliance Regulatory and international certification standards as relevant. Legal and compliance Human factors 7 Monitoring and reporting The Board of Management getting the management information needed to effectively govern cyber security across the organisation and to effectively drive the strategic security risks. Monitoring and reporting 6 / Cyber Security security / From threat to opportunity From threat to opportunity / Cyber security / 7

5 4 FROM AD HOC RESPONSES TO INTELLIGENCE-BASED FOCUS Resilient enterprise The enterprise has incorporated cyber resilience through its value chains, implemented cyber security measures based on strategic threat and vulnerability assessments Rome wasn t built in a day and neither is it possible to create a resilient organisation overnight. The challenge is to place the right focus on the different building blocks in the right order. Together we tailor an approach which will guide your organisation through the various maturity levels to reach the desired end state as efficiently as possible. In today s rapidly changing world an intelligence-led way of working is the key to ensuring the real threats to the organisation are known and addressed. Dynamic defence Predictive and agile, the enterprise instantiates policy and implements measures in its processes and procedures KPMG has the expertise and experience to develop a cyber security roadmap tailored to your organisation. This roadmap shows when and how to focus on the different building blocks and which targeted investments are needed to build an intelligence-led resilient organisation. Tools-based Applying tools and technologies piecemeal to assist people in reacting faster Integrated picture Loosely integrated with a focus on interoperability and standards, initial situational awareness Our four step approach to determine the security operating model needed to support your business strategy: 1. Obtain a solid understanding of the organisation s strategy 2. Determine the security operating model & maturity level needed to achieve the strategic goals 3. Assess the current level of security maturity of each building block Reactive & manual People unquestioningly following doctrine and doing their best to put out fires 4. Develop a tailored action plan for each building block 8 / Cyber security / From threat to opportunity From threat to opportunity / Cyber security / 9

6 5 OUR SERVICES KPMG can help you understand your current state of preparedness against cyber attacks and assist you in closing any gaps. Whether from a governance, people, process or technology viewpoint, our services can help you improve your state of preparedness. To achieve that, we have developed KPMG s Cyber Security Framework consisting of four major phases: Phase 1: Prepare Prepare Developing an approach tailored to your specific organisation and ambitions CYBER Integrate THREAT INTELLIGENCE TRANSFORMATION Protect Everyone can go off and buy security solutions, but wouldn t it be much better if someone listened to your concerns, views and questions? Someone who helps you to complete the picture of threats and opportunities? The prepare phase of KPMG s Cyber Security Framework helps our clients to develop a cyber security strategy tailored to their specific business settings and ambitions. The secret to success is to gain deep insights into your business strategy and understand which processes and/ or systems represent the greatest assets from a cyber security perspective. It is also important to get clarity on how much risk you are willing to take in relation to these processes and/or systems (risk appetite). It is essential to focus on the right areas. To ensure we do this, we start by jointly determining the strategic security risks of your organisation. The central question: where can a lack of security throw a spanner in the works when it comes to the realisation of your business strategy? This marks the starting point of this tailored approach. KPMG has developed a complete model showing the different maturity levels and what to do to achieve them. Using this model we can quickly help you design a tailored plan to achieve the desired level of security maturity and bring risks back to an acceptable level. KPMG can help your organisation in: Cyber security awareness: demonstrating to your stakeholders (e.g. via cyber gaming) what cyber security is all about; Security governance: developing or assessing the governance model needed for effective cyber security. Verify its alignment within the three lines of defence model; Risk management methodology: developing a methodology that will facilitate security risk management within the organisation; Cyber maturity assessment: painting an integral picture of the cyber state of your organisation with our cyber maturity assessment and security compliance & in-control scan; Threat trends analysis: analysing your current cyber threat landscape; Business impact assessment: providing a pragmatic approach to identify the security risks in your key processes; Business continuity and recovery: establishing policies and practices for dealing with major operational disruption. Developing and testing the recovery plans needed to face the continuity challenges; Security risk assessment: assess the dependence on processes & applications, threats & vulnerabilities to determine the current risks that need to be mitigated; Security strategy and vision development: designing a security strategy that will position cyber security as your business enabler and will realise your ambitions in the desired timeframes. Detect & respond 10 / Cyber security / From threat to opportunity KPMG Advisory N.V. N.V KPMG Advisory N.V. From threat to opportunity / Cyber security / 11

7 Phase 2: Protect Phase 3: Detect & respond Balancing threats, risks and resources against business goals Timely detection of incidents Realising effective cyber security entails ensuring a baseline level of security across the organisation and establishing tailored protection of your crown jewels and critical assets. This requires balancing preventive and detective controls in the domains of governance, people, processes and technology. The protect phase of KPMG s Cyber Security Framework helps our clients to increase their resilience against cyber attacks in all domains. Establishing a baseline level of security throughout the whole organisation starts with an organisation that is built on capable people and effective processes for the protection of your assets. It also means that your technology landscape of applications, internet perimeter, internal network, websites, servers and workstations is regularly assessed. You can achieve this through a combination of security tests, configuration reviews, architecture assessments and authorisation reviews. After having established a level of basic security housekeeping, the next step is to focus on the areas that are most important to your business for fine-tuning your security: your organisation s crown jewels and critical assets. KPMG will help you with tailor-made actions and by implementing specific security measures regarding these areas, based on risk assessments and industry best practices. KPMG can help your organisation in: Cyber defence operating model: designing and implementing your defence organisation and infrastructure using the three lines of defence model; Secure architecture: defining or assessing the desired security architecture for processes and technology within your organisation; Assets, processes and resources alignment: enabling technology to link asset management, security monitoring, threat-, vulnerability-and incident management processes with the cyber strategy of your organisation; Security testing: assessing the security of your applications, systems and networks by ethical hackers; Identity and access management: designing and implementing an identity and access management infrastructure that is in control, manageable and compliant; Red teaming: testing your preventive and detective controls by performing a simulation of a real-world attack; Cloud security: security assessment, control and transformation of your cloud computing environment; Mobile security: security testing and advisory on your mobile applications or BYOD environment; Technical reviews: assessment against industry standards such as PCI-DSS. With the global proliferation of cyber attacks, the question for organisations is not if they will be attacked but when. The ability to effectively manage business during a major operational disruption is now a key success factor. With reputational damage occurring in an increasingly short time-span, organisations are looking for business and technical specialists who can help them design and execute incident response plans accordingly. The detect and respond phase of KPMG s Cyber Security Framework helps our clients respond to and investigate cyber attacks. The foundation for timely detection and response is a Security Operations Centre (SOC) that is supported by the functions of vulnerability management (to identify weaknesses in your assets), threat management (to identify and predict new attacks), and incident management (for prompt and thorough follow-up on incidents). KPMG has the experience to help you establish robust processes and technology. Even more important, we help you ensure that the people in these processes work as one, so that cyber threats are dealt with proactively. KPMG can help your organisation in: Serious gaming: organising red and blue team cyber incident response training to help you develop your responsive capabilities; Incident response capability development: enhancing your incident response capabilities including internal and external communications, service prioritisation and many other aspects; Stakeholder management: determining which stakeholders should be part of your crisis management process, what their needs and responsibilities are; Cyber attack detection: helping with deployment and optimisation of monitoring and sophisticated data analytics on your networks; Security and threat monitoring use-cases: advising on, designing and implementing security information and event management processes and architectures; Rapid response teams: helping you to contain, manage and recover from cyber attacks; Forensic evidence recovery & investigation: providing advanced digital forensics capability to gather, preserve and interpret large data sets, deleted or ephemeral data in order to prove a chain of events; DDoS protection: helping your organisation in dealing with DDoS attacks.. 12 / Cyber security / From threat to opportunity From threat to opportunity / Cyber security / 13

8 Integrate Protect THREAT INTELLIGENCE Phase 4: Integrate Threat intelligence Detect & respond Integrating cyber security into everything you do Cyber threats have become part of the business environment and as such, there are risks which need to be managed. This necessitates that cyber security not be seen as a topic in isolation within the business, but as an integral part of your way of working. The integrate phase of KPMG s Cyber Security Framework helps our clients to embed cyber security in the culture and decisionmaking processes to help ensure their business stays one step ahead. Firstly we assess all key business processes to jointly determine which risks could and should be addressed in those processes. Next, using industry best practices we determine how security measures can best be embedded in the existing processes to mitigate these risks. Our specialists will then help you to implement those security measures in the daily operations of your organisation. Naturally, the main focus will be on automated controls (which can be built directly into your systems) as well as soft controls (such as cyber security awareness and training). KPMG can help your organisation in: Security reporting and measurements: determining security KPIs and developing cyber security dashboards; Security by design: assessing R&D processes for security embedding and providing support in determining security requirements for new products and services; Security in culture: embedding cyber security in the decision-making process of your organisation that facilitates culture of right skills and behaviours; Sourcing parties: managing your sourcing parties and ensuring that third parties deal with information in line with your requirements; Security operating model: developing a holistic security operating model in line with your business strategy and goals. The financial and reputational costs to recover from a cyber attack can materially impact public and private organisations. The most mature organisations anticipate cyber threats to help minimise the impact rather than merely respond to the attacks. Matching our industry experience with our technical skills, KPMG works closely with clients to design and implement cyber intelligence functions, answering questions such as how to move from reacting to anticipating cyber attacks, how to make sense of the cyber threats we face, how to establish an effective Security Operations Center, who to share threat intelligence with and how. Our experience in the intelligence and law enforcement community gives us a unique perspective on effective intelligence capabilities and processes. Combined with our deep technical knowledge in cyber security we: Work with organisations to design and implement in-house and government cyber intelligence functions and security operations centers; Help optimise aspects of current intelligence functions and security operations centers; Work in partnership with private intelligence and law enforcement agencies to enhance intelligence flows. 14 / Cyber security / From threat to opportunity From threat to opportunity / Cyber security / 15

9 6 OPERATING PRINCIPLES BEHIND OUR SERVICES 7 OUR INDUSTRY SECTORS With more than 25 years of information security experience, we have been helping organsiations of all sizes from a variety of sectors: Offshore Chemicals Healthcare An intelligence-led approach. KPMG has gained a deep understanding and experience of intelligence best practices through working extensively with law enforcement and leaders in this field. A joint approach. Designing a plan is one thing, designing a plan which receives full support from the organisation is something entirely different. This is why we always work closely together with your team to ensure success. Industrial manufacturing Retail Engineering & construction Banking Government & public services Boundaries, national or organisational, are irrelevant to cyber security. Which is why we offer you a global network of 2000 cyber security professionals from across our 156 member firms and all industry sectors who seamlessly cooperate in multinational, crossfunctional teams. Cyber security is not an IT issue. KPMG brings together specialists in information protection and business continuity, forensic technology, risk management, privacy, organisational design, behavioural change and threat intelligence to help you manage cyber security across people, processes and technology. Confident cyber security choices are the key to ensuring trust among customers, shareholders and employees. Our global cyber security framework provides an holistic view of the cyber security lifecycle pre- and post-attack. It will help you develop a strategy on how to balance your efforts and where to invest. Pharmaceuticals Insurance Communications Oil & gas 16 / Cyber security / From threat to opportunity From threat to opportunity / Cyber security / 17

10 WE HELP YOU TO BUILD YOUR RESILIENT ORGANISATION Our Cyber Security Framework is what distinguishes KPMG from other cyber security advisors. We view cyber security from an integrated perspective and provide solutions and recommendations suited to your business environment. For us, cyber security is an enabler for success, rather than a necessity for dealing with threats. Our specialists know what steps need to be taken to make cyber security an integral part of the way you do business. Once this has been achieved we can subsequently help you to investigate and identify where security can be positioned to add value to your products and services. We know how to report from a non-technical perspective. The technical heart of cyber security may result in observations and recommendations that are only understandable to technical experts. Working with KPMG, you can expect to receive crisp and clear recommendations that address the challenges from a business perspective instead of pages of technical buzzwords. Our ultimate aim in everything we do is to help you build a cyberresilient organisation. It may take some time to get to this level and may involve a reiterative process. We are more than happy to guide you through all the steps along the way. You can expect our cyber security professionals to go the extra mile in order to get you there. 18 / Cyber security / From threat to opportunity From threat to opportunity / Cyber security / 19

11 Contact John Hermans Partner Tel: Dennis de Geus Director Tel: Koos Wolters Director Tel: kpmg.com/nl/cybersecurity The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation KPMG Advisory N.V., registered with the trade register in the Netherlands under number , is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. The name KPMG, logo and cutting through complexity are registered trademarks of KPMG International