Addressing Cyber Risk: Building robust cyber governance
Mike Maddison, Partner, Head of Cyber Risk Services
The future of security
- The business environment is changing
- The IT environment is changing
- The cyber threat environment is changing
- Cyber security must be addressed at the most senior levels
- Cyber security must be business back rather than technology forward
- Move from protecting the perimeter to protecting data
- Refresh cyber security strategies to address rapidly evolving business needs and threats
If the information security function does not change, the result will be a loss of influence and control and, in this environment, of a real opportunity for impact with the business.
The future of security: the scale of change
Time to ship 1 million units: 2 years, 74 days, 28 days
2012 Deloitte LLP. Private and confidential.
The future of security: a changing business environment
- A greater reliance on:
  - Data (business information, competitive advantage, as the business)
  - Technology for employees and customers
- Globalisation and 24x7 operations: offices, users and IT assets around the globe
- Changing customer perceptions: Baby Boomers to Generation X, and now Generation Y, not forgetting Generation G
- Competitive advantage is difficult; the economy makes it even harder
The future of security: technology change, dealing with complexity
Cloud security, fraud risk, data loss, privacy, social media, cyber security, online fraud, system downtime, encryption, threat intelligence, corporate espionage, securing mobile devices, the insider threat, hacking, vulnerability management, identity management, e-crime prevention
The future of security: a changing threat environment (they only have to win once...)
Low risks and high rewards mean that the security threat landscape is changing: targets of choice, not chance.
- Anonymous and other hacktivists
- From waste management to e-crime: organised crime
- Increasing third party access
- Insider threats
- State-sponsored cyber threats: APTs, Stuxnet, Conficker
The future of security: your security capability?
Activities are still largely reactive and compliance-driven:
- Largely compliance focused: developing policies, meeting industry baselines, audit
- Often limited visibility or interest to the business unless something goes wrong
- Touching some change programmes
- Limited future watching
- Low operational agility
Forces acting on the organisation: political, environmental, social, technological, legislative and economic.
Practical steps to a step change
Approach to tackling cyber
1. Identify Risks (identify assets, identify threats)
   - Identify key asset lists and owners.
   - Map critical business processes and owners.
   - Identify current and emerging threats.
   - Perform risk assessment.
   - Assess business impact.
2. Map Capabilities (capability and control maturity)
   - Identify key capabilities for each risk area.
   - Identify emerging capability requirements from threat trends.
   - Map key controls to business risks.
   - Identify capability and control stakeholders.
3. Assess and Benchmark (set risk appetite)
   - Assess current state of control maturity.
   - Assess current capability maturity.
   - Derive target state of capability maturity from high-level costs versus business impact mitigation.
   - Validate target against peer and sector benchmark.
4. Prioritise & Execute (prioritisation and planning)
   - Identify major risk exposures and quick wins.
   - Identify strategic capability improvements and break them down into bounded deliverables.
   - Prioritise the strategic improvement roadmap.
   - Continue monitoring the threat landscape to identify required changes of focus.
Comprehensive Cyber Governance
This is not a technology issue: it is people, technology and process.
- Cyber Security Steering Committee: executive governance, making policy and investment decisions. Members include business and IT leaders as well as the CISO.
- Cyber Security Advisory Board: the brain trust, a forum for sharing and discussing tactics and best practice amongst security leaders.
- Cyber Security Comms Forum: often an email distribution list of security practitioners, used to communicate management decisions and best practice.
- Cyber Security Programme: strategic coordination of security initiatives, normally sponsored and governed by the Security Steering Committee.
Governance participants:
- IT Functions: security architecture, system design, security operations, security training
- Corporate Body: risk strategy, security policy, security awareness
- Business Units: risk management, security awareness
- Business Partners
Integrating cyber into ERM
- Board level: oversight; tone at the top (risk governance)
- Executive management: common risk architecture of people, process and technology (risk infrastructure)
- Risk processes: identify, assess, respond, design, implement, monitor
- Business units: risk classes and risk ownership (data, system, compliance, reporting)
Developing the capability is a journey with costs.
Cyber Security Maturity Levels: Level 1 to Level 5. Stage labels on the slide: Blissful Ignorance, Transformation, Operational Excellence, Situational Awareness of Cyber Threats, Proactive Threat Management. Example sectors placed along the scale: Media & SMEs; Consumer Business & Life Sciences; Retail Banks & Energy Providers; Investment Banks; Military & Defence.
Capability areas, with practices listed from lower to higher maturity:
- Asset Protection: Basic Network Protection; Ad Hoc Infrastructure & Application Protection; Enterprise-Wide Infrastructure & Application Protection; Identity-Aware Information Protection; Adaptive & Automated Security Control Updates
- Brand Monitoring: Basic Online Brand Monitoring; Online Brand & Social Media Policing
- E-Discovery & Forensics: Ad Hoc System / Malware Forensics; Automated Malware Forensics & Manual Electronic Discovery; Automated Electronic Discovery & Forensics
- Intelligence Collaboration: Ad-hoc Threat Intelligence Sharing with Peers; Government / Sector Threat Intelligence Collaboration; Global Cross-Sector Threat Intelligence Sharing
- External Threat Intelligence: Commercial & Open Source Threat Intelligence Feeds; Criminal / Hacker Surveillance; Baiting & Counter-Threat Intelligence
- Behavioural Analytics: Network & System Centric Activity Profiling; Workforce / Customer Behaviour Profiling; Real-time Business Risk Analytics & Decision Support
- Training & Awareness: Acceptable Usage Policy; General Information Security Training & Awareness; Targeted Intelligence-Based Cyber Security Awareness; Business Partner Cyber Security Awareness
- Cyber Attack Preparation: IT BC & DR Exercises; IT Cyber Attack Simulations; Business-Wide Cyber Attack Exercises; Sector-Wide & Supply Chain Cyber Attack Exercises
- Security Event Monitoring: IT Service Desk & Whistleblowing; Security Log Collection & Ad Hoc Reporting; 24x7 Technology Centric Security Event Reporting; External & Internal Threat Intelligence Correlation; Cross-Channel Malicious Activity Detection
- Internal Threat Intelligence: Traditional Signature-Based Security Controls; Periodic IT Asset Vulnerability Assessments; Automated IT Asset Vulnerability Monitoring; Targeted Cross-Platform User Activity Monitoring; Tailored & Integrated Business Process Monitoring
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (DTTL), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms. Deloitte LLP is the United Kingdom member firm of DTTL.
This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.
© 2012 Deloitte LLP. All rights reserved.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198. Member of Deloitte Touche Tohmatsu Limited.