CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY
INTRODUCTION

Information security has evolved. As the landscape of threats increases and cyber security [1] management becomes more complex, CISOs, security committees, executives and boards of directors are demanding meaningful information for decision-making. However, cyber security stakeholders face significant challenges identifying, obtaining, processing and aggregating key information that enables them to steer towards defined targets effectively, and ultimately be in better control of their organisation's cyber security.

In practice, the responsibility for cyber security is often distributed amongst different organisational areas, as is the relevant information. In addition, the range of activities related to cyber security is so broad that it is not easy to identify the key elements that indicate how cyber security is contributing to (or even preventing) the achievement of the business's goals. And, as if that isn't enough of a challenge, the highly technical, specialist origins of cyber security often result in highly technical, specialist sets of information that, although essential for operational activities, are not valuable for high-level business decision-making.

The good news is that complexity, interdependency, specialisation and large quantities of information are not new challenges for the business world. As mentioned in our publication The five most common cyber security mistakes, KPMG approaches cyber security as business as usual: an area of risk that requires the same level of attention as fraud. And in the same way that other business areas are monitored and measured, cyber security can be monitored and measured with the support of dashboards that display the right key performance indicators (KPIs).

[1] Cyber Security is the endeavor to prevent damage by disruption, outage or misuse of IT and, if damage does occur, the repair of this damage. The damage may consist of: impairment of the reliability of IT, restriction of its availability, and the breach of confidentiality and/or the integrity of information stored in the IT system. (Source: National Cyber Security Strategy 2, 2013.)

2 FEEL FREE Cyber Security Dashboard
WHY A CYBER SECURITY DASHBOARD?

In short, a Cyber Security Dashboard will help you steer your organisation towards the desired cyber security position, while providing answers to key questions often raised by executives. Examples of these questions are:

BOARD OF DIRECTORS
- What is the status of our cyber resilience capabilities compared to the current and expected threat level?
- What is the impact that cyber security risks have on our strategy?
- How do our measures and investments compare to the rest of our sector?
- Are we compliant with the relevant cyber security and related regulations?
- Are we in control of cyber security in the value chain?

CIO
- What are the key drivers in cyber security risk management and how are they developing?
- What is the status of our preventative capabilities, as related to cyber security?
- What is the status of our detective and reactive capabilities, as related to cyber security?
- What is the status of the compliance framework?
- What were the root causes and actions taken in relation to the high-impact incidents in the last period?
When adequately designed and implemented, Cyber Security Dashboards also provide:

- INSIGHT into the overall state of cyber security, as related to business targets. This allows for improved decision-making and better control of cyber security;
- FOCUS on what is important for the business. Cyber security efforts should be balanced between business risks and opportunities. Nevertheless, it is easy to lose focus when the information available is too spread, detailed or technical to provide a consistent overview;
- COMMUNICATION & AWARENESS. Business executives and boards of directors are demanding relevant information, while cyber security professionals are trying to raise the awareness of executives and boards of directors. A Cyber Security Dashboard provides a means of communication that facilitates awareness of major areas of concern from both perspectives: cyber security and organisational goals;
- STANDARDISATION AND EFFICIENCY, particularly across regions and functional units within large organisations. As mentioned earlier, the responsibility for information security is often scattered, with local or regional security officers often interpreting, customising and implementing policies that are usually defined at corporate level. This sometimes results in non-standard reporting formats, increasing the time required to compile and produce aggregated reports, as well as the work required to interpret them.

Depending on the specific purpose of the dashboard, some benefits may be more prevalent than others; in any case, the dashboard will contribute by providing an overview of the main information needed to control cyber security and make decisions that further the business objectives.

But what information should a Cyber Security Dashboard display? In the same way that each organisation has a unique strategy, culture and maturity, it has unique cyber security information needs. Through a combination of research and our extensive experience, KPMG has identified six key areas of focus that provide a comprehensive overview of cyber security.
THE CYBER SECURITY DASHBOARD FOUNDATION: SIX AREAS OF FOCUS

The areas of focus serve as the foundation for identifying the most relevant measures to be considered on a company's dashboard. They cover the core areas of cyber security: risks, compliance, incidents, awareness & culture, threat level and key cyber security projects in development.

AREAS OF FOCUS
- RISKS: benchmark with peers; coverage; top risks; others
- COMPLIANCE: external; internal; readiness
- INCIDENTS: statistics; incident management; benchmark with peers
- AWARENESS & CULTURE: learning scores; training coverage; incidents and other violations associated with awareness
- THREAT LEVEL: external; internal
- PROJECTS: impact on risk reduction; progress; Cyber Security Maturity
CYBER SECURITY RISKS

Cyber security management and business decision-making are closely related to risk management. Executives and board members need to understand and monitor the cyber risks that may hinder the organisation's ability to achieve its goals. These risks are represented by key risk indicators (KRIs) that are directly derived from the organisation's strategy. For example, if a retail company's strategy is to grow through increased revenue and market share on e-commerce channels, then the downtime of online shopping sites directly affects the realisation of the strategy, becoming a KRI.

Another perspective on risk may be provided via benchmarking. Executives often want to know their organisation's status compared to industry peers or best practices. Benchmarks related to organisational maturity levels and framework compliance are available in the marketplace.

[Figure: TOP 10 RISKS, a risk matrix plotting likelihood (0-6) against impact (0-6) for R1 to R10]

Top Risks
RISK | DESCRIPTION | LEVEL | TREND | COMMENTS
R1 | LOSS OR ALTERATION OF INTELLECTUAL PROPERTY | Very High | | Existing system does not allow control of administrators. Analysis for change of system in progress.
R2 | SENSITIVE CUSTOMER DATA DISCLOSURE | Medium | | Inventory of repositories is at 80%. Identified repositories are compliant with risk appetite.
R3 | UNAVAILABILITY OF ONLINE SALES CHANNELS | High | | Penetration test identified severe vulnerabilities in configuration. Changes in progress.
R8 | STRATEGIC INFORMATION LEAKAGE | Very High | | Increased impact with new business project. IT acquisition and awareness trainings in process.
R7 | FINANCIAL FRAUD | Medium | | Recent audit findings identified failures in user management processes. Changes in progress.

Benchmark: Security Forum Control Framework 2014: second quartile
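As an added example (not KPMG's method or any code from this paper), the following Python aggregates a small constructed risk register into the "Top risks" table described above: each risk gets a level derived from its position on the 0-6 likelihood and impact scales of the matrix, and a trend against the previous reporting period. The level bands, the trend rule, the field names and the sample register are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Added example, not KPMG's method or tooling. The 0-6 scales follow the
# page's risk matrix; the level bands, trend rule and sample register are
# constructed assumptions. Bands apply to likelihood x impact (range 0-36).
LEVEL_BANDS = ((24, "Very High"), (15, "High"), (8, "Medium"), (0, "Low"))

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int        # 0-6, current period
    impact: int            # 0-6, current period
    prev_likelihood: int   # same scales, previous reporting period
    prev_impact: int
    comments: str = ""

def risk_score(likelihood: int, impact: int) -> int:
    """Collapse a position on the matrix into one number (product of axes)."""
    for value in (likelihood, impact):
        if not 0 <= value <= 6:
            raise ValueError(f"score {value} is outside the 0-6 matrix scale")
    return likelihood * impact

def risk_level(score: int) -> str:
    """Map a score onto the level label shown in the dashboard table."""
    for threshold, label in LEVEL_BANDS:
        if score >= threshold:
            return label
    return "Low"

def trend(risk: Risk) -> str:
    """Direction of the score against the previous period."""
    now = risk_score(risk.likelihood, risk.impact)
    before = risk_score(risk.prev_likelihood, risk.prev_impact)
    return "up" if now > before else "down" if now < before else "stable"

def top_risks(register: List[Risk], limit: int = 5) -> List[Dict]:
    """Rank the register by current score and build the 'Top risks' rows."""
    rows = []
    for r in register:
        score = risk_score(r.likelihood, r.impact)
        rows.append({"risk": r.risk_id, "description": r.description,
                     "score": score, "level": risk_level(score),
                     "trend": trend(r), "comments": r.comments})
    rows.sort(key=lambda row: (-row["score"], row["risk"]))
    return rows[:limit]

# Constructed sample register; descriptions echo the page's R1, R2, R3, R7.
SAMPLE_REGISTER = [
    Risk("R1", "Loss or alteration of intellectual property", 5, 6, 5, 6,
         "Existing system does not allow control of administrators."),
    Risk("R2", "Sensitive customer data disclosure", 2, 5, 3, 5,
         "Inventory of repositories is at 80%."),
    Risk("R3", "Unavailability of online sales channels", 4, 5, 3, 5,
         "Severe configuration vulnerabilities found; changes in progress."),
    Risk("R7", "Financial fraud", 3, 3, 3, 3, "User management failures."),
]

if __name__ == "__main__":
    for row in top_risks(SAMPLE_REGISTER):
        print(f"{row['risk']:<3} {row['level']:<10} {row['trend']:<7} {row['description']}")
```

With the constructed bands, the sample register reproduces the levels shown in the table above (R1 Very High, R3 High, R2 and R7 Medium); a real dashboard would calibrate the bands to the organisation's risk appetite.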
COMPLIANCE

In practice, one of the main drivers of cyber security is compliance. Typical requirements that organisations need to comply with include laws, regulations and contractual demands from business partners, suppliers and customers. Failing to comply may result in substantial fines, termination of contracts with strategic partners or customers and, ultimately, suspension of the right to operate. Furthermore, as threats increase and customers demand higher levels of data protection, new compliance requirements are continuously emerging. Being able to proactively monitor your organisation's readiness to meet coming requirements may allow for a more timely and cost-effective compliance strategy.

[Figure: Overall Maturity per Requirement (Europe), current vs. target on a 0-4 scale, for DNB, ISF, ISO 27001, Internal Framework, PII and Other]

CYBER SECURITY INCIDENTS

Incidents do happen, and we need to react to, and learn from, them. Analysis of information security incidents often provides business stakeholders with an additional perspective on risk levels, making it highly valuable. Usual measures of interest are general statistics on severe incidents, such as the number, business impact and source; benchmarking with industry peers; and elements associated with the effectiveness of the incident management process, such as average incident detection/response time.

[Figure: Impact of incidents per category of threats (in millions, log scale 1-100): Error, Physical theft/loss, Insider Misuse, Social, Malware, Hacking]
AWARENESS & CULTURE

As important as awareness is, measuring it objectively poses a significant challenge. Current social and technology trends are forcing organisations to become more reliant on end-user behaviour to protect information. Telecommuting and bring-your-own-device are common practices worldwide, making information readily available almost everywhere, and more difficult and expensive to protect.

Cyber security awareness aims to develop specific behaviours in employees, contractors and other parties that process or use the organisation's information. The main objectives are to reduce risks related to human error, as well as the time required to identify incidents and violations.

There is no single metric that accurately and objectively assesses people's level of understanding, or their expected reaction should a cyber security situation arise. This is why KPMG approaches this dimension from two perspectives:
- training: what is the company doing towards culture development;
- actual behaviour: what is the result of those actions.

Indicators in training are usually related to coverage of the target audience and scores on assessments such as e-quizzes or surveys. KPMG measures behaviour by looking at eight soft controls: clarity of rules; exemplary behaviour; practicability; involvement; visibility; organisational openness; peer openness; and enforcement. Being able to determine and compare security awareness levels between business units and regions supports decision-makers in prioritising resources and activities.

[Figure: Awareness radar chart, current vs. target (0-100%), across the eight soft controls (Clarity of Rules, Exemplary Behaviour, Practicability, Involvement, Visibility, Organisational Openness, Peer Openness, Enforcement), grouped into Prevention, Detection and Response]
KEY SECURITY PROJECTS/INITIATIVES

Knowing the progress and general status of the major security projects is essential to cyber security management. Furthermore, executives want to be able to assess the potential impact of these projects on the cyber security posture, the potential constraints they may pose to target achievement, and whether actions are required to guarantee alignment with business objectives.

[Figure: Key cyber security projects/initiatives, status vs. target and progress vs. plan (0-100%), per project and division: IRM (EMEA), Cyber Security Governance (EMEA), Outsourcing review (ASIA), ISO 27001 Certification (AMERICAS), Awareness (ALL)]

THREAT LEVEL

Modern cyber resilience is based on threat intelligence. The better an organisation understands its threat environment, the better it can prepare for and respond to it. Threats in the cyber landscape include nations, activists, organised crime, the competition and the organisation's insiders, amongst others. By gathering and analysing data from internal and external sources and recent incidents, and identifying their implications in your own environment, it is possible to obtain an overview of a general threat level that can be used as a point of reference.

[Figure: Threat level gauge (0-100), reading 70. Legend: No discernible activity with a moderate or severe risk rating. Source: ThreatCon]

These areas of focus are not exhaustive, but they cover the key areas KPMG has found to make the difference in controlling cyber security. The goal is to identify the areas that best fit your organisation's current and future business needs and include them as part of the dashboard. It is possible that additional topics, such as costs and budget-related indicators, also need to be considered, but in the end what matters is that the selected elements actually contribute to business decision-making, respond to the audience's needs and are aligned with the company's current security practices.
STRATEGIC APPROACH TO A CYBER SECURITY DASHBOARD

Defining and implementing a dashboard is a challenging project. Difficulties commonly found on the way include selecting the dashboard elements that will support decision-making, unforeseen impacts on operational and tactical processes, and complex data sources, sometimes dependent on third parties. This is why KPMG has developed a strategic, phased approach: by incrementally defining and constructing the dashboard, requirements are constantly refined, while enabling optimal management of investment and creating situational awareness of the target audience.

The dashboard is built in two main phases, so that the benefits are tangible from the beginning: first the reporting elements & prototype are defined, and then the dashboard is automated and embedded in the processes.

Phase 1: REPORTING ELEMENTS & PROTOTYPE DEFINITION
- INITIAL DESIGN: identification of key stakeholders and their needs; assessment of delivery capabilities
- PROTOTYPE: design prototype; evaluation and refinements
- DETAILED DESIGN: develop dashboard growth model; build business case

Phase 2: DASHBOARD IMPLEMENTATION & AUTOMATION
- PROOF-OF-CONCEPT: build PoC; evaluate PoC
- BUILD DASHBOARD: phased approach for dashboard development; implementation and embedding per phase
- TRAINING & SUPPORT: training of users and administrators; establish organisation for support and enhancements
The initial design should be balanced against what we refer to as delivery capabilities, in other words, elements within the organisation that enable the desired outcome. Examples of these capabilities are the organisation's maturity, management support, internal processes, and available data sources and technology. Delivery capabilities often pose important challenges for the project. For example, a data source may seem reliable and comprehensive, but later on it can be found that the data only covers a low percentage of the target population, or that the originating process is highly prone to human error.

Once the initial design is finalised, a prototype is built. The prototype allows for validation of the initial requirements, and results in design and metric adjustments. The subsequent two stages focus on the development of a proof-of-concept that will determine whether the organisation is ready to build the dashboard, given the growth model and the business case.

After the proof-of-concept has been positively evaluated, the dashboard is developed. This is achieved by following a phased approach that allows for gradual embedding in the internal processes. During this stage, common challenges relate to stakeholder management and dashboard embedding, since certain (parts of) processes may require changes to successfully incorporate the tool. Finally, the transition activities take place, including training, implementation of the support scheme, and update and expansion processes.
CONCLUSION

Measuring and reporting on cyber security to the strategic level is not an easy task. Most existing security metrics focus on operational and technical aspects, while executives are demanding high-level, meaningful business-related information. In addition, the delegation of cyber security activities to local/regional security officers often results in non-standardised reporting, hindering in turn decision-making processes.

The end result may look simple, but to deliver and successfully embed a reliable Cyber Security Dashboard requires skills and experience in many diverse areas, during each of the development phases. A strategic approach to the definition of a Cyber Security Dashboard helps your organisation steer on key focus areas, create situational awareness, standardise reporting practices, align cyber security with the business and improve the control over cyber security activities.

[Figure: Example Cyber Security Dashboard with panels: Strategic Risk (impact vs. chance, 0-4, risks R1 to R5); Maturity per division (0.0-3.5: IT, Health, Finance, Administration, HR, Risk, Marketing, Treasury, Industry); Strategic Projects (status vs. target %, target vs. plan %: CMDB setup project, External penetration test, Hiring SOC personnel, Information security plan 2015, Internal vulnerability scanner); Key Incidents (occurrence vs. impact, 0-10,000: Denial of Service, Misc. Errors, Unknown, Insider Misuse, Physical Theft); Compliance and Threat Level tables as below]

Compliance
Requirement | 2012 | 2013 | 2014
COBIT | 75% | 80% | 80%
DNB (banks) | 90% | 90% | 20%
Internal Framework | 60% | 30% | 10%
ISF | 60% | 60% | 60%
ISO 27001 | 50% | 65% | 65%
SANS | 70% | 70% | 65%
SOx | 70% | 90% | 90%

Threat Level
Category | Current level
Competitors | 3
Cyber Investigators | 2
Cyberpunks and scriptkiddies | 4
External consultants | 2
Hacktivists | 1
Internal employee | 4
Organized cyber criminals | 4
States | 2
WHY KPMG?

The Cyber Security Dashboard is one component of KPMG's Global Cyber Transformation Service[s]. Our vision is to make cyber security an integral part of your business through:

- EXPERIENCE. We understand the business and know about cyber security. We have supported organisations in diverse industry sectors in developing Cyber Security Dashboards, and have identified key information and metrics that strategic stakeholders are looking for;
- INTEGRATED APPROACH. We bring together specialists in information protection, risk management, organisational design, behavioural change and intelligence management. These combined skills are utilised to tailor a solution relevant to your risk appetite and the cyber threats your organisation faces;
- END-TO-END VISION. We do not just display data on a dashboard but also analyse the related processes and identify potential areas of improvement. By analysing the dashboard audiences and their activities, we develop the dashboard accordingly. Assistance is provided with embedding the dashboard within existing processes and leveraging it to further the organisation's capabilities;
- DATA RELIABILITY. KPMG is an audit firm. We look for reliable data. We challenge the data sources and assist in taking the steps required to make the data accurate, complete and, ultimately, suitable for decision-making.
Contact

John Hermans, Partner
Tel: +31 20 656 8394
Email: hermans.john@kpmg.nl

Dennis de Geus, Director
Tel: +31 20 656 8093
Email: degeus.dennis@kpmg.nl

Koos Wolters, Director
Tel: +31 20 656 4048
Email: wolters.koos@kpmg.nl

kpmg.com/nl/cybersecurity

, registered with the trade register in the Netherlands under number 33263682, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The name KPMG, logo and "cutting through complexity" are registered trademarks of KPMG International.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.