Why cybersecurity is a strategic issue



Similar documents
Tapping cloud s full potential

Navigating the big data challenge

The value of Big Data: How analytics differentiates winners

Is your company ready for the Internet of Things?

Big Data: The organizational challenge

Power struggle: Making the most of generation assets in turbulent times

Big Data analytics in oil and gas

Reimagining IT for an omnichannel world. By Will Poindexter and Coleman Mark

Why customer experience matters more than ever for enterprise IT

Impact of Data Breaches

Mobile payments: The next step in a bank s digital journey

How SaaS providers can use pricing to achieve their ambitions. By Tim Cochrane, Sachin Shah, Justin Murphy and Jonny Holliday

Why some merging companies become synergy overachievers

RETHINKING CYBER SECURITY

Next Generation Security Strategies. Marc Sarrias Regional Sales Manager

RETHINKING CYBER SECURITY Changing the Business Conversation

The changing face of technology buyers

Collateral Effects of Cyberwar

Resetting digital strategy in Australia: Delivering what customers really want

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Services. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure

How Australia s utilities can boost customer loyalty

Reinventing Network Security Vectra s cyber-security thinking machine delivers a new experience in network security

Network Security Redefined. Vectra s cybersecurity thinking machine detects and anticipates attacks in real time

The Benefits of an Integrated Approach to Security in the Cloud

NNIT Cybersecurity. A new threat landscape requires a new approach

Cyber Risks in the Boardroom

Cyber security: Are Australian CEOs sleepwalking or a step ahead? kpmg.com.au

FFIEC Cybersecurity Assessment Tool

Managing IT Security with Penetration Testing

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

State of Security Survey GLOBAL FINDINGS

Module 1: Introduction to Designing Security

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

OCIE Technology Controls Program

Cybersecurity The role of Internal Audit

Assessing the strength of your security operating model

Phone: Fax:

Cyber-Security Risk in the Global Organization:

WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY.

Managing data security and privacy risk of third-party vendors

How To Get A Cloud Service For A Small Business

AskAvanade: Answering the Burning Questions around Cloud Computing

CYBERSECURITY: ISSUES AND ISACA S RESPONSE

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

CHAPTER 3 : INCIDENT RESPONSE THREAT INTELLIGENCE GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Do you see what we see? The future of independent optometry

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

Turn your supply chain into a profitable growth engine

EHS Privacy and Information Security

Security Risk Management Strategy in a Mobile and Consumerised World

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

PCI Compliance for Healthcare

Cybersecurity and internal audit. August 15, 2014

Beyond the Hype: Advanced Persistent Threats

Combating a new generation of cybercriminal with in-depth security monitoring

CGI Cyber Risk Advisory and Management Services for Insurers

CYBER SECURITY, A GROWING CIO PRIORITY

Executive Summary 3. Snowden and Retail Breaches Influencing Security Strategies 3. Attackers are on the Inside Protect Your Privileges 3

Mitigating and managing cyber risk: ten issues to consider

Integrating work and life

EY Cyber Security Hacktics Center of Excellence

Mobile payments: Finally ready to take off?

Cyber threat intelligence and the lessons from law enforcement. kpmg.com/cybersecurity

ALERT LOGIC FOR HIPAA COMPLIANCE

Solving the Security Puzzle

Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014

CYBERSECURITY IN HEALTHCARE: A TIME TO ACT

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement

The Oracle Mobile Security Suite: Secure Adoption of BYOD

The Symantec Approach to Defeating Advanced Threats

Managing the Ongoing Challenge of Insider Threats

Transcription:

Why cybersecurity is a strategic issue Is your business one hack away from disaster? By Syed Ali, Vishy Padmanabhan and Jim Dixon

Syed Ali is a principal with Bain & Company in Chicago. Vishy Padmanabhan is a partner with Bain & Company in Dallas. Jim Dixon is a partner in Bain s Palo Alto office. All three work with Bain s Global Information Technology practice. Copyright 2014 Bain & Company, Inc. All rights reserved.

Why cybersecurity is a strategic issue When you think of the billions of dollars organizations spend to protect their digital assets, it s amazing that hardly a week goes by without news of a major security breach. We see not only more attacks, but larger, more complex and targeted incursions on organizations for financial gain (see Figure 1). Some enterprises face advanced persistent threats (APTs), a highly sophisticated form of malware that permeates the organization, mutates into variants, remains innocuous and undetected for a long time, and stealthily accesses and transmits corporate assets. The sought-after digital assets include intellectual property (IP), trade secrets, and customer and financial data (see Figure 2). Organizations are having a tougher time mitigating security breaches, and the average financial impact of each breach on an organization is increasing (see Figure 3). What s more, it s becoming harder to keep these attacks out of the news. Often, clients or regulatory agencies require companies to disclose breaches; in other cases, attackers themselves distribute the pilfered information online. In many cases, the consequences for organizations can be devastating in terms of lost revenue, impugned reputations and financial repercussions. For example, an October 2013 attack on Adobe resulted in the theft of customer data from 38 million accounts and of valuable source code behind some of Adobe s most widely used products, including Reader, Photo- Shop and ColdFusion. Only two months later, in December 2013, Target Corporation confirmed that it suffered a massive security breach resulting in the loss of credit and debit card data on 40 million customers over a 19-day period. The data may have been harvested by malware affecting physical point-of-sale systems at nearly 2,000 Target stores. The immediate consequences for a company dealing with a customer data breach are severe and may include negative press, sales and stock price decline (at least immediately after the breach), the threat of lawsuits from customers and partners, and long legal investigations. When attackers gain access to the source code Figure 1: Deeper and broader security vulnerabilities seem to correlate with more attacks and malware Increasing rate of newly reported vulnerabilities, especially in mobile platforms seems to be correlated with a higher rate of attacks and exponential growth in malware New vulnerabilities across all platforms Daily Web attacks blocked 4.2K 6% 50% 44% +27% 5.3K 10% 57% 33% Low severity Medium severity High severity 190.4K +30% 247.4K 2011 2012 New vulnerabilities in mobile platforms Cumulative volume of Android malware 315 +32% 415 14% +30,335% 350.0K 52% 41% Other 29% 19% 45% ios Android 1.2K 2011 2012 Sources: MITRE CVE; Symantec; Trend Micro; Bain analysis 1

Why cybersecurity is a strategic issue Figure 2: Most attacks come from outsiders looking for financial gain An increasing number of organizations are being targeted directly with financial gain as the primary motivation resulting in the loss of sensitive data that can easily be monetized +51% 1% 2% 3% 2% 3% 6% Other corporate information 82 116 94% Personal grudge Curiosity or pride Hactivism Financial gain 94% Protected health information (PHI) Corporate trade secrets and IP Customer records Motivation Targeted assets Sources: Symantec; Verizon 2011 investigations; Trustwave; Bain analysis Figure 3: Security breaches are becoming more difficult and expensive to detect and mitigate Organizations are having a harder time detecting and resolving security breaches and the average financial impact of each breach on an organization is increasing +22% 234 24 $8M +6% $9M 192 18 210 174 Average days to resolve Average days to detect Sources: Trustwave; Ponemon Institute; Bain analysis 2

Why cybersecurity is a strategic issue of software products, they can find and exploit new vulnerabilities (so-called zero-day attacks) that could affect corporate and customer systems, data and devices. With stakes so high, CEOs and boards must begin to think about security in a new way. IT security a task that could once be delegated to the IT staff has become a top-level strategic issue because the consequences of failure can ruin a business. Any organization may be only a few hacks away from disaster. And yet, every organization that found itself on the wrong end of a security breach already had some form of cybersecurity in place. The names in recent headlines include banks, technology and media companies, retailers, research universities as well as security agencies none of which are new to the game of protecting information. So how is it that they found themselves ill-equipped to deal with the rising tide of threats? In our experience working with many leading enterprises on this important and sensitive issue, we see too many organizations that fail to align their IT security capabilities with their larger goals and appetite for risk. At some companies, business and IT don t discuss emerging threats or the relative importance of different classes of digital assets. Not surprisingly, we frequently see disconnects between an organization s risk-management efforts and the development of necessary cybersecurity capabilities. And too often, we see fits and starts, as teams take an inconsistent approach to security planning, operations and funding. Taken together, these mistakes create gaps in strategy and operations that leave the organization vulnerable. New challenges for cybersecurity Cybersecurity has never been more essential, for at least four major reasons. First, companies have more digital assets than they did 10 years ago, and these assets are worth more than they were before. They include customers personal, financial and transaction information; proprietary assets, including source code for products; automated business processes; sensitive communications with suppliers and partners; and other data. The security around these assets varies greatly depending upon the perceived (as opposed to the actual) financial and strategic value to the business, as well as the effectiveness of the security technologies and processes in place. What s more, organizations are shifting to hybrid cloud architectures as they continue to adopt software, security and other solutions as services (SaaS, SECaaS and so on). Historically, digital assets were protected within the company s data center, where it was easier to guard the perimeter and manage user access, authorization and authentication from known locations and devices. Today, corporate and customer data resides in the organization s own data centers as well as public and private clouds, distributed across remote locations. While hybrid cloud architectures offer significant economic benefits, their adoption requires a more sophisticated approach to cybersecurity, including security management at the level of individual digital assets and integrated monitoring and management capabilities across the hybrid cloud environment. Further complicating the challenge is the pervasive use of mobile devices by staff and executives. Corporate IT now has to manage the security of many more platforms and devices, some owned by the company and others that belong to employees who use them under bringyour-own-device (BYOD) plans. A recent survey by ISACA 1 found that up to 66% of organizations will soon adopt BYOD policies, yet half of IT staff members remain concerned about the inherent security risks. To manage these policies effectively, IT organizations will need to provide ubiquitous security across many devices and comprehensively manage user identity and access to sensitive corporate data. Finally, compliance remains the most important cybersecurity driver, especially for companies in regulated industries or with contractual obligations. In a recent Bain survey, more than 75% of CIOs identified compliance requirements as the main determinant of investment in IT security. Another recent survey of IT staff by ISACA found that outside of compliance obligations, 3

Why cybersecurity is a strategic issue IT has insufficient resources and limited business engagement for effective risk management. 2 These findings highlight the operational approach to cybersecurity taken by many organizations. Compliance should define the lower bound for security capabilities while the upper bound should aspire to meet the organization s strategic priorities, including IP protection, continuous operations and a secure corporate reputation. Protecting your data, reputation and business Leading organizations take a more strategic rather than an operational approach to security to respond to the new challenges. Understand the organization s key assets and appetite for risk. Align business and IT leaders on the prioritization of digital assets based on value and risk to the organization to ensure the proper design of technology, processes and supporting resources. For example, customer data, point-of-sale and order management systems are a higher priority while marketing and promotion systems may be lower. Identify the security risks and gaps. Assess current security capabilities and determine the likelihood of experiencing known and emerging risks. Business and IT leaders should then align on the gaps and the estimated mitigation costs. Define the cybersecurity strategy. Based on a thorough understanding of the organization s security priorities and gaps, IT should create comprehensive technology, process and organizational designs and blueprints with strategic and operational elements that protect digital assets (see Figure 4). Emphasize gaps, priorities and strategy to the CEO and board. Leadership should know about the securityrelated risks and gaps they face, so they can understand the importance of the investments required. Engage recognized security specialists. As the threat landscape expands and attacks become more sophisticated, organizations should work closely with firms that can provide ongoing services to diagnose, redesign and monitor their cybersecurity. Figure 4: Bain s approach to cybersecurity aligns strategic imperatives with the necessary operational capabilities Operational Strategic Business alignment IT risk management Administration Architecture and engineering Monitoring and operations Physical security Does IT understand the organization s security needs and its appetite for risk? Are senior leaders involved? How is risk proactively gauged and managed? Who aligns risk mitigation with IT policies? Does IT have an accountable and empowered chief information security officer and team? Does IT have funding for the necessary security capabilities? Does the strategic security plan and solution design reflect standards and best practices for dealing with current and emerging threats? Is security applied at the digital asset level? Is security equipped to identify and make a coordinated response to threats? Is there ongoing user training on security practices and threat awareness? Are there integrated monitoring capabilities across the hybrid cloud environment? Are data centers and other facilities as secure as virtual assets? Are user devices encrypted and enabled for remote security management? Source: Bain & Company 1 ISACA: 2013 IT Risk/Reward Barometer Global Results 2 ISACA: 2012 Study on Application Security 4

Shared Ambition, True Results Bain & Company is the management consulting firm that the world s business leaders come to when they want results. Bain advises clients on strategy, operations, technology, organization, private equity and mergers and acquisitions. We develop practical, customized insights that clients act on and transfer skills that make change stick. Founded in 1973, Bain has 50 offices in 32 countries, and our deep expertise and client roster cross every industry and economic sector. Our clients have outperformed the stock market 4 to 1. What sets us apart We believe a consulting firm should be more than an adviser. So we put ourselves in our clients shoes, selling outcomes, not projects. We align our incentives with our clients by linking our fees to their results and collaborate to unlock the full potential of their business. Our Results Delivery process builds our clients capabilities, and our True North values mean we do the right thing for our clients, people and communities always.

Key contacts in Bain s Global Information Technology practice: Americas: Asia-Pacific: Europe, Middle East and Africa: Syed Ali in Chicago (syed.ali@bain.com) Steve Berez in Boston (steve.berez@bain.com) Vishy Padmanabhan in Dallas (vishy.padmanabhan@bain.com) Rudy Puryear in Chicago (rudy.puryear@bain.com) Jean-Claude Ramirez in São Paulo (jean-claude.ramirez@bain.com) Jonathan Stern in San Francisco (jonathan.stern@bain.com) Rasmus Wegener in Atlanta (rasmus.wegener@bain.com) Arpan Sheth in Mumbai (arpan.sheth@bain.com) Peter Stumbles in Sydney (peter.stumbles@bain.com) Thomas Gumsheimer in Frankfurt (thomas.gumsheimer@bain.com) Marc Lino in Amsterdam (marc.lino@bain.com) Stephen Phillips in London (stephen.phillips@bain.com) Sachin Shah in London (sachin.shah@bain.com) For more information, visit www.bain.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information