Security and Privacy Trends 2014

Similar documents
Cybersecurity and internal audit. August 15, 2014

Seamus Reilly Director EY Information Security Cyber Security

Italy. EY s Global Information Security Survey 2013

A NEW APPROACH TO CYBER SECURITY

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

How To Be Prepared For A Cybercrime

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015

Cyber security Building confidence in your digital future

The Path Ahead for Security Leaders

CYBER SECURITY, A GROWING CIO PRIORITY

Assessing the strength of your security operating model

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

Address C-level Cybersecurity issues to enable and secure Digital transformation

Risk Considerations for Internal Audit

Cybersecurity The role of Internal Audit

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Key Cyber Risks at the ERP Level

Title here. Successful Business Model Transformation. in the Financial Services Industry. KPMG s Evolving World of Risk Management SECTORS AND THEMES

fs viewpoint

THE CUSTOMER EXPERIENCE

Cybersecurity and Privacy Hot Topics 2015

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

Mitigating and managing cyber risk: ten issues to consider

Cyber security: Are consumer companies up to the challenge?

the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group

HEALTH CARE AND CYBER SECURITY:

RETHINKING CYBER SECURITY

Building a Roadmap to Robust Identity and Access Management

Cyber Security: from threat to opportunity

Cyber threat intelligence and the lessons from law enforcement. kpmg.com/cybersecurity

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

Cyber Security and the Board of Directors

Services. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats

IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013

How To Buy Nitro Security

Developing National Frameworks & Engaging the Private Sector

Cisco Security Optimization Service

PwC Cybersecurity Briefing

Cyber security Building confidence in your digital future

Seamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue.

Managing cyber risks with insurance

Testing the Security of your Applications

How To Protect Your Organization From Insider Threats

Cyber security. Cyber Security. Digital Employee Experience. Digital Customer Experience. Digital Insight. Payments. Internet of Things

Odgers Berndtson Board Survey. Among CEOs in Denmark s largest corporations

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

SURVEY REPORT SPON. Identifying Critical Gaps in Database Security. Published April An Osterman Research Survey Report.

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

A strategic approach to fraud

Cyber threat intelligence and the lessons from law enforcement. kpmg.com.au

The Essential Guide to: Risk Post IPO

Management Update: The Eight Building Blocks of CRM

Accenture Technology Consulting. Clearing the Path for Business Growth

Protecting against cyber threats and security breaches

Internal audit strategic planning Making internal audit s vision a reality during a period of rapid transformation

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

RETHINKING CYBER SECURITY Changing the Business Conversation

Gaining the upper hand in today s cyber security battle

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

Information Security Services

Sytorus Information Security Assessment Overview

Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape

Cybersecurity Awareness for Executives

Healthcare Internal Audit: In a Time of Transition

How To Protect Your Network From Attack From A Network Security Threat

CyberArk Privileged Threat Analytics. Solution Brief

Surviving Contact with Reality Crisis exercises as a key element of cyber incident and crisis management response.

Cyber Governance Preparing for the Inevitable Perimeter Breach

Blending Corporate Governance with. Information Security

Accenture Cyber Security Transformation. October 2015

2015 VORMETRIC INSIDER THREAT REPORT

Financial services regulatory compliance. Changing demands require the right perspective

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

Module 6 Essentials of Enterprise Architecture Tools

Combatting the Biggest Cyber Threats to the Financial Services Industry. A White Paper Presented by: Lockheed Martin Corporation

WMACCA Small Law Department Initiative. Scaling a Compliance Program To Your Organization And Small Law Department

Transcription:

2014

Agenda Today s cyber threats 3 You could be under cyber attack now! Improve 6 Awareness of cyber threats propels improvements Expand 11 Leading practices to combat cyber threats Innovate 20 To survive, innovation must power transformation Conclusion 26 Combating cyber attacks requires leadership and accountability Page 1

EY s Global Information Security Survey Now in its 16th year, EY s Global Information Security Survey is among the world s leading sources of information and insight into the global state of information security. This year s 1,909 respondents from 64 countries represent most of the world s largest and most-recognized global companies, and include some of the world s leading information security authorities. Strong data, blended with EY s industry-leading perspectives help our clients focus on the most critical risks, identify their strengths and weaknesses, and improve their information security. Page 2

You could be under cyber attack now! Today s cyber threats Cyber security attacks have increased exponentially in the last few years. Every day, as the rapid-fire evolution of technology marches forward, new, more complex cyber risks emerge, threatening significant harm to an organization s brand and bottom line. Awareness Know Don t know We have structured our Global Information Security Survey report to explore three areas: 1. Improve 2. Expand 3. Innovate Behavior Proactive Reactive Page 3

Improve. Expand. Innovate. Today s cyber threats Improve For many organizations, this is the current state. Over the past year, organizations have made substantial progress in improving their defenses against cyber attacks. Yet their position remains reactive, addressing the threats they know, but not seeking to understand the threats that may be just around the corner. Expand Leading organizations are taking bolder steps to combat cyber threats. They are more proactive in determining both the known and unknown risks within their security programs. However, there remains room to expand security measures. Innovate Organizations aspiring to be information security innovators need to set their sights on new frontiers. These organizations need to continuously review, rethink and potentially redesign their entire information security framework in order to be better prepared. In many cases, innovating may require a fundamental transformation of the information security program to proactively fortify against both the known and the unknown risks in the cyber risk environment. Page 4

Everyone and every organization is a target Certain circumstances can further significantly challenge data security and privacy Mergers and acquisitions Corporate transactions change your IT infrastructure and processes and significantly impact your cyber risk profile Entering new markets Different markets can impose different regulatory conditions on cyber security which may impact the effectiveness of your operations New product launch Investments in R&D can be wasted if cyber criminals gain access to your IP even if they don t steal it, corrupting or copying your data can irreparably damage your brand Front page news Just being well known can make you a target, and if you hit the headlines under difficult circumstances you can become the focus of revenge attacks Major organizational change Information security relies on thoroughly robust mechanisms, total cooperation from your staff and a clear view of the risk landscape. Major organizational change can disrupt all of these. Audit responsibility Audit committees are increasingly being asked to take responsibility for assessing cyber risk to safeguard the interests of shareholders, but security measures need to avoid being too restrictive so that it negatively impacts operations and value generation Page 5

Improve Awareness of cyber threats propels improvement Knowing that an attack will inevitably occur sparks improvements. 2013 EYGM Limited All Rights Reserved EY s Global Information Security Survey 2013 6

Improve Awareness of cyber threats propels improvement Knowing that an attack will inevitably occur sparks improvements. Our survey indicates that many organizations recognize the extent and depth of the threats they face from the top of the organization to the shop floor. For nearly three quarters of organizations surveyed, information security policies are now owned at the highest organizational level. The leaps that organizations are making Organizations are making moves to focus more on the right priorities The steps that organizations still need to take Information security departments continue to struggle with a lack of skilled resources, executive awareness and support Page 7

Improve Awareness of cyber threats propels improvement The leaps that organizations are making Organizations are investing more in information security The steps that organizations still need to take Information security departments are still feeling the pinch Organizations are shifting their focus from operations and maintenance to improving and innovating Despite the security improvements organizations have made, many remain exposed Page 8

Improve Awareness of cyber threats propels improvement The leaps that organizations are making Organizations demonstrate alignment among strategies and drivers The steps that organizations still need to take A lack of alignment in other critical areas is still too common Efforts to improve cyber security programs are growing Threats are growing too, often at a faster pace Page 9

Improve Key questions Where have improvements been made related to information security in your organization within the past year? What are the steps you still need to take? Information security Privacy Emerging risks Notes: Page 10

Expand Leading practices to combat cyber threats Organizations must send clear signals from the top that they need to be proactive and ready for the unknown. Those that are satisfied with merely being reactive may not survive the next attack. 2013 EYGM Limited All Rights Reserved EY s Global Information Security Survey 2013 11

Four leading practices organizations can apply to improve their security and privacy programs 1. Commitment from the top. Gain board support to establish a charter and a long-term strategy for security and privacy protection. 2. Organizational alignment. As part of the strategy, develop a formal governance and operating model, align all aspects of security and privacy to the business and build relationships across the enterprise. 3. People, processes and technology. Make business processes related to security and privacy agile. Consider new technology choices in terms of their benefits as well as the privacy risks they may pose. 4. Operational enablement. Allow good security and privacy governance to drive compliance, not the other way around. Change the culture: Accountability for security and privacy needs to be everyone s responsibility. Use the forces of change to enable the use of new technologies with appropriate security and privacy protocols rather than banning them entirely. Page 12

Expand Leading practices to combat cyber threats Commitment from the top Executive and board support - Organizations need executive support to establish a clear charter for the information security and privacy functions and a long-term strategy for its growth. Our information security solution has changed from the traditional architecture of protecting the business practices itself to protecting the services that can complete the overall business practices. This turns the closely business coupled model into a relatively flexible loosely coupled model, providing security functions by means of services, packaging security services to release into the system. Financial services organization Page 13

Expand Leading practices to combat cyber threats Commitment from the top Articulate risk appetite to provide clear unambiguous direction Measure information security performance and the criteria for success Foster an information security and privacy culture throughout all levels of the organization Understand how security events can impact the business, its services and products Integrate information security and privacy insights directly into management decision making processes Define what is considered to be a secure organization; define KPIs to monitor success Build an information security organization and operating model that anticipates rather than reacts Identify who pays for information security and privacy Executive and board support Page 14

Expand Leading practices to combat cyber threats Organizational alignment Strategy - Information security and privacy departments must develop strong, clearly defined relationships with a wide range of stakeholders across the business, and establish a clearly defined and formalized governance and operating model. Investment - Organizations need to be willing to invest in cyber security and privacy. From our point of view, the most successful practice within information security was the changing of the idea: from considering issues solely on the operational level in the past, to the new approach which is risk-oriented. Analysis, reporting, presentation and other methods are used to spot potential problems, and these problems are communicated and solved together with the business departments now in a more active way, which was rather passive in the past. Technology organization Page 15

Expand Leading practices to combat cyber threats People, processes and technology to implement People - Today s information security and privacy functions requires a broad range of capabilities with a diversity of experiences. Technical IT skills alone are no longer enough. Processes - Processes need to be documented and communicated, but information security and privacy functions also need to develop change management mechanisms to quickly update processes when opportunities for improvement arise. Technology - To gain the most value from a technology solution, information security and privacy functions must supplement their technology deployment efforts with strategic initiatives that address proper governance, process, training and awareness. It s important to have skilled professionals with business vision. The biggest challenge in today s security market is to find professionals who are capable to innovate and adapt to the changes in the required speed. Mining and metals organization Page 16

Expand Leading practices to combat cyber threats People, processes and technology to implement People, Process and Technology Make information security and privacy part of the performance assessment of employees Know and control who holds elevated privileges Use tested, enforceable contract clauses to make partners and vendors responsible and accountable for information security and privacy Ensure information security and privacy is an integral part of the GRC (risk management) function of the organization; not a stand alone function Implement cyber governance into the business and business processes Balance the technology choices with the threats and vulnerabilities the technology brings Ensure information security and privacy are an integral part of IT projects; as a result new information systems are secure from the start Develop the capability to monitor technology assets hosting sensitive data and critical business services in real time Page 17

Expand Leading practices to combat cyber threats Operational enablement Continuous improvement - Organizations must establish a framework for continuously monitoring performance and improving their information security programs in the areas of people, process and technology. Physical security - Organizations should ensure that all their information security technology is physically secure, especially with consideration for access to Wi-Fi. A security operations center (SOC) can enable information security functions to respond faster, work more collaboratively and share knowledge more effectively. Analytics and reporting - Signature and rule-based tools are no longer as effective in today s environment. Instead, Information Security functions may wish to consider using behavior-based analytics against environmental baselines. Environment - Information Security requires an environment that includes a wellmaintained enterprise asset management system (which includes criticality of supported business processes) to manage events associated with business priorities and assess the true risk or impact to the organization. Page 18

Expand Key questions Which leading practices are already in place? Which leading practices should be prioritized for adoption? How does your organization plan to expand its information security and data privacy functions? How many FTEs are planned to be dedicated to information security and data privacy in the next three years? What are the strategic priorities for expansion? Notes: Page 19

Innovate To survive, innovation must power transformation Innovative information security solutions can protect organizations against known cyber risks and prepare them for a great unknown the future. 2013 EYGM Limited All Rights Reserved EY s Global Information Security Survey 2013 20

Innovate To survive, innovation must power transformation Budget allocations toward security innovation are rising slowly, enabling organizations to channel more resources and effort toward innovating solutions that can protect them against the great unknown the future. Many organizations still feel that their budgets are insufficient to become innovating pioneers. Once the unknown becomes known, the organization can then prioritize and address the risks in order of importance. Page 21

Innovate To survive, innovation must power transformation Page 22

Privacy advocates, governments and regulators continue to forge ahead with privacy protection despite setbacks In 2013, a number of jurisdictions around the world improved or expanded their privacy regulations. We expect similar progress to occur around the world in 2014. Page 23

Privacy needs to be a higher priority on the corporate agenda According to EY s Global Information Security Survey 2013, 30% of respondents rate privacy as their number one or two priority in terms of investment, putting privacy tenth in the hierarchy of required information security investments. Privacy needs to rank higher. Page 24

Innovate Key questions In today s fast-moving technological world, security and privacy shouldn t be an either/or proposition Key Questions What new technologies are planned for the coming year? Is privacy a board-level priority within your organization? What steps do you take to anonymize the data to ensure customer privacy? Is privacy a consideration when acquiring and implementing new technology? Do you have privacy governance and operating models? The future shouldn t be about technology versus security versus privacy The goal should be and : technology and security and privacy To achieve this goal, organizations will have to do more than comply; they will need to innovate new policies for privacy protection as fast as emerging technology threatens to compromise it This will require a fundamental change by all stakeholders in how we view privacy and what we are willing to do to protect it Page 25

Conclusion Combating cyber attacks requires leadership and accountability The rapid-fire pace of technology (r)evolution that we have seen in recent years will only accelerate in the years to come as will the cyber risks. Not considering them until they arise gives cyber attackers the advantage. In fact, chances are, they re already in! 2013 EYGM Limited All Rights Reserved EY s Global Information Security Survey 2013 26

Combating cyber attacks requires leadership and accountability Organizations are making good progress in improving how they manage the risks they already know. However, with only 17% of respondents indicating that their Information Security function fully meets the needs of the company, they still have a long way to go. The volume of cyber risks that organizations don t know, particularly when it comes to emerging technologies that are just around the corner or appearing on the horizon, is growing at a rate too fast for many organizations to keep up with. New technologies now drive marketing and customer-oriented initiatives, while Information Security chases associated cyber threats from behind. Mergers or acquisitions, structural changes within the organization or entering new markets all place additional stress on the information security function to provide adequate protection. Organizations need to place more emphasis on improving employee awareness, increasing budgets and devoting more resources to innovating security solutions. These efforts need to be championed by executives at the highest level of the organization, who need to be aware that 80% of the solution is non-technical it s a case of good governance. Page 27

Attacks aren t going to stop In the past 12 months, more than twice as many respondents indicate that the frequency of attacks has gone up compared to those who indicate that they ve decreased. If they succeed in infiltrating an organization s security perimeter, the consequences are distracting at the least, paralyzing at the worst. Security breaches can derail key objectives; undermine the confidence of shareholders, analysts and consumers; damage your brand reputation; and cause significant financial harm. Too frequently, information security is perceived as a compliance necessity and a cost burden to the business. Executives need to view information security as an opportunity that can truly benefit the company and its customers. They need to look at the leading practices outlined in this report and consider how they can be applied to their business. However, with respondents indicating that they are devoting only 14% of their budget spend on innovating new security solutions in the next 12 months, the possibility of hackers wreaking havoc on organizations becomes not only likely, but inevitable. Page 28

Security challenges for organizations Unaware of existing incidents, or limited ability to detect Has not adapted to emerging risks around mobile, cloud, social Reactive versus proactive security Driven by compliance Spend is not optimized or inefficient Strategy not aligned to business objectives or lack of defined strategy Security positions are not appropriately filled; internal technical skills lacking Awareness is lacking sponsorship Security posture lags other industry peers Page 29

Identifying your need: Current state vs. future state Environment Analytics and reporting Board support Physical security Strategy Continuous improvement Investment Technology People Process Page 30

Want to learn more? Please visit our Insights on governance, risk and compliance series at ey.com/grcinsights Security Operations Centers against cybercrime: Tope 10 considerations for success www.ey.com/soc Beating cybercrime: Security Program Management from the Board s perspective www.ey.com/spm Privacy trends 2013: the uphill climb continues www.ey.com/privacy2013 Mobile device security: understanding vulnerabilities and managing risk www.ey.com/mobiledevicesecurity Protecting and strengthening your brand: social media governance and strategy www.ey.com/protectingbrand Information security in a borderless world: time for a rethink www.ey.com/infosec_borderless Identity and access management (IAM): beyond compliance www.ey.com/iam Bring your own device: security and risk considerations for your mobile device program www.ey.com/byod Key considerations for your internal audit plan: enhancing the risk assessment and addressing emerging risks www.ey.com/iaplan Page 31

Contact information Adam Wright Senior Manager, Advisory Services adam.wright@ey.com Page 32

EY Assurance Tax Transactions Advisory Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. About EY s Advisory Services Improving business performance while managing risk is an increasingly complex business challenge. Whether your focus is on broad business transformation or more specifically on achieving growth, optimizing or protecting your business, having the right advisors on your side can make all the difference. Our 30,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and exceptional client service. We use proven, integrated methodologies to help you solve your most challenging business problems, deliver a strong performance in complex market conditions and build sustainable stakeholder confidence for the longer term. We understand that you need services that are adapted to your industry issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where your strategy and change initiatives are delivering the value your business needs.. www.ey.com/grcinsights Page 33

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information