Secure by design: taking a strategic approach to cybersecurity

Similar documents
CYBER SECURITY TRAINING SAFE AND SECURE

Corporate Security in 2016.

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

OCIE Technology Controls Program

Who s next after TalkTalk?

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Cyber Security. CYBER SECURITY presents a major challenge for businesses of all shapes and sizes. Leaders ignore it at their peril.

Cyber security: Are Australian CEOs sleepwalking or a step ahead? kpmg.com.au

CYBERSTRAT IS PART OF GMTL LLP, 26 YORK STREET, LONDON, W1U 6PZ, UNITED KINGDOM

Logical Operations CyberSec First Responder: Threat Detection and Response (CFR) Exam CFR-110

AUTHORED BY: George W. Gray CTO, VP Software & Information Systems Ivenix, Inc. ADDRESSING CYBERSECURITY IN INFUSION DEVICES

NNIT Cybersecurity. A new threat landscape requires a new approach

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

developing your potential Cyber Security Training

A NEW APPROACH TO CYBER SECURITY

CYBERSECURITY IN HEALTHCARE: A TIME TO ACT

Address C-level Cybersecurity issues to enable and secure Digital transformation

Cyber Security - What Would a Breach Really Mean for your Business?

The Path Ahead for Security Leaders

Big Data, Big Risk, Big Rewards. Hussein Syed

A Guide to the Cyber Essentials Scheme

Cyber security. Cyber Security. Digital Employee Experience. Digital Customer Experience. Digital Insight. Payments. Internet of Things

The Internet of Things: 4 security dimensions of smart devices

Five keys to a more secure data environment

Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014

CONSULTING IMAGE PLACEHOLDER

5.5. Penetration Tests. Report of the Auditor General of the Ville de Montréal to the City Council and to the Urban Agglomeration Council

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Cybersecurity and internal audit. August 15, 2014

CYBER SECURITY. ADVISORY SERVICES Governance Risk & Compliance. Shemrick Rodney IT Specialist Consultant Antigua & St. Kitts

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

Cyber Security solutions

BIG DATA TRIAGE & DIGITAL FORENSICS

A COMPLETE APPROACH TO SECURITY

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY?

OECD PROJECT ON CYBER RISK INSURANCE

ISO27032 Guidelines for Cyber Security

SOMEBODY'S WATCHING YOU! Maritime Cyber Security White Paper. Safeguarding data through increased awareness

Developing a robust cyber security governance framework 16 April 2015

Cybersecurity The role of Internal Audit

Government Procurement Service

The Value of Automated Penetration Testing White Paper

The Protection Mission a constant endeavor

CYBERSECURITY EXAMINATION SWEEP SUMMARY

The Recover Report. It s business. But it s personal.

ESKISP Conduct security testing, under supervision

How To Manage Risk On A Scada System

Cyber Security Management

Cybersecurity and Privacy Hot Topics 2015

SBL Integration, Capabilities, and Enablement in Defence

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

Services. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure

Utilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst

Addressing Cyber Risk Building robust cyber governance

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015

EA-ISP-012-Network Management Policy

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

CYBER SECURITY, A GROWING CIO PRIORITY

Cybersecurity on a Global Scale

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

Impact of Cybersecurity Innovations in Key Sectors (Technical Insights)

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Today s Cybersecurity Technology: Is Your Business Getting Full Protection?

CYBER SECURITY Audit, Test & Compliance

G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview

Cybersecurity Strategic Consulting

Cyber Security Evolved

A HELPING HAND TO PROTECT YOUR REPUTATION

Combatting the Biggest Cyber Threats to the Financial Services Industry. A White Paper Presented by: Lockheed Martin Corporation

Application Security in the Software Development Lifecycle

Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis

PCI Solution for Retail: Addressing Compliance and Security Best Practices

How To Protect Your Organization From Insider Threats

IT Infrastructure Services. White Paper. Cyber Risk Mitigation for Smart Cities

Building Blocks of a Cyber Resilience Program. Monika Josi monika.josi@safis.ch

Information Technology Security Review April 16, 2012

HP Fortify Software Security Center

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT

DISCOVER, MONITOR AND PROTECT YOUR SENSITIVE INFORMATION Symantec Data Loss Prevention. symantec.com

COUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide

future data and infrastructure

SORTING OUT YOUR SIEM STRATEGY:

Bellevue University Cybersecurity Programs & Courses

Cyber Security: from threat to opportunity

Transcription:

Secure by design: taking a strategic approach to cybersecurity The cybersecurity market is overly focused on auditing policy compliance and performing vulnerability testing when the level of business risk presented demands a holistic risk assessment and agile security architecture to be developed proactively. The threat from cyber attacks is clear and acknowledged Nearly all UK corporations have seen hackers successfully penetrate their IT systems in an attempt to steal, change or make public their sensitive data. i Criminals are not only targeting financial institutions or looking for financial data, they are also now seeking personal data of employees and customers, corporate intelligence and to hijack IT infrastructure for criminal use. The UK Government s National Security Council recently announced that attacks on computer networks are among the biggest emerging threats to the UK, ranking them alongside terrorism and flu pandemic as the key dangers to the UK s security. Recent high-profile attacks reported across a variety of industries include: Fiat Chrysler, who had to recall 1.4 million vehicles in the US for an upgrade to the computer systems, after security researchers demonstrated they could take full control of a Jeep Cherokee from 10 miles away by hacking into its on-board computer system ii Carphone Warehouse, who acknowledged a serious data breach that may have seen the banking details of 2.4 million customers stolen by hackers iii Hacking rings that have targeted three pharmaceutical companies in the last 18 months to get access to details for their financial gain iv Page 1 of 5

Telstra s newly acquired Asian subsidiary, Pacnet, had its IT network hacked into, just before the acquisition took place v Whilst the majority of firms are actively engaged in setting up security governance policies and carrying out security audits to aim to safeguard themselves against cyber crime, almost one tenth of UK firms have not acted in any way at all to protect themselves from hacking. vi That aside, cybersecurity is starting to get the right level of attention within large corporates. It is no longer just seen as a policy issue, a compliance issue, or an IT issue. Instead, it is now seen much more as a strategic and corporate risk issue, which has to be considered throughout all internal project lifecycles and as part of business-as-usual, not just as a one-off activity. Board members of many firms now hold the CEO primarily responsible for cybersecurity, with the CIO as the second-most responsible executive, showing the importance of cybersecurity within the organisation. The elevating profile of cybersecurity has yet to take real effect In a recent survey on behalf of the UK Department for Business Innovation and Skills and contributed to by 200 corporate directors, just over one third said cybersecurity in some capacity was discussed at every board meeting and nearly half said it was discussed at most meetings. vii This is likely to be a significant increase from comparable responses 12 months ago. However, two thirds of board members are not confident of their companies' in-house ability to fully defend themselves against cyber attacks with only 4% being "very" confident of their defences. Despite this lack of confidence, integration of security into the design of new products ranked second to last in priority when considering the development of new products and services. The limited amount of new products being released within the security area, together with the rapid increase in volume and criticality of the threats in recent times shows that the level and availability of technical knowledge of the cybersecurity field as a whole has not grown at the same pace as demand. A strategic and holistic approach is needed to address the threat effectively The cybersecurity ecosystem is disparate and encompasses professional services firms, technology vendors, defence system providers, IT systems integrators as well as niche cybersecurity specialists. However in most examples the focus of these organisations can be traced back to their roots; for instance many of the professional services firms offer security audit services, building on their financial audit experience into a new market to fill an emerging gap. As a result, many services in the cybersecurity advisory market tend to be based on audit and compliance checks against industry and government standards including ISO27001 and CESG Assured Service (CAS). Technology vendors and defence system providers have also been able to offer cybersecurity advice but this has predominantly been focused on whether the hardware and software within the IT environment of a company and its security architecture is fit for purpose at that point in time or at the point of installation. Only a few have developed genuine creative capabilities by addressing both the business and the technical risk perspectives and therefore offering advice in a more rounded holistic way. This holistic approach requires knowledge of business risks and the security standards and how these can be applied to the technical architecture and end-user business environment. This must be underpinned by knowledge and learning gained from recent industry cyber-attacks to determine the best prevention strategies to manage risk. The diagram below illustrates the complexity of the cybersecurity industry and the diversity of companies that are within it, all offering slightly different services and advice to businesses from their own individual perspectives. Hudson & Yorke believes organisations need Cybersecurity Domain Specialists that offer a more holistic approach to cybersecurity by drawing in the knowledge and expertise across all areas of the domain. Page 2 of 5

Figure 1: The cybersecurity ecosystem Corporations and their advisors need to address and mitigate risk at a business level The cybersecurity market can become overly focussed on auditing policy compliance and performing one off vulnerability tests when the level of business risks demands a more holistic risk assessment across its entire estate and an agile security architecture to be developed in defence, which is monitored and reviewed on an on-going basis. Some companies have independent audits carried out which confirm that they have fully met security compliance standards. They may even have had their IT network redesigned or upgraded to make it harder for a cybersecurity attacks to occur. However, it is not unusual to find that a few months later they have been subject to a cyber attack. To be cyber-secure requires hitting a moving target: the assessment and mitigation of cyber-attacks requires continuous and proactive risk management to be part of the security strategy. We advocate that organisations shouldn t build a castle without internal protection within its walls, instead they should build along the lines of the airport model with multiple layers of security that monitor and adapt to threats as needed. They should seek specialist professional support to ensure that secure by design principles are adopted across the business and permeate through all business processes, products and services. The objective of this approach is to proactively build security into the design of services instead of adding layers of security at a later stage in reaction to events. How to initiate the secure by design approach To address the challenge of secure by design, the Chief Information Security Officer (CISO) should organise their team to provide expert support to all projects and product development activities. Their objective should be to build mutualised security services and to increase the security competencies of project managers, developers and architects: The first step should be to ensure that any project management process includes an initial information security assessment to identify whether the project involves a number of security-critical areas. For example, Page 3 of 5

does the project require the usage of personal data, of payment information, confidential data or a direct connection to Internet? Each affirmative answer will increase the level of attention required by the project. Projects requiring a high level of focus will often benefit from the including a security expert in the project team. To ease the integration of security in the project, the CISO should also consider building security commodities. Capabilities such as database encryption or strong authentication will be required by many projects. The ability to standardise security services is a keystone to ensure security will be really integrated into all projects. Finally, to enhance the security by default, the training of the developers and architects is required. As of today, many project team members have a limited awareness of security threats as a result applications are built without security embedded. Often, just before being put in production, audits show numerous security flaws, adding delay to the project and increasing the cost as remediation is put in place. To fully implement a global, integrated secure by design culture in a large organisation is a long-term strategic activity and may take between 3 and 5 years. However, the first quick wins can be obtained in around 3 months with the support of a Cybersecurity Domain Specialist. It could deliver considerable cost savings as information security related costs can range from 2% to 20% of total project cost. Find out more If you d like to find out more about how we can help you to adopt a more holistic approach to cybersecurity including more detail on our Airport not Castle approach to cybersecurity, please contact us by calling at +44 20 7947 4176, or via email at enquiries@hudsonyorke.com or visit our website at. Get all our latest insights online This insight is one of an ongoing, updated series of papers from Hudson & Yorke. They re free to download and you can find them all at /our-views/insights/. About us Hudson & Yorke is a specialist management consultancy focused on delivering strategic ICT advisory services that deliver commercial, service and operational benefits to our clients. Hudson & Yorke is part of Solucom, which is headquartered in France with more than 1500 consultants. Solucom has a strong capability in cybersecurity with a specialist team of over 230 consultants. Hudson and Yorke has extensive knowledge of the IT vendor market and the large end-user enterprise and public sectors. Our consultants fully understand the security policy standards, the defence sector and deliver both business and IT technical architecture projects for our extensive client base. This knowledge enables Hudson & Yorke to provide security by design services to your organisation with a more strategic and holistic approach. Page 4 of 5

1. http://www.computerweekly.com/news/4500248063/nearly-all-uk-corporations-have-been-hacked-a-survey-shows 2. http://www.computerweekly.com/news/4500250565/fiat-chrysler-recall-highlights-importance-of-security-by-design 3. http://www.finextra.com/news/fullstory.aspx?newsitemid=27707 4. http://www.fiercebiotechit.com/story/financially-motivated-hackers-break-3-major-pharma-companies-18-months/2015-07-10 5. http://www.computerweekly.com/news/4500246705/telstra-pacnet-hack-shows-telcos-are-a-prime-targets-say-security-experts 6. http://www.computerweekly.com/news/4500248063/nearly-all-uk-corporations-have-been-hacked-a-survey-shows 7. http://www.computerworlduk.com/news/security/cybersecurity-now-being-discussed-at-most-board-meetings-survey-shows- 3613503/ Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information