DL
Uploaded byDoreen Loeber
1,199 views

Cyber Security Maturity Assessment

1) innogy SE conducted a Cyber Security Maturity Assessment (CSMA) to gain transparency into its cyber security measures and maturity levels. 2) The CSMA analyzed all cyber security controls and measures to determine their cost, maturity, and economic efficiency. It provided actual and planned maturity levels for the company and its units. 3) The CSMA helped innogy SE optimize its cyber security efforts by reducing overlaps, redundancies, and over or under achievement. It identified the most cost-effective approach to achieve its target maturity levels.

Embed presentation

ASIS EUROPE 2019 Cyber Security Maturity Assessment innogy SE · 30.03.2019 · Christoph Hagenbuch
innogy Group Security Content About innogy SE1 Motivation2 Approach3 Success4
innogy Group Security Thanks to our employees and customers … About innogy SE Source: innogy SE | Facts and Figures 2018 ≈42,000 EMPLOYEES 23 MILLION CUSTOMERS The average football stadium has around 42,000 seats. Converted to the equivalent of full-time positions. Equivalent to the population of Denmark and the Netherlands put together. Netherlands Population: ≈17 millions Denmark Population: ≈6 millions 3
innogy Group Security Sustainable generation of electricity Efficient distribution of energy Products and services for our customers Future business models Overview of our operations About innogy SE Renewables Grid & Infrastructure Retail New Businesses Source: innogy SE | Factbook 2018 Wind Hydro Solar (EPC/O&M/IPP) Grid assets Grid+ FTTx Commodity Energy+ eMobility Innovation Hub 4
innogy Group Security Content About innogy SE1 Motivation2 Approach3 Success4
innogy Group Security Cyber security has an increasing importance Motivation For a successful and sustainable digitisation, CYBER SECURITY creates essential foundations and is therefore crucial for the PERFORMANCE and SUCCESS OF EVERY COMPANY. 6
innogy Group Security The challenges for cyber security have changed dramatically and are constantly increasing Motivation RISK ENVIRONMENT New and constantly increasing cyber attacks are omnipresent and have unprecedented dynamics. IT ENVIRONMENT IT environments are becoming increasingly complex and fast-moving. 7
innogy Group Security Maximum transparency of cyber security measures is required: key parameters Motivation MATURITY EFFECTIVE- NESS COST 8
innogy Group Security In addition, specialists and decision makers do not always speak the same language Motivation Decision makers are obliged to set up an EARLY WARNING SYSTEM and need specific and COMPREHENSIBLE information instead of technical terminology A methodology is required to communicate QUICKLY and COMPREHENSIBLY the concrete need for action to the decision makers. 9
innogy Group Security The Cyber Security Maturity Cockpit enables Motivation The Cyber Security Maturity Assessment creates maximum transparency & enables decision makers to make optimal use of financial & human resources. The following questions are answered in an understandable way: What are we doing? What does it cost? How well are we doing it? Are we doing the right things? 10
innogy Group Security Content About innogy SE1 Motivation2 Approach3 Success4
innogy Group Security Highest possible efficiency and considerable savings Approach CSMA makes it possible to achieve the optimum between the accepted residual risk and the resources used, thus ensuring a considerable increase in efficiency and cost reduction. 1 2 3 Targeted reduction of the cyber security risk through transparency about maturity levels and adaptation or implementation of appropriate cyber security measures Reduction of overlaps, redundancies and over- or underachievement of self-defined degree of target maturity depending on risk appetite The resources used achieve the desired degree of maturity with the lowest total expenditure. The optimum between the accepted residual risk and the resources used is sustainably achieved Underfulfillment Optimum Overfulfillment Overall effort (€) = Risk + Resources Risk (€) Resources (€) 1 3 2 12
innogy Group Security Analysis of all cyber security measures Approach Measurement of maturity & effectiveness per measure Economic Efficiency Analysis Cost Maturity/effectiveness Optimal economic efficiency Optimise economic efficiency Critical economic efficiency 13
innogy Group Security Exemplary Cyber Security maturity actuals and planning Approach Current Cyber Security maturity [%] 1% – 39% Initial 40% – 59% Repeatable 60% – 79% Defined 80% – 94% Managed Optimised Company overview Control Global DE UK NL PL CZ SK CA.05 Information security policies 79 79 79 79 79 79 79 CA.06 Organisation of information security 80 80 79 80 80 81 80 CA.07 Human resources security 67 62 59 62 60 84 72 CA.08 Asset management 53 52 52 52 51 58 55 CA.09 Access control 65 62 59 63 60 79 68 CA.10 Cryptography 80 80 78 80 80 78 82 CA.11 Physical & environmental security 81 80 80 80 82 84 80 CA.12 Operations security 68 66 67 65 68 72 72 CA.13 Communications security 68 65 67 67 65 73 69 CA.14 System acquisition development & maintenance 49 43 54 43 48 62 43 CA.15 Supplier relationships 71 71 75 71 67 71 71 CA.16 Information security incident mgmt. 82 85 78 84 74 84 85 CA.17 Information security aspects of BCM 79 80 80 80 78 75 80 CA.18 Compliance 72 71 74 71 66 76 71 Total ø 72 70 70 70 68 75 72 Cyber Security maturity planning [%] 62 69 7280 0 20 100 40 60 Jan 18 Dec 18 Jun 19 60 Mar 18 Jun 18 Sep 18 Mar 19 Sep 19 Dec 19 Target: 80 Planning Actual CSMA methodology and tool awarded with the Security Innovation Award. Fictitious example 14
innogy Group Security Effectivity updates of local services have very little impact on Total effectivity Approach Evaluation Level Example: Impact of ATP on effectivity CSMA evaluation Aggre- gation Global (all control areas, all countries) Sub-control • Average of control areas across units • New: 69% • Average of all control areas in GER • New: 68.59% • Average of all controls in GER • New Effectivity for A.12: 67% • Average of sub-controls • New Effectivity A.12.2: 80% • Evaluation of services in sub-control • New Effectivity A.12.2.1: 80% Services • Maturity for ATP service: 80  100  Increase of service effectivity Control Control area Total (all control areas per unit) 15
innogy Group Security Objectivation of maturity judgement Approach CSMA TODAY Expert knowledge based (feeling) Attendees change from time to time Subjective CSMA TOMORROW Make CSMA more constant/objective Add Simulation features & unit & control weighting Save time by automation 16
innogy Group Security Content About innogy SE1 Motivation2 Approach3 Success4
innogy Group Security The SCMA makes us successful Success UNIQUE TRANS- PARENCY CYBER SECURITY … methodology based on ISO 27001 … awareness & communication increased … budget & human resources increased by factor 2 18
innogy Group Security Q & A Questions & Answers
innogy Group Security CHRISTOPH HAGENBUCH Cyber Security Management Phone +49 (0) 201 12 21610 Mobile +49 (0) 152 09053637 Email christoph.hagenbuch@innogy.com innogy SE Opernplatz 1 45128 Essen – Germany 20

More Related Content

PPTX
SOC 2 Compliance and Certification
byControlCase
 
PPTX
Security Information and Event Management (SIEM)
byk33a
 
PPTX
Zero trust Architecture
byAddWeb Solution Pvt. Ltd.
 
PDF
Cyber security maturity model- IT/ITES
byPriyanka Aash
 
PPTX
SOC Architecture Workshop - Part 1
byPriyanka Aash
 
PDF
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
byPriyanka Aash
 
PDF
Need of SIEM when You have SOAR
bySiemplify
 
PDF
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
SOC 2 Compliance and Certification
byControlCase
 
Security Information and Event Management (SIEM)
byk33a
 
Zero trust Architecture
byAddWeb Solution Pvt. Ltd.
 
Cyber security maturity model- IT/ITES
byPriyanka Aash
 
SOC Architecture Workshop - Part 1
byPriyanka Aash
 
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
byPriyanka Aash
 
Need of SIEM when You have SOAR
bySiemplify
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 

What's hot

PPTX
What is Zero Trust
byOkta-Inc
 
PPTX
Cloud Security
byAWS User Group Bengaluru
 
PPTX
Zero Trust
byBoaz Shunami
 
PDF
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
byParishSummer
 
PPTX
Security operation center
byMuthuKumaran267
 
PPTX
Secure SDLC Framework
byRishi Kant
 
PDF
Security architecture
byDuncan Unwin
 
PPTX
ISO 27001 Awareness/TRansition.pptx
byDr Madhu Aman Sharma
 
PPT
ISO 27001 - Information Security Management System
byMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
PPTX
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
PPTX
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
byAllen Baranov
 
PPTX
Zero trust deck 2020
byGuido Marchetti
 
PPTX
Cissp- Security and Risk Management
byHamed Moghaddam
 
PPTX
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
byOWASP Delhi
 
PPTX
Zero Trust Network Access
byEr. Ajay Sirsat
 
PDF
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
PDF
Introduction to Cloud Security
bySusanne Tedrick
 
PPT
information security management
byGurpreetkaur838
 
PDF
Microsoft Zero Trust
byDavid J Rosenthal
 
PPTX
The Zero Trust Model of Information Security
byTripwire
 
What is Zero Trust
byOkta-Inc
 
Cloud Security
byAWS User Group Bengaluru
 
Zero Trust
byBoaz Shunami
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
byParishSummer
 
Security operation center
byMuthuKumaran267
 
Secure SDLC Framework
byRishi Kant
 
Security architecture
byDuncan Unwin
 
ISO 27001 Awareness/TRansition.pptx
byDr Madhu Aman Sharma
 
ISO 27001 - Information Security Management System
byMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
byAllen Baranov
 
Zero trust deck 2020
byGuido Marchetti
 
Cissp- Security and Risk Management
byHamed Moghaddam
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
byOWASP Delhi
 
Zero Trust Network Access
byEr. Ajay Sirsat
 
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
Introduction to Cloud Security
bySusanne Tedrick
 
information security management
byGurpreetkaur838
 
Microsoft Zero Trust
byDavid J Rosenthal
 
The Zero Trust Model of Information Security
byTripwire
 

Similar to Cyber Security Maturity Assessment

PDF
ICS Cyber Security Effectiveness Measurement
byAleksey Lukatskiy
 
PDF
CYBER-i Corporate Dossier
byAGC Networks Ltd
 
PDF
Credit Union Cyber Security
byStacy Willis
 
PDF
Event Presentation: Cyber Security for Industrial Control Systems
byInfonaligy
 
PDF
Cyber-Security-Whitepaper.pdf
byAnil
 
PDF
Cyber-Security-Whitepaper.pdf
byAnil
 
PDF
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...
byNRBsanv
 
PPTX
Data Security Solutions - Cyber Security & Security Intelligence - @ Lithuani...
byAndris Soroka
 
PDF
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
byitnewsafrica
 
PPTX
cybersecurityandthe importance of the that
byJayachanduHNJc
 
DOCX
Information Security Assurance Capability Maturity Model (ISA-.docx
bylanagore871
 
PDF
Capgemini Consulting Information Security Benchmarking 2017
byCapgemini
 
PPTX
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
byInfosectrain3
 
PDF
Hp arc sight_state of security ops_whitepaper
byrickkaun
 
PPTX
CyberSecurity Portfolio Management
byPriyanka Aash
 
PDF
Best Cyber Security Training Certification | ACS Networks and Technologies Pv...
byACS Networks and Technologies Pvt. Ltd.
 
PDF
Cisco Advanced Services
byCisco do Brasil
 
PPTX
Draft_ppt_dmss[1][2] (1) FINAL123455667.pptx
bymazumderdevangshu
 
PPT
ITS Datamatix Gitex Conference 2009 New ICT Security V2
byJorge Sebastiao
 
PDF
Emerging Trends in Information Privacy and Security
byJessica Santamaria
 
ICS Cyber Security Effectiveness Measurement
byAleksey Lukatskiy
 
CYBER-i Corporate Dossier
byAGC Networks Ltd
 
Credit Union Cyber Security
byStacy Willis
 
Event Presentation: Cyber Security for Industrial Control Systems
byInfonaligy
 
Cyber-Security-Whitepaper.pdf
byAnil
 
Cyber-Security-Whitepaper.pdf
byAnil
 
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...
byNRBsanv
 
Data Security Solutions - Cyber Security & Security Intelligence - @ Lithuani...
byAndris Soroka
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
byitnewsafrica
 
cybersecurityandthe importance of the that
byJayachanduHNJc
 
Information Security Assurance Capability Maturity Model (ISA-.docx
bylanagore871
 
Capgemini Consulting Information Security Benchmarking 2017
byCapgemini
 
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
byInfosectrain3
 
Hp arc sight_state of security ops_whitepaper
byrickkaun
 
CyberSecurity Portfolio Management
byPriyanka Aash
 
Best Cyber Security Training Certification | ACS Networks and Technologies Pv...
byACS Networks and Technologies Pvt. Ltd.
 
Cisco Advanced Services
byCisco do Brasil
 
Draft_ppt_dmss[1][2] (1) FINAL123455667.pptx
bymazumderdevangshu
 
ITS Datamatix Gitex Conference 2009 New ICT Security V2
byJorge Sebastiao
 
Emerging Trends in Information Privacy and Security
byJessica Santamaria
 

More from Doreen Loeber

PDF
The growth of young professionals into the security industry (a live case study)
byDoreen Loeber
 
PDF
Burnout: When bad things happen to good security professionals
byDoreen Loeber
 
PDF
The New APP Certification
byDoreen Loeber
 
PDF
How to Secure an Open Campus
byDoreen Loeber
 
PDF
True or False in the Age of Fake News
byDoreen Loeber
 
PDF
Sharing is caring: Duty of Care and the Sharing Economy
byDoreen Loeber
 
PDF
Video Surveillance in Marine Environments
byDoreen Loeber
 
PDF
How Access Control is impacted by cloud, mobile and GDPR
byDoreen Loeber
 
PDF
Insurance and security: finding common ground in a volatile security risk env...
byDoreen Loeber
 
PDF
Vendor Partnering. The A to Z of Developing Great Relationships
byDoreen Loeber
 
PDF
The competitive advantage of holding a professional certification
byDoreen Loeber
 
PDF
Career Development Workshop
byDoreen Loeber
 
PDF
The ESRM Skills Cocktail
byDoreen Loeber
 
PDF
Research revealed on access control challenges for multinationals
byDoreen Loeber
 
PDF
Artificial Intelligence and Automation in Mobility Risk Management
byDoreen Loeber
 
PDF
Your building is talking. Are you listening?
byDoreen Loeber
 
PDF
The weakest link in today’s physical security … and no, it’s not people
byDoreen Loeber
 
PDF
Why a Unified Approach to Critical Event Management Improves Operational Resi...
byDoreen Loeber
 
PDF
Data-driven crime prevention using AI
byDoreen Loeber
 
PDF
Case Study: Digitalization of Systems Brings Smarter Buildings
byDoreen Loeber
 
The growth of young professionals into the security industry (a live case study)
byDoreen Loeber
 
Burnout: When bad things happen to good security professionals
byDoreen Loeber
 
The New APP Certification
byDoreen Loeber
 
How to Secure an Open Campus
byDoreen Loeber
 
True or False in the Age of Fake News
byDoreen Loeber
 
Sharing is caring: Duty of Care and the Sharing Economy
byDoreen Loeber
 
Video Surveillance in Marine Environments
byDoreen Loeber
 
How Access Control is impacted by cloud, mobile and GDPR
byDoreen Loeber
 
Insurance and security: finding common ground in a volatile security risk env...
byDoreen Loeber
 
Vendor Partnering. The A to Z of Developing Great Relationships
byDoreen Loeber
 
The competitive advantage of holding a professional certification
byDoreen Loeber
 
Career Development Workshop
byDoreen Loeber
 
The ESRM Skills Cocktail
byDoreen Loeber
 
Research revealed on access control challenges for multinationals
byDoreen Loeber
 
Artificial Intelligence and Automation in Mobility Risk Management
byDoreen Loeber
 
Your building is talking. Are you listening?
byDoreen Loeber
 
The weakest link in today’s physical security … and no, it’s not people
byDoreen Loeber
 
Why a Unified Approach to Critical Event Management Improves Operational Resi...
byDoreen Loeber
 
Data-driven crime prevention using AI
byDoreen Loeber
 
Case Study: Digitalization of Systems Brings Smarter Buildings
byDoreen Loeber
 

Recently uploaded

PDF
Botswana Diamonds plc Corporate Presentation Jan 2026
byJames AH Campbell
 
PDF
Camil Institutional Presentation_Jan26.pdf
byCAMILRI
 
DOCX
Top 10 Sites to Buy Aged Snapchat Accounts in 2026.docx
byBuyGmailAccounts10
 
PDF
IFS state pension.pdf From IFS and Oxford
byHenry Tapper
 
PDF
_The Ultimate Guide to Buying Twitter Accounts Safely.pdf
byp7u0tz3g7favwxkjrlwm
 
DOCX
Proven Ways to Buy Verified PayPal Accounts in Los Angeles Safely.docx
byUsaservicepoint
 
PDF
Raman Bhaumik - A Licensed Pharmacist In Multiple States
byRaman Bhaumik
 
DOCX
Buy Verified PayPal Account Online_ A Comprehensive ....docx
byBusiness
 
DOCX
How to Choose the Best Site to Buy Old Facebook Accounts.docx
bybusiness by pvaisback
 
DOCX
How to Buy Facebook Verified Accounts_ A Guide.docx
byDigital Marketing in the USA
 
PDF
Where and why Buy Verified Binance Accounts With Full KYC ....pdf
byhttps://propvaservice.com/
 
PPTX
Exterior Front Entry Door Design Trends, 2025–2026
bydoornmore
 
DOCX
_Buy Old Gmail Accounts with Real Age and Trust with 2fa
bypvasmmpath
 
PDF
IT Administration Staffing Jobs in Albany,Ny.pdf
byThe Sculpt Aesthetics Sculpt Cosmetic Surgery
 
DOCX
Why Should I Buy Old Gmail Accounts_losangeless _______________.docx
byjoshuabellc7
 
PDF
brand anthropologist.pdf lalalalalalalal
bySimiBlaker
 
PDF
Gmail Accounts and Email Communication Architecture: An Academic Study of Dig...
bythumberjames7
 
PDF
V3Cube On-Demand House Cleaning App Solution
byV3CUBE TECHNOLABS
 
PPT
Business Process outsourcing SMPBPO101_003 v2013 QCCI.ppt
bycmaranan
 
DOCX
How To Buy LinkedIn Accounts – 100% PVA, Aged & Bulk..docx
byhttps://pvaallit.com/product/buy-old-gmail-accounts/
 
Botswana Diamonds plc Corporate Presentation Jan 2026
byJames AH Campbell
 
Camil Institutional Presentation_Jan26.pdf
byCAMILRI
 
Top 10 Sites to Buy Aged Snapchat Accounts in 2026.docx
byBuyGmailAccounts10
 
IFS state pension.pdf From IFS and Oxford
byHenry Tapper
 
_The Ultimate Guide to Buying Twitter Accounts Safely.pdf
byp7u0tz3g7favwxkjrlwm
 
Proven Ways to Buy Verified PayPal Accounts in Los Angeles Safely.docx
byUsaservicepoint
 
Raman Bhaumik - A Licensed Pharmacist In Multiple States
byRaman Bhaumik
 
Buy Verified PayPal Account Online_ A Comprehensive ....docx
byBusiness
 
How to Choose the Best Site to Buy Old Facebook Accounts.docx
bybusiness by pvaisback
 
How to Buy Facebook Verified Accounts_ A Guide.docx
byDigital Marketing in the USA
 
Where and why Buy Verified Binance Accounts With Full KYC ....pdf
byhttps://propvaservice.com/
 
Exterior Front Entry Door Design Trends, 2025–2026
bydoornmore
 
_Buy Old Gmail Accounts with Real Age and Trust with 2fa
bypvasmmpath
 
IT Administration Staffing Jobs in Albany,Ny.pdf
byThe Sculpt Aesthetics Sculpt Cosmetic Surgery
 
Why Should I Buy Old Gmail Accounts_losangeless _______________.docx
byjoshuabellc7
 
brand anthropologist.pdf lalalalalalalal
bySimiBlaker
 
Gmail Accounts and Email Communication Architecture: An Academic Study of Dig...
bythumberjames7
 
V3Cube On-Demand House Cleaning App Solution
byV3CUBE TECHNOLABS
 
Business Process outsourcing SMPBPO101_003 v2013 QCCI.ppt
bycmaranan
 
How To Buy LinkedIn Accounts – 100% PVA, Aged & Bulk..docx
byhttps://pvaallit.com/product/buy-old-gmail-accounts/
 

Cyber Security Maturity Assessment

  • 1.
    ASIS EUROPE 2019 CyberSecurity Maturity Assessment innogy SE · 30.03.2019 · Christoph Hagenbuch
  • 2.
    innogy Group Security Content Aboutinnogy SE1 Motivation2 Approach3 Success4
  • 3.
    innogy Group Security Thanksto our employees and customers … About innogy SE Source: innogy SE | Facts and Figures 2018 ≈42,000 EMPLOYEES 23 MILLION CUSTOMERS The average football stadium has around 42,000 seats. Converted to the equivalent of full-time positions. Equivalent to the population of Denmark and the Netherlands put together. Netherlands Population: ≈17 millions Denmark Population: ≈6 millions 3
  • 4.
    innogy Group Security Sustainablegeneration of electricity Efficient distribution of energy Products and services for our customers Future business models Overview of our operations About innogy SE Renewables Grid & Infrastructure Retail New Businesses Source: innogy SE | Factbook 2018 Wind Hydro Solar (EPC/O&M/IPP) Grid assets Grid+ FTTx Commodity Energy+ eMobility Innovation Hub 4
  • 5.
    innogy Group Security Content Aboutinnogy SE1 Motivation2 Approach3 Success4
  • 6.
    innogy Group Security Cybersecurity has an increasing importance Motivation For a successful and sustainable digitisation, CYBER SECURITY creates essential foundations and is therefore crucial for the PERFORMANCE and SUCCESS OF EVERY COMPANY. 6
  • 7.
    innogy Group Security Thechallenges for cyber security have changed dramatically and are constantly increasing Motivation RISK ENVIRONMENT New and constantly increasing cyber attacks are omnipresent and have unprecedented dynamics. IT ENVIRONMENT IT environments are becoming increasingly complex and fast-moving. 7
  • 8.
    innogy Group Security Maximumtransparency of cyber security measures is required: key parameters Motivation MATURITY EFFECTIVE- NESS COST 8
  • 9.
    innogy Group Security Inaddition, specialists and decision makers do not always speak the same language Motivation Decision makers are obliged to set up an EARLY WARNING SYSTEM and need specific and COMPREHENSIBLE information instead of technical terminology A methodology is required to communicate QUICKLY and COMPREHENSIBLY the concrete need for action to the decision makers. 9
  • 10.
    innogy Group Security TheCyber Security Maturity Cockpit enables Motivation The Cyber Security Maturity Assessment creates maximum transparency & enables decision makers to make optimal use of financial & human resources. The following questions are answered in an understandable way: What are we doing? What does it cost? How well are we doing it? Are we doing the right things? 10
  • 11.
    innogy Group Security Content Aboutinnogy SE1 Motivation2 Approach3 Success4
  • 12.
    innogy Group Security Highestpossible efficiency and considerable savings Approach CSMA makes it possible to achieve the optimum between the accepted residual risk and the resources used, thus ensuring a considerable increase in efficiency and cost reduction. 1 2 3 Targeted reduction of the cyber security risk through transparency about maturity levels and adaptation or implementation of appropriate cyber security measures Reduction of overlaps, redundancies and over- or underachievement of self-defined degree of target maturity depending on risk appetite The resources used achieve the desired degree of maturity with the lowest total expenditure. The optimum between the accepted residual risk and the resources used is sustainably achieved Underfulfillment Optimum Overfulfillment Overall effort (€) = Risk + Resources Risk (€) Resources (€) 1 3 2 12
  • 13.
    innogy Group Security Analysisof all cyber security measures Approach Measurement of maturity & effectiveness per measure Economic Efficiency Analysis Cost Maturity/effectiveness Optimal economic efficiency Optimise economic efficiency Critical economic efficiency 13
  • 14.
    innogy Group Security ExemplaryCyber Security maturity actuals and planning Approach Current Cyber Security maturity [%] 1% – 39% Initial 40% – 59% Repeatable 60% – 79% Defined 80% – 94% Managed Optimised Company overview Control Global DE UK NL PL CZ SK CA.05 Information security policies 79 79 79 79 79 79 79 CA.06 Organisation of information security 80 80 79 80 80 81 80 CA.07 Human resources security 67 62 59 62 60 84 72 CA.08 Asset management 53 52 52 52 51 58 55 CA.09 Access control 65 62 59 63 60 79 68 CA.10 Cryptography 80 80 78 80 80 78 82 CA.11 Physical & environmental security 81 80 80 80 82 84 80 CA.12 Operations security 68 66 67 65 68 72 72 CA.13 Communications security 68 65 67 67 65 73 69 CA.14 System acquisition development & maintenance 49 43 54 43 48 62 43 CA.15 Supplier relationships 71 71 75 71 67 71 71 CA.16 Information security incident mgmt. 82 85 78 84 74 84 85 CA.17 Information security aspects of BCM 79 80 80 80 78 75 80 CA.18 Compliance 72 71 74 71 66 76 71 Total ø 72 70 70 70 68 75 72 Cyber Security maturity planning [%] 62 69 7280 0 20 100 40 60 Jan 18 Dec 18 Jun 19 60 Mar 18 Jun 18 Sep 18 Mar 19 Sep 19 Dec 19 Target: 80 Planning Actual CSMA methodology and tool awarded with the Security Innovation Award. Fictitious example 14
  • 15.
    innogy Group Security Effectivityupdates of local services have very little impact on Total effectivity Approach Evaluation Level Example: Impact of ATP on effectivity CSMA evaluation Aggre- gation Global (all control areas, all countries) Sub-control • Average of control areas across units • New: 69% • Average of all control areas in GER • New: 68.59% • Average of all controls in GER • New Effectivity for A.12: 67% • Average of sub-controls • New Effectivity A.12.2: 80% • Evaluation of services in sub-control • New Effectivity A.12.2.1: 80% Services • Maturity for ATP service: 80  100  Increase of service effectivity Control Control area Total (all control areas per unit) 15
  • 16.
    innogy Group Security Objectivationof maturity judgement Approach CSMA TODAY Expert knowledge based (feeling) Attendees change from time to time Subjective CSMA TOMORROW Make CSMA more constant/objective Add Simulation features & unit & control weighting Save time by automation 16
  • 17.
    innogy Group Security Content Aboutinnogy SE1 Motivation2 Approach3 Success4
  • 18.
    innogy Group Security TheSCMA makes us successful Success UNIQUE TRANS- PARENCY CYBER SECURITY … methodology based on ISO 27001 … awareness & communication increased … budget & human resources increased by factor 2 18
  • 19.
    innogy Group Security Q& A Questions & Answers
  • 20.
    innogy Group Security CHRISTOPHHAGENBUCH Cyber Security Management Phone +49 (0) 201 12 21610 Mobile +49 (0) 152 09053637 Email christoph.hagenbuch@innogy.com innogy SE Opernplatz 1 45128 Essen – Germany 20