
Current enterprise information security measures continue to fail us. Why is this and what can you do to fix it?

Conventional information security measures continue to fail our businesses in today’s rapidly changing world of cyber-risk. Adverse cyber-events manifest themselves as the usual suspects: data breaches, information theft, ransomware and malware, viruses, payment card fraud, DDoS attacks or physical loss, to name but a few.

The problem is that the tally of adverse events keeps mounting. While headline cyber incidents are now reported in the media with regularity, these represent only the tip of the cyber-risk iceberg: most known events are either unreported or hidden from public disclosure. Nor does it help that industry analysis suggests that, on average, nearly half of all adverse cyber-risk events impacting organisations are self-inflicted and avoidable. No industry is untouched.

In this presentation, delivered at the CIO Summit in Melbourne, Australia, in November 2016, Rob offers strategic insights into the problem and why it continues to be a problem.

He outlines practical steps that will help CIOs and CISOs reshape their own organisation’s approach to building a more effective and resilient information security capability.


  1. Why enterprise IT security measures are failing and what you can do to fix them. IDG CIO Summit, Melbourne, November 2016. Presentation by: Rob Livingstone – Principal. © All rights reserved
  2. Agenda
     1. Are organisations really failing at cybersecurity?
     2. Challenges facing business leaders in the ‘new world’ of IT
     3. The changing role of the IT department
     4. The diffusion of IT/Digital accountabilities
     5. Some practical guidelines to build effective cybersecurity
     6. Open discussion
  3. 1. Are organisations really failing at cybersecurity?
     • Fact is that the rate of successful cyber-hacks and data breaches is increasing.
     • A recent global industry survey ranks cyber incidents as the third highest Global Business Risk for 2016.
     • This has jumped by 17% on the previous year. (Source: Allianz Risk Barometer 2016)
  4. 1. Are organisations really failing at cybersecurity?
     A wide range of authoritative assessments have been published that report on known adverse cyber incidents. Some of these include:
     • Verizon’s 2016 Data Breach Investigations Report
     • Ponemon’s 2016 Cost of Data Breach study
     • The 2015 US Association of Corporate Counsel’s State of Cyber Security report
     • The Defender’s Dilemma – RAND Corporation, 2015
     • The SANS 2016 State of ICS Security Survey
     • … and the list goes on! All share the same theme …
  5. 1. Are organisations really failing at cybersecurity?
     Fact is: data breaches are almost a daily occurrence.
  6. 1. Are organisations really failing at cybersecurity? Let’s look inside some of the published industry reports.
     Causes of actual data breaches include:
     • Use of legitimate user credentials is associated with most data breaches [63% using weak, default or stolen passwords]
     • 33% by end users with access to sensitive data to do their jobs
     • An equal 14% were Executives and privileged IT staff (Administrators, Developers, etc.)
     Source: 2016 Verizon Data Breach Investigations Report (DBIR)
  7. 1. Are organisations really failing at cybersecurity? Let’s look at some of the published industry reports.
     [Chart: data breaches larger than 30k records, 2006 to 2016, external vs. self-inflicted]
     Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  8. 1. Are organisations really failing at cybersecurity? Let’s look at some of the published industry reports.
     Source: Ponemon Institute: Managing Insider Risk through Training & Culture (2016)
  9. 1. Are organisations really failing at cybersecurity?
     The evidence is both compelling and worrying:
     • Irrespective of the cause, water-tight information security is a pipe dream in many, if not most, organisations.
     • The complexity and breadth of the enterprise digital and IT footprint is increasing.
     • IT is also becoming more fragmented and complex. Let’s consider the influences of IoT + Shadow IT.
  10. 2. Challenges facing business leaders in the ‘new world’ of IT
     For many organisations:
     1. IoT is a fact of life – and a security risk
     2. Shadow IT is a fact of life – and a security risk
     3. The corporate IT department’s remit over both 1 and 2 is, on average, limited to nil.
     Consequence: the corporate IT department’s capability of assuring and ensuring enterprise-wide information security is being seriously compromised.
     Source: http://www.crm-daily.com/
  11. 2. Challenges facing business leaders in the ‘new world’ of IT
     For many organisations:
     1. IoT is a fact of life – and a security risk
     2. Shadow IT is a fact of life – and a security risk
     3. The corporate IT department’s remit over both 1 and 2 is, on average, limited to nil.
     Consequence: the corporate IT department’s capability of assuring and ensuring enterprise-wide information security is being seriously compromised.
     Source: http://www.crm-daily.com/
  12. 2. Challenges facing business leaders in the ‘new world’ of IT: IoT
     [Image] Source: https://krebsonsecurity.com
  13. 2. Challenges facing business leaders in the ‘new world’ of IT: IoT
     [Image] Source: http://www.crm-daily.com/
  14. 2. Challenges facing business leaders in the ‘new world’ of Shadow IT
     • Up to about 2005: ‘You must use this application!’
     • After about 2005: ‘I’ve just installed this great cloud application – without IT’s involvement!’
  15. 2. Challenges facing business leaders in the ‘new world’ of Shadow IT
     Source: M. Silic, A. Back. Computers & Security 45, 274-283, 2014
  16. 2. Challenges facing business leaders in the ‘new world’ of IT
     The challenge facing modern business leaders is in striking the optimal balance between the business cost, value and risk resulting from any IT initiative, then maintaining this balance in the face of constant change.
  17. 2. Challenges facing business leaders in the ‘new world’ of IT
     Let’s look through the lens of perceived certainty by the business of:
     • IT cost: can be determined with relative accuracy.
     • IT’s value: can be validated by modelling, testing, prototyping, comparative scenario analyses, operations research, etc.
     • Business risk related to IT: open to interpretation.
  18. 2. Challenges facing business leaders in the ‘new world’ of IT
     Question: How can or should business define IT-related risk?
     Most common approach:
     • Risk appetite and profile are not constant over time.
     • Identification, categorization and ranking of technical and functional risks is the most widely used approach, i.e.:
       Risk of a specific event = (Impact × Probability of that event occurring) + Risk Adjustment
     • Underpins the methodologies behind risk certification – e.g. ISO 2700x
  19. 2. Challenges facing business leaders in the ‘new world’ of IT
     Question: How can or should business define IT-related risk?
     • The risk register approach does not cater effectively for the dynamic interaction between risks.
     • It is this interaction between risks that defines the systemic risks.
     • Systemic risks are those with the greatest potential impact, as they affect the entire system (i.e. your organisation, its customers and other stakeholders).
     • Systemic risks are also the hardest to identify – especially for siloed organisations.
  20. 2. Challenges facing business leaders in the ‘new world’ of IT
     Question: How can or should business manage systemic risk?
     • Governance processes that are well integrated and orchestrated across the organisation are key to the identification of systemic risks.
     • Info Sec is only one aspect of this governance.
     • Test the validity of centralised or federated governance for Info Sec.
     • Get this balance wrong, and you could either miss key controls over key cross-functional dependencies, or overload the organisation with unwarranted, ineffective and costly governance processes.
  21. 3. The changing role of the IT department
  22. 3. The changing role of the IT department
     The new IT: from cost centre to value driver. If the IT department is seen primarily as an expense in the eyes of the business, the focus will be on cost reduction.
     • In many instances, the ‘value’ of IT cannot be clearly and precisely defined in the eyes of the business. IT bears the ‘cost’ – Business drives ‘value’.
     Question is:
     • If IT is seen as ‘accountable’ for Information Security, who else is actively interested in Info Sec across the organisation?
  23. 3. The changing role of the IT department
     [Timeline chart: Build it / Broker / Drive value across the 1990s, 2000s and 2010s, driven by speed of delivery, user impatience and market agility]
  24. 3. The changing role of the IT department
     • ‘The digital world, however, runs faster than the typical IT department’s default speed.’
     • ‘The IT crowd worry that haste has hidden costs.’
     • ‘Corporate budgets everywhere are under strain, and IT is often still seen as a cost rather than as a source of new business models and revenues.’
     Source: https://goo.gl/wz8PIZ
     © All rights reserved – Rob Livingstone Advisory Pty Ltd
  25. 4. The Diffusion of IT/Digital accountabilities
     Fact: The majority of established organisations are structured along functional lines.
     Fact: The interdependencies between differing systems, technologies, information taxonomies, governance and risk profiles enterprise-wide are not well understood at the leadership level.
     Result: Defining accountability parameters and boundaries is increasingly blurred due to these interdependencies, many of which are situational and vary over time.
     Question: When things change tomorrow, how does this shift accountabilities?
  26. 4. The Diffusion of IT/Digital accountabilities
     Question: In your organisation, who exactly is ultimately accountable for Information Security?
  27. 4. Some practical guidelines to build effective cybersecurity
     #1: Enterprise Governance should be seen as a business ASSET and not a cost or imposition. Adapt and adopt only appropriate elements of proven InfoSec governance frameworks that:
     • Add value / are mandated
     • Can be tested and are based in evidence
     • Make commercial sense
     • Are visible / reportable / measurable
     • Are adaptable, not bureaucratic.
  28. 4. Some practical guidelines to build effective cybersecurity
     #2: Information security is not just the CIO’s/CISO’s job
     • Effective information security and digital asset protection relies on effective collaboration across the organisation.
     • Adopting a multidisciplinary approach is key.
     • Adjust incentive schemes to ‘share the pain / gain’.
     #3: Get on top of Shadow IT – now
     • Both Business and IT leaders should ensure that they develop a collaborative culture, supported by appropriate business processes, that encourages ‘shadow IT’ in a controlled environment.
  29. 4. Some practical guidelines to build effective cybersecurity
     #4: Acknowledge the shared security responsibility model.
     • Can your Executives (& key business stakeholders) describe, in plain language, their specific contributions to ensuring information security measures?
     • Are their explanations aligned or not?
     • How are business executives incentivized for their contribution to effective Info Sec controls?
  30. 4. Some practical guidelines to build effective cybersecurity
     #5: Where appropriate, key IT vendor contracts should be on a ‘gain-share, pain-share’ basis, not buck passing.
     • Ensure that your key vendors are able to collaboratively and proactively work across and within your technology ecosystem as needed.
     #6: Visit DevSecOps.org
  31. 4. Some practical guidelines to build effective cybersecurity
     #7: Recognise that your staff, not technology, are the real and present InfoSec risk
     Source: https://goo.gl/262ByN
  32. 4. Some practical guidelines to build effective cybersecurity
     #7: Recognise that your staff, not technology, are the real and present InfoSec risk
     • How ‘engaged’ are your staff?
     • What are your staff satisfaction levels?
     • Do you have a revolving door of part-timers, contractors and consultants?
     • How well ‘educated’ are your staff / contractors in ‘best practice’ Info Sec, and how do you measure its relevance and value across your organisation?
  33. 4. Some practical guidelines to build effective cybersecurity
     #8: Ensure your Info Sec regime is responsive to rapid change
     • Change can come from anywhere: innovative cybercriminals, business policy shifts, technology change, a disruptive competitor, internal innovation, etc.
  34. Q&A
