Conventional information security measures continue to fail our businesses in today’s rapidly changing world of cyber-risk. Adverse cyber-events manifest themselves as the usual suspects, including data breaches, information theft, ransomware and malware, viruses, payment card fraud, DDoS attacks or physical loss, to name but a few.
The problem is that the tally of adverse events keeps mounting. While headline cyber incidents are now reported in the media with regularity, they represent only the tip of the cyber-risk iceberg: most known events are either unreported or hidden from public disclosure. Nor does it help that industry analysis suggests that, on average, nearly half of all adverse cyber-risk events impacting organisations are self-inflicted and avoidable. No industry is untouched.
In this presentation, delivered at the CIO Summit in Melbourne, Australia, in November 2016, Rob offers strategic insights into the problem and why it continues to be a problem.
He outlines some practical steps that will help CIOs and CISOs reshape their own organisation’s approach to building a more effective and resilient information security capability.
Agenda
1. Are organisations really failing at cybersecurity?
2. Challenges facing business leaders in the ‘new world’ of IT
3. The changing role of the IT department
4. The diffusion of IT/Digital accountabilities
5. Some practical guidelines to build effective cybersecurity
6. Open discussion
1. Are organisations really failing at cybersecurity?
• The rate of successful cyber-attacks and data breaches is increasing.
• A recent global industry survey ranks cyber incidents as the third-highest global business risk for 2016, up 17% on the previous year.
Source: Allianz Risk Barometer 2016
A wide range of authoritative assessments have been published that report on known adverse cyber incidents. Some of these include:
• Verizon’s 2016 Data Breach Investigations Report
• Ponemon’s 2016 Cost of Data Breach Study
• The 2015 US Association of Corporate Counsel’s State of Cyber Security Report
• RAND Corporation’s 2015 report The Defender’s Dilemma
• The SANS 2016 State of ICS Security Survey
• … and the list goes on!
All share the same theme …
The fact is that data breaches are almost a daily occurrence.
Let’s look inside some of the published industry reports.
Causes of actual data breaches include:
• Use of legitimate user credentials is associated with most data breaches [63% involved weak, default or stolen passwords].
• 33% involved end users with access to sensitive data in order to do their jobs.
• An equal 14% each involved executives and privileged IT staff (administrators, developers, etc.).
Source: 2016 Verizon Data Breach Investigations Report (DBIR)
Source: Ponemon Institute, Managing Insider Risk through Training & Culture (2016)
The evidence is both compelling and worrying:
• Irrespective of the cause, water-tight information security is a pipe dream in many, if not most, organisations.
• The complexity and breadth of the enterprise digital and IT footprint is increasing.
• IT is also becoming more fragmented and complex.
Let’s consider the influences of IoT and Shadow IT.
2. Challenges facing business leaders in the ‘new world’ of IT
Image source: http://www.crm-daily.com/
For many organisations:
1. IoT is a fact of life, and a security risk.
2. Shadow IT is a fact of life, and a security risk.
3. The corporate IT department’s remit over both 1 and 2 is, on average, limited to nil.
Consequence: the corporate IT department’s capability of assuring and ensuring enterprise-wide information security is being seriously compromised.
IoT
Image sources: https://krebsonsecurity.com; http://www.crm-daily.com/
Shadow IT
Up to about 2005: “You must use this application!” After about 2005: “I’ve just installed this great cloud application – without IT’s involvement!”
Source: M. Silic, A. Back. Computers & Security 45, 274-283, 2014
The challenge facing modern business leaders is in striking the optimal balance between the business cost, value and risk resulting from any IT initiative, then maintaining this balance in the face of constant change.
Let’s look through the lens of perceived certainty by the business of:
• IT cost: can be determined with relative accuracy.
• IT’s value: can be validated by modelling, testing, prototyping, comparative scenario analyses, operations research, etc.
• Business risk related to IT: open to interpretation.
Question: How can or should business define IT-related risk?
Most common approach:
• Risk appetite and profile are not constant over time.
• Identification, categorisation and ranking of technical and functional risks is the most widely used approach, i.e. risk of a specific event = (impact × probability of that event occurring) + risk adjustment.
• This underpins the methodologies behind risk certification, e.g. ISO 2700x.
• The risk register approach does not cater effectively for the dynamic interaction between risks.
• It is this interaction between risks that defines systemic risks.
• Systemic risks are those with the greatest potential impact, as they affect the entire system (i.e. your organisation, its customers and other stakeholders).
• Systemic risks are also the hardest to identify, especially for siloed organisations.
Question: How can or should business manage systemic risk?
• Governance processes that are well integrated and orchestrated across the organisation are key to the identification of systemic risks.
• Info Sec is only one aspect of this governance.
• Test the validity of centralised or federated governance for Info Sec.
• Get this balance wrong, and you could either miss key controls over key cross-functional dependencies, or overload the organisation with unwarranted, ineffective and costly governance processes.
3. The changing role of the IT department
The new IT: from Cost Center to Value Driver
If the IT department is seen primarily as an expense in the eyes of the business, the focus will be on cost reduction.
• In many instances, the ‘value’ of IT cannot be clearly and precisely defined in the eyes of the business.
• IT bears the ‘cost’; the business drives the ‘value’.
The question is: if IT is seen as ‘accountable’ for information security, who else is actively interested in Info Sec across the organisation?
The IT department’s role over time, driven by speed of delivery, user impatience and market agility:
1990s: Build it
2000s: Broker
2010s: Drive value
4. The diffusion of IT/Digital accountabilities
Fact: the majority of established organisations are structured along functional lines.
Fact: the interdependencies between differing systems, technologies, information taxonomies, governance and risk profiles enterprise-wide are not well understood at the leadership level.
Result: defining accountability parameters and boundaries is increasingly blurred due to these interdependencies, many of which are situational and vary over time.
Question: When things change tomorrow, how does this shift accountabilities?
Question: In your organisation, who exactly is ultimately accountable for information security?
5. Some practical guidelines to build effective cybersecurity
#1: Enterprise governance should be seen as a business ASSET, not a cost or imposition.
Adapt and adopt only appropriate elements of proven InfoSec governance frameworks that:
• add value or are mandated
• can be tested and are based in evidence
• make commercial sense
• are visible, reportable and measurable
• are adaptable, not bureaucratic.
#2: Information security is not just the CIO’s or CISO’s job
• Effective information security and digital asset protection rely on effective collaboration across the organisation.
• Adopting a multidisciplinary approach is key.
• Adjust incentive schemes to ‘share the pain / gain’.
#3: Get on top of Shadow IT - now
• Both business and IT leaders should ensure that they develop a collaborative culture, supported by appropriate business processes, that encourages ‘shadow IT’ in a controlled environment.
#4: Acknowledge the shared security responsibility model
• Can your executives (and key business stakeholders) describe, in plain language, their specific contributions to ensuring information security measures?
• Are their explanations aligned or not?
• How are business executives incentivised for their contribution to effective Info Sec controls?
#5: Where appropriate, key IT vendor contracts should be on a ‘gain-share, pain-share’ basis, not buck passing
• Ensure that your key vendors are able to work collaboratively and proactively across and within your technology ecosystem as needed.
#6: Visit DevSecOps.org
#7: Recognise that your staff, not technology, are the real and present InfoSec risk
Image source: https://goo.gl/262ByN
• How ‘engaged’ are your staff?
• What are your staff satisfaction levels?
• Do you have a revolving door of part-timers, contractors and consultants?
• How well ‘educated’ are your staff and contractors in Info Sec ‘best practice’, and how do you measure its relevance and value across your organisation?
#8: Ensure your Info Sec regime is responsive to rapid change
• Change can come from anywhere: innovative cybercriminals, business policy shifts, technology change, a disruptive competitor, internal innovation, etc.