Cyber Security: From threat to opportunity


IT ADVISORY


www.kpmg.com/nl/cybersecurity

From threat to opportunity / Cyber security / 1


FOREWORD

OPPORTUNITY-DRIVEN CYBER SECURITY

Cyber security (also known as information security or information protection) is a key theme in today’s business reality. Now that the success of many organisations has proven to be dependent on digital assets, it would be easy to elaborate only on cyber security threats. The question is: does focusing on fear, uncertainty and doubt really help your organisation to move any further along in this area?

Let there be no misunderstanding: we believe it is of the utmost importance to be adequately protected against cyber threats. These threats create cyber risks that organisations need to manage as part of their enterprise risk management, in order to have a ‘licence to operate’. But it is time to look at cyber security from a different angle. Organisations should start looking at cyber security as an opportunity that will add extra value to a company’s products and services.

John Hermans, Partner, KPMG Risk Consulting


© 2014 KPMG Advisory N.V.


1 COMPETITIVE ADVANTAGES

We are convinced that making the right decisions when it comes to cyber security can result in a competitive advantage. Being well prepared means that organisations can prepare for innovations and new market opportunities better than competitors can. Such organisations will also earn more trust from customers and other stakeholders. Examples of this potential for a competitive advantage:

• Organisations that can assure their customers, stakeholders and employees that their information is properly protected are more trustworthy in the eye of the public;
• Governments and large corporates demand confidence in information management and use it as a qualifier for contracts and/or partnerships;
• Better cyber security results in lower costs arising from IT failures;
• Visible compliance with privacy regulations strengthens the brand reputation.

To unlock this potential we need a holistic, intelligence-led, and partnership-based approach aimed at building a cyber-resilient organisation.



2 CLEAR RESPONSIBILITIES

In an ideal world, the following statements summarise the roles and responsibilities that each person in an organisation must assume with regard to cyber security. Following a wave of high-profile incidents, cyber security is no longer seen as just an IT issue. It is increasingly becoming a topic for the executive board.

The Chairman

Cyber security is a standing agenda item for the board. We have a robust cyber security strategy in place, regularly review our threat landscape and hold our executives accountable for their responsibilities.

Risk & Legal

Our regulatory and international certification standards are relevant and up to date. We know about the latest fines and consequences for data breaches.

The CEO

We are prepared to deal with security events. Should hackers claim success via the media, we can demonstrate that we have not been subject to a breach.

The CISO

We effectively manage information risks within the organisation together with our delivery and supply partners. We know where our critical data is stored and who has access to it.

The CIO on IT development and IT operations

All new systems, products and services are developed using ‘secure-by-design’ principles. Effective monitoring in the value chain helps us to identify risks and minimise the impact of compromise.

The Chief Operating Officer on operations and external suppliers

We are aware of the safeguards required when adopting new business models such as outsourcing, offshoring and cloud services. Cyber security is an integral part of our procurement process.

The Head of Human Resources

Throughout our organisation, people have the awareness, skills and knowledge to minimise cyber risks. We vet our contractors and carefully manage our induction and exit process.

The Chief Financial Officer

We have made targeted investments in cyber security, taking the value of our assets, our vulnerabilities and the changing threat landscape into account.

Audit committees and Performance functions

Monitoring and reporting our organisational status quo and areas of cyber security enables us to instil confidence.



3 INTERLINKING BUILDING BLOCKS

KPMG’s approach towards cyber security paints a picture of how cyber security is and should be embedded in the organisation, looking at all the building blocks required for a resilient organisation and how these interact.

Under what circumstances could security throw a spanner in the works when it comes to realising my business strategy? And what does it take for my organisation to prevent such risks from materialising? Effective cyber security measures help organisations to better reach their strategic goals. In short, when is my organisation sufficiently resilient?

KPMG has developed an integrated approach to help you answer these questions and develop the desired security operating model.

Figure: the seven building blocks, surrounded by the changing threat landscape and by legal, economic, market and technological developments.

1. Leadership and governance: the Board demonstrating due diligence, ownership and effective management of risk.

2. Information risk management: the approach to achieve comprehensive and effective risk management of information throughout the organisation and its delivery and supply partners.

3. Human factors: the level and integration of a security culture which empowers people with the right skills, knowledge and responsibility.

4. Business operations and technology: the level of physical and digital security measures implemented to address identified risks across the information value chain and to minimise the impact of compromise. This includes the development of new products, processes and services, IT operations and third party management.

5. Business continuity and crisis management: preparations to detect and address security events and the ability to prevent or minimise their impact.

6. Legal and compliance: regulatory and international certification standards as relevant.

7. Monitoring and reporting: the Board of Management getting the management information needed to effectively govern cyber security across the organisation and to effectively drive the strategic security risks.


4 FROM AD HOC RESPONSES TO INTELLIGENCE-BASED FOCUS

Figure: maturity levels, from lowest to highest.

Reactive & manual: people unquestioningly following doctrine and doing their best to ‘put out fires’.

Tools-based: applying tools and technologies piecemeal to assist people in reacting faster.

Integrated picture: loosely integrated with a focus on interoperability and standards; initial situational awareness.

Dynamic defence: predictive and agile, the enterprise instantiates policy and implements measures in its processes and procedures.

Resilient enterprise: the enterprise has incorporated cyber resilience through its value chains and implemented cyber security measures based on strategic threat and vulnerability assessments.

Rome wasn’t built in a day and neither is it possible to create a resilient organisation overnight. The challenge is to place the right focus on the different building blocks in the right order. Together we tailor an approach which will guide your organisation through the various maturity levels to reach the desired end state as efficiently as possible. In today’s rapidly changing world an intelligence-led way of working is the key to ensuring the real threats to the organisation are known and addressed. KPMG has the expertise and experience to develop a cyber security roadmap tailored to your organisation. This roadmap shows when and how to focus on the different building blocks and which targeted investments are needed to build an intelligence-led resilient organisation.

Our four step approach to determine the security operating model needed to support your business strategy:

1. Obtain a solid understanding of the organisation’s strategy
2. Determine the security operating model & maturity level needed to achieve the strategic goals
3. Assess the current level of security maturity of each building block
4. Develop a tailored action plan for each building block


5 OUR SERVICES

KPMG can help you understand your current state of preparedness against cyber attacks and assist you in closing any gaps. Whether from a governance, people, process or technology viewpoint, our services can help you improve your state of preparedness. To achieve that, we have developed KPMG’s Cyber Security Framework consisting of four major phases:

1. Prepare
2. Protect
3. Detect & respond
4. Integrate

Figure: the ‘Cyber transformation’ cycle of these four phases, together with threat intelligence.


Phase 1: Prepare

Developing an approach tailored to your specific organisation and ambitions

Everyone can go off and buy security solutions, but wouldn’t it be much better if someone listened to your concerns, views and questions? Someone who helps you to complete the picture of threats and opportunities? The prepare phase of KPMG’s Cyber Security Framework helps our clients to develop a cyber security strategy tailored to their specific business settings and ambitions.

The secret to success is to gain deep insights into your business strategy and understand which processes and/or systems represent the greatest assets from a cyber security perspective. It is also important to get clarity on how much risk you are willing to take in relation to these processes and/or systems (risk appetite).

It is essential to focus on the right areas. To ensure we do this, we start by jointly determining the strategic security risks of your organisation. The central question: where can a lack of security throw a spanner in the works when it comes to the realisation of your business strategy? This marks the starting point of this tailored approach.

KPMG has developed a complete model showing the different maturity levels and what to do to achieve them. Using this model we can quickly help you design a tailored plan to achieve the desired level of security maturity and bring risks back to an acceptable level.

KPMG can help your organisation in:

• Cyber security awareness: demonstrating to your stakeholders (e.g. via cyber gaming) what cyber security is all about;
• Security governance: developing or assessing the governance model needed for effective cyber security, and verifying its alignment with the three lines of defence model;
• Risk management methodology: developing a methodology that will facilitate security risk management within the organisation;
• Cyber maturity assessment: painting an integral picture of the cyber state of your organisation with our cyber maturity assessment and security compliance & in-control scan;
• Threat trends analysis: analysing your current cyber threat landscape;
• Business impact assessment: providing a pragmatic approach to identify the security risks in your key processes;
• Business continuity and recovery: establishing policies and practices for dealing with major operational disruption, and developing and testing the recovery plans needed to face the continuity challenges;
• Security risk assessment: assessing the dependence on processes & applications and the threats & vulnerabilities, to determine the current risks that need to be mitigated;
• Security strategy and vision development: designing a security strategy that will position cyber security as your business enabler and will realise your ambitions in the desired timeframes.


Phase 2: Protect

Balancing threats, risks and resources against business goals

Realising effective cyber security entails ensuring a baseline level of security across the organisation and establishing tailored protection of your crown jewels and critical assets. This requires balancing preventive and detective controls in the domains of governance, people, processes and technology. The protect phase of KPMG’s Cyber Security Framework helps our clients to increase their resilience against cyber attacks in all domains.

Establishing a baseline level of security throughout the whole organisation starts with an organisation that is built on capable people and effective processes for the protection of your assets. It also means that your technology landscape of applications, internet perimeter, internal network, websites, servers and workstations is regularly assessed. You can achieve this through a combination of security tests, configuration reviews, architecture assessments and authorisation reviews.

After having established a level of ‘basic security housekeeping’, the next step is to focus on the areas that are most important to your business for fine-tuning your security: your organisation’s crown jewels and critical assets. KPMG will help you with tailor-made actions and by implementing specific security measures regarding these areas, based on risk assessments and industry best practices.

KPMG can help your organisation in:

• Cyber defence operating model: designing and implementing your defence organisation and infrastructure using the three lines of defence model;
• Secure architecture: defining or assessing the desired security architecture for processes and technology within your organisation;
• Assets, processes and resources alignment: enabling technology to link asset management, security monitoring, and threat, vulnerability and incident management processes with the cyber strategy of your organisation;
• Security testing: assessing the security of your applications, systems and networks by ethical hackers;
• Identity and access management: designing and implementing an identity and access management infrastructure that is in control, manageable and compliant;
• Red teaming: testing your preventive and detective controls by performing a simulation of a real-world attack;
• Cloud security: security assessment, control and transformation of your cloud computing environment;
• Mobile security: security testing and advisory on your mobile applications or BYOD environment;
• Technical reviews: assessment against industry standards such as PCI-DSS.


Phase 3: Detect & respond

Timely detection of incidents

With the global proliferation of cyber attacks, the question for organisations is not if they will be attacked but when. The ability to effectively manage business during a major operational disruption is now a key success factor. With reputational damage occurring in an increasingly short time-span, organisations are looking for business and technical specialists who can help them design and execute incident response plans accordingly. The detect and respond phase of KPMG’s Cyber Security Framework helps our clients respond to and investigate cyber attacks.

The foundation for timely detection and response is a Security Operations Centre (SOC) that is supported by the functions of vulnerability management (to identify weaknesses in your assets), threat management (to identify and predict new attacks), and incident management (for prompt and thorough follow-up on incidents).

KPMG has the experience to help you establish robust processes and technology. Even more important, we help you ensure that the people in these processes work as one, so that cyber threats are dealt with proactively.

KPMG can help your organisation in:

• Serious gaming: organising red and blue team cyber incident response training to help you develop your responsive capabilities;
• Incident response capability development: enhancing your incident response capabilities including internal and external communications, service prioritisation and many other aspects;
• Stakeholder management: determining which stakeholders should be part of your crisis management process, and what their needs and responsibilities are;
• Cyber attack detection: helping with deployment and optimisation of monitoring and sophisticated data analytics on your networks;
• Forensic evidence recovery & investigation: providing advanced digital forensics capability to gather, preserve and interpret large data sets, deleted or ephemeral data in order to prove a chain of events;
• Security and threat monitoring use-cases: advising on, designing and implementing security information and event management processes and architectures;
• Rapid response teams: helping you to contain, manage and recover from cyber attacks;
• DDoS protection: helping your organisation in dealing with DDoS attacks.


Phase 4: Integrate

Integrating cyber security into everything you do

Cyber threats have become part of the business environment and as such, there are risks which need to be managed. This necessitates that cyber security not be seen as a topic in isolation within the business, but as an integral part of your way of working. The integrate phase of KPMG’s Cyber Security Framework helps our clients to embed cyber security in the culture and decision-making processes to help ensure their business stays one step ahead.

Firstly we assess all key business processes to jointly determine which risks could and should be addressed in those processes. Next, using industry best practices we determine how security measures can best be embedded in the existing processes to mitigate these risks. Our specialists will then help you to implement those security measures in the daily operations of your organisation. Naturally, the main focus will be on automated controls (which can be built directly into your systems) as well as soft controls (such as cyber security awareness and training).

KPMG can help your organisation in:

• Security reporting and measurements: determining security KPIs and developing cyber security dashboards;
• Security by design: assessing R&D processes for security embedding and providing support in determining security requirements for new products and services;
• Security in culture: embedding cyber security in the decision-making process of your organisation in a way that facilitates a culture of the right skills and behaviours;
• Sourcing parties: managing your sourcing parties and ensuring that third parties deal with information in line with your requirements;
• Security operating model: developing a holistic security operating model in line with your business strategy and goals.


Threat intelligence

The financial and reputational costs to recover from a cyber attack can materially impact public and private organisations. The most mature organisations anticipate cyber threats to help minimise the impact rather than merely respond to the attacks. Matching our industry experience with our technical skills, KPMG works closely with clients to design and implement cyber intelligence functions, answering questions such as how to move from reacting to anticipating cyber attacks, how to make sense of the cyber threats we face, how to establish an effective Security Operations Center, and who to share threat intelligence with and how.

Our experience in the intelligence and law enforcement community gives us a unique perspective on effective intelligence capabilities and processes. Combined with our deep technical knowledge in cyber security we:

• Work with organisations to design and implement in-house and government cyber intelligence functions and security operations centers;
• Help optimise aspects of current intelligence functions and security operations centers;
• Work in partnership with private intelligence and law enforcement agencies to enhance intelligence flows.


6 OPERATING PRINCIPLES BEHIND OUR SERVICES

An intelligence-led approach. KPMG has gained a deep understanding and experience of intelligence best practices through working extensively with law enforcement and leaders in this field.

Boundaries, national or organisational, are irrelevant to cyber security. This is why we offer you a global network of 2000 cyber security professionals from across our 156 member firms and all industry sectors who seamlessly cooperate in multinational, cross-functional teams.

A joint approach. Designing a plan is one thing, designing a plan which receives full support from the organisation is something entirely different. This is why we always work closely together with your team to ensure success.

Cyber security is not an IT issue. KPMG brings together specialists in information protection and business continuity, forensic technology, risk management, privacy, organisational design, behavioural change and threat intelligence to help you manage cyber security across people, processes and technology.

Confident cyber security choices are the key to ensuring trust among customers, shareholders and employees. Our global cyber security framework provides a holistic view of the cyber security lifecycle, pre- and post-attack. It will help you develop a strategy on ‘how to balance your efforts’ and ‘where to invest’.


7 OUR INDUSTRY SECTORS

With more than 25 years of information security experience, we have been helping organisations of all sizes from a variety of sectors:

• Offshore
• Chemicals
• Industrial manufacturing
• Healthcare
• Retail
• Engineering & construction
• Banking
• Government & public services
• Insurance
• Pharmaceuticals
• Communications
• Oil & gas


WE HELP YOU TO BUILD YOUR RESILIENT ORGANISATION

Our Cyber Security Framework is what distinguishes KPMG from other cyber security advisors. We view cyber security from an integrated perspective and provide solutions and recommendations suited to your business environment. For us, cyber security is an enabler for success, rather than a necessity for dealing with threats. Our specialists know what steps need to be taken to make cyber security an integral part of the way you do business. Once this has been achieved we can subsequently help you to investigate and identify where security can be positioned to add value to your products and services.

We know how to report from a non-technical perspective. The technical heart of cyber security may result in observations and recommendations that are only understandable to technical experts. Working with KPMG, you can expect to receive crisp and clear recommendations that address the challenges from a business perspective instead of pages of technical buzzwords.

Our ultimate aim in everything we do is to help you build a cyber-resilient organisation. It may take some time to get to this level and may involve an iterative process. We are more than happy to guide you through all the steps along the way. You can expect our cyber security professionals to go the extra mile in order to get you there.


Contact

John Hermans, Partner
Tel: +31 20 656 8394
Email: hermans.john@kpmg.nl

Dennis de Geus, Director
Tel: +31 20 656 8093
Email: degeus.dennis@kpmg.nl

Koos Wolters, Director
Tel: +31 20 656 4048
Email: wolters.koos@kpmg.nl

kpmg.com/nl/cybersecurity

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. © 2014 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. The name KPMG, logo and ‘cutting through complexity’ are registered trademarks of KPMG International. 102014

