Deloitte Shared Services Conference 2018 · Ad Hoc Infrastructure & Application Protection Adaptive...
Deloitte Shared Services Conference 2018
Focus 2: Managing cyber risk in a digital world
Upen Sachdev, Deloitte
Managing cyber risk in a digital world. Copyright © 2018 Deloitte Development LLC. All rights reserved.
Upen Sachdev
Principal, Advisory
Current location: Costa Mesa, CA
Tel: +1.714.271.7277
Email: [email protected]
Introduction
Upen is a Principal with Deloitte's Cyber Risk Advisory team. He is passionately client-focused and brings more than 17 years of technology management experience to his roles as a cyber risk executive. He has spearheaded several award-winning Managed Services solutions and is recognized as a pioneer in the field of Managed Security Services. He co-founded e-Cop GRC, a niche information security practice, and led it into a globally recognized firm with clients across many industries.
Background and Interests/Professional Affiliations
Upen is Certified in Risk and Information Systems Control (CRISC), a Certified Information Systems Auditor (CISA), and a Certified Information Systems Security Professional (CISSP). He is a Certified Director from UCLA – Anderson and helps academia and industry forums develop cybersecurity curricula for board members.
Relevant Experience
Upen also draws on more than five years as Chief of Information Security at globally recognized brands, overseeing multiple subsidiaries and franchises under a federated security model. Most recently, he was responsible for information security, trust and technology compliance at DineEquity, Inc. (IHOP and Applebee's).
Agenda
1. Disruptions for Shared Services Organizations
2. So How Do We Win?
Disruptions for Shared Services Organizations
What is being Disrupted? …and the adoption challenges

Adoption
• The snowflake challenge for technology adoption
• Every business unit and location is unique

Transactions
The way organizations transact is evolving quickly, making it easier to do business, driven by cloud, blockchain, and IoT.

Automation
Organizations are exploring early-stage methods to automate mundane tasks through AI, enabling the SSO to perform high-value duties.
Today's Business Environment
The current extended business environment, with the adoption of new technologies, creates and exacerbates information security risk for SSOs, and that risk needs to be managed appropriately.

Sensitive data to protect
• As stewards of sensitive information (e.g. PII, PHI, claim history), the driving concern is to protect that information and avoid the reputational damage associated with breaches.
• Concern is also growing across the manufacturing sector about compromise of industrial control systems (ICS).

Extended attack surface
• Competition drives the growing use of mobile and web-based applications and telematics to provide novel ways of conducting business, in turn introducing new threat vectors to be managed.
• Organizations use an extended enterprise to achieve performance objectives (revenue growth, cost containment, customer satisfaction), which also increases the attack surface.

Key Cyber Risks
• Organized criminals stealing non-public financial information, creating reputational risks
• Employees exposing sensitive data, intentionally or unintentionally, causing financial theft / fraud
• Third-party vendors with access to company data being hacked
• Nation states conducting espionage or destroying data, causing business disruption
[Diagram: Shared Services ecosystem, illustrative only. Domains shown: Facilities, Financial, Technology, Human Resources, Operations. Example functions and third parties shown around Shared Services: hosted vendor solutions, licensed vendor solutions, disaster recovery, infrastructure and application support, hardware lease, pension administration, payroll, recruiting, operational technology, ICS systems, call center, property management, real estate, equipment, professional services, investment management, supply chain, material suppliers, manufacturing partners, background checks, collections, audit, market research, actuarial, tax, consulting, public relations, marketing, advertising agency, media and sales, government, legal, training, healthcare, network/telecom, supplies, copy/fax, furniture, custody/transfer agent, bank/cash management, investor relations.]
*The diagram is for illustrative purposes only.
Increasing Regulatory Landscape
The global regulatory landscape is complex, with a wide variety of often conflicting laws and requirements around how sensitive data can be collected, stored and used. This creates further challenges for SSOs, as most rely on cross-border data transfer to function.

European Union
• EU General Data Protection Regulation (GDPR)
• United Kingdom - The Data Protection Act 1998
• United Kingdom - Privacy and Electronic Communications Regulations 2003
• United Kingdom - Employment Practices Data Protection Code
• Germany - Data Protection Act

Canada
• PIPEDA
• FOIPPA
• PIPA

US
• HIPAA
• The Electronic Communications Privacy Act
• The Fair Credit Reporting Act
• California Consumer Privacy Act (CaCPA)

China
• Tort Liability of the Republic of China
• China Privacy Law

Australia
• Federal Privacy Amendment Bill
• State Privacy Bills in Victoria, New South Wales and Queensland
• New e-mail spam and privacy regulations

New Zealand
• Privacy Act 1993, amended 2008

Singapore
• Personal Data Protection Act
An Inflection Point has been reached
The convergence of digital disruptors and increased security risk results in many public cyber crises.

Understanding the tactics, techniques and procedures of attackers should inform any cyber risk management strategy. Actors have varying motivations (e.g. financial crime, disruption, destruction, etc.) and are often beyond the reach of law enforcement.

Rogue Third Parties
• Nation States: China, North Korea, Iran, Russia
• Hacktivists: Anonymous Group
• Organized Crime: Russian Business Network
• Insider Threat: Systems Administrator, Financial Analysts

The very forces that drive business innovation and operational efficiency often create cyber risks. Network boundaries are disappearing and the attack surface is increasing.
Mobile, Automation, Cloud, IoT

Key Cyber Risk Themes in SSO
• Executive and board level engagement
• Disgruntled Employees
• Intellectual property
• Industrial control systems (ICS)
• Connected BUs
• Artificial Intelligence

Cyber Risk
The pace, sophistication and impact of cyber attacks have steadily increased over the years.
[Timeline, 2000 to 2015+, of public breaches shown: JPMC, Home Depot, eBay, AOL, Citi Group, TJ Maxx, US Military, Sony PSN, Ubisoft, Adobe, Sony Online Entertainment, Anthem, Target, Egghead Software, IRS/OPM, Sony, Equifax, Yahoo.]
The Evolving Cyber Threat Landscape
Due to changing business and technology focus areas, SSOs face numerous threats across their ecosystem:

Threat actors
• Nation-state actors
• Ideological groups
• Organized crime
• Individuals

Actor ecosystem
• Malware authors
• Hosting entities
• Domain generators
• Command & control
• Money mules
• Payment processors

Tools, tactics, and procedures
• Social engineering
• Phishing
• Botnets
• Exploits
• Ransomware & doxxing
• DDoS
• Website compromise
• Password theft
• Evasion tactics

Threat vectors
• Suppliers & partners
• Employees
• Mobile devices
• Smart devices
• Customers
• Email

Common corporate challenges
SECURITY OPERATIONS
• Signature-based controls
• Data encryption
• Endpoint monitoring
• Access management
• Insufficient skills/staffing
PROCESS / GOVERNANCE
• Secure SDLC
• Shadow IT
• Change/asset management
• Risk-asset mapping
• Data management
IT COMPLEXITY
• Business innovation/change
• Third party entities
• Endpoint diversity
• Rogue devices
• Shadow users

Potential impact
• Data loss
• Reputation damage
• IP theft
• Regulatory / legal issues
• Financial loss
• Operational disruption
• Fraud
Threats in Digitization
SSOs are still lagging in addressing the increased information security and compliance risks:

Usage of automation across IT Risk Management and risk reporting… (1)
• 55% of respondents cited a significant increase in appetite for automation over the past 12 months.
• 95% of respondents do not have an organization-wide IT policy or standard surrounding the governance and management of automation.

Compliance challenges… (2)
• 34.5% of organizations can demonstrate GDPR compliance.
• 30% of organizations feel discovery is harder.
• 10.2% of organizations are yet to begin third-party GDPR compliance.

From the CIO's lens… (3)
• 49% of CIOs identified security and privacy as a strategic investment.
• 32% of CIOs report the usage of cloud infrastructure for critical business applications.
1- https://www2.deloitte.com/ch/en/pages/risk/articles/it-risk-management-automation-pulse-survey.html
2- https://www2.deloitte.com/us/en/pages/about-deloitte/articles/press-releases/few-organizations-are-gdpr-compliant-eu-data-privacy-contract-management.html
3- https://www2.deloitte.com/uk/en/pages/technology/articles/cio-survey.html
So How Do We Win?

Executive Sponsorship is the Key to Success
Board and leadership for SSOs play a key role in creating a cyber-aware culture.

CYBER RISK GOVERNANCE
• Board & CEO: Tone at the top; establish senior management accountability and a cyber-aware culture.
• Senior Management (CFO, COO, CAO, CRO): Define the organization's Cyber Risk appetite and be accountable for Cyber Risk management. Empower the extended leadership team.
• IT Leadership (CIO): Lead in defining and executing the strategy to become Secure.Vigilant.Resilient. Establish an effective interaction model with the CISO and IT risk officer.
• Risk Leadership (CISO / CITRO): Define the right balance between threat-centric vs. compliance-centric programs. Be a business enabler, without shying away from the role of risk custodian.
• Shared Services Leaders: Support integration of Cyber Risk management into business growth and shared activities. Appoint line-of-business risk officers.
• IT DOMAINS (Architecture & Engineering, Infrastructure, Application Development, Security Operations, Other functions…): Manage and report on risks. Execute on strategy. Fully integrate Cyber Risk management into IT disciplines – design for Six Sigma, not quality control. Integrate current technologies to address the latest threats.
SSO Executives should set Risk Appetite, and Drive Focus on What Matters
It starts by understanding who might want to attack, why, and how.

Who might attack?
• Cyber criminals
• Hacktivists (agenda driven)
• Nation states
• Insiders / partners
• Competitors
• Skilled individual hacker

What are they after, and what are the key business risks I need to mitigate?
• Theft of intellectual property or strategic plans
• Financial fraud
• Reputation damage
• Business disruption
• Destruction of critical infrastructure
• Threats to health & safety

What tactics might they use?
• Spear phishing, drive-by download, etc.
• Software or hardware vulnerabilities
• Third party compromise
• Multi-channel attacks
• Stolen credentials
• … and others

Cyber Risk Program and Governance
• Governance and operating model
• Policies and standards
• Management processes and capabilities
• Risk reporting
• Risk awareness and culture

SECURE: Are controls in place to guard against known and emerging threats?
• Perimeter defenses
• Vulnerability management
• Asset management
• Identity management
• Secure SDLC
• Data protection
• …

VIGILANT: Can we detect malicious or unauthorized activity, including the unknown?
• Threat intelligence
• Security monitoring
• Behavioral analysis
• Risk analytics
• …

RESILIENT: Can we act and recover quickly to minimize impact?
• Incident response
• Forensics
• BC/DR, Crisis management
• …
Cyber Threats – Illustrative Risk Appetite
Leadership should help in managing risk and drive focus on what matters.
[Chart: Risk Appetite. Axes: Attacker Determination and Attacker Sophistication. Threat sources plotted: Accidental Discovery, Malware, Insider, Lone Hacker / Hobbyist, Business Partner, 'Script kiddy', Disgruntled ex-Employee, Disgruntled Customer, Competitor, Disgruntled ex-IT Administrator, 'Hacktivism', Hacker Collectives, Cyber Terrorism, Organized Crime, State-sponsored Cyber Warfare. A Risk Appetite threshold separates the Prevent region from the Limit Impact region.]
Cyber Security Journey
Defining goals and monitoring progress will assist SSOs in enhancing their cyber security posture.

[Chart: Cyber Security Maturity Levels, Level 1 to Level 5, increasing along the Proactive Threat Management axis. Capabilities shown by domain, from lower to higher maturity:]
Asset Protection: Basic Network Protection; Traditional Signature-Based Security Controls; Ad Hoc Infrastructure & Application Protection; Enterprise-Wide Infrastructure & Application Protection; Identity-Aware Information Protection; Adaptive & Automated Security Control Updates
Security Event Monitoring: Security Log Collection & Ad Hoc Reporting; 24x7 Technology Centric Security Event Reporting; Cross-Channel Malicious Activity Detection; External & Internal Threat Intelligence Correlation
Internal Threat Intelligence: IT Service Desk & Whistleblowing; Periodic IT Asset Vulnerability Assessments; Automated IT Asset Vulnerability Monitoring; Targeted Cross-Platform User Activity Monitoring; Tailored & Integrated Business Process Monitoring
Cyber Attack Preparation: IT BC & DR Exercises; IT Cyber Attack Simulations; Business-Wide Cyber Attack Exercises; Sector-Wide & Supply Chain Cyber Attack Exercises
Training & Awareness: Acceptable Usage Policy; General Information Security Training & Awareness; Business Partner Cyber Security Awareness; Targeted Intelligence-Based Cyber Security Awareness
Behavioural Analytics: Network & System Centric Activity Profiling; Workforce / Customer Behaviour Profiling; Real-time Business Risk Analytics & Decision Support
External Threat Intelligence: Situational Awareness of Cyber Threats; Commercial & Open Source Threat Intelligence Feeds; Criminal / Hacker Surveillance; Baiting & Counter-Threat Intelligence
Intelligence Collaboration: Ad-hoc Threat Intelligence Sharing with Peers; Government / Sector Threat Intelligence Collaboration; Global Cross-Sector Threat Intelligence Sharing
E-Discovery & Forensics: Ad Hoc System / Malware Forensics; Automated Malware Forensics & Manual Electronic Discovery; Automated Electronic Discovery & Forensics
Brand Monitoring: Basic Online Brand Monitoring; Online Brand & Social Media Policing
Top Actions and Questions for SSO Executives
This slide highlights the key actions and questions as mentioned below:

Key actions
• Put a senior executive at the helm. He or she must be able to lead in a crisis, and also guide the program and enlist collaboration across diverse functions.
• Map threats to the business assets that matter. Set direction, purpose, and risk appetite for the program. Establish priorities, and ensure funding and resourcing.
• Drive early "wins." Establish momentum by focusing on pilot initiatives that measurably impact business success. Use these to plant the seeds of long-term cultural change.
• Accelerate behavior change. Create active learning scenarios that instill awareness of the impact of daily activity on cyber risk. Embed cyber risk management goals into evaluation of Top 100 executives.
• Trust but verify. Conduct monthly or quarterly reviews about key risks and risk metrics, and address roadblocks.

Key questions
• Are we focused on the right things? Often said, but hard to execute. Understand how value is created in your organization, where your critical assets are, and how they are vulnerable to key threats. Practice defense-in-depth.
• Do we have the right talent? Quality over quantity. There is not enough talent to do everything in-house, so take a strategic approach to sourcing decisions.
• Are we proactive or reactive? Retrofitting for security is very expensive. Build it upfront in your management processes, applications and infrastructure.
• Are we incentivizing openness and collaboration? Build strong relationships with partners, law enforcement, regulators, and vendors. Foster internal cooperation across groups and functions, and ensure that people aren't hiding risks to protect themselves.
• Are we adapting to change? Policy reviews, assessments, and rehearsals of crisis response processes must be regularized to establish a culture of perpetual adaptation to the threat and risk landscape.
Questions?