Deloitte Shared Services Conference 2018
Focus 2: Managing cyber risk in a digital world
Upen Sachdev, Deloitte

Page 1: Deloitte Shared Services Conference 2018 · Ad Hoc Infrastructure & Application Protection · Adaptive & Automated Security Control Updates · IT Service Desk & Whistleblowing Security

Page 2

Managing cyber risk in a digital world | Copyright © 2018 Deloitte Development LLC. All rights reserved.

Upen Sachdev

Principal, Advisory

Current location: Costa Mesa, CA

Tel: +1.714.271.7277

Email: [email protected]

Introduction

Upen is a Principal with Deloitte's Cyber Risk Advisory team. He is passionately client-focused and brings more than 17 years of extensive technology management experience to his various roles as a cyber risk executive. He has spearheaded several award-winning Managed Services solutions and is recognized as a pioneer in the field of Managed Security Services. He co-founded e-Cop GRC, a niche Information Security practice, and led it into a globally recognized firm with clients across various industries.

Background and Interests/Professional Affiliations

Upen is Certified in Risk and Information Systems Control (CRISC), a Certified Information Systems Auditor (CISA), and a Certified Information Systems Security Professional (CISSP). He is a Certified Director from UCLA – Anderson and helps academia/industry forums to develop cybersecurity curriculum for board members.

Relevant Experience

Upen also draws on more than five years of experience as Chief of Information Security at various globally recognized brands, overseeing multiple subsidiaries and franchises under a federated security model. Most recently, he was responsible for Information Security, trust and technology compliance at DineEquity, Inc (IHOP and Applebee's).

Page 3

Agenda

1. Disruptions for Shared Services Organizations

2. So How Do We Win?

Page 4

Disruptions for Shared Services Organizations

Page 5

What is being Disrupted? …and the adoption challenges

Adoption

• The snowflake challenge for technology adoption

• Every business unit and location is unique

Transactions

The way organizations transact is evolving quickly, making it easier to do business, driven by cloud, blockchain, and IoT

Automation

Organizations are exploring early-stage methods to automate mundane tasks through AI, enabling the SSO to perform high-value duties

Page 6

Today’s Business Environment

The current extended business environment with the adoption of new technologies creates and exacerbates information security risk for SSO and needs to be managed appropriately.

Sensitive data to protect

• As stewards of sensitive information (e.g. PII, PHI, claim history), the driving concern is to protect sensitive information to avoid reputational damage associated with breaches

• Concern is also growing across the manufacturing sector regarding compromise of industrial control systems (ICS)

Extended attack surface

• Competition drives the growing use of mobile, web-based applications and telematics to provide novel ways of conducting business, in turn introducing new threat vectors to be managed

• Organizations use an extended enterprise to achieve performance objectives (revenue growth, cost containment, customer satisfaction), which also increases the attack surface

Key Cyber Risks

• Organized criminals stealing non-public financial information, creating reputational risks

• Employees exposing sensitive data, intentionally or unintentionally, causing financial theft / fraud

• Third party vendors with access to company data being hacked

• Nation states conducting espionage or destroying data, causing business disruption

[Diagram: the Shared Services organization at the centre of the extended enterprise, grouped by domain (Facilities, Financial, Technology, Human Resources, Operations) and surrounded by the functions and third parties it depends on: Hosted vendor solutions, Disaster Recovery, Licensed vendor solutions, Infrastructure and application support, Hardware lease, Pension Administration, Payroll, Recruiting, Operational Technology, ICS Systems, Call Center, Property Management, Real Estate, Equipment, Professional Services, Investment Management, Supply Chain, Material Suppliers, Mfg Partners, Background Checks, Collections, Audit, Market Research, Actuarial, Tax, Consulting, Public Relations, Marketing, Advertising Agency, Media and Sales, Government, Legal, Training, Healthcare, Network/Telecom, Supplies, Copy/Fax, Furniture, Custody/Transfer Agent, Bank/Cash Management, Investor Relations. *The diagram is for illustrative purposes only.]

Page 7

Increasing Regulatory Landscape

The global regulatory landscape is complex, with a wide variety of often conflicting laws and requirements around how sensitive data can be collected, stored and used. This creates further challenges for SSO, as most rely on cross-border data transfer to function.

European Union

• EU General Data Protection Regulation (GDPR)

• United Kingdom - The Data Protection Act 1998

• United Kingdom - Privacy and Electronic Communications Regulations 2003

• United Kingdom - Employment Practices Data Protection Code

• Germany - Data Protection Act

Canada

• PIPEDA

• FOIPPA

• PIPA

US

• HIPAA

• The Electronic Communications Privacy Act

• The Fair Credit Reporting Act

• California Consumer Privacy Act (CaCPA)

China

• Tort Liability of the Republic of China

• China Privacy Law

Australia

• Federal Privacy Amendment Bill

• State Privacy Bills in Victoria, New South Wales and Queensland

• New e-mail spam and privacy regulations

New Zealand

• Privacy Act 1993, amended 2008

Singapore

• Personal Data Protection Act

Page 8

An Inflection Point has been reached

The convergence of digital disruptors and increased security risk results in many public cyber crises.

Cyber Risk

Understanding the tactics, techniques and procedures of attackers should inform any cyber risk management strategy.

Actors have varying motivations (e.g. financial crime, disruption, destruction, etc.) and are often beyond the reach of law enforcement.

• Rogue Third Parties

• Nation States: China, North Korea, Iran, Russia

• Hacktivists: Anonymous Group

• Organized Crime: Russian Business Network

• Insider Threat: Systems Administrator, Financial Analysts

The very forces that drive business innovation and operational efficiency often create cyber risks. Network boundaries are disappearing and the attack surface is increasing.

• Mobile

• Automation

• Cloud

• IoT

Key Cyber Risk Themes in SSO

• Executive and board level engagement

• Disgruntled Employees

• Intellectual property

• Industrial control systems (ICS)

• Connected BUs

• Artificial Intelligence

[Timeline of public breaches from 2000 to 2015+, including: JPMC, Home Depot, eBay, AOL, Citi Group, TJ Maxx, US Military, Sony PSN, Ubisoft, Adobe, Sony Online Entertainment, Anthem, Target, Egghead Software, IRS/OPM, Sony, Equifax, Yahoo]

The pace, sophistication and impact of cyber attacks have steadily increased over the years.

Page 9

The Evolving Cyber Threat Landscape

Due to changing business and technology focus areas, SSO face numerous threats across their ecosystem:

Actor ecosystem

• Malware authors

• Hosting entities

• Domain generators

• Command & control

• Money mules

• Payment processors

Threat actors

• Nation-state actors

• Ideological groups

• Organized crime

• Individuals

Tools, tactics, and procedures

• Social engineering

• Phishing

• Botnets

• Exploits

• Ransomware & doxxing

• DDoS

• Website compromise

• Password theft

• Evasion tactics

Threat vectors

• Suppliers & partners

• Employees

• Mobile devices

• Smart devices

• Customers

• Email

Common corporate challenges

SECURITY OPERATIONS

• Signature-based controls

• Data encryption

• Endpoint monitoring

• Access management

• Insufficient skills/staffing

PROCESS / GOVERNANCE

• Secure SDLC

• Shadow IT

• Change/asset management

• Risk-asset mapping

• Data management

IT COMPLEXITY

• Business innovation/change

• Third party entities

• Endpoint diversity

• Rogue devices

• Shadow users

Potential impact

• Data loss

• Reputation damage

• IP theft

• Regulatory / legal issues

• Financial loss

• Operational disruption

• Fraud

Page 10

Threats in Digitization

SSOs are still lagging in addressing the increased information security and compliance risks:

1. Usage of automation across IT Risk Management and risk reporting…

• 55% of respondents cited a significant increase in appetite for automation over the past 12 months

• 95% of respondents do not have an organization-wide IT policy or standard surrounding the governance and management of automation.

2. Compliance challenges…

• 34.5% of organizations can demonstrate GDPR compliance

• 30% of organizations feel discovery is harder

• 10.2% of organizations are yet to begin third-party GDPR compliance

3. From the CIO’s lens…

• 49% of CIOs identified security and privacy as a strategic investment.

• 32% of CIOs report the usage of cloud infrastructure for critical business applications

Sources:

1- https://www2.deloitte.com/ch/en/pages/risk/articles/it-risk-management-automation-pulse-survey.html

2- https://www2.deloitte.com/us/en/pages/about-deloitte/articles/press-releases/few-organizations-are-gdpr-compliant-eu-data-privacy-contract-management.html

3- https://www2.deloitte.com/uk/en/pages/technology/articles/cio-survey.html

Page 11

So How Do We Win?

Page 12

Executive Sponsorship is the Key to Success

Board and leadership for SSOs play a key role in creating a cyber-aware culture.

CYBER RISK GOVERNANCE

Board & CEO: Tone at the top, establish senior management accountability and a cyber-aware culture.

Senior Management (CFO, COO, CAO, CRO): Define the organization’s Cyber Risk appetite and be accountable for Cyber Risk management. Empower the extended leadership team.

IT Leadership (CIO): Lead in defining and executing the strategy to become Secure.Vigilant.Resilient. Establish an effective interaction model with the CISO and IT risk officer.

Risk Leadership (CISO / CITRO): Define the right balance between threat-centric vs. compliance-centric programs. Be a business enabler, without shying away from the role of risk custodian.

Shared Services Leaders: Support integration of Cyber Risk management into business growth and shared activities. Appoint line-of-business risk officers.

IT DOMAINS (Architecture & Engineering, Infrastructure, Application Development, Security Operations, Other functions…): Manage and report on risks. Execute on strategy. Fully integrate Cyber Risk management into IT disciplines – design for Six Sigma, not quality control. Integrate current technologies to address the latest threats.

Page 13

SSO Executives should set Risk Appetite, and Drive Focus on What Matters

It starts by understanding who might want to attack, why, and how.

Who might attack?

• Cyber criminals

• Hacktivists (agenda driven)

• Nation states

• Insiders / partners

• Competitors

• Skilled individual hacker

What are they after, and what are the key business risks I need to mitigate?

• Theft of intellectual property or strategic plans

• Financial fraud

• Reputation damage

• Business disruption

• Destruction of critical infrastructure

• Threats to health & safety

What tactics might they use?

• Spear phishing, drive-by download, etc.

• Software or hardware vulnerabilities

• Third party compromise

• Multi-channel attacks

• Stolen credentials

• … and others

Cyber Risk Program and Governance

• Governance and operating model

• Policies and standards

• Management processes and capabilities

• Risk reporting

• Risk awareness and culture

SECURE: Are controls in place to guard against known and emerging threats?

• Perimeter defenses

• Vulnerability management

• Asset management

• Identity management

• Secure SDLC

• Data protection

• …

VIGILANT: Can we detect malicious or unauthorized activity, including the unknown?

• Threat intelligence

• Security monitoring

• Behavioral analysis

• Risk analytics

• …

RESILIENT: Can we act and recover quickly to minimize impact?

• Incident response

• Forensics

• BC/DR, Crisis management

• …

Page 14

Cyber Threats – Illustrative Risk Appetite

Leadership should help in managing risk and drive focus on what matters.

[Chart: threat sources plotted by Attacker Determination (horizontal axis) against Attacker Sophistication (vertical axis), with a Risk Appetite line separating the threats to Prevent from those where the goal is to Limit Impact. Threats shown: Accidental Discovery, Malware, Insider, Lone Hacker / Hobbyist, Business Partner, ‘Script kiddy’, Disgruntled ex-Employee, Disgruntled Customer, Competitor, Disgruntled ex-IT Administrator, ‘Hacktivism’, Hacker Collectives, Cyber Terrorism, Organized Crime, State-sponsored Cyber Warfare.]

Page 15

Cyber Security Journey

Defining goals and monitoring progress will assist SSOs in enhancing the cyber security posture.

[Matrix: Cyber Security Maturity Levels, Level 1 through Level 5, increasing toward Proactive Threat Management, for each of the capability areas Internal Threat Intelligence, Security Event Monitoring, Asset Protection, Cyber Attack Preparation, Training & Awareness, Behavioural Analytics, External Threat Intelligence, Intelligence Collaboration, E-Discovery & Forensics, and Brand Monitoring. The capabilities placed across the levels are: Basic Network Protection; Acceptable Usage Policy; Traditional Signature-Based Security Controls; Periodic IT Asset Vulnerability Assessments; Ad Hoc Infrastructure & Application Protection; Enterprise-Wide Infrastructure & Application Protection; Identity-Aware Information Protection; Adaptive & Automated Security Control Updates; Automated IT Asset Vulnerability Monitoring; IT Service Desk & Whistleblowing; Security Log Collection & Ad Hoc Reporting; 24x7 Technology Centric Security Event Reporting; Cross-Channel Malicious Activity Detection; Targeted Cross-Platform User Activity Monitoring; Tailored & Integrated Business Process Monitoring; External & Internal Threat Intelligence Correlation; Commercial & Open Source Threat Intelligence Feeds; Criminal / Hacker Surveillance; Baiting & Counter-Threat Intelligence; Ad-hoc Threat Intelligence Sharing with Peers; Government / Sector Threat Intelligence Collaboration; Global Cross-Sector Threat Intelligence Sharing; IT BC & DR Exercises; IT Cyber Attack Simulations; Business-Wide Cyber Attack Exercises; Sector-Wide & Supply Chain Cyber Attack Exercises; General Information Security Training & Awareness; Business Partner Cyber Security Awareness; Targeted Intelligence-Based Cyber Security Awareness; Network & System Centric Activity Profiling; Workforce / Customer Behaviour Profiling; Real-time Business Risk Analytics & Decision Support; Situational Awareness of Cyber Threats; Ad Hoc System / Malware Forensics; Automated Malware Forensics & Manual Electronic Discovery; Automated Electronic Discovery & Forensics; Basic Online Brand Monitoring; Online Brand & Social Media Policing.]

Page 16

Top Actions and Questions for SSO Executives

Key actions

• Put a senior executive at the helm. He or she must be able to lead in a crisis, and also guide the program and enlist collaboration across diverse functions.

• Map threats to the business assets that matter. Set direction, purpose, and risk appetite for the program. Establish priorities, and ensure funding and resourcing.

• Drive early “wins.” Establish momentum by focusing on pilot initiatives that measurably impact business success. Use these to plant the seeds of long-term cultural change.

• Accelerate behavior change. Create active learning scenarios that instill awareness of the impact of daily activity on cyber risk. Embed cyber risk management goals into evaluation of Top 100 executives.

• Trust but verify. Conduct monthly or quarterly reviews about key risks and risk metrics, and address roadblocks.

Key questions

• Are we focused on the right things? Often said, but hard to execute. Understand how value is created in your organization, where your critical assets are, and how they are vulnerable to key threats. Practice defense-in-depth.

• Do we have the right talent? Quality over quantity. There is not enough talent to do everything in-house, so take a strategic approach to sourcing decisions.

• Are we proactive or reactive? Retrofitting for security is very expensive. Build it upfront in your management processes, applications and infrastructure.

• Are we incentivizing openness and collaboration? Build strong relationships with partners, law enforcement, regulators, and vendors. Foster internal cooperation across groups and functions, and ensure that people aren’t hiding risks to protect themselves.

• Are we adapting to change? Policy reviews, assessments, and rehearsals of crisis response processes must be regularized to establish a culture of perpetual adaptation to the threat and risk landscape.

Page 17

Questions?

Page 18