© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Security strategy in a world of digital transformation 2nd April 2015
Chris Cooper
Security Strategy & Transformation
Practice Leader (UKI)
Agenda
1 Current challenges & trends
2 Implications of the New Style of IT
3 Security as a business enabler
4 HP Security / Q&A
HP’s industry-leading scale
• 23 billion monthly security events
• 47m HP secured user accounts
• 5000+ HP security professionals
• 1000+ HP managed security customers
• 10 out of 10 top telecoms
• 9 out of 10 major banks
• 9 out of 10 top software companies
• All major branches of the US Department of Defense
How HP leverages its own products and solutions for security, big data, mobility & cloud
HP internal systems:
• Millions of lines of code scanned by HP Fortify
• 240M hits per day on HP.com
• 41K+ servers
• Optimized partner program with real-time sentiment analysis
• 1,300+ enterprise HPN routers
• 16K+ HPN switches
• 148K+ mobile devices managed
• Data analyzed from 100s of millions of active devices
• 4PB of data replicated per day
• Millions of denial of service attacks prevented with HP TippingPoint
• 2.5B security events logged per day with HP ArcSight
• 73PB of storage deployed on 3Par, XP and EVA
• 435,000 mailboxes managed
The pressure on IT is high
Enterprise imperatives:
• Speed innovation
• Accelerate services
• Improve flexibility
• Do more with less
• Manage risk
Mega trends:
• Cloud
• Security
• Big Data
• Mobility
Together these drive increasing demand for a New Style of IT.
‘The age of the consumer’: online retail sales
• By 2017, Forrester predicts that 60% of retail sales will be conducted on mobile devices or online
• Gartner has forecast that by 2016, $22Bn will be transacted by Near Field Communications (NFC) annually
Source: Forrester Research Online Retail Forecast 2011-2017
Industry research shows the scale of the threats
• Cybercrime is on the rise, moving from 12th to 3rd place in risk factors faced by businesses [1]
• The size of the black market: $104B [2]
• Average fine is 270% of annual compliance spend [3]
• 50% of employees use a personally-owned device to access the organization's business-critical apps [4]
• Still, 65% of IT security positions remain open for 9 weeks or longer [5]
Sources:
1 Lloyd’s 2013 Risk Index
2 Ponemon Institute: Mega Trends in Cyber Security Expert Opinion Study, May 2013
3 Ponemon Institute: Total Cost of Compliance Study, May 2012 (organizations with more than 5,000 employees)
4 Ponemon Institute: Dangerous Insider Study, November 2012
5 McLean’s Magazine, August 19, 2013
Security risks and implications
• Cyber threat: 56% of organizations have been the target of a cyber attack
• Extended supply chain: 44% of all data breaches involved third-party mistakes
• Financial loss: $8.6M average cost associated with a data breach
• Cost of protection: 8% of total IT budget spent on security
• Reputation damage: 30% market capitalisation reduction due to recent events
• Reactive vs. proactive: 60% of enterprises spend more time and money on reactive measures vs. proactive risk management
• Average time to detect a breach: 243 days
Source: HP internal data, Forrester Research, Ponemon Institute, Coleman Parkes Research
Key points
• Security leadership is under immense pressure
• Need for greater visibility of business risks and to make sound security investment choices
Why enterprises can’t keep up: information risk
• Legacy technologies
• Talent shortage
• New style of IT
• Lack of visibility
“Information risk is making our organisation less agile”: Agree 43%; Disagree (or don’t know) 57%
43% lack an end-to-end security strategy aligned with business objectives and the new style of IT
Source: Economist Intelligence Unit, August 2013
The security conundrum
Primary challenges:
1 Nature and motivation of attacks (hacktivist, nation state): a new type of adversary, whose attack lifecycle runs Research, Infiltration, Discovery, Capture, Exfiltration
2 Regulatory pressures (increasing risk, cost and complexity): an enhanced regulatory environment (NERC, Sarbanes-Oxley, Basel III, PCI Security Standards Council)
3 Transformation of enterprise IT (delivery and consumption changes): delivery across the traditional DC, mobility, big data and cloud
Disrupting IT shift
Mainframe → Client/server → Internet → Mobile, social, big data, cloud
And every 60 seconds:
• 98,000+ tweets
• 698,445 Google searches
• 168 million+ emails sent
• 217 new mobile web users
Also:
• 2/3 of IT decision makers are spending less on traditional services as a result of moving to the cloud
• Average cost of a security breach: $8.6M USD
• Volume of data by 2020: 35 Zettabytes
The result: a New Style of IT has emerged
Pillars: Converged cloud, Information optimization, Security, Mobile Apps Integration
Systems of record (legacy systems):
• IT driven
• Host processes
• Deeply entrenched
• Need modernization, but will remain in the new model
Systems of engagement (social and mobile):
• Driven by organizational objectives
• Touch people
• Analytics and cloud technologies
From a system of record to a system of engagement and constant interaction
How can security enable the business? This is THE question
Why is the New Style of IT such a big disruption? Economics of Information
[Figure: Richness / Customization (vertical axis) against Reach (horizontal axis), with Face-to-Face and TV plotted as the two extremes]
Inspired by the 1997 HBR article “Strategy and the New Economics of Information” by Philip B. Evans & Thomas S. Wurster
Since the invention of the printing press, back in the 15th century, the way we interact follows this near universal trade-off:
• To reach a large audience, interaction had to be less customized and generic, e.g. advertisement on national television
• In order to maximize content richness, interaction had to reach a smaller audience, e.g. a face-to-face meeting where we are able to adapt the interaction to the participants’ reactions, nonverbal communication, etc.
What changed with the New Style of IT?
Implications of the New Style of IT
Disruption in the Richness/Reach trade-off: mass scale interaction with high customization
[Figure: Richness / Customization against Reach, with Face-to-Face, TV and the New Style of IT plotted]
From a system of record to a system of engagement and constant interaction
More interaction = more network effect = more value (Metcalfe’s Law, v = n²), e.g. WhatsApp recently acquired by Facebook for $19B, only possible thanks to 450M users / 1M new users per day
Metcalfe’s Law: the value of a network with n devices is proportional to n²
Examples of new ways of interaction:
• People interaction: Social Media
• Data interaction: Analytics
• Systems interaction: Internet of Things
• This is just the beginning, e.g. 3D printing
• Creative Destruction / New Paradigm
There is always a dark side: cyber threats in the New Style of IT
What does it really mean?
The disruption in the Richness/Reach trade-off also enabled new large scale, highly targeted attacks:
• Hacktivism and highly interconnected hacker communities
• Spear Phishing
• Large scale Command and Control
• Botnets
• APTs
The marginal cost to replicate a cyber attack is zero.
[Figure: Richness / Customization against Reach, with Phone Call / Social Eng., Phishing and Spear Phishing plotted]
The adversary attack ecosystem
[Figure: the attack lifecycle stages Research, Infiltration, Discovery, Capture and Exfiltration, spanning “Their ecosystem” and “Our enterprise”]
3 Types of CISOs
• Business Risk Leader: information and board-level risk management, aligned to business operations and enterprise compliance
• Information Security Leader: information security risk and IT operations, security compliance and standards
• Security Manager: information security controls and operational delivery of security
Distribution shown on the slide: 20%, 45%, 35%
Business Risk Leader: new CISO roles
• Balance security risk with business opportunity
• Identify more interaction sources and opportunities
• Provide secure ways to explore new business opportunities that are aligned with the organization’s risk appetite
Identifies new business interaction opportunities with the lowest security risk (opportunity weighed against security risk)
How can security be more than just reducing risk or “brakes on a car”?
Customer experience: present call centre experience
Customer: The loyalty points from the purchase I made last Wednesday haven’t been credited yet
Agent: We might be able to help. What is your name?
Customer: Bob Smith
Agent: Can you answer the following security questions? …
Agent: What’s the invoice number?
Customer: …
Customer experience: increasing customer interaction and loyalty
Identity Federation allows a better customer experience. Examples of how Identity Federation with social media allows better customer interaction, thus enabling the business:
Retail
Tweet (customer): The loyalty points from the purchase I did last Wednesday weren’t credited yet
Tweet (retailer): Apologies for the inconvenience. Just credited the respective 325 points.
Tweet (customer): Thank you!
Travel and Transportation
Tweet (customer): I just missed my flight
Tweet (airline): We might be able to help Mr. Smith. Just rebooked your flight. Please proceed to gate 9. Your flight departs in 40 minutes.
Tweet (customer): Perfect!
Traditional standards: ISO 27001
ISO 27001:2013 is key but its roots are 19 years old (BS7799:1995)
ISO 27001:2013 controls:
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset Management
[…]
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
Traditional approach
• Ultimate state: Impregnable
• Messaging: Fear, doubt, uncertainty
• Business proximity: None
• Accountability & leadership: IT / Risk department
• Focus: Perimeter & information
• Approach: Complicate, obstruct, say no
• SOC focus: Regional. Isolated. Servers, network & security devices
ISO 27001 & NIST Cybersecurity Framework: similar but with different mind-sets
Protect what matters & assume a state of compromise
ISO 27001:2013 (controls A.5 to A.18, as listed above) is key but its roots are 19 years old (BS7799:1995)
NIST Cyber Security Framework functions: Identify, Protect, Detect, Respond, Recover
First category (under Identify): Asset Management, i.e. protect what matters
New approach: Traditional vs. New Style of IT
• Ultimate state. Traditional: Impregnable. New Style of IT: Assume a state of compromise. Stop exfiltration and business disruption. Detect early. Quick and effective response
• Messaging. Traditional: Fear, doubt, uncertainty. New Style of IT: Confidence, assurance, visibility, prepared to respond
• Business proximity. Traditional: None. New Style of IT: Enabler. Provider of business outcomes
• Accountability & leadership. Traditional: IT / Risk department. New Style of IT: Board, CEO, business
• Focus. Traditional: Perimeter & information. New Style of IT: Protect what matters, using a risk based approach, as we can’t protect everything. Includes value chain, partner, industry, etc.
• Approach. Traditional: Complicate, obstruct, say no. New Style of IT: Lean, agile. Maximize interaction opportunities at lowest risk
• SOC focus. Traditional: Regional. Isolated. Servers, network & security devices. New Style of IT: Full cyber situational awareness. Global, sharing threat intelligence. All devices including SCADA & physical security
Agenda
1 Current challenges & trends
2 Implications of the New Style of IT
3 New Approach
4 HP Security / Q&A
Security as a true business enabler
HP Graduate & Internships
• Hiring!
• Multiple streams & areas: 17 graduate streams, 27 intern streams
• Currently about 400 grads, 150 Interns in UK&I
• Big focus on Cyber Security (20 to 30 new positions to open in the next 2 to 4
weeks)
• Proud supporters of Women in IT
• www8.hp.com/uk/en/campaign/graduate/graduate-programmes.html
Any Questions?
Chris Cooper
Security Strategy & Transformation Practice Leader (UKI)
chris.cooper2@hp.com
@infosecuk
Make it matter.