Cyber Security & GRC Metrics That Tell a Story! (ISACA)

Presented by: Swarnika Mehta, Manager, KPMG Cyber Security Services, and Eva Benn, Senior Associate, KPMG Cyber Security Services



© 2017 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. (On printed materials, add: Printed in the U.S.A.)

Contents

– Introduction
– Key Metrics
– Metrics Program and Technology Enablement
– Do's and Don'ts

Introduction


In the news

Hackers Stole Credit Card Information From Thousands of Arby's Customers (Jonathan Vanian, Fortune, Feb 09, 2017)

Hackers have stolen customer credit card information from an unknown number of Arby’s restaurants, according to a report on Thursday.

Read more at: http://fortune.com/2017/02/09/arbys-restaurants-hackers-data-breach/

Military personnel data leaked in Dun & Bradstreet database (James Rogers, Fox News, published March 16, 2017)

The huge leak of a Dun & Bradstreet database containing the details of almost 33.7 million people includes over 100,000 military personnel, according to the security researcher who reported the leak.

Read more at: http://www.foxnews.com/tech/2017/03/16/military-personnel-data-leaked-in-dun-bradstreet-database.html


The hard questions

“How do we distill the important information and complex metrics in a way that can be consumed by senior executives and the board?”

Information Security Metrics Program (ISMP)


Key Metrics


Key reporting metrics

The sample dashboard groups metrics under five domains:

– Application Security: % applications scanned; % vulnerabilities by severity (High / Medium / Low); time to remediate vulnerabilities (Closed / Pending / Open)
– Server Security: % of ICF/non-ICF servers missing sev 4/5 patches; % of ICF/non-ICF servers with AV and CSP installed
– Endpoint Security: % of endpoints missing critical security patches; % of endpoints with anti-virus installed
– Incident Management: time to resolve incidents; time to remediate security events
– Vendor Security Operations: % of high, medium, and low risk vendors; average vendor risk score; % of vendors with completed risk assessments

Also shown on the dashboard: # of resources with certifications; security projects (On Track / Delayed).


Reporting by stakeholders

– How do I tell the story? Align with business goals.
– Facts that matter! Which numbers have gone up? Which numbers have gone down? (shown as a Q1 vs. Q2 comparison of High, Medium and Low findings)
– Demonstrate ROI on IT investments: reduction in compliance failures; operational redundancies; investment vs. savings; % customer satisfaction
– Focused metrics
– Provide holistic trends in cyber security risks: data leakage, vendor risk, insider threat, malware; vulnerabilities remediated
– Do it again……!


Metrics Program and Technology Enablement


Common Challenges

People
− No business context
− Lack of awareness
− Poor delivery

Process
− Arbitrary "thresholds"
− No clear requirements
− Too many metrics

Technology
− Lack of capability to gather, collect or analyze data
− Manually producing metrics is too time consuming
− Not all historical data is usable and requires expensive cleanup


Key components of an ISMP

– Scope and Coverage: the areas of measurement within the program. This includes domains (e.g., Endpoint Security, Threat Management) and the relevant metrics within each domain.
– Extraction and Collection: collecting raw metrics data from identified data sources or source systems in order to calculate metrics.
– Measurement and Analysis: calculating metrics from the raw metrics data and analyzing results using thresholds, weighting, targets, trending, etc.
– Presentation and Reporting: organizing metrics results into visually appealing and intuitive reports at each stakeholder level. Examples include a management level memo, a program level scorecard and an operational level dashboard.
– Governance and Ongoing Maintenance: roles and responsibilities, with supporting processes, needed to operationalize the program and keep it relevant over time.


Building an information security metrics program

The roadmap moves the program from non-existent to mature in three stages:

– Strategy and Design: define strategy; design; build roadmap
– Implementation (Manual): develop metrics; phased rollout; operationalize
– Implementation (Enhanced): automate; full rollout; data & analytics


Enhancement opportunities

Aggregate Score by Domain
• Metrics will be aggregated into domains (e.g. Incident Management, Mobile Security, etc.)
• An aggregated score will be provided for each domain using simple, yet specific formulae

Weighted Metrics
• Metrics will be weighted based on the importance of the assets they apply to (e.g. critical application vs. non-critical application) to help with prioritization of metrics
• Thresholds and tolerance levels will help analyze whether the measured or calculated value of each metric is helping track risks as well as performance objectives

Risk & Control Mapping
• Risks will be mapped to each domain so that the user can decide on appropriate actions based on the types of risk exposure
• Relevant controls will be mapped to each domain to give the user the ability to devise an initial remediation strategy and action

Dimensions
• Each metric report can be dimensionalized (filtered), through relationships, so that the user can come in from a different viewpoint (e.g. Segment, Region, Country, Business Unit, Sub BU, Data Center, Data Center Supplier, IT Area, Stakeholder, CISO)
• Users will be able to view trends for each metric and compare them against other related metrics

Drill Down Capability
• Users will have the ability to drill down into each domain to see individual metric reports and other detailed information (e.g. server name, stakeholder, etc.)
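As an added illustration of the enhancements listed above (domain aggregation, asset-criticality weighting, thresholds, dimension filtering and trending), the following Python sketch is not code from the deck or from KPMG; its metric names, weights, thresholds, business units and sample values are all assumed.

```python
# Added example, not from the presentation: weighted domain scores, RAG thresholds, dimension filters, trends.
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class MetricResult:
    domain: str                 # e.g. "Endpoint Security"
    metric: str                 # e.g. "pct_endpoints_patched"
    value: float                # measured value as a percentage; higher is better
    weight: float               # importance weight: 3.0 for critical assets, 1.0 otherwise (assumed)
    dims: dict = field(default_factory=dict)  # dimensions for filtering, e.g. {"BU": "Retail"}

# Per-metric thresholds (green floor, amber floor); below the amber floor is red. Constructed values.
THRESHOLDS = {
    "pct_endpoints_patched": (95.0, 85.0),
    "pct_endpoints_av": (98.0, 90.0),
    "pct_apps_scanned": (90.0, 75.0),
}

def rag_status(metric: str, value: float) -> str:
    """Map a measured value to red/amber/green using the metric's thresholds."""
    green, amber = THRESHOLDS[metric]
    if value >= green:
        return "green"
    return "amber" if value >= amber else "red"

def filter_by(results, **dims):
    """Dimensionalize a result set: keep only rows matching every given dimension."""
    return [r for r in results if all(r.dims.get(k) == v for k, v in dims.items())]

def domain_scores(results):
    """Aggregate score per domain as the weighted mean of its metrics."""
    num, den = defaultdict(float), defaultdict(float)
    for r in results:
        num[r.domain] += r.value * r.weight
        den[r.domain] += r.weight
    return {d: round(num[d] / den[d], 1) for d in num}

def trend(previous, current):
    """Change per domain versus the prior period (positive means improvement)."""
    return {d: round(current[d] - previous[d], 1) for d in current if d in previous}

# Constructed sample data: two business units, critical and non-critical assets.
Q2 = [
    MetricResult("Endpoint Security", "pct_endpoints_patched", 92.0, 3.0, {"BU": "Retail"}),
    MetricResult("Endpoint Security", "pct_endpoints_patched", 80.0, 1.0, {"BU": "Corporate"}),
    MetricResult("Endpoint Security", "pct_endpoints_av", 99.0, 3.0, {"BU": "Retail"}),
    MetricResult("Application Security", "pct_apps_scanned", 70.0, 3.0, {"BU": "Retail"}),
]
Q1_SCORES = {"Endpoint Security": 85.0, "Application Security": 75.0}  # constructed prior quarter
```

Calling `domain_scores(filter_by(Q2, BU="Retail"))` gives the Retail view of the same scores, which is the "come in from a different viewpoint" behaviour described on the slide.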


Do’s and Don’ts


Lessons learned

Themes: Sustainability, Scalability, Ownership & Accountability, Single view of risk.

― Define scope of existing risk reporting activities
― Manage cyber risk within the organizational context
― Align correlations to business objectives and risks
― Focus on key metrics
― Establish a structured cyber risk reporting capability
― Rationalize processes and frameworks to enable prioritization and decision making
― Differentiate governance versus operational roles and responsibilities
― Ensure board level awareness of key cyber risk and compliance issues
― Build a culture of continuous improvement
― Design process and capabilities (process and tools) to mature over time
― Rationalize frameworks (simplify and integrate)
― Leverage automation to support operational enablement


Considerations for implementing an ISMP

As with any additional capability added to an organization, there are several cost considerations that need to be accounted for; the actual cost will depend on the scope of the ISMP.

People
– Additional resources need to be hired, or current resources need their responsibilities prioritized, to support operationalizing the ISMP
– Raw data owners need to allocate time to support collection of metrics data

Process
– Metrics collection, reporting development, ISMP ongoing maintenance and training processes need to be developed and executed once the ISMP is operational
– Additional processes to extract data may need to be defined
– Gather "contextual data" for metrics (e.g., thresholds, dimensions)

Technology
– Technical implementation of processes to extract data
– "Big Security Data"
– Initial investments towards a metrics solution for automated aggregation, reporting and analytics


Thank you


The KPMG name and logo are registered trademarks or trademarks of KPMG International.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity and the views presented herein are those of the presenter. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

kpmg.com/socialmedia