Page 1

HOW CAN WE MAKE THIS HAPPEN IN PRACTICE…

…WHILE AVOIDING THE BIGGEST CYBER RISK OF 2015

RSA ADVANCED CYBER DEFENCE SUMMIT, LONDON, APRIL 2015

TOM BURTON, DIRECTOR, KPMG LLP

Page 2

© 2015 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

TOP CYBER RISK IN 2015

WHAT IS THE BIGGEST CYBER RISK OF 2015?

This is a “wicked” problem – the biggest risk is that a lack of structure and prioritisation leads to the resources being squandered before the challenge is overcome.

SENSATIONALISED MEDIA COVERAGE
Media interest is a double-edged sword – greater awareness is good; a drumbeat of fear, uncertainty and doubt is bad.

EVOLVING THREAT ACTORS
New threats emerge with tech-enabled criminal opportunity, and existing threats evolve to stay ahead of defence.

CHANGING IT DELIVERY MODELS
New IT capabilities – from BYOD to cloud to big data – have a serious impact on the security controls we need and can use.

MISLEADING VENDOR CLAIMS
A scale market (USD 71bn in 2014, source: Gartner) that is in flux has intensified marketing efforts from many quarters.

Page 3

CYBER THREAT

[Chart: cyber threat maturity stages – Unaware, Awareness, Crisis, Tactical Response, Adaptive Evolution – plotted against Risk and Capability (Low to High). Sector labels on the chart: Natural Resources, Transport & Logistics, Oil & Gas, Investment Banking, Aerospace, Defence, Insurance, Retail Banking, Industrial Manufacture.]

Page 4

WHAT DRAWS YOU INTO THE SPIRAL, AND KEEPS YOU THERE

SECURITY PROGRAMME uncovers issues wherever it looks, that challenge priorities

INSUFFICIENT RISK DEFINITION causes tactical incidents to overtake larger and more strategic mitigations

POOR BUSINESS UNDERSTANDING leads to broken capability when business changes

TACTICAL STICKING PLASTER + New Incident = Requirement for New Sticking Plaster

LACK OF OWNERSHIP and accountability leads to ad hoc and incomplete capability insertion

Incident response and TACTICAL PROJECTS CONSUME ALL RESOURCES

NO OBJECTIVE JUSTIFICATION for plans causes priorities to be reset ‘on the fly’

‘GOLF COURSE’ CONVERSATIONS lead to Board solutioneering directing technology-based interventions

CONFIDENCE IN SECURITY PLANS UNDERMINED by each tactical incident-driven change

LACK OF ONGOING COMPLIANCE CHECKING means capability isn’t sustained

POOR UNDERSTANDING (assets, intelligence, regulatory etc.) leads to over-controlled low-risk assets

INADEQUATE GOVERNANCE STRUCTURE leads to poor decision making

Page 5

WHAT SHOULD WE ASPIRE TO?

[Chart: Increasing Capabilities Over Time. Axes: Budget against Time. Spend is divided into Strategic, Tactical and Lost to Friction. Annotations: Cyber Security Risk; Risk of Inappropriate Spend.]

Page 6

INTEGRATING SECURITY WITH OPERATIONS

[Diagram: Assets and External factors feed the Drivers – Threats, Objectives, Legislation; Risk, Opportunity, Regulatory. Capability is described in three states: Current, Planned, Desired. Capability Requirements and Capability Definition link through to the Project portfolio.]

Page 7

CAPABILITY: what is it and why is it important?

Complete, and Comprehensive

Page 8

INTEGRATING SECURITY STRATEGY WITH OPERATIONS

[Diagram: a timeline running Current state, 2014 forecast, 2015 forecast, 2016 forecast, 2017 forecast, Desired state, with Recommendations and Focus studies feeding it. Layers from the bottom up: The coalface; Project definition and management; Portfolio and capability management; Management reporting; Active risk management; Threats.]

Page 9

MANAGING THE BIGGEST RISK

Start, and finish, with an understanding of the risk (and opportunity)

Ensure you have a complete and comprehensive way of describing capability

Establish clear linkage from risks and assets through to projects, services and controls (and vice versa)

Page 10

DRIVEN BY BUSINESS

We work with our clients to move their business forward. Positively managing cyber risk not only helps take control of uncertainty across business; it can be turned into a genuine strategic advantage.

RAZOR SHARP INSIGHTS

In a fast-moving digital world of constantly evolving threats and opportunities, you need both agility and assurance.

Our people are experts in both cyber security and our priority sectors, which means we give our clients leading edge insight, ideas and proven solutions to act with confidence.

SHOULDER TO SHOULDER

We work with our clients as long-term partners, giving them advice and challenge to make decisions with confidence. We understand that this area is often clouded by feelings of doubt and vulnerability, so we work hand-in-hand with them to turn that into a real sense of security and opportunity.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).

HELPING CLIENTS SPREAD THEIR WINGS