#teissamsterdam19 Information Security Setup in a decentral global organisation: The roles, tools and partner ecosystem Tom Linckens Executive Vice President & Chief Information Officer Bertelsmann 09:30 – 09:50


Page 1

#teissamsterdam19

Information Security Setup in a decentral global organisation: The roles, tools and partner ecosystem

Tom Linckens

Executive Vice President & Chief Information Officer

Bertelsmann

09:30 – 09:50

Page 2

INFORMATION SECURITY SETUP IN A GLOBAL DECENTRAL ORGANISATION

ROLES, TOOLS, PARTNER ECOSYSTEM

TOM LINCKENS

BOARD TECHNOLOGY ADVISORY,

UNTIL RECENTLY GROUP CIO BERTELSMANN SE & CO KGAA

Page 3

• Education : RWTH Aachen spiced up by: Cranfield, HBS, Insead, LBS, Stanford, Thunderbird

• 1995 – 2014 Henkel Group Düsseldorf, USA and Middle East

• Since 2003 CIO roles and member of Group IT Executive Board

• Ballpark #: 17bn € turnover, 50.000 employees / 48.000 seats, 250+ entities in 50+ countries

• … IT Budget 300M€, 1000 internal staff

• Groupwide SAP consolidation, Strategic Outsourcing, Innovation Management, Analytics & Reporting, Infrastructure Consolidation, Cloud (IAAS, PAAS, SAAS), Data Management, Process Consulting, Transformation, Shared Services, Talent Management, Business Relationship Management …

• 2014 – 2019 Group CIO Bertelsmann SE & Co KGaA

• Chairman of Group IT Board, member of Corporate Center Board, Chairman Advisory Board Arvato Systems, member of Group compliance committee

• Ballpark #: 17bn € turnover, 120.000 employees / 80.000 seats, 500+ entities in 50+ countries

• … IT Budget 1 bn+€, 7000 internal staff

• Buildup of IT groupwide Governance, IT security setup across 8 largely independent Divisions, Centralized IT purchasing & sourcing, Digital Transformation / Technology Heatmap, Network consolidation, Cloud (IAAS, PAAS, SAAS), Talent Management, Repositioning of Inhouse Service Provider, …

Page 4

INFORMATION SECURITY IS MOVING UP ON THE CIO AGENDA


§ Information Security has in many companies been a rather operational topic, not high on the CIO agenda.

§ Only recently has Information Security become part of the regular discussions with Executive and Advisory Boards.

§ In recent years customers have become increasingly interested in understanding the information and cyber security strategy of their suppliers and have started to make it part of their Strategic Supplier Management dialogue.

Information Security is an important element of your strategy and as such requires CIO attention and ownership as well as regular Management Board involvement.

Page 5

WHAT’S UP ?

1) In 2017 84% of S&P 500 companies‘ market value was tied to intangible assets (incl. data and intellectual property; up from 17% in 1975); Intangible Asset Market Value Study, 2017, Ocean Tomo, LLC

2) DataLossDB.org, informationisbeautiful.org

3) E.g. distributed denial of service (DDoS) attack: $30-70 per day; email spam: $10 per one million emails; hacking a Gmail account: $162

4) World Economic Forum: 2018 Global Risk Report

5) Marsh / Microsoft: Global Cyber Risk Perception Survey, February 2018: 62% of survey respondents named cyber security among top five risk management priorities

§ Increasing share of companies’ market value is tied to intangible assets

§ Increasing number of connected devices gather crucial data in digitized business models

§ Massive data breaches and cyber attacks have continued unabated into 2018

§ Cyber attacks commoditize and are for sale on the web

§ The World Economic Forum places cyber attacks and data fraud among top five risks

§ Growing deficit of cyber security talent

Digitization increases cyber attack surface drastically making cyber risk management an even higher priority: Are you moving fast enough?

Page 6

Support your businesses in striking the right balance between business needs and security requirements

There is no such thing as perfect protection.

Less digital business, less of a target: lower risks, higher costs

More digital business, more of a target: higher risks, lower costs

GLOBAL DECENTRAL ORGANIZATIONS REQUIRE A RISK-BASED, ADAPTIVE SECURITY APPROACH

Page 7

1. FOUNDATION OF YOUR IT SECURITY SETUP (EXEMPLARY)

Executive Board Guideline on Information Security

Information Security Regulations (ISREGs)

Operating Instructions / Implementations Guides

§ ISREGxx Security Organization
§ ISREGxx Asset and Risk Management
§ ISREGxx Monitoring and Improvement
§ ISREGxx Human Resource Security
§ ISREGxx Access Management
§ ISREGxx Physical and Environmental Security
§ ISREGxx Communications and Operations Management
§ ISREGxx Information Systems Acquisition and Development
§ ISREGxx Management of External Parties
§ ISREGxx Security Incident Management
§ ISREGxx Information Security Continuity Management
§ ISREGxx Compliance

§ Operating Instruction Cloud Computing
§ Operating Instruction Security Incident Management & CERT
§ Operating Instruction Information Security Management of Suppliers
§ Operating Instruction Mobile Device Management
§ Operating Instruction Password Management
§ Operating Instruction Email Security
§ Implementation Guide Public Cloud Governance
§ Implementation Guide for PaaS Services

Page 8

1. FOUNDATION OF YOUR IT SECURITY SETUP

Update your Information Security Management System regularly and never tire of explaining it again and again and again and again and …

Define Minimum Security Standards and make them a ‚moving target‘.

Assess your maturity in Cyber Security and define a multi-year development path (use a common maturity model).

Run regular Information Security Awareness sessions and expose everybody (!) to unannounced security testing.

Sharpen the collaboration model with Data Protection and Audit as well as with your Ops Team.

Implement a yearly collection of all Data assets and let the decentral Business Management be part of creating a divisional risk map:

a) quantify existing risk (€) and ask the units to decide on ‚accept or mitigate‘
b) decide commonly on priorities for the next budget cycle
c) review in how far this complies with the existing policies and a defined ‚minimum security standard‘
d) discuss overall the risk that will be taken to allow business to maneuver

Page 9

INDEPENDENT, EXTERNAL EVALUATION OF DIGITAL RISK POSTURE COMPLEMENTS THE INTERNAL VIEW

We can only protect what we know

§ Attackers search for “security blind spots” (unknown internet-facing assets, abandoned assets etc.)

§ Attackers search for “security weak spots” (path of least resistance), not necessarily the most critical assets

Outside-in view from an attacker’s point of view to identify digital risk exposure

Cyber security ratings to communicate and manage overall digital risk

Outside-in view to complement internal risk evaluation

Attack simulation to identify threat landscape for digital assets

Measurement and quantification of digital risk (value-at-risk) and further outside-in solutions

Page 10

EXAMPLE: BITSIGHT MONITORING OVER TIME PER DIVISION

Improvements in security incident response as well as systems diligence, esp. patch management, are key to improving security ratings.

Page 11

RATE YOUR DIVISIONS REGULARLY AND REPORT IT UP TO THE MANAGEMENT BOARD AND AUDIT COMMITTEE

[Radar chart: maturity rating per division on a 0 to 5 scale across ten domains: Security governance; Planning and budgeting; Organization; ISMS framework; Security architecture and engineering; Process and operations; Communication and awareness; Attack handling and response; Attack and vulnerability detection; Risk management processes]

Make sure your Exec Board and Audit Committee understand where Divisions stand in terms of meeting minimum security standards defined as well as how they compare to peers within their industry sector.

Page 12

2. ROLES GROUP-WIDE INFORMATION SECURITY ORGANIZATION

Page 13

2. ROLES GROUP-WIDE INFORMATION SECURITY ORGANIZATION

• Have ISOs report to CIOs plus a ‘dotted line’ to CFOs on all levels of the organization

• Have the CISO in the lead to define yearly targets for the ISOs on divisional level jointly with the divisional CIO

• Make sure CISO and Head of IT Architecture work very closely together

• Have regular alignment between CIO, CISO, Legal, Data Protection and Head of IT Architecture

Page 14

2. ROLES: THE CISO TEAM

Information Security Management System

§ Maintenance of the Group-wide ISMS framework; enactment of new binding policies; minimum security requirements

§ Management & monitoring of group-wide ISMS cycle execution

§ Quantification of information security-related risks in cooperation with Bertelsmann General Risk Management

Group CERT & cyber security technologies

§ Coordination of inter-divisional aspects of severe security incidents (S5, SX)

§ Interface to Group corporate functions, e.g. Data Protection, PR, Legal, Works Council

§ Coordination of vulnerability and leakage information towards divisional SOC teams

§ Lead in case of Advanced Persistent Threat with lateral (inter-divisional) impact

§ Provide divisions state-of-the-art solutions to fulfill security requirements, e.g. Zscaler

§ Security governance for Group-wide shared assets like domains, or certificates

§ Group-wide security initiatives mandated by the Bertelsmann Information Security Board, e.g. email security, identity & access management, secure cloud, secure workplace

Security metrics & digital risk Analytics

§ Conceptual design for the measurement, comparison and quantification of Group digital risk exposure, e.g. Cyberhedge

§ Bitsight security ratings to constantly monitor and measure Group’s cyber risk exposure and reporting of divisional ratings towards Executive Board

§ Piloting of outside-in solutions to create a more precise view on digital risk exposure, e.g. Cycognito

Page 15

2. ROLES: ISMS - THE MULTI-LEVEL ORGANIZATION

Assess and manage risks

Business Unit level (Owner: BISO)

§ Risk identification: use ISMS tools to identify Information Assets and related risks
§ Risk Map
§ Decide on risk treatment (mitigate/accept)
§ Management Review

Division level (Owner: DISO)

§ Aggregation: aggregate BU Risk Maps, quantify aggregated risks with Risk Management
§ Divisional Risk Map
§ Decide on risk treatment (mitigate/accept)
§ Management Review

Group level (Owner: CISO)

§ Aggregation: aggregate divisional Risk Maps, analyze findings
§ Group Risk Map
§ Inform about findings, approve initiatives on group level
§ Management Review
§ Reporting: create risk report (group level)
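The yearly risk-map cycle from the "Foundation" page (quantify risk in €, let units decide accept or mitigate, check against the minimum security standard) and the three-level aggregation above (BISO, DISO, CISO) can be modelled as a small data structure. The following Python is an added illustration, not code from the deck or from Bertelsmann; it assumes that a risk is quantified as an annual loss figure in EUR, that compliance with the minimum security standard is recorded as a yes/no flag per asset, and that an escalation threshold exists for accepted risks. The sample business units, assets and amounts are constructed.

```python
"""Model of a BU -> Division -> Group risk-map cycle (illustration, not the deck's own tooling)."""
from dataclasses import dataclass, field
from typing import Dict, List

TREATMENTS = {"accept", "mitigate"}


@dataclass
class AssetRisk:
    asset: str
    annual_loss_eur: float          # quantified risk in EUR (assumed unit, step a)
    treatment: str                  # "accept" or "mitigate", decided by the unit (step a)
    meets_minimum_standard: bool    # does the current control level meet the minimum standard? (step c)


@dataclass
class RiskMap:
    level: str                      # "Business Unit", "Division" or "Group"
    owner: str                      # BISO, DISO or CISO
    unit: str
    risks: List[AssetRisk] = field(default_factory=list)
    sources: List["RiskMap"] = field(default_factory=list)   # maps aggregated into this one


def all_risks(rm: RiskMap) -> List[AssetRisk]:
    """Flatten this map together with every map aggregated into it."""
    out = list(rm.risks)
    for child in rm.sources:
        out.extend(all_risks(child))
    return out


def quantify(rm: RiskMap) -> Dict[str, float]:
    """Totals per treatment decision, as Risk Management would quantify an aggregated map."""
    risks = all_risks(rm)
    return {
        "total_eur": sum(r.annual_loss_eur for r in risks),
        "accepted_eur": sum(r.annual_loss_eur for r in risks if r.treatment == "accept"),
        "mitigate_eur": sum(r.annual_loss_eur for r in risks if r.treatment == "mitigate"),
    }


def aggregate(level: str, owner: str, unit: str, sources: List[RiskMap]) -> RiskMap:
    """Build the next-level map; reject malformed treatment decisions before they propagate."""
    for src in sources:
        for r in src.risks:
            if r.treatment not in TREATMENTS:
                raise ValueError(f"{src.unit}/{r.asset}: treatment must be one of {sorted(TREATMENTS)}")
    return RiskMap(level=level, owner=owner, unit=unit, sources=list(sources))


def findings(rm: RiskMap, escalation_threshold_eur: float) -> List[str]:
    """Steps c) and d): accepted risks that breach the minimum standard or exceed the threshold."""
    notes = []
    for r in all_risks(rm):
        if r.treatment != "accept":
            continue
        if not r.meets_minimum_standard:
            notes.append(f"{r.asset}: accepted although below minimum security standard")
        if r.annual_loss_eur > escalation_threshold_eur:
            notes.append(f"{r.asset}: accepted risk {r.annual_loss_eur:,.0f} EUR exceeds escalation threshold")
    return notes


def group_risk_report(group: RiskMap, escalation_threshold_eur: float) -> dict:
    """Reporting step (owner CISO): group totals, per-division totals and findings for the board."""
    return {
        "group": quantify(group),
        "divisions": {d.unit: quantify(d) for d in group.sources},
        "findings": findings(group, escalation_threshold_eur),
    }


def build_sample_group() -> RiskMap:
    """Constructed sample data: three business units in two divisions."""
    bu1 = RiskMap("Business Unit", "BISO", "BU-1", [
        AssetRisk("customer database", 400_000, "mitigate", False),
        AssetRisk("marketing site", 20_000, "accept", True),
    ])
    bu2 = RiskMap("Business Unit", "BISO", "BU-2", [
        AssetRisk("payroll system", 150_000, "accept", False),
    ])
    bu3 = RiskMap("Business Unit", "BISO", "BU-3", [
        AssetRisk("print platform", 60_000, "accept", True),
        AssetRisk("legacy CMS", 900_000, "accept", True),
    ])
    div_a = aggregate("Division", "DISO", "Division A", [bu1, bu2])
    div_b = aggregate("Division", "DISO", "Division B", [bu3])
    return aggregate("Group", "CISO", "Group", [div_a, div_b])


if __name__ == "__main__":
    report = group_risk_report(build_sample_group(), escalation_threshold_eur=500_000)
    print(report["group"])
    for name, totals in report["divisions"].items():
        print(name, totals)
    for note in report["findings"]:
        print("finding:", note)
```

The two findings the sample produces are exactly the cases the slides ask the board to look at: a unit accepting a risk on an asset that does not meet the minimum security standard, and a unit accepting a risk larger than the group is willing to carry without a conscious decision.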

Page 16

2. ROLES: CERT & TECHNOLOGIES TEAM

[Diagram: the Group CERT at group level, interfacing with Public relations, Legal, Data privacy, Works council, Internal audit and Compliance; at divisional and local level with DISOs, Divisional SOC teams, Divisional IT ops, Local SOC teams and Local IT operations; and externally with Partners and Platforms]

§ Coordination of inter-divisional aspects of severe security incidents (S5, SX) as required by ISREGxx Security Incident Management

§ Escalation instance and interface to CISO, who acts as interface to Executive Management

§ Receiving instance for security incident reporting from divisions and group-entities

§ Interface to corporate functions, e.g. Data Protection, Public Relations, Legal, Works Council

§ Coordination of vulnerability and leakage information from external platforms (e.g. Bitsight, Cycognito, DCSO Threat Intelligence Platform (TIP) and DCSO Information Leakage Monitoring service (ILM)) towards divisional SOC teams

§ Lead in case of Advanced Persistent Threat with lateral (cross-divisional) impact

Page 17

§ Scouting of state-of-the-art solutions leveraging a network of partners/startups

§ Cyber defense architecture to protect digital infrastructure against threat vectors using modern cyber tech solutions

§ Share knowledge about powerful solutions across Group using a central repository

§ Consulting of Group entities in how to implement effective cyber security solutions

Information Security Board

Leverage partner network and group-internal best-practices to provide state-of-the-art cyber security support to all divisions

CERT & TECHNOLOGIES TEAM SUPPORTS ENTITIES IN EFFECTIVE CLOSING OF SECURITY GAPS

[Diagram: CERT & Technologies team and Information Security Board supporting divisions DiV1 to DiV6]

Page 18

3. PARTNERS & TOOLS

[Diagram: architecture elements Endpoint security, Secure access, CASB, IAM, PaaS, SaaS, IaaS, On premise datacenter, Traditional perimeter, Cloud and Mobility, with six numbered threat vectors:]

1. Email attack (phishing, fake president, malware, fraud, scam)
2. DDoS attack (web, DNS or email)
3. Exploitation of vulnerabilities (application or infrastructure/“hacking”)
4. Access to malicious resources (web, network, wireless)
5. Information leakage (email, file exchange, portable storage, mobile devices)
6. Privilege misuse (incl. privilege escalation and malicious insider)

Page 19

Solution Portfolio (exemplary) - Level 1 -

[Matrix: Security Domains (rows) against IT Services / Assets (columns: Governance, Identity, Data + Documents, Access, Network + perimeter, Workplace, Communications, SaaS, Applications + PaaS, Server + IaaS, Development), each marked as Best of breed or Microsoft recommended solution]

Security Domains, Level 1:
§ Integrated Risk Management (IRM) + Security Metrics
§ Identity + Access Management (IAM)
§ Vulnerability Management (VM)
§ Endpoint Protection Platform (EPP) - Windows
§ Secure Email Gateway (SEG)
§ Network Traffic Analysis (NTA)
§ Secure Web Gateway (SWG)
§ Mobile Device Management (MDM)

ITIS

Recommended Solution

Threat Vectors: 1: Email, 2: DDoS, 3: Exploitation of Vulnerabilities, 4: Access to malicious resources, 5: Information Leakage, 6: Privilege Misuse

Page 20

Solution Portfolio (exemplary) - Level 2 and 3 -

[Matrix: Security Domains (rows) against IT Services / Assets (columns: Governance, Identity, Data + Documents, Access, Network + perimeter, Workplace, Communications, SaaS, Application + PaaS, Server + IaaS, Development), each marked as Best of breed or Microsoft recommended solution]

Security Domains, Level 2 and Level 3:
§ Security Information and Event Management (SIEM)
§ Enterprise Digital Rights Management (EDRM)
§ DDoS Protection
§ Cloud Access Security Broker (CASB)
§ Threat Intelligence (TI)
§ Endpoint Protection Platform (EPP) - Mac + Mobile
§ Application Security Testing (AST)
§ Data Security Governance (DSG)
§ Identity Governance Administration (IGA)

Defender ATP

Recommended Solution

Threat Vectors: 1: Email, 2: DDoS, 3: Exploitation of Vulnerabilities, 4: Access to malicious resources, 5: Information Leakage, 6: Privilege Misuse

ITIS

Page 21

SPECIAL CONSIDERATION: TALENT MANAGEMENT

• The only way to manage scarcity of talent is to have the right partners

• For your internal team: Be aware of their ambitions and actively manage their career path

• Consider a Long Term Incentive

• Manage the attitude: Make your CISO Team act more as enabler than as ‚Defense‘

• Look beyond mere Security and also assess how especially Cloud Security Services can help accelerate your Digital Transformation: thus make a career here more interesting!

Page 22

THANK YOU FOR YOUR ATTENTION