#teissamsterdam19
Information Security Setup in a decentral global organisation: The roles, tools and partner ecosystem
Tom Linckens
Executive Vice President & Chief Information Officer
Bertelsmann
09:30 – 09:50
INFORMATION SECURITY SETUP IN A GLOBAL DECENTRAL ORGANISATION
ROLES, TOOLS, PARTNER ECOSYSTEM
TOM LINCKENS
BOARD TECHNOLOGY ADVISORY,
UNTIL RECENTLY GROUP CIO BERTELSMANN SE & CO KGAA
• Education: RWTH Aachen, spiced up by: Cranfield, HBS, Insead, LBS, Stanford, Thunderbird
• 1995 – 2014 Henkel Group Düsseldorf, USA and Middle East
• Since 2003 CIO roles and member of Group IT Executive Board
• Ballpark #: 17bn € turnover, 50.000 employees / 48.000 seats, 250+ entities in 50+ countries
• … IT Budget 300M€, 1000 internal staff
• Groupwide SAP consolidation, Strategic Outsourcing, Innovation Management, Analytics & Reporting, Infrastructure Consolidation, Cloud (IAAS, PAAS, SAAS), Data Management, Process Consulting, Transformation, Shared Services, Talent Management, Business Relationship Management …
• 2014 – 2019 Group CIO Bertelsmann SE & Co KGaA
• Chairman of Group IT Board, member of Corporate Center Board, Chairman Advisory Board Arvato Systems, member of Group compliance committee
• Ballpark #: 17bn € turnover, 120.000 employees / 80.000 seats, 500+ entities in 50+ countries
• … IT Budget 1 bn+€, 7000 internal staff
• Buildup of IT groupwide Governance, IT security setup across 8 largely independent Divisions, Centralized IT purchasing & sourcing, Digital Transformation / Technology Heatmap, Network consolidation, Cloud (IAAS, PAAS, SAAS), Talent Management, Repositioning of Inhouse Service Provider, …
INFORMATION SECURITY IS MOVING UP ON THE CIO AGENDA
Sources:
1) In 2017, 84% of S&P 500 companies‘ market value was tied to intangible assets (incl. data and intellectual property; up from 17% in 1975): Intangible Asset Market Value Study, 2017, Ocean Tomo, LLC
2) DataLossDB.org, informationisbeautiful.org
3) E.g. distributed denial of service (DDoS) attack: $30-70 per day; email spam: $10 per one million emails; hacking a Gmail account: $162
4) World Economic Forum: Global Risks Report 2018
5) Marsh / Microsoft: Global Cyber Risk Perception Survey, February 2018: 62% of survey respondents named cyber security among their top five risk management priorities
§ In many companies Information Security has been a largely operational topic, not high on the CIO agenda.
§ Only recently has Information Security become part of the regular discussions with Executive and Advisory Boards.
§ In the last years customers have become increasingly interested in understanding the information and cyber security strategy of their suppliers and have started to make it part of their Strategic Supplier Management dialogue.
Information Security is an important element of your strategy and as such requires CIO attention and ownership as well as regular Management Board involvement.
WHAT’S UP ?
§ Increasing share of companies’ market value is tied to intangible assets
§ Increasing number of connected devices gather crucial data in digitized business models
§ Massive data breaches and cyber attacks have continued unabated into 2018
§ Cyber attacks are commoditised and for sale on the web
§ The World Economic Forum places cyber attacks and data fraud among top five risks
§ Growing deficit of cyber security talent
Digitization increases cyber attack surface drastically making cyber risk management an even higher priority: Are you moving fast enough?
Support your businesses in striking the right balance between business needs and security requirements
There is no such thing as perfect protection.
Less digital business, less of a target: lower risks, higher costs
More digital business, more of a target: higher risks, lower costs
GLOBAL DECENTRAL ORGANIZATIONS REQUIRE A RISK-BASED, ADAPTIVE SECURITY APPROACH
1. FOUNDATION OF YOUR IT SECURITY SETUP (EXEMPLARY)
Executive Board Guideline on Information Security
Information Security Regulations (ISREGs)
§ ISREGxx Security Organization
§ ISREGxx Asset and Risk Management
§ ISREGxx Monitoring and Improvement
§ ISREGxx Human Resource Security
§ ISREGxx Access Management
§ ISREGxx Physical and Environmental Security
§ ISREGxx Communications and Operations Management
§ ISREGxx Information Systems Acquisition and Development
§ ISREGxx Management of External Parties
§ ISREGxx Security Incident Management
§ ISREGxx Information Security Continuity Management
§ ISREGxx Compliance
Operating Instructions / Implementation Guides
§ Operating Instruction Cloud Computing
§ Operating Instruction Security Incident Management & CERT
§ Operating Instruction Information Security Management of Suppliers
§ Operating Instruction Mobile Device Management
§ Operating Instruction Password Management
§ Operating Instruction Email Security
§ Implementation Guide Public Cloud Governance
§ Implementation Guide for PaaS Services
1. FOUNDATION OF YOUR IT SECURITY SETUP
Update your Information Security Management System regularly and never tire of explaining it again and again and again and again and …
Define Minimum Security Standards and make them a ‚moving target‘.
Assess your maturity in Cyber Security and define a multi-year development path (use a common maturity model).
Run regular Information Security Awareness sessions and expose everybody (!) to unannounced security testing.
Sharpen the collaboration model with Data Protection and Audit as well as with your Ops Team.
Implement a yearly collection of all data assets and let the decentral Business Management take part in creating a divisional risk map:
a) quantify the existing risk (€) and ask the units to decide ‚accept or mitigate‘
b) decide jointly on priorities for the next budget cycle
c) review how far this complies with the existing policies and the defined ‚minimum security standard‘
d) discuss the overall risk that will be taken to allow the business to manoeuvre
INDEPENDENT, EXTERNAL EVALUATION OF DIGITAL RISK POSTURE COMPLEMENTS THE INTERNAL VIEW
We can only protect what we know
§ Attackers search for “security blind spots” (unknown internet-facing assets, abandoned assets etc.)
§ Attackers search for “security weak spots” (the path of least resistance), not necessarily the most critical assets
Outside-in view from an attacker’s point of view to identify digital risk exposure
Cyber security ratings to communicate and manage overall digital risk
Outside-in view to complement internal risk evaluation
Attack simulation to identify the threat landscape for digital assets
Measurement and quantification of digital risk (value-at-risk) and further outside-in solutions
EXAMPLE: BITSIGHT MONITORING OVER TIME PER DIVISION
Improvements in security incident response as well as systems diligence, esp. patch management, are key to improving security ratings
RATE YOUR DIVISIONS REGULARLY AND REPORT IT UP TO THE MANAGEMENT BOARD AND AUDIT COMMITTEE
Maturity radar chart (scale 0 to 5) per division, with the axes: Security governance; Planning and budgeting; Organization; ISMS framework; Security architecture and engineering; Process and operations; Communication and awareness; Attack handling and response; Attack and vulnerability detection; Risk management processes
Make sure your Exec Board and Audit Committee understand where Divisions stand in terms of meeting minimum security standards defined as well as how they compare to peers within their industry sector.
2. ROLES GROUP-WIDE INFORMATION SECURITY ORGANIZATION
• Have ISOs report to CIOs plus a ‘dotted line’ to CFOs on all levels of the organization
• Have the CISO in the lead to define yearly targets for the ISOs on divisional level jointly with the divisional CIO
• Make sure CISO and Head of IT Architecture work very closely together
• Have regular alignment between CIO, CISO, Legal, Data Protection and Head of IT Architecture
2. ROLES: THE CISO TEAM
Information Security Management System
§ Maintenance of the Group-wide ISMS framework; enactment of new binding policies; minimum security requirements
§ Management & monitoring of group-wide ISMS cycle execution
§ Quantification of information security-related risks in cooperation with Bertelsmann General Risk Management
Group CERT & cyber security technologies
§ Coordination of inter-divisional aspects of severe security incidents (S5, SX)
§ Interface to Group corporate functions, e.g. Data Protection, PR, Legal, Works Council
§ Coordination of vulnerability and leakage information towards divisional SOC teams
§ Lead in case of Advanced Persistent Threat with lateral (inter-divisional) impact
§ Provide divisions state-of-the-art solutions to fulfill security requirements, e.g. Zscaler
§ Security governance for Group-wide shared assets like domains, or certificates
§ Group-wide security initiatives mandated by the Bertelsmann Information Security Board, e.g. email security, identity & access management, secure cloud, secure workplace
Security metrics & digital risk Analytics
§ Conceptual design for the measurement, comparison and quantification of Group digital risk exposure, e.g. Cyberhedge
§ Bitsight security ratings to constantly monitor and measure Group’s cyber risk exposure and reporting of divisional ratings towards Executive Board
§ Piloting of outside-in solutions to create a more precise view on digital risk exposure, e.g. Cycognito
2. ROLES: ISMS - THE MULTI-LEVEL ORGANIZATION
Business Unit level (Owner: BISO)
§ Risk identification: use ISMS tools to identify Information Assets and related risks
§ Risk Map: assess and manage risks
§ Decide on risk treatment (mitigate/accept)
§ Management Review
Divisional level (Owner: DISO)
§ Aggregation: aggregate BU Risk Maps, quantify aggregated risks with Risk Management
§ Divisional Risk Map
§ Decide on risk treatment (mitigate/accept)
§ Management Review
Group level (Owner: CISO)
§ Aggregation: aggregate divisional Risk Maps, analyze findings
§ Group Risk Map
§ Inform about findings, approve initiatives on group level
§ Management Review
§ Reporting: create risk report (group level)
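The yearly risk-map cycle described under “Foundation of your IT security setup” (quantify the risk in €, let the unit decide accept or mitigate, prioritise for the next budget cycle, check against the minimum security standard) and its roll-up through the BISO, DISO and CISO levels, as an added worked example. This is not code from the original presentation or from Bertelsmann’s ISMS tooling; the risk entries, the quantification as impact × annual likelihood, and the accept limit of €200,000 are constructed assumptions for illustration only.

```python
"""Risk-map aggregation across business unit, division and group (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Risk:
    """One line of a business-unit risk map. All figures below are constructed sample data."""
    division: str
    business_unit: str
    asset: str
    impact_eur: int           # loss if the scenario materialises
    likelihood_pct: int       # estimated annual probability, in percent
    treatment: str            # the unit's decision: "accept" or "mitigate"
    mitigation_cost_eur: int  # cost of the proposed mitigation
    residual_pct: int         # share of the expected loss that remains after mitigation

    @property
    def expected_loss_eur(self) -> int:
        # Assumed quantification: annualised expected loss = impact x likelihood.
        return self.impact_eur * self.likelihood_pct // 100

    @property
    def residual_loss_eur(self) -> int:
        if self.treatment == "mitigate":
            return self.expected_loss_eur * self.residual_pct // 100
        return self.expected_loss_eur

    @property
    def reduction_if_mitigated_eur(self) -> int:
        return self.expected_loss_eur - self.expected_loss_eur * self.residual_pct // 100


# Hypothetical minimum-standard rule used here: a unit may accept a single risk on its
# own only up to this expected annual loss; anything above needs divisional/group review.
ACCEPT_LIMIT_EUR = 200_000

# Constructed sample risk map: two divisions with two business units each (not real data).
SAMPLE_RISKS = [
    Risk("Div A", "BU A1", "customer database", 2_000_000, 10, "mitigate", 150_000, 25),
    Risk("Div A", "BU A2", "legacy web shop", 800_000, 30, "accept", 100_000, 20),
    Risk("Div B", "BU B1", "payroll SaaS", 5_000_000, 5, "accept", 300_000, 40),
    Risk("Div B", "BU B2", "print plant OT", 3_000_000, 2, "mitigate", 400_000, 50),
]


def aggregate(risks, level):
    """Roll a risk map up to 'business_unit', 'division' or 'group' level (the aggregation step)."""
    totals = defaultdict(lambda: {"expected": 0, "residual": 0, "mitigation_cost": 0})
    for r in risks:
        key = "Group" if level == "group" else getattr(r, level)
        t = totals[key]
        t["expected"] += r.expected_loss_eur
        t["residual"] += r.residual_loss_eur
        if r.treatment == "mitigate":
            t["mitigation_cost"] += r.mitigation_cost_eur
    return dict(totals)


def standard_violations(risks, limit=ACCEPT_LIMIT_EUR):
    """Step c: accepted risks whose expected loss exceeds what the minimum standard lets a unit accept alone."""
    return [r.asset for r in risks if r.treatment == "accept" and r.expected_loss_eur > limit]


def prioritise(risks, budget_eur):
    """Step b: greedy ranking of mitigation proposals by risk reduction per euro within a budget."""
    candidates = [r for r in risks if r.mitigation_cost_eur > 0]
    candidates.sort(key=lambda r: r.reduction_if_mitigated_eur / r.mitigation_cost_eur, reverse=True)
    chosen, remaining = [], budget_eur
    for r in candidates:
        if r.mitigation_cost_eur <= remaining:
            chosen.append(r.asset)
            remaining -= r.mitigation_cost_eur
    return chosen


if __name__ == "__main__":
    for level in ("business_unit", "division", "group"):
        print(level, aggregate(SAMPLE_RISKS, level))
    print("accepted above limit, needs review:", standard_violations(SAMPLE_RISKS))
    print("mitigations for next budget cycle (EUR 300k):", prioritise(SAMPLE_RISKS, 300_000))
```

The divisional and group figures are what a DISO or the CISO would carry into the management review: the expected and residual loss per division, the mitigation spend already committed, and the list of accepted risks that breach the standard and therefore need a decision above unit level. The greedy ranking is a simple stand-in for the joint prioritisation; a real cycle would also weigh policy obligations that are not expressible as a euro reduction.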
Group level: Group CERT; corporate functions: Public relations, Legal, Data privacy, Works council, Internal audit, Compliance
Divisional and local level: DISOs, Divisional SOC teams, Divisional IT ops; Local SOC teams, Local IT operations
Partners, Platforms
2. ROLES: CERT & TECHNOLOGIES TEAM
§ Coordination of inter-divisional aspects of severe security incidents (S5, SX) as required by ISREGxx Security Incident Management
§ Escalation instance and interface to CISO, who acts as interface to Executive Management
§ Receiving instance for security incident reporting from divisions and group-entities
§ Interface to corporate functions, e.g. Data Protection, Public Relations, Legal, Works Council
§ Coordination of vulnerability and leakage information from external platforms (e.g. Bitsight, Cycognito, DCSO Threat Intelligence Platform (TIP) and DCSO Information Leakage Monitoring service (ILM)) towards divisional SOC teams
§ Lead in case of Advanced Persistent Threat with lateral (cross-divisional) impact
…
§ Scouting of state-of-the-art solutions leveraging a network of partners/startups
§ Cyber defense architecture to protect digital infrastructure against threat vectors using modern cyber tech solutions
§ Share knowledge about powerful solutions across Group using a central repository
§ Consulting Group entities on how to implement effective cyber security solutions
Information Security Board
Leverage partner network and group-internal best-practices to provide state-of-the-art cyber security support to all divisions
CERT & TECHNOLOGIES TEAM SUPPORTS ENTITIES IN EFFECTIVE CLOSING OF SECURITY GAPS
Diagram: divisions DiV1 to DiV6 mapped against the protection layers Endpoint security, Secure access, CASB, IAM, PaaS / SaaS, On premise datacenter, Traditional perimeter, Cloud, Mobility, IaaS
Threat vectors:
1 Email attack (phishing, fake president, malware, fraud, scam)
2 DDoS attack (web, DNS or email)
3 Exploitation of vulnerabilities (application or infrastructure/“hacking”)
4 Access to malicious resources (web, network, wireless)
5 Information leakage (email, file exchange, portable storage, mobile devices)
6 Privilege misuse (incl. privilege escalation and malicious insider)
3. PARTNERS & TOOLS
Matrix: security solutions (rows) against IT services / assets (columns: Governance, Identity, Data + Documents, Access, Network + perimeter, Workplace, Communications, SaaS, Applications + PaaS, Server + IaaS, Development); per security domain the recommended solution is marked as Best of breed or Microsoft, and each column is annotated with the threat vectors it addresses.
Solution Portfolio (exemplary) - Level 1 -
§ Integrated Risk Management (IRM) + Security Metrics
§ Identity + Access Management (IAM)
§ Vulnerability Management (VM)
§ Endpoint Protection Platform (EPP) - Windows
§ Secure Email Gateway (SEG)
§ Network Traffic Analysis (NTA)
§ Secure Web Gateway (SWG)
§ Mobile Device Management (MDM)
Solution Portfolio (exemplary) - Level 2 and 3 -
§ Security Information and Event Management (SIEM)
§ Enterprise Digital Rights Management (EDRM)
§ DDoS Protection
§ Cloud Access Security Broker (CASB)
§ Threat Intelligence (TI)
§ Endpoint Protection Platform (EPP) - Mac + Mobile
§ Application Security Testing (AST)
§ Data Security Governance (DSG)
§ Identity Governance Administration (IGA)
Recommended Microsoft solution called out on the slide: Defender ATP
Threat Vectors: 1: Email, 2: DDoS, 3: Exploitation of Vulnerabilities, 4: Access to malicious resources, 5: Information Leakage, 6: Privilege Misuse
SPECIAL CONSIDERATION: TALENT MANAGEMENT
• The only way to manage the scarcity of talent is to have the right partners
• For your internal team: be aware of their ambitions and actively manage their career path
• Consider a Long Term Incentive
• Manage the attitude: make your CISO team act more as an enabler than as ‚Defense‘
• Look beyond mere security and also assess how especially Cloud Security Services can help accelerate your Digital Transformation, thus making a career here more interesting!
THANK YOU FOR YOUR ATTENTION