RSA ADVANCED CYBER DEFENCE SUMMIT, LONDON, APRIL 2015
TOM BURTON, DIRECTOR, KPMG LLP
HOW CAN WE MAKE THIS HAPPEN IN PRACTICE… …WHILE AVOIDING THE BIGGEST CYBER RISK OF 2015
© 2015 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“ KPMG International” ), a Swiss entity. All rights reserved.
TOP CYBER RISK IN 2015
WHAT IS THE BIGGEST CYBER RISK OF 2015
This is a “wicked” problem – the biggest risk is that a lack of structure and prioritisation leads to the resources being squandered before the challenge is overcome.
SENSATIONALISED MEDIA COVERAGE: Media interest is a double-edged sword. Greater awareness is good; a drumbeat of fear, uncertainty and doubt is bad.
EVOLVING THREAT ACTORS: New threats emerge with tech-enabled criminal opportunity, and existing threats evolve to stay ahead of defence.
CHANGING IT DELIVERY MODELS: New IT capabilities – from BYOD to cloud to big data – have a serious impact on the security controls we need and can use.
MISLEADING VENDOR CLAIMS: A scale market (USD 71bn in 2014, source: Gartner) that is in flux has intensified marketing efforts from many quarters.
CYBER THREAT
[Chart: risk and capability (high to low) plotted across the stages UNAWARE, AWARENESS, CRISIS, TACTICAL RESPONSE and ADAPTIVE EVOLUTION; sectors placed along the curve: natural resources, transport & logistics, oil & gas, investment banking, aerospace, defence, insurance, retail banking, industrial manufacture]
WHAT DRAWS YOU INTO THE SPIRAL, AND KEEPS YOU THERE
SECURITY PROGRAMME uncovers issues wherever it looks that challenge priorities
INSUFFICIENT RISK DEFINITION causes tactical incidents to overtake larger and more strategic mitigations
POOR BUSINESS UNDERSTANDING leads to broken capability when business changes
TACTICAL STICKING PLASTER + New Incident = Requirement for New Sticking Plaster
LACK OF OWNERSHIP and accountability leads to ad hoc and incomplete capability insertion
Incident response and TACTICAL PROJECTS CONSUME ALL RESOURCES
NO OBJECTIVE JUSTIFICATION for plans causes priorities to be reset ‘on the fly’
‘GOLF COURSE’ CONVERSATIONS lead to Board solutioneering directing technology-based interventions
CONFIDENCE IN SECURITY PLANS UNDERMINED by each tactical incident-driven change
LACK OF ONGOING COMPLIANCE CHECKING means capability isn’t sustained
POOR UNDERSTANDING (assets, intelligence, regulatory etc.) leads to over-controlled low-risk assets
INADEQUATE GOVERNANCE STRUCTURE leads to poor decision making
WHAT SHOULD WE ASPIRE TO?
[Chart: budget against time, showing cyber security risk and the risk of inappropriate spend, with increasing capabilities over time; spend split into strategic, tactical and lost to friction]
INTEGRATING SECURITY WITH OPERATIONS
[Diagram: drivers (assets and external factors: threats/risk, objectives/opportunity, legislation/regulatory) feeding capability definition and capability requirements, tracked as current, planned and desired states, through to the project portfolio]
CAPABILITY: What is it and why is it important?
Complete, and Comprehensive
INTEGRATING SECURITY STRATEGY WITH OPERATIONS
[Diagram: timeline from current state through 2014, 2015, 2016 and 2017 forecasts, recommendations and focus studies to desired state; layers from the coalface up through project definition and management, portfolio and capability management, management reporting and active risk management, with threats as the external input]
MANAGING THE BIGGEST RISK
Start, and finish, with an understanding of the risk (and opportunity)
Ensure you have a complete and comprehensive way of describing capability
Establish clear linkage from risks and assets through to projects, services and controls (and vice versa)
DRIVEN BY BUSINESS
We work with our clients to move their business forward. Positively managing cyber risk not only helps take control of uncertainty across the business; it can be turned into a genuine strategic advantage.
RAZOR SHARP INSIGHTS
In a fast-moving digital world of constantly evolving threats and opportunities, you need both agility and assurance.
Our people are experts in both cyber security and our priority sectors, which means we give our clients leading-edge insight, ideas and proven solutions to act with confidence.
SHOULDER TO SHOULDER
We work with our clients as long-term partners, giving them advice and challenge to make decisions with confidence. We understand that this area is often clouded by feelings of doubt and vulnerability, so we work hand-in-hand with them to turn that into a real sense of security and opportunity.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).
HELPING CLIENTS SPREAD THEIR WINGS