
Improving the effectiveness of cyber security – controlling people, process and technology

10 April 2014

You could be under cyber attack — now!
Today’s cyber threats

Under cyber attack: EY’s Global Information Security Survey

EY’s Global Information Security Survey was structured to explore 3 areas:

  • Improve
  • Expand
  • Innovate

[Figure: the three areas positioned on two axes, Awareness (Don’t know / Know) and Behavior (Reactive / Proactive).]

Improve. Expand. Innovate.
Today’s cyber threats

Improve

For many organizations, this is the current state. Over the past year, organizations have made substantial progress in improving their defences against cyber attacks. Yet their position remains reactive, addressing the threats they know, but not seeking to understand the threats that may be just around the corner.

Expand

Leading organizations are taking bolder steps to combat cyber threats. They are more proactive in determining both the known and unknown risks within their security programs. However, there remains room to expand security measures.

Innovate

Organizations aspiring to be information security innovators need to set their sights on new frontiers. These organizations need to continuously review, rethink and potentially redesign their entire information security framework in order to be better prepared. In many cases, innovating may require a fundamental transformation of the information security program to proactively fortify against both the known and the unknown risks in the cyber risk environment.

Everyone and every organization is a target

Certain circumstances can make data security and privacy significantly more challenging:

  • M&A
  • Entering new markets
  • New product launch
  • Front page news
  • Major organizational change
  • Audit responsibility

Under cyber attack: EY’s Global Information Security Survey

Knowing that an attack will inevitably occur sparks improvements.

Our survey indicates that many organizations recognize the extent and depth of the threats they face — from the top of the organization to the shop floor. For nearly three quarters of organizations surveyed, information security policies are now owned at the highest organizational level.


Beating cybercrime by transforming the security program and improving business performance

Five questions for the C-suite

  • Do you know how much damage a security breach can do to your reputation or brand?
  • Are internal and external threats considered when aligning your security strategy to your risk management efforts?
  • How do you align key risk priorities in relation to your spending?
  • Do you understand your risk appetite and how it allows you to take controlled risks?
  • How does your IT risk management strategy support your overall business strategy?

Identify the real risks

Questions to ask

  • What is your organization’s risk culture?
  • Are you detecting and monitoring threats inside and outside the organization?
  • Have you anticipated new technology risks, such as mobile devices, social media and cloud computing?

Conventional thinking

  • Budget and organize a security program focused primarily on meeting immediate compliance needs
  • Protect the perimeter and keep external threats out
  • Focus on entry points, not exit points. A reactive, internally focused posture leads to a constant firefighting mode, addressing the latest threat or incident

Leading thinking

  • Define the organization’s overall risk appetite and how information risk fits within it
  • Identify the most important information and applications, where they reside and who has or needs access
  • Assess the threat landscape and develop predictive models highlighting your real exposures
Protect what matters most

Questions to ask

  • Have you considered automating security controls?
  • Are you using predictive indicators to analyze seemingly legitimate network activity?
  • Are your resources focused on emerging threats?

Conventional thinking

  • Security program budget and organization focused primarily on meeting immediate compliance needs
  • Goal and expectation set to stop all attacks and threats
  • Disproportionate focus on maintaining lower-risk/lower-value security activities
  • User access and roles are set up by copying the last employee hired

Leading thinking

  • Develop a security strategy focused on business drivers and protecting high-value data
  • Assume breaches will occur — improve the processes that plan, protect, detect and respond
  • Balance fundamentals with emerging threat management
  • Establish and rationalize access control models for applications and information
Optimize business performance

Questions to ask

  • Are you balancing spending among key risk priorities?
  • Have you investigated the latent functionality of your existing tools?
  • Are you outsourcing any of your information security?

Conventional thinking

  • Various security aspects exist in silos and are driven by compliance only
  • The largest portion of the security budget goes to technology solutions
  • Fear of outsourcing anything security-related due to a perceived loss of control. This results in an inability to focus on emerging technologies, new threats and new business initiatives

Leading thinking

  • Align all aspects of security (information, privacy, physical and business continuity) with the business
  • Spend wisely on controls and technology — invest more in people and processes
  • Consider selectively outsourcing operational security program areas
Sustain an enterprise program

Questions to ask

  • Are you taking controlled risks rather than striving to eliminate risks altogether?
  • Are your key indicators trailing or leading?

Conventional thinking

  • Security viewed as a sub-function of IT with little top management visibility
  • Security program budget and organization focused on meeting immediate compliance needs
  • Security metrics and reporting focused on historic trends. Inordinate time spent reacting to major incidents
  • Inherent security risk drives priorities. Lack of a balanced risk view based on the overall acceptable risk appetite

Leading thinking

  • Get governance right — make security a board-level priority
  • Allow good security to drive compliance, not vice versa
  • Measure leading indicators to catch problems while they are still small
  • Accept manageable risks that improve performance
Enable business performance

Questions to ask

  • Do all of the organization’s stakeholders understand the importance of information security?
  • Is your organization up to date with the new technologies reaching the workforce?
  • Does your organization have the right measures to create an enterprise-level scorecard on information security?

Conventional thinking

  • Security viewed as merely a function of the security team
  • Ban emerging technologies (social media, mobile) until they are mature
  • Program focused on perimeter and access management, not on all IT processes or all enterprise information (e.g., business unit, cloud and end-user computing)
  • Security metrics are backward-looking and tactical, and not linked to goals, outcomes or strategic business drivers

Leading thinking

  • Make security everyone’s responsibility
  • Don’t restrict newer technologies; use the forces of change to enable them
  • Broaden the program to adopt enterprise-wide information risk management concepts
  • Set security program goals and metrics that impact business performance

Framework to enable your security program to address business needs

Contact details:
Georgi Dimitrov, CISA, CISM, MCSE, MCSA

georgi.dimitrov@bg.ey.com
