
Managing Operational Risk Responding to the Challenges of Cloud, Mobile and IOT

Managing Operational Risk Responding to the Challenges of Cloud, Mobile and IOT. Dr , Robert W. Griffin Chief Security Architect RSA, the Security Division of EMC. The Challenges. Where is Operational Risk Management Today ?.


Presentation Transcript


  1. Managing Operational Risk: Responding to the Challenges of Cloud, Mobile and IOT. Dr. Robert W. Griffin, Chief Security Architect, RSA, the Security Division of EMC

  2. The Challenges

  3. Where is Operational Risk Management Today? Most companies have ORM programs, but they are not positioned to keep up with the increasing number and impact of disruptions constantly affecting global and local organizations. Frequency Cost Complexity Damage

  4. Today’s ORM Challenge: Global, technology and organisational factors have created significant incremental risk management challenges for organisations. • Multiple Views of Risk • Incomplete Picture • Velocity of Risk

  5. Disruption and Transformation
  • Business and Legal Transformation: Extended Workforce, Networked Value Chains (more hyper-extended, more digital)
  • Infrastructure Transformation: Big Data, Mobile, Cloud (less control over access device and back-end infrastructure)
  • Threat Landscape Transformation: Sophisticated Fraud, APTs (fundamentally different tactics, more formidable than ever)
  http://www.emc.com/collateral/industry-overview/h11391-rpt-information-security-shake-up.pdf?pid=sbiclandingpage-sbicspecialreport-122112

  6. The Cloud

  7. The Software-Defined Datacenter: Advanced Cyber Defence

  8. Mobile

  9. IOT

  10. IT and OT Convergence
  IT and Data Center: • CIO office and IT operations • CSO and security operations • Customer and marketing services • Information asset and resource management
  Grid Operations: • Power delivery • Transmission services • Meter management • Engineering and system performance • Grid asset management

  11. Disruptive Events are Increasing. Disruptive events are increasing, making it difficult for traditional Operational Risk Management approaches.

  12. The Miami Substation Explosion (1993)
  • Power surge destroyed capacitor bank
  • Tripped breaker malfunction caused arc fault
  • Emergency response system did not activate to notify grid dispatcher
  • Coolant in primary transformer overheated and blew seals
  • Escaping mineral oil vapor ignited at arc fault
  • Vapor explosion ignited oil tank for primary transformer
  • Explosion of substation caused meltdown of all transformers

  13. Event Analysis
  • Failure conditions: • Capacitor bank failure due to surge • Arcing due to open breaker
  • Component failures: • Arc suppression system (to extinguish arc) • Emergency Response System
  • Component failure causes: • Implementation error: arc suppression system and Emergency Response System on same circuit breaker • Hardware failure: breaker was faulty
  Dr. Nancy Leveson, http://sunnyday.mit.edu/STAMP-publications.html

  14. SPARKS Project: Smart Grid Protection against Cyber Attacks (www.project-sparks.eu)
  • Increased use of ICT systems, e.g., to support prosumer communities and advanced energy services
  • Greater use of COTS systems to implement parts of a more open grid
  • A greater degree of monitoring and automatic control at electricity network edge
  • Privacy concerns emerging from smart meters & increased risks associated with tampering

  15. Attacks

  16. Arkansas Substation Fire (2013) • Jason Woodring arrested October 2013 • Alleged to have cut his way into an Entergy substation • Used mixture of ethanol and motor oil to burn up a control house • «You should have expected U.S.» • One of several related attacks • Cutting power poles • Dragging power line across railroad track • No outage • Estimated $2 million in damage

  17. RSA Cybersecurity Survey

  18. ISACA 2015 Global Cybersecurity Status Report • Companies and government organizations worldwide are focusing on cybersecurity as a critical priority in 2015. • ISACA conducted a global survey of 3,439 business and IT professionals in 129 countries to capture their insights on cybersecurity attacks, skills shortages and proposals from US President Barack Obama, who addressed cybersecurity issues such as data breach notification laws in January 2015. • The survey was conducted online from 13-15 January 2015. • At a 95 percent confidence level, the margin of error is +/- 1.7 percent. http://www.isaca.org/pages/cybersecurity-global-status-report.aspx

  19. Cyberattacks. Do you think cyberattacks are among the three biggest threats facing organizations today? [chart: 86%, 5%, 11%, 83%] • 46% expect their organization to face a cyberattack in 2015 • Only 38% of all respondents feel prepared to fend off a sophisticated attack

  20. Cybersecurity Skills Shortage. 86% believe there is a shortage of skilled cybersecurity professionals. • Does your organization plan to hire more cybersecurity professionals in 2015? • 37% … Yes • 32% … No • 30% … Unsure. 92% of those hiring expect it will be difficult to find a skilled candidate

  21. Cybersecurity Awareness. Does your organization plan to increase cybersecurity awareness training for staff this year in light of recent breaches? [chart: 53%, 12%, 9%] 54% of respondents agree it is difficult to identify who has an adequate level of skills and knowledge when hiring new graduates for entry-level cybersecurity positions

  22. WHAT IS THE BIGGEST CYBER RISK OF 2015? TOP CYBER RISK IN 2015:
  • EVOLVING THREAT ACTORS: New threats emerge with tech enabled criminal opportunity; and existing threats evolve to stay ahead of defence
  • CHANGING IT DELIVERY MODELS: New IT capabilities – from BYOD to cloud to big data – have serious impact on the security controls we need and can use.
  • SENSATIONALISED MEDIA COVERAGE: Media interest is a double edged sword – Greater awareness good; Drumbeat of fear, uncertainty, and doubt bad
  • MISLEADING VENDOR CLAIMS: A scale market (USD 71bn in 2014, source: Gartner) that is in flux has intensified marketing efforts from many quarters
  This is a “wicked” problem – the biggest risk is that a lack of structure and prioritisation leads to the resources being squandered before the challenge is overcome!

  23. (Re-) Defining ORM

  24. Operational Risk The risk of direct or indirect loss resulting from: • Human factors • Inadequate or failed internal processes • Inadequate or failed systems • External events

  25. Three Lines of Defence (Board/Audit Committee, Senior Management; External Audit, Regulators)
  • 1st Line of Defence: Business • Owns and Manages
  • 2nd Line of Defence: Risk Mgmt, Compliance, Security • Assesses and Aggregates
  • 3rd Line of Defence: Internal Audit • Independent Review

  26. Intelligence Driven Operational Risk Management. Your approach should change the organisation’s focus from reacting to surprises to proactive management based on risk intelligence. Risk → Visibility → Analysis → Priority → Action → Results → Metrics: • Visibility + Analysis = Priority • Priority + Action = Results • Results + Metrics = Progress

  27. Envisioning ORM
  • What is the mission, scope, and authority to mitigate the risk?
  • Define the visibility required to achieve mission readiness: • Cloud • Network • Endpoint • Identity
  • How do I analyze, attribute, and predict the threat and refocus the mission? • Aggregation • Analysis • Dissemination • Attribution
  • Build enablement for detection (use cases, situational awareness, and baseline)
  • How do I respond, contain, and hunt to achieve the mission identifying known and unknown threats?

  28. Extending ORM
  • Board, Audit, External Audit (Third Line of Defence), Enterprise Risk Management
  • LOB Executives, CXO: Operational Risk Management
  • Security (CISO): Protect business assets
  • Resiliency (Business Operations): Protect against disruptions
  • Regulatory Compliance: Manage regulatory obligations
  • Third Party Management: Manage inherited risks
  • Operations

  29. (Re-) Implementing ORM

  30. The Keys to a Successful Program Minimise implementation risk Foster culture of adoption Reduce time to incremental value

  31. Minimize Implementation Risk • Executives do not like Surprises • A Digestible Strategy • Understand your Audience

  32. Drilling Down
  • Mission, Scope, Authority: • Governance • Operating Model • Organizational Design • Risk Analysis • Security Metrics
  • Aggregation • Analysis • Dissemination • Attribution • Data Science
  • Cloud • Network • Endpoint • Identity
  • Incident Triage & Response • Hunt • Malware Analysis • Steady State Ops • Management
  • Use Case Framework • Baseline • Situational Awareness

  33. Foster Culture of Adoption • Understand the power of Frustration • Make it Personal • Know where technology is an answer and where it isn’t

  34. How do we make it real? • Start, and finish, with an understanding of the risk (and opportunity) • Establish clear linkage from risks and assets through to projects, services and controls (and vice versa) • Ensure you have a complete and comprehensive way of describing capability

  35. Take Command of the Journey • Keep end game constantly in mind • Address the Pain • Don’t GRC (ORM) to just GRC

  36. Case Study: T-Systems (UK) Achieving Risk Discipline
  • Requirements: • Create a consolidated enterprise-wide view of operational and functional risks for senior management • Address all classes of risk • Engage business users in risk governance
  • Solution: • Used ISO 31000 as framework • Defined risk ownership • Established enterprise-wide risk community • Deployed single software solution across enterprise
  http://www.emc.com/collateral/customer-profiles/h11661-rsa-archer-cp.pdf

  37. Risk Discipline Across the Organization. Stakeholders: LOB Executives, Board, CIO & CISO, Business, IT, Business Operations Managers. Domains: IT Security Risk, Regulatory & Corporate Compliance, Operational & Enterprise Risk, Business Resiliency, Audit, Third Party & Vendor Risk. Common Foundation. Maturity: Silos → Managed → Advantaged

  38. Aligning with Business Resiliency • Opportunities Missed • Competition • Litigation • Poor internal controls & governance • Supply Chain Interruption • 3rd party non-performance or disruption • Human errors • Employee Health & Welfare • Regulatory violations, fines and sanctions • Product liability claims • Environmental damage • Information Security breaches • Inefficient processes & technologies • Business interruption • Unknown, unidentified risks • Internal and external fraud

  39. Re-defining Operational Risk Management: The Maturity Journey. Risk → Compliance → Exploit → Harness Opportunity → Transform Results; Reach

  40. Thank you! robert.griffin@rsa.com blogs.rsa.com/ thoughtfeast.co.uk/ project-sparks.eu/blog/ @RobtWesGriffin www.linkedin.com/pub/robert-griffin/0/4a1/608
