www.bermudacaptive.bm. JUN 2 - 4, 2014.
Cyber Security – It’s not just about technology.
Moderator: Fred Oberholzer, Senior Manager, KPMG
Speaker: Dennis Van Ham, Director, KPMG
Agenda
Impact of Evolving Cyber Threats
(Cyber) Security Concern Is The “New Normal”
Cyber Insurance: The next frontier?
“There are only two types of companies, those that have been hacked and those that will be” (Robert Mueller, Head of the FBI)
In October 2012, the insurance industry saw firsthand how intent hackers were on accessing this information when Nationwide suffered a major data breach. Hackers stole names, Social Security numbers, driver's license numbers and dates of birth for more than 1 million individuals – including policyholders as well as individuals seeking quotes.
Key (Security) Trends
1. External Threats: Organized crime, nation-states, cyber espionage, hacktivism, insider threats.
2. Change in the way business is conducted: Cloud computing, big data, social media, consumerization, BYOD, mobile banking.
3. Rapid technology change: Critical national infrastructure, smart/metering, internet of all things.
4. Regulatory compliance: Data loss, privacy, records management.
5. Changing market and client need: Strategic shift, situational awareness, intelligence sharing, cyber response.
We are in the midst of a digital and mobile revolution
DIGITAL and MOBILE technologies are transforming the way we live and work.
of companies are in some phase of changing their business model*
The #1 and #2 drivers of business transformation*: CUSTOMER EXPECTATIONS, NEW TECHNOLOGY
* 2013 KPMG Technology Innovation & Business Transformation Surveys
Did you know?
More than 90 percent of the world’s data has been created in the past two years, and clients are telling us they need help getting actionable insights from their data so they can make better business decisions.
Quality of Information
Please rate the quality of the information you receive about cyber security—including data privacy and the protection of intellectual property:
Source: “KPMG 2014 Audit Committee Member Survey”.
The Five Most Common Cyber Security Myths
Myth #1: “We have to achieve 100 percent security.”
Reality: 100 percent security is neither feasible nor the appropriate goal.
Myth #2: “When we invest in best-in-class technical tools, we are safe.”
Reality: Effective Cyber Security is less dependent on technology than you think.
Myth #3: “Our weapons have to be better than those of our attackers.”
Reality: The security policy should primarily be determined by your goals, not those of your attackers.
Myth #4: “Cyber Security compliance is all about effective monitoring.”
Reality: The ability to learn is just as important as the ability to monitor.
Myth #5: “We need to recruit the best professionals to defend ourselves against cyber crime.”
Reality: Cyber Security is not a department, but an attitude.
New “Vectors” of Threats are Accelerating the Concern
YESTERDAY…
Bad “Actors”: Isolated criminals, “Script Kiddies”
“Target of Opportunity” Targets: Identity Theft, Self Promotion Opportunities, Theft of Services
TODAY…
Bad “Actors”: Organized criminals, Foreign States, Hacktivists
“Target of Choice” Targets: Intellectual Property, Financial Information, Strategic Access
How often are risk management considerations factored into your organization’s strategic planning decisions?
Source: Expectations of Risk Management Outpacing Capabilities, KPMG International, 2013.
Key Stakeholder Analysis
Who is responsible for cyber security?
Key Stakeholder Analysis: Board/CEO
The Board/CEO should ask: “Are we organized appropriately?”
Key Stakeholder Analysis: Board/CEO (cont’d)
Boards often say they lack proper security metrics and have difficulty measuring the value of security.
Key Stakeholder Analysis: CIO/CISO
The security function and CISO role need to quickly evolve, focusing more on business and less on technology.
Key Considerations for CIO/CISO
Key Stakeholder Analysis: CIO/CISO (cont’d)
1. How do I determine whether I’m subject to sophisticated attacks?
2. Are there malicious insiders in my organization, abusing their position and system access?
3. What events should we track and how should we prioritize large volumes of events of interest?
4. How do I determine and prove the course of events of an attack?
5. How do I prove the integrity of electronic data being used in investigative or litigation proceedings?
Focus Shift: Old focus vs. 2014 focus
Key Stakeholder Analysis: CIO/CISO (cont’d)
With the evolving cyber threat landscape, many CISOs face a variety of challenges. CISOs cite gaps in skill sets on their teams, lack of bandwidth and inadequate budgets as some of the biggest issues.
Emerging Risks: Targeted Malware Attacks/Spearphishing; Intellectual Property Protection; BYOD/Consumerization; Foreign National Threats; Increased Data Leakage and Portability; “Zero Day” Attacks; Insider Threats; Diverse Compliance Challenges; Critical Infrastructure Protection; Integration with ERM Initiatives.
Business Enablement: Rapidly Changing Business Needs; Increased Value Chain Integration; Globalization; Expanding New Revenue Streams; Mergers, Sourcing and Workforce Changes; Need for Improved Business Intelligence; E-Discovery and Investigations; Social Media Platforms.
Technical Architecture: Security Analytics & Threat Intelligence; Public/Private “Cloud” Computing; Incident Response & Logging; GRC Solutions and Integration; Application and Code Review; Data Loss Prevention; IAM Governance and Process (Role Optimization, Privileged Management); Increased Encryption (Data Level and Mobile); Endpoint Protection & Validation.
Security Management: Better Integration with Risk Management; Security Organization Model and Structure; Awareness and Training; Crisis Management; “Doing More with Less”; Vendor and 3rd Party Management; Asset and Configuration Management; Executive Reporting and Metrics; Managed Security Services.
Assessing Cyber Maturity/Readiness
Cyber Readiness: Six Key Maturity Areas To Focus On
1. Leadership and governance
2. Legal and compliance
3. Operations and technology
4. Human factors
5. Information risk management
6. Business continuity
“From Data Center To Boardroom” - How Do Risk Management Considerations Relate To Cyber Security?
Point in the cyber transformation process where we see most of our clients being right now:
1 = “Initial” / “Reactive”
2 = “Established” / “Proactive”
3 = “Business Enabling” / “Resilient”
Is leadership enabling appropriate measures?
How effectively are you operating your toolset?
Risk and Compliance Insights
“Hot Topics” Deep-dive
Lack of threat intelligence impact on organizations
$10M is the average amount spent in the past 12 months to resolve the impact of exploits…
Actionable intelligence about cyber attacks within 60 sec of a compromise could reduce cost by 40%...
53% believe live intelligence is essential or very important to achieve a strong cybersecurity defense
57% say the intelligence currently available to their enterprises is often too stale to enable them to grasp
Only 10% know with absolute certainty that a material exploit or breach to networks or enterprise systems occurred
23% said it can take as long as a day to identify a compromise
49% said it can take within a week to more than a month to identify a compromise
Source: Ponemon Institute 2013 Live Threat Intelligence Impact Report
Detection and response - Building the program
Activities per phase:
Asset management AND criticality (HVAI)
Build the incident model
Gap analysis of sources, tech, and people
Authority for the mission
Implement program to close gaps
Fulfill advanced use cases
Create threat intel process and team
Increase coordination with teams outside of SOC, cyber, IR, etc.
Automated IR
Define measures and measure success
Further development of cyber threat intel
Implement intel and knowledge sharing
Implement improvements based on real or modeled “lessons learned”
Build your hunting team
Feedback loop established
Really Understanding Sensitive Data
Cloud Visibility and Risk
3rd Party Risk
The use of third parties increases the need for oversight of the process from start to finish:
1. Risk assessment
2. Due Diligence
3. Contract structuring and review
4. Oversight
Line of Defense Model
First Line of Defense: Business Line (IT) is responsible for taking and managing risk within risk appetite.
Second Line of Defense: Risk Management (RM) Units provide effective challenge to make sure that risks are controlled and managed.
Third Line of Defense: Assurance Units independently test and evaluate overall risk and control performance.

Risk Activities by line of defense:

Identify Risks
First line: Identify and manage risks
Second line: Identify and aggregate risks
Third line: Identify risks through assurance work

Develop/Monitor Risk Appetite
First line: Set LOB risk appetite within corporate guardrails. Consult 2nd line to adapt / change appetite thresholds
Second line: Set appetite / secure approval, monitor performance
Third line: Challenge and validate appropriateness of appetite

Policies, Procedures
First line: Understand spirit of requirements; write and maintain procedures, business policies, and risk documentation that adhere to requirements
Second line: Write and maintain corporate policies, risk appetites, and risk framework expectations. Review/approve business unit control documents for adherence to policy requirements
Third line: Challenge and evaluate overall policy and governance framework

Governance & Accountability
First line: Develop & manage committees, approvals, escalations
Second line: Define authority and accountability; committee structure, escalations. Provide effective challenge: approve certain new risk exposures and plans to control them
Third line: Challenge and evaluate overall governance effectiveness

Implement and Maintain Controls
First line: Design, implement, and maintain controls
Second line: Consult on controls. Design & implement enterprise controls
Third line: Evaluate effectiveness of controls in business units

Monitor & Test Controls
First line: Monitor controls
Second line: Test and evaluate control effectiveness and completeness
Third line: Challenge and evaluate sufficiency of LOB monitoring and 2nd line independent testing

Resolve Issues and Control Weaknesses
First line: Resolve issues and control weaknesses
Second line: Consult on changes to control design and ensure adequate urgency is applied
Third line: Challenge and evaluate sufficiency of management’s ability to address issues and control weaknesses

Reporting
First line: Report risk results
Second line: Report consolidated risk position against appetite/limits
Third line: Assess adequacy of reporting for transparency of decision making by management and the Board