Cyber Security & GRC Metrics That Tell a Story!
Presented by:
Swarnika Mehta, Manager, KPMG Cyber Security Services
Eva Benn, Senior Associate, KPMG Cyber Security Services
Introduction
In the news

Hackers Stole Credit Card Information From Thousands of Arby's Customers
Jonathan Vanian, Feb 09, 2017
Hackers have stolen customer credit card information from an unknown number of Arby's restaurants, according to a report on Thursday.
Read more at: http://fortune.com/2017/02/09/arbys-restaurantshackers-data-breach/

Military personnel data leaked in Dun & Bradstreet database
By James Rogers, Published March 16, 2017
The huge leak of a Dun & Bradstreet database containing the details of almost 33.7 million people includes over 100,000 military personnel, according to the security researcher who reported the leak.
Read more at: http://www.foxnews.com/tech/2017/03/16/military-personnel-data-leaked-in-dunbradstreet-database.html
The hard questions
How do we distill the important information and complex metrics in a way that can be consumed by senior executives and the board?
Information Security Metrics Program (ISMP)
Key Metrics
Key reporting metrics

Application Security
- % of applications scanned
- % of vulnerabilities by severity (Low / Medium / High)
- Time to remediate vulnerabilities

Server Security
- % of ICF/non-ICF servers missing sev 4/5 patches
- % of ICF/non-ICF servers with AV and CSP installed

Endpoint Security
- % of endpoints missing critical security patches
- % of endpoints with Anti-Virus installed

Incident Management
- Time to remediate security events
- Incidents by state (Closed / Pending / Open)
- Time to resolve incidents

Vendor Security
- High, Medium, and Low risk vendors
- Average vendor risk score (8.8)
- % of vendors that completed risk assessments

Operations
- # of resources with certifications
- Security projects (On Track / Delayed)
How do I tell the story?
- Align with business goals (e.g., % customer satisfaction, tracked quarter over quarter: Q1, Q2)
- Provide holistic trends in cyber security risks (High / Medium / Low risk by quarter)
- Reporting by stakeholders: vulnerabilities remediated, reduction in compliance failures
- Facts that matter! Which numbers have gone up? Which numbers have gone down? (Operational redundancies, data leakage, vendor risk, insider threat, malware)
- Demonstrate ROI on IT investments (investment vs. savings)
- Focused metrics
- Do it again!
Metrics Program and Technology Enablement
Common Challenges

People
- No business context
- Lack of awareness
- Poor delivery

Process
- Arbitrary thresholds
- No clear requirements
- Too many metrics

Technology
- Lack of capability to gather, collect or analyze data
- Manually producing metrics is too time consuming
- Not all historical data is usable and requires expensive cleanup
Key components of an ISMP
- Governance and Ongoing Maintenance: Roles and responsibilities with supporting processes needed to operationalize the program and keep it relevant over time.
- Presentation and Reporting: Organizing metrics results into visually appealing and intuitive reports at each stakeholder level. Examples include a management level memo, a program level scorecard and an operational level dashboard.
- Scope and Coverage: Areas of measurement within the program. This includes domains (e.g., Endpoint Security, Threat Management) and relevant metrics within each domain.
- Extraction and Collection: Collecting raw metrics data from identified data sources or source systems to calculate metrics.
- Measurement and Analysis: Calculating metrics based on raw metrics data and analyzing results using thresholds, weighting, targets, trending, etc.
Building an information security metrics program
Maturity path, from non-existent to mature:
- Strategy and Design: DEFINE STRATEGY, DESIGN, BUILD ROADMAP
- Implementation (Manual): DEVELOP METRICS, PHASED ROLLOUT, OPERATIONALIZE
- Implementation (Enhanced): AUTOMATE, FULL ROLLOUT, DATA & ANALYTICS
Enhancement opportunities
- Aggregate Score by Domain: Metrics will be aggregated into domains (e.g. Incident Management, Mobile Security, etc.). An aggregated score will be provided for each domain using simple, yet specific formulae.
- Weighted Metrics: Metrics will be weighted based on their importance on applied assets (e.g. critical application vs. non-critical application) to help with prioritization of metrics.
- Thresholds: Thresholds and tolerance levels will help analyze whether the measured or calculated value of each metric is helping track risks as well as performance objectives.
- Risk & Control Mapping: Risks will be mapped to each domain so that the user will be able to decide on appropriate actions to be taken based on the types of risk exposure. Relevant controls will be mapped to each domain to provide the user with the ability to devise an initial remediation strategy and action.
- Dimensions: Each metric report can be dimensionalized (filtered), through relationships, so that the user can come in from a different viewpoint (e.g. Segment, Region, Country, Business Unit, Sub BU, Data Center, Data Center Supplier, IT Area, Stakeholder, CISO). The user will be able to view trends for each metric and compare against other related metrics.
- Drill Down Capability: Users will have the ability to drill down into each domain to see individual metric reports and other detailed information (e.g. server name, stakeholder, etc.).
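The aggregation, weighting, threshold and dimension ideas above (and the endpoint and incident metrics from the key reporting metrics slide) are easier to reason about with a concrete scoring rule. The following is an added example, not code from the presentation or from KPMG: each metric carries a target (the value that earns a score of 100), a tolerance (the value that earns 0), a weight, and a dimension map; a domain score is the weight-averaged metric score, and a traffic-light status is assigned by thresholds. The metric values, targets, tolerances, weights, the linear scoring rule and the 80/60 status thresholds are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Metric:
    """One measured value with its scoring context (all values assumed for this example)."""
    domain: str
    name: str
    value: float
    target: float        # value at which the metric scores 100
    tolerance: float     # value at which the metric scores 0 (beyond it still scores 0)
    weight: float        # relative importance inside the domain (e.g. critical vs. non-critical)
    dims: dict = field(default_factory=dict)   # dimensions used for filtering (region, BU, ...)


def metric_score(m: Metric) -> float:
    """Linear score between target (100) and tolerance (0), clipped to [0, 100].

    Works for both directions: if target < tolerance a lower value is better
    (% endpoints missing patches); if target > tolerance a higher value is better
    (% endpoints with Anti-Virus installed).
    """
    span = m.tolerance - m.target
    if span == 0:
        return 100.0 if m.value == m.target else 0.0
    frac = (m.value - m.target) / span          # 0.0 at target, 1.0 at tolerance
    frac = min(max(frac, 0.0), 1.0)
    return round(100.0 * (1.0 - frac), 1)


def status(score: float, green: float = 80.0, amber: float = 60.0) -> str:
    """Traffic-light status from assumed thresholds (80 / 60)."""
    if score >= green:
        return "green"
    if score >= amber:
        return "amber"
    return "red"


def filter_by_dimension(metrics, **dims):
    """Keep only metrics whose dimension values match all given key=value pairs."""
    return [m for m in metrics if all(m.dims.get(k) == v for k, v in dims.items())]


def domain_scores(metrics) -> dict:
    """Weighted average of metric scores, per domain, rounded to one decimal."""
    by_domain = {}
    for m in metrics:
        by_domain.setdefault(m.domain, []).append(m)
    out = {}
    for domain, ms in by_domain.items():
        total_weight = sum(m.weight for m in ms)
        out[domain] = round(sum(m.weight * metric_score(m) for m in ms) / total_weight, 1)
    return out


def drill_down(metrics, domain: str):
    """Per-metric detail behind one domain score (name, dimensions, score, status)."""
    return [(m.name, m.dims, metric_score(m), status(metric_score(m)))
            for m in metrics if m.domain == domain]


# Constructed sample data; values, targets, tolerances and weights are assumptions.
SAMPLE = [
    Metric("Endpoint Security", "% endpoints missing critical security patches", 12.0, 2.0, 20.0, 3.0, {"region": "EMEA"}),
    Metric("Endpoint Security", "% endpoints with Anti-Virus installed", 96.0, 99.0, 90.0, 2.0, {"region": "EMEA"}),
    Metric("Endpoint Security", "% endpoints missing critical security patches", 4.0, 2.0, 20.0, 3.0, {"region": "AMER"}),
    Metric("Endpoint Security", "% endpoints with Anti-Virus installed", 99.5, 99.0, 90.0, 2.0, {"region": "AMER"}),
    Metric("Incident Management", "Time to resolve incidents (days)", 3.0, 2.0, 10.0, 2.0, {"region": "EMEA"}),
    Metric("Incident Management", "% incidents open past SLA", 30.0, 5.0, 40.0, 3.0, {"region": "EMEA"}),
]


if __name__ == "__main__":
    # Program-level scorecard across all dimensions
    for domain, score in domain_scores(SAMPLE).items():
        print(f"{domain:20s} {score:6.1f}  {status(score)}")
    # Same scorecard viewed from one dimension, then drilled into
    emea = filter_by_dimension(SAMPLE, region="EMEA")
    print("EMEA only:", domain_scores(emea))
    for row in drill_down(emea, "Endpoint Security"):
        print("  ", row)
```

The regional filter is what makes the numbers tell a story: the organization-wide Endpoint Security score lands in amber, but filtering to one region shows one red and one green, which is the drill-down a stakeholder needs before deciding where to act.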
Do's and Don'ts
Lessons learned

Sustainability
- Rationalize frameworks (simplify and integrate)
- Leverage automation to support operational enablement

Single view of risk
- Define scope of existing risk reporting activities
- Manage cyber risk within the organizational context
- Align correlations to business objectives and risks
- Focus on key metrics

Scalability
- Build a culture of continuous improvement
- Design process and capabilities (process and tools) to mature over time

Ownership & Accountability
- Establish a structured cyber risk reporting capability
- Rationalize processes and frameworks to enable prioritization and decision making
- Differentiate governance versus operational roles and responsibilities
- Ensure board level awareness of key cyber risk and compliance issues
Considerations for implementing an ISMP
As with any additional capability added to an organization, there are several cost considerations that need to be accounted for; the actual cost will depend on the scope of the ISMP.

People
- Additional resources need to be hired, or current resources need their responsibilities prioritized, to support operationalizing the ISMP
- Raw data owners need to allocate time to support collection of metrics data

Process
- Metrics collection, reporting development, ISMP ongoing maintenance and training processes need to be developed and executed once the ISMP is operational
- Additional processes to extract data may need to be defined
- Gather contextual data for metrics (e.g., thresholds, dimensions)
- Technical implementation of processes to extract data

Technology
- Initial investments towards a metrics solution for automated aggregation, reporting and analytics ("Big Security Data")
Thank you
kpmg.com/socialmedia The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity and the views presented herein are those of the presenter. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. 2017 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. (On printed materials, add: Printed in the U.S.A.) The KPMG name and logo are registered trademarks or trademarks of KPMG International.