Insurance Accounting & Systems Association (IASA): NY/NJ Chapter Spring 2014

State of Information Security
Deloitte & Touche LLP
May 20, 2014

As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Introductions

Najeh Adib
Manager, Cyber Risk Services, Deloitte & Touche LLP
Phone: +1 203 274 2014
E-Mail: nadib@deloitte.com

Tushar Srivastava
Manager, Cyber Risk Services, Deloitte & Touche LLP
Phone: +1 212 436 3779
E-Mail: tsrivastava@deloitte.com
How did we get here?

Technology has given rise to a new kind of consumer and a new kind of worker, causing organizations to fundamentally rethink almost every aspect of their operations.

- Socially connected: Consumers are constantly connected to their social networks, resulting in increasingly collaborative experiences in which they are both influenced by and influencers of their peers.
- Behaviorally connected: Companies are gaining more detailed information about individuals, enabling more compelling consumer engagement through marketing and product/service offerings that are tightly linked to past patterns of behavior.
- Technically connected: Consumers are constantly connected to the Internet through smart, portable, and highly usable devices, enabling real-time analysis, price comparisons, and product/service transparency.

The enterprise has evolved over the past two decades from Industrial to Digital to Postdigital:

- Organization: Industrial = Specialization, processes-focused; Digital = Functional model, IT-focused; Postdigital = Interdisciplinary, collaboration-focused
- Channel: Industrial = Single channel; Digital = Multichannel; Postdigital = Omnichannel
- Market approach: Industrial = Plan-based replenishment; Digital = Transaction-based replenishment; Postdigital = Interest-based replenishment
Disrupt or be disrupted

Organizations must evolve to stay relevant as behaviors and needs within the post-digital ecosystem change rapidly.

A slow response invites disruption:
- A movie rental company failed to heed customers' changing appetite for direct, instant digital fulfillment.
- A consumer electronics retailer failed to transform its workforce from traditional salesmen into engaging customer service advocates.
- Static businesses will be unable to meet desires and expectations in two years.

Evolve now and you can disrupt and grow:
- An online shoe retailer disrupted the industry by using mobile and social technology to provide the flexibility that customers desire.
- A home improvement retailer empowers employees with collaboration tools to share ideas and leading practices.
- An innovative car rental service channeled social technologies to provide customers the desired high-touch merchant experience at a low cost.
- Postdigital enterprises will evolve to harness disruptive technologies.
Deloitte Tech Trends 2013: Elements of Post-digital

Interested in more? The full report can be downloaded at http://www.deloitte.com/view/en_us/us/services/consulting/technology-consulting/technology-2013/index.htm
The impact on today's Information and Cyber Security Officers

Expectations are evolving as executives grapple with the impact of the post-digital environment on information and technology.

Corporate / BU CIO:
- Customer focus
- Consumerization of technology
- Value-driven allocation of resources to maximize results
- Emphasis on partnering to deliver business capabilities
- Extendible and flexible enterprise architecture to support a broader ecosystem and new technologies
- Cost reduction
- Shift from fixed to variable cost models to address fluctuating business requirements
- Global resource management (enterprise and third party; onshore and offshore)
- Smart sourcing of development / infrastructure / services
- Create efficiencies by leveraging big data

Chief / BU Information Security Officers:
- Understand the real risk associated with data and the associated security implications
- Strike a balance between information security, the evolving business model, and end-user expectations that are primarily formed through use of consumer technology
- Secure data that transcends the four walls of the company, especially in cloud, mobile, and unstructured environments
- Manage software vulnerabilities as development cycles shorten and applications are introduced into new environments
- Understand regulatory and legal expectations and determine how to address them without hindering the IT organization and the business
Key cyber security focus areas

Below are some of the key focus areas for today's cyber risk executives.

Agile Risk Management:
- Integrating risk management into existing IT management processes (e.g., the SDLC) rather than bolting it on
- Rationalizing control processes and tempering them based on risk tolerance

Cyber Security:
- Understanding cyber criminal networks and their potential impact on the company (and its clients)
- Preventing cyber attacks and advanced persistent threats
- Keeping up with cyber criminals as they innovate at a faster pace than industry

Mobile Security:
- Mobile technology and social networking provide an ecosystem that is complex and rapidly evolving
- Adoption of mobile devices (and BYOD) is growing at a staggering rate across industries and markets
- Powerful communication tools are opening new communication channels and risks

Third Party Security:
- Operating cost pressures drive an increased focus on outsourcing business functions
- Companies are dependent on third parties for core operations and key business functions
- Regulatory requirements of third party suppliers are complex and difficult to manage

Cloud Computing:
- Ease of acquisition and use drives an increased business demand for cloud capabilities ("Rogue IT")
- Difficulty in addressing responsibility for information security in the cloud
- Records management, data privacy, and disclosure risks are complicated by international jurisdictions

Regulatory Requirements:
- Changes to the regulatory environment must filter through to information security programs
- Global organizations must constantly monitor for changes to international regulatory requirements
- Failure to meet regulatory requirements in information security can have real business impact
Agile risk management

The Challenge
Many organizations believe that "appropriate information security can still be achieved by simply purchasing various security products and services"¹ while burdening the IT organization with additional check-the-box exercises.

Overview
- One size does not fit all: existing risk management processes often do not account for the organization's risk tolerance
- Integrated vs. bolted on: risk processes are often bolted on as separate processes instead of being integrated into existing processes (e.g., the SDLC)
- Adaptability: existing risk processes and libraries often do not account for the evolving threat landscape and are not agile enough to adapt quickly

Key Considerations
- Engage the business earlier
- Get a seat at the decision-making table by demonstrating value and flexibility
- Look for opportunities to adjust the rigor of risk management processes based on tolerance

¹ "A Systematic, Comprehensive Approach to Information Security", Gartner, published 24 June 2010
Cyber security

The Challenge
Cyber crime has taken a chilling turn: it is now serious, more widespread, aggressive, growing, and increasingly sophisticated, posing major implications for national and economic security.

Overview
- Velocity and volume: frequent cyber attacks and breaches, with discovery usually occurring only after the fact, if at all
- Innovation and sophistication: cyber criminals are innovating at a pace which many organizations and technology vendors cannot match
- It's not just the hacker: many organizations have not yet recognized organized cyber criminal networks as a potential threat
- Current deterrents aren't working: effective deterrents are not known, available, or accessible to many practitioners

By the numbers
- 288: number of publicly disclosed data breaches in the last 6+ years
- 83M: number of customer records exposed in data breaches in the last 6+ years
- 360K: number of credit card accounts compromised in a single data breach

Key Considerations
- Understand how your organization is viewed by cyber criminals
- Consider risk when determining where to focus resources
- Balance the impact of an incident with the ability to acquire intel
Mobile security

The Challenge
With the rapid and increased adoption of mobile devices, CISOs are often faced with the challenge of how to adopt enterprise mobility while protecting the organization's assets.

Overview
- Mobile ecosystem: a complex, rapidly developing environment where new risks are introduced every day
- Adoption: growing at a staggering rate, and will continue to do so for the foreseeable future
- Powerful tools: mobility has the potential to deliver powerful tools and open new communication channels
- Enterprise mobility challenges include bring your own device (BYOD), management of diverse mobile devices, secure mobile asset deployment, and mobile data loss

Key Considerations
- Balance mobile security with usability
- Understand the true threats
- Consider training and awareness to compensate for reduced control
Third party security

The Challenge
Reliance on third party relationships can significantly increase an organization's risk profile. Increased risk most often arises from poor planning, oversight, and control on the part of the organization and/or inferior performance or service on the part of the supplier.

Overview
- Core functions: many organizations depend on third parties for their core operations and key business functions
- Competitive advantage: looking to third-party relationships as a way to gain a competitive edge without regard for risks
- Nature of relationship: third party risk isn't a risk unto itself; rather, it is a combination of other risks with various degrees of severity based on the nature of the relationship with the third party
- Regulatory requirements: continue to increase and evolve with changes in outsourcing trends

Key Considerations
- Tailor practices based on the complexity of third party activities
- Tier outsourced third party relationships based on risk
- Consider ongoing operational performance reviews of critical vendors
Cloud computing

The Challenge
Cloud computing is changing how businesses purchase, deploy, and support IT services, and most organizations are now responding to the new opportunities. Security concerns rank as the most challenging to resolve, and act as a barrier to cloud adoption across all industries.

Overview
- Increased business demand: the business pursues cloud deployment for agility and cost savings before security matures
- Responsibility and governance: lack of appropriate governance and oversight is as critical as security concerns
- Inherent risks: exacerbated when data in the cloud resides in a foreign country or moves across international borders
- Regulatory and compliance requirements: not optional in cloud computing

Key Considerations
- Build a holistic risk profile to support adoption
- Know the boundaries of the cloud deployment model
- Understand time-to-market business drivers
Regulatory requirements

The Challenge
The evolving information security threat landscape has been recognized by industry regulators. Information security must understand the impacts of new regulations and changes to existing regulations, and be an early adopter of these changes.

Overview
- Regulations change: changes to regulations must be analyzed and, where necessary, adopted into the information security program
- Regulations are global: organizations with a global footprint must constantly monitor for changes to regulations in each operating jurisdiction
- Regulatory and compliance requirements are not optional, and failure of information security to meet regulations can have a real impact on the business (fines, sanctions, etc.)

Key Considerations
- Know which regulatory jurisdictions to monitor
- Monitor for regulatory changes and determine their impact
- Be a regulatory consultant to the business
In conclusion, here is what to watch out for...

- Information security as a compliance-driven exercise: security that is only compliance driven, promoting a check-the-box mentality
- The technical value proposition, not a vision of the future: a program that cannot articulate how information security adds value to the organization
- Bolt-on security tools and controls for the sake of tools and controls: prioritizing bolt-on security controls and tools, and not necessarily the needs of the business
- Security at the end: a mentality of involving information security only at the end of a project or process drives down the information security program's value
- Not a trusted advisor; a barrier to business progress and innovation: acting as a policy cop or paranoid custodian of security rather than an enabler to the business¹
...and what to consider focusing on

- Be resilient: build a program immune to à la mode security priorities. Understand current maturity and capabilities, and align with the business to reduce the flavor-of-the-month approach to security.
- Predict: it takes more than good technology to prevent breaches. Take a proactive, risk-based approach to keep pace with the evolving threat landscape.
- Adapt: understand and adjust the current risk appetite. A risk appetite that adjusts by aligning with the security priorities of the business.
- Improve: seek continuous improvement. Develop processes to build a security program based on continual improvement.
- Evolve to a trusted advisor: grow an information security program that plays an active role in supporting the business strategy and that is a valued, trusted adviser.
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.