Cyber Security: The Corporate Blindspot
Post on 16-Aug-2020

CONTENTS

The Corporate Blind Spot: Why the Traditional Approach to Cyber Security is no Longer Fit for Purpose 3

Compliance with Cyber Security Standards is Only the First Step 6

Uniting Technology and Business: the New Role for the CEO, COO, CFO, CLO, and the Chief Information Security Officer (CISO) 8

How a Solid, Holistic Cyber Strategy Can Drive EBITDA and Protect Business Value 10

Conclusion: Some Questions to Focus Smarter Investment 12

A Checklist of Key Questions 12

Contact Information 12


THE CORPORATE BLIND SPOT: WHY THE TRADITIONAL APPROACH TO CYBER SECURITY IS NO LONGER FIT FOR PURPOSE

For any organization with online interactions, which effectively means all organizations today, the upside business opportunities presented by operating in cyber space are clear, present and growing. Unfortunately, so are the downside threats.

The continuing escalation in cyberattacks has two key implications for businesses and governments.

First, at some stage every organization will encounter a crisis. The question is how it manages it. So it is imperative to have an explicit crisis management plan in place, detailing the steps that will be taken in response to each specific type of attack or breach, and one that evolves as the nature of the threats changes.

The second implication is that all corporate leaders must own the company’s cyber risks. It is no longer enough for the CEO or COO to tell the CIO or IT function to go and “fix” cyber threats. Today’s leaders need to understand both business risks and cyber risks. Otherwise they are simply not up to the job of running the business day-to-day.

The need for reinvention

In turn, we believe that these two implications for organizations point to a wider requirement: an urgent need for today’s widely-accepted approach to cyber security to undergo radical change. Such a reinvention is imperative if cyber security is to remain effective, relevant, and capable of ensuring that organizations have all-around, 20/20 vision of their cyber risks.

Why does cyber security need to be transformed? Put simply, business has evolved and the threats have evolved. But cyber security has not kept pace with the risks. And the gap is widening.

This issue transcends boundaries between functions, organizations, industries, geographies and levels of management. Easily-identifiable targets such as critical infrastructure companies – banks, telcos and the like – tend to be further up the maturity curve for effective cyber security. But in all organizations, whatever their level of sophistication, protecting against cyber threats remains a thorny executive and board-level challenge.

A&M QUICKPOLL

A&M conducted an online QuickPoll with a broad range of global clients. We refer to the findings at relevant points throughout this document.

Respondents are senior decision makers in business or in cyber security roles, representing a mixture of public and private sector organizations. The findings provide a snapshot of current perceptions among experts responsible for defending their organizations against cyberattacks.


A clear and present danger …

The size of the challenge is underscored by the fact that many public and private sector entities worldwide are finally beginning to acknowledge cyber threats as one of their most pressing and critical risks. Nations need to know that their critical infrastructure and citizens’ data are under threat. Corporations need to know that a single cyber breach can significantly drive down their earnings per share – and multiple hits could cause their EPS to collapse. Credit ratings also may be impacted.

These risks won’t go away. In fact, they’re demonstrably escalating. The World Economic Forum’s Global Risks 2013¹ ranks cyberattacks as the most likely technology risk to occur, and the second most impactful after a critical systems failure. The Lloyds of London Risk Index 2013² shows that cyber risk has risen from position 12 (malicious) and 19 (non-malicious) in 2011, to the world’s No. 3 risk overall.

This upward re-rating of cyber threats provides a much-needed reality check. But there are still signs of complacency: the Lloyds of London Risk Index also finds that most companies continue to score their preparedness for cyberattacks at a higher rate than the risk itself, suggesting they believe they’ve got it covered.

That’s a dangerous assumption, especially at a time when the scope of the problem is widening, when no organization is safe. China – often accused by Western governments of being responsible for many attacks – announced in August 2013 that a large number of Chinese websites had suffered their “biggest ever” distributed denial of service (DDoS) attack, bringing many businesses to a halt.

… to which no organization – small or large – is immune.

The message is clear: nobody is immune. Yet organizations of all types are still struggling to target the right level of protection through the right level of investment. And with so many large and well-prepared targets being hit, companies are asking what chance smaller and less well-funded entities have of protecting themselves effectively.

Given such questions, it is important to accept that in an interconnected and e-commerce world, complete immunity against cyber risks is unachievable. In the modern world, every individual is now connected electronically to every other individual. The same is true of organizations: employees can access anyone from anywhere. At the opposite end of the spectrum is North Korea, a government protected by being disconnected – and a nation that suffers the consequences of ignorance and poverty.

No organization can afford to follow the North Korean model and seek cyber immunity by becoming a hermit. Doing business would immediately become impossible. So we must all embrace cyber, which means we must understand and manage cyber risks.

¹ World Economic Forum, Global Risks 2013, 8th Edition, accessed at http://reports.weforum.org/global-risks-2013/

² Lloyds of London and Ipsos MORI, Risk Index 2013, accessed at http://www.lloyds.com/news-and-insight/risk-insight/reports/risk/risk-index-2013

OUR A&M QUICKPOLL: THE ABILITY TO RESPOND TO A CRISIS

Of the A&M clients interviewed, 38 percent have little confidence in their abilities to respond when an attack occurs and a further 21 percent are only moderately confident.


The economics of cyber security investment …

This need throws the spotlight squarely onto the cyber security industry, an industry facing an aggressive and global cybercrime community that clearly dwarfs its own capabilities and resources. Yet for businesses, the economics of investing in cyber security remain unclear. Why? One reason is that the value of averting an attack is so difficult to quantify. Another equally important economic consideration is a misalignment between the entities that face cyber threats and the ones that suffer the effects of breaches. As Tyler Moore of Harvard University has highlighted, the impacts and costs resulting from a successful cyberattack generally affect other organizations in the value chain far more strongly than the original target.³ This means each organization has an incentive to under-invest in its own cyber security because the main benefits of its expenditure will be felt elsewhere.

Importantly, an organization’s greatest risk of succumbing to attacks is often through its suppliers and value chain partners. For example, a bank may pass its most sensitive digital data to external business partners, including its legal advisers. No matter how strong the bank’s own internal cyber security may be, its data is only secured at the lowest level of protection practiced among its third-party suppliers. The chain is only as strong as its weakest member!

… point to spending smarter before spending more.

The value chain dynamics of investments in cyber security, and the misalignment in returns from this expenditure, have some major ripple effects.

One of these is that individual organizations, and their boards, are unlikely to approve large increases in their cyber security investments until they actually experience an attack. Instead, executives and boards will continue to spend the amount they feel is proportionate to safeguard against the downside risks they anticipate. Indeed, some companies we meet are spending nothing on cyber protection. They have no chief information security officer (CISO), no cyber strategy, and no monitoring of the network. In today’s world, this approach is reckless.

Such a situation points to a clear imperative: that before organizations consider spending more on cyber security, they first need to ensure that their existing investment is targeting the right resources, to address the right risks, at the right time. In other words, companies need to ensure they’re spending smarter before they even think about spending more.

Only when an organization has a bedrock of smart and cost-effective cyber security in place, across its operations and supply chain, is it in a position to assess the incremental benefits that would flow from additional investment.

Alvarez & Marsal believes that, for many organizations, spending smarter demands a radical change of approach – by both their external cyber security suppliers and their internal leadership and teams. In the rest of this paper, we’ll examine what this new approach should encompass.

³ Moore, T. 2010. Introducing the Economics of Cybersecurity: Principles and Policy Options, Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy, Washington, D.C., accessed at http://cs.brown.edu/courses/csci1800/sources/lec27/Moore.pdf


COMPLIANCE WITH CYBER SECURITY STANDARDS IS ONLY THE FIRST STEP

The scope and scale of the potential impacts from cyber threats represent a social and business problem as well as a technological one. Given the uncertainties around the returns from current investments in cyber security, the obvious question is where those investments should be targeted to deliver more “bang for your buck.” In our view, a key part of the answer is that organizations should formulate their security programs around the risks presented. This is an approach that often results in companies going beyond compliance with the applicable standards.

An approach that is driven only by standards and frameworks has a number of drawbacks. One is that standards, such as those from the U.S. National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), should be taken as bare minimums, but not as a guarantee that the organization is secure. For smart organizations, compliance with standards and frameworks is not the endpoint. It is an underpinning and threshold for a higher degree of security.

Another drawback to a standard-driven approach is that standards are fragmented globally. Countries worldwide are focusing on developing national-level standards and regulations, while cyberattackers routinely transcend borders and thrive on gaps and disconnects between different security regimes. So defending against cyber risks demands an international approach that mirrors the Internet’s ability to transport disruptive ideas across national borders. This point was highlighted in a recent speech at the United Nations by the president of Estonia, the country ranked the global No. 1 in Internet freedom by Freedom House for three years in a row (see panel).

At the same time, organizations that have sophisticated and risk-oriented security standards are battling to keep pace with changes, such as the rise of cloud computing, bring your own device (BYOD), and social media. In some cases, it is these very industry standards that serve as a roadmap for attackers, identifying security gaps that could permit unauthorized access to systems and distracting the company’s security team from more strategic tasks.

A routine approach based on regulation and standards may give an illusion of control, but it gives little more than that. As a recent paper from the Information Security Forum (ISF) summed up: “Compliance is not good security; good security results in compliance.”⁴

Rather than relying on compliance, an organization needs to build a cyber protection process that flexes and responds continually to changes in its own organization, its customer interface, its supply chain, and in the wider universes of cyber threats. Such a process is illustrated in Figure 1.

⁴ Information Security Forum, The Modern CISO: Managing Risk and Delivering Value, ISF Briefing No. 23, April 2013. Available at https://www.securityforum.org/ (membership required)

Figure 1: An iterative continuous improvement process for cyber security (a loop labelled “Dynamic Cyber Protection” with the stages Policy, Training, Implementation, Monitoring and Responding)


THE NEED FOR AN INTERNATIONAL APPROACH TO CYBERSPACE

“Up to the Internet age, the Westphalian system and the principle of the inviolability of borders protected regimes. A ruler could do as he wished, so long as he stayed in his own borders. Cyberspace has no borders. Countries face the import of potentially disruptive liberal ideas of open societies. We must choose between two paths: either we can change the nature of the Internet by acceding to a Westphalian regulatory structure of Internet governance, or we can change the world.”

Keynote Address by President Toomas Hendrik Ilves of Estonia at Panel Discussion “A Secure and Free Internet,” UN Dag Hammarskjöld Library Auditorium, September 23, 2013. Source: http://www.un.estemb.org/statements_articles/aid-930

Rather than embodying a one-shot journey from policy, via training, implementation, monitoring and responding, a modern cyber protection process is designed as an iterative loop, feeding information back into the process and continuously improving and helping the organization move from a fire-fighting mode to a more proactive stance.

Recognizing blind spots

While some companies have grasped the shortcomings of compliance for managing cyber risks, many still have a blind spot around this issue. For example, the thinking in some organizations, especially at board level, is that effective security is all about applying the right technology controls and that it should be led by the IT organization. There is also a widespread tendency to focus primarily on external risks, while overlooking threats that originate from employees within the business as well as customers and supply chain partners that it deals and exchanges information with.

However, in the cyber world, the distinction between insider and external threats is now largely irrelevant. The “perimeter” that traditional IT security used to defend has disappeared. With customers, suppliers, employees and other stakeholders now able to access the organization’s core systems locally and/or remotely, everyone is effectively an insider. The move to self-service is a further driver of cyber risk: when a public mass transit operator proudly announces that it effectively has 3 million kiosks for buying tickets, it might also mention that it has created 3 million ingress points to its systems. By focusing purely on keeping attackers out, businesses may be overlooking threats that have already gained entry to the organization and its systems.


UNITING TECHNOLOGY AND BUSINESS: THE NEW ROLE FOR THE CEO, COO, CFO, CLO, AND THE CHIEF INFORMATION SECURITY OFFICER (CISO)

As well as looking beyond traditional “outsider” threats, effective cyber security demands a focus on much more than technology. Truly protecting organizations against cyber threats requires deep business and operational understanding and a pervasive risk-aware culture across and between organizations.

As we highlighted at the start of this paper, the need to unite business and technology demands that the executive team play a new role at the intersection of technology, business and risk. To manage and pilot the organization effectively, today’s executive leaders must be equipped to own technology risks and business risks, rather than hand off the cyber security “problem” to the CIO.

Figure 2: The new CISO – at the intersection of technology, business and risk (figure labels: New CISO; Technology; Business; Customers; Risk)

To fulfill this new role effectively, executive leaders also need the right support. Just as a successful Formula One team needs to combine the right driver, mechanics and machine, executive leaders and the board need a Chief Information Security Officer (CISO) who can help bridge the traditional gap between business and IT, to keep critical business systems and data secure.

Change in the CISO’s role was mapped out by the Information Security Forum (ISF) in its 2013 paper, The Modern CISO: Managing risk and delivering value.⁵ As shown in Figure 3, drawn from that paper, the CISO’s role has evolved considerably since 2000, gaining board-level engagement.

To play this new role, the CISO must understand the vocabulary and challenges of the business and IT, by developing wider and deeper business knowledge and relationships with its customers, middle management and external suppliers – all blended with a more public, outward-facing charge.

OUR A&M QUICKPOLL: LACK OF SKILLED RESOURCES IS IMPACTING THE BUSINESS

Of the A&M clients interviewed, 47 percent claim that they do not have sufficient cyber security resources to adequately protect their businesses.

⁵ Ibid.


Unfortunately, across many organizations there is still little clarity and consistency regarding the CISO’s responsibilities and, above all, the CISO’s reporting lines. However one thing is clear: having the CISO report to the IT organization is an inappropriate segregation of duties.

Smaller and medium-sized enterprises (SMEs) may not yet have the budget or need for a new-style CISO. But they may well create a hybrid role that bundles these responsibilities into a wider technology or security position.

Figure 3: The changing role of the Chief Information Security Officer (CISO). Source: Information Security Forum. The figure characterizes the CISO in three eras:

2000: Is an island; has little understanding of how to tie security into the needs of the business; has under-developed leadership/management/judgement skills; is usually fire fighting; does not network with peers; talks technology.

2006: Is a decision maker (a leader); has a good understanding of an organisation; talks business language (a translator); aligns security strategy with business strategy; is sensitive to the organisation’s risk appetite; is willing to take responsibility; gets fundamentals dealt with first; talks information risk.

2013: Has C-level type skills; engages with the board(s); recruits from the business; operational risk activities; enhances the value of the company and brand; takes responsibility for a deeper and broader set of interrelated tasks in risk and governance; talks business risk; has a good understanding of business principles.

“Compliance is not good security; good security results in compliance.”

– Information Security Forum (ISF)

To protect the organization effectively, the team of the executive leaders and CISO must have in place a comprehensive yet dynamic cyber strategy that unites the previously distinct worlds of IT and business. We’ll now examine such a strategy.


HOW A SOLID, HOLISTIC CYBER STRATEGY CAN DRIVE EBITDA AND PROTECT BUSINESS VALUE

Core components for an effective strategy

A core principle of an effective cyber strategy – and one that many organizations are struggling to accept – is the inevitability that some attacks will get through. Having removed the traditional perimeter of IT by participating in the cyber environment, businesses must now accept that breaches will occur. They also need to be aware that the prior indicators and warning bells for cyberattacks may not be triggered by their existing protection systems.

By accepting that systems and data will be compromised and by taking a wider perspective on threat indicators, organizations can create the basis for a smarter and more effective cyber security strategy, in turn ensuring a smarter and more effective investment.

Like the new-style executive leaders and CISO, an effective cyber strategy bridges technology and business in a holistic way, enabling and ensuring the integration, analysis and monitoring of business insights and data from across the organization to support activities including controls monitoring, threat detection and reporting.

The right strategy will not just reduce cyber risk. It will have a broader scope and impact, providing a platform for value creation and growth by underpinning confidence in the security of online activities. The right strategy will enable the business to take calculated risks, invest in new ideas and realize the true potential of e-commerce – with the ability to transact business with anyone anywhere in the world and with full trust and credibility.

Building trust and credibility

Trust between an organization and the other entities with which it routinely deals is a vital business enabler. In any online ecosystem, secure collaboration helps to secure the entire value/supply chain against attack. However, as we highlighted earlier, the costs of a cyber breach fall disproportionately on the other entities that the original target deals with. It follows that any organization should be very wary of doing business with an entity that it cannot trust to protect data effectively.

A cyber security strategy that is robust and responsive validates this trust across the ecosystem. And, within the business, the effective execution of the strategy feeds back into the reputation and credibility of the cyber security function, allowing it to be perceived as an enabler of business value and growth rather than a blocker.

OUR A&M QUICKPOLL: THE STRUGGLE TO SUPPORT THE BUSINESS

Of the A&M clients we interviewed, only 24 percent of security leaders claim to have robust dialogue with the business, but even more disturbing is that 16 percent of clients do not even have a dedicated security team.

While the strategy will vary depending on an organization’s business goals, operating model and risk profile, our view is that a handful of key building blocks will add value in all cases. These include:

• Send the cyber team to business school – While a “lack of skilled technical resources” is a recurrent complaint from cyber security functions, a bigger challenge is that today’s cyber security teams need to engage with the business using the right language. So they need educating to understand how the business runs. New skills required to protect the organization have also broadened beyond IT to include actuaries, economists, lawyers, process optimization and other specialists, and even historians and mathematicians.

• Threat intelligence – To be prepared for emerging cyber threats and to respond proactively and precisely, companies must develop threat intelligence that is grounded in “situational awareness” (see panel). Gaining it demands the ability to blend, analyze and make sense of a vast array of “big data” to identify, assess, prioritize and manage existing and emerging threats. Furthermore, in the right hands, threat intelligence can form the basis of new strategies and ensure that budgets and investments are set correctly.

• 24/7 monitoring and crisis management – When attacks and/or breaches do occur, it is key that the organization is fully prepared – meaning that it is aware of the incident immediately and can respond in an effective and proportionate way. This demands that 24/7 monitoring and incident response be formally integrated with wider crisis management planning and processes across functions such as finance, operations and physical security. These processes should also include external communication with the press and external stakeholders such as law enforcement and regulators.

• Cyber insurance – As the volume and costs of data breaches continue to rise, more businesses are examining cyber insurance as an option for protecting themselves. To date, it has proved especially effective as a way of transferring risk in countries where companies are legally required to notify the authorities about data breaches. However, cyber insurance can also cover several other risks, including post-breach crisis management costs and third-party damages as a result of denial-of-access attacks.

• Third-party risk – Most organizations do not yet have a thorough understanding of the level of risk posed by associates/partners/vendors with whom business is routinely or occasionally conducted. A clear understanding of exactly what information is shared outside the organization, where the information is sent, and how the recipient will protect it is essential.

SITUATIONAL AWARENESS: UNDERSTANDING THE LANDSCAPE

Originally a military term used on the battlefield, situational awareness is an organization’s understanding of the surrounding landscape, including enemy positions, geographical features, environmental conditions, and relative strengths and weaknesses. In the cyber domain, the goal is to develop 360-degree situational awareness, enabling the organization to respond to existing developments and anticipate forthcoming ones.


CONCLUSION: SOME QUESTIONS TO FOCUS SMARTER INVESTMENT

As we have highlighted in this paper, the first step toward effective and robust cyber security is not to spend more, but to spend smarter. We believe that the strategy and approach we’ve outlined provides a roadmap to do this.

At root, the thinking and approach around cyber security needs to shift from the traditional, narrow terrain of “Are we protected?” to the new and broader landscape of “Have we detected and are we aware of our security threats; and have we planned accordingly?”

Once the organization has a sound and holistic understanding of the cyber risks it faces, then, and only then, can it develop the right cyber strategy that will generate demonstrable and measurable business benefits. This in turn puts the organization in a position to assess the relative returns from any increase in spending.

A checklist of key questions

To help you assess and tackle your cyber risks, here is a checklist of five key questions to ask:

1. Is the threat of cyberattacks on your corporate risk register and covered in your annual report?

2. Do you have a cyber security strategy that is aligned with your business strategy, and is it updated according to evolving needs?

3. Do you know how many security incidents you have suffered in the past year and the cause of these incidents?

4. How much would a cyber security breach impact the organization, and can management demonstrate the rationale behind its assessment?

5. Where and what are the most critical assets? How does management determine which assets are critical?

Contact information

For more information about this topic, or if you would like to discuss any of the issues raised in this paper with a cyber security expert at Alvarez & Marsal, please give us a call or send an e-mail.

Contact information for Alvarez & Marsal regional cyber security leaders is provided at: http://www.alvarezandmarsal.com/cyber


Alvarez & Marsal sets the standard for delivering results on critical matters. With an increase in the complexity of corporate investigations, regulatory enforcement actions, and high stakes litigation, that ability is more important than ever. From the boardroom to the court room, A&M professionals draw on their deep skills and experience in business investigations, litigation consulting, forensic technology, and expert testimony to provide clients with the solutions they seek to achieve their goals.

www.alvarezandmarsal.com


ALVAREZ & MARSAL®, ® and A&M® are registered trademarks of Alvarez & Marsal Holdings, LLC. © Copyright 2014 Alvarez & Marsal Holdings, LLC. All Rights Reserved.
