
Page 1: Cybersecurity @ Capgemini Consulting

Transform to the power of digital

Cybersecurity @ Capgemini Consulting

Capgemini Consulting Cybersecurity Service Portfolio

July 2015

Page 2

Growing requirements and recent trends continue to pose new challenges to Cybersecurity and endanger the success of Digital Transformation for today’s companies

Cybersecurity challenges

Copyright © 2015 Capgemini Consulting. All rights reserved.


Organized cybercrime with sophisticated attacks

New requirements and trends

Slowly growing Cybersecurity budgets

Trends from Digital Transformation: Mobility, Cloud, Big Data, Social

Regulatory pressure and new laws

Business demanding higher flexibility

Complex ecosystem

Low awareness level of employees due to lack of holistic programs

Constrained security resources

Industrialization of hacking, professional attack software “as a service”

National intelligence agencies with unlimited resources

Employees attacked by phishing, social engineering …

Page 3

Capgemini Consulting Cybersecurity Framework

Capgemini supports a successful transformation of the Cybersecurity function into an integrated, strategic and risk-focused business partner

Organization Transformation & Professionalization

ORGANIZATION & PEOPLE

PROCESSES

TECHNOLOGY

STRATEGY & GOVERNANCE

Program Management

Change & Communication Management

Cybersecurity Ecosystem

CYBERSECURITY & INFORMATION PROTECTION MATURITY ASSESSMENT

CYBERSECURITY RISK MANAGEMENT

CYBERSECURITY TARGET OPERATING MODEL (ISMS)

AWARENESS 2.0

SECURITY EXPERT TRAINING

CRISIS MANAGEMENT

IDENTITY AND ACCESS MANAGEMENT

MOBILE SECURE

Deep Dive - Cybersecurity Offerings

END-POINT SECURITY

DATA CENTER SECURITY/ SOC SERVICES

APPLICATION AND OT SECURITY

Page 4

CySIP Maturity Assessment approach

Capgemini performs its Cybersecurity & Information Protection (CySIP) Maturity Assessment based on a proven approach and standardized tools


Phase: MATURITY ASSESSMENT

Activities: Conduct focus interviews with business and IT to assess maturity; Identify vulnerabilities and gaps; Benchmark with best practices; Define pain points, quick wins and long-term measures

Results: Overview of evaluated vulnerabilities and gaps; Assessed CySIP maturity; Measurement catalogue

Phase: TRANSFORMATION ROADMAP

Activities: Prioritize measures; Define high-level business case; Define transformation plan; Align results with stakeholders; Prepare decision documents

Results: Aligned and prioritized measures; High-level business case; Transformation plan; Final decision documents

Phase: SCOPING & VISIONING

Activities: Define scope of assessment; Derive strategic guidelines; Determine client-specific threats; Identify business-critical information and systems

Results: Aligned questionnaires; Defined strategic guidelines; Overview of business-critical information and systems

Sample transformation roadmap (figure): timeline Q4 2014, 2015, 2016; workstreams Management & Governance, Int. Organization & Client, Applications & Operating System, Network & Hardware. Tasks shown: Analyze data privacy organization; Design IS policy framework; Outline governance principles for data; Describe governance profiles and roles; Transform to new organization; Analysis business & IT requirements; Develop security architecture model; Design technical solutions; Build and customize designed solution; Test and deploy services; Conduct risk and stakeholder analysis; Perform survey to assess awareness level; Develop awareness concept; Design awareness objects; Define business continuity strategy; Develop decision structures; Develop organization plan; Implement awareness objects; Perform 2nd survey to measure effectiveness; Define business impact analysis (BIA); Conduct business impact analysis; Formulate SLAs; Define business continuity plans.

Sample organization chart (figure): Org structure – To-be IT demand organization. The to-be organization features an org-line for functional business interaction as well as for supply management to enhance the capabilities.

• Vacant positions in Global Functional Information Management (GFIMs) are re-staffed and enhanced by business consulting capabilities for SAP and EDM

• New organizational line manages Pharma-specific supply as well as internal and external providers

Sample maturity benchmark chart (figure): scale 0 to 4; axes 1.1 Strategy, 1.2 Governance Structure, 1.3 IT Compliance Management, 1.4 IT Risk Management, 1.5 BCM/DRM, 1.6 Audits, 1.7 Data Privacy, 1.8 Security Incident Reporting; series Bundesministerium für Finanzen Public Sector, Top Performer in Peer Group, Total Average (All Participants).

C-LEVEL AND BUSINESS-ORIENTED, STRUCTURED APPROACH FOR AN ACCELERATED INCREASE OF CLIENT’S MATURITY AND DEFINITION OF A CYBERSECURITY STRATEGY

Why Capgemini Consulting?

C-Level and business-oriented for alignment with business/IT strategy

Toolkit of proven questionnaires for accelerated maturity assessment

Extensive benchmark database for peer comparison

Collaborative approach to define clear strategy

Page 5

Cybersecurity Risk Management

Capgemini helps organizations to protect their critical information assets using optimal investment strategies that minimize operational risk


Phase: TO-BE DESIGN

Activities: Describe procedures & interfaces; Define roles & responsibilities and KRIs; Develop reporting; Profile threats and vulnerabilities; Develop questionnaires

Results: Policy and process description; Role descriptions/ RACI; Reporting templates; Risk assessment templates

Phase: RISK ASSESSMENT & IMPLEMENTATION

Activities: Conduct risk assessments with business and IT to identify and evaluate risks; Create a holistic risk register; Define risk mitigation measures; Implement process

Results: Validated risk assessment results; Consolidated risk register; Measurement catalogue; Training material & reporting

Phase: VISIONING & AS-IS ANALYSIS

Activities: Define scope of risk assessment; Identify critical information assets; Assess business impact (business impact analysis); Perform gap analysis and define measures

Results: Assessment scope; Realistic and worst-case inherent business impact ratings; Overview gaps/ measures

BUSINESS-FOCUSED, STRUCTURED AND PRACTICAL RISK MANAGEMENT METHODOLOGY BASED ON RIGOROUS ASSESSMENT TO CREATE A HOLISTIC PROFILE OF DIGITAL RISKS

Why Capgemini Consulting?

Proven best practices approach to create a holistic risk profile

Focus on business perspective (“Digital Risk”)

Practical methodology with rigorous assessment process

Best practice templates to focus on key risks

Sample risk matrix (figure): Probability (LOW, MEDIUM, HIGH) plotted against Impact (LOW, MEDIUM, HIGH), with numbered risks (1 to 14b) placed in the grid.

Sample risk report (figure), with the sections Current topics, Assessment and Measures.

Topic area | Count | Green | Yellow | Orange | Red | Change from previous period

Topic 1 | 2 | 0 | 0 | 2 | 0 | #DIV/0!

Topic 2 | 0 | 0 | 0 | 0 | 0 | #DIV/0!

Topic 3 | 0 | 0 | 0 | 0 | 0 | #DIV/0!

Topic 4 | 1 | 0 | 0 | 1 | 0 | #DIV/0!

Management Summary

Presentation of the implementation status of risk-treatment measures for significant risks

Overview of current group-wide topics, e.g. IT projects, changes in IT outsourcing

Summary of the assessment of group-wide risks and the status of the risk indicators (Early Warning System)

Commentary

Page 6

Cybersecurity Awareness 2.0

Awareness initiatives offered by Capgemini leverage broad communication campaigns and targeted training for roles with high risk profiles


Phase: CONTENT ADAPTION, PLANNING, QUICK SCAN

Objectives:

REVIEW RISKS, EXISTING AWARENESS INITIATIVES AND ANALYZE STAKEHOLDER AND TARGET GROUPS

PRAGMATIC ADOPTION AND CREATION OF AWARENESS CONTENT, OUTLINE OF KPIs AND MULTIPLIERS

DEFINE TRANSFORMATION ROADMAP FOR PRIORITIZED MEASURES

Sample mobile services roadmap (figure): horizons Short Term, Mid Term, Long Term, Strategic Goal. Items shown: Store Front; Timesheet; Workforce Management; Mobile CRM; Mobile Worker; Approvals; Interactive Dashboards; Mobile Executive Reports; Employee Tracking; Self-Service Operations; Support; Mobile Sales; Training; Documentation; Collaboration Tools; Mobile Service; Customer Factsheets; Customer Interaction Tracker; Pushed Information; Automated Services; Product Information; Assistance Services.

Sample stakeholder map for a Change Program (figure): External Stakeholders and Internal Stakeholders = target audience, labelled A to K. Groups shown: Leadership team (Global, Europe); Joint project team (Other projects within Company); Employees Europe (Unit A, Unit B, Unit C); Europe Leadership team, first line leaders (Unit A, Unit B, Unit C); Corporate Functions (Communications, HR); Rest of Europe Organisation (Employees other units); Workers council; Retailers; Other distributors; Consumers; Manufacturers.

The “Dark hotel” attack is targeting high-profile business travelers

Please remember: Hackers use fake update notifications to get you to install malware on your computer.

“Dark hotel” attack – Step by step

1. You connect to the already infected hotel Wi-Fi with your laptop or Smartphone
2. You receive a fake software update notification on your device (“An update is ready to install!”)
3. You install the faked update which is a spy software that gives hackers access to the PC
4. Hackers steal data, record keystrokes and infiltrate the o network

Tips for using foreign Wi-Fis

1. Always use the Company VPN connection for any transmission of confidential data
2. Do not download or apply any updates in foreign Wi-Fis
3. Turn off the wireless functions (Wi-Fi, Bluetooth, GPS and NFC) of your mobile devices when you don’t need them
4. Always check if websites use the HTTPS standard in the address bar
5. Always keep your antivirus software up-to-date (update at Company or at home)
6. If you are unsure, use the roaming package of your phone or your UMTS laptop adapter instead

Possible threats while on tour

Secure usage of wireless services

Remote access capabilities

Why Capgemini Consulting?

Structured, proven approach to optimize ongoing campaigns

Flexible and easy-to-adopt solutions

Extensive knowledge in change and communication mgmt

Measurable impact based on implemented KPIs

PROACTIVELY TACKLE SECURITY THREATS BY INTRODUCING POSITIVE SECURITY BEHAVIORS THROUGH A HOLISTIC CYBERSECURITY AWARENESS CAMPAIGN

Page 7

Capgemini Consulting relies on a strong and global Cybersecurity capability network within the Capgemini Group

Capgemini Group offers and capabilities


2,500+ Capgemini resources with Cybersecurity skills

Canada, United States, Mexico, Brazil, Argentina, All over Europe, Morocco, Australia, People’s Republic of China, India, Chile, Guatemala, Singapore, Philippines, Taiwan, Vietnam, United Arab Emirates, Malaysia, New Zealand, Japan, South Africa, Colombia

Cybersecurity Awareness

Security transformation program management

Design and implementation of security solutions

Digital security assessment & strategy and risk management

Management

Security technical assessment

Transformation

Build

Page 8

Thank you.


Dr. Guido Kamann
Head CIO Advisory Services DACH
Capgemini Suisse S.A.
Leutschenbachstrasse 95
CH-8050 Zürich
Phone: +41 44 5602 400
E-Mail: [email protected]

Dr. Paul Lokuciejewski
Lead of Cybersecurity Consulting
Capgemini Deutschland GmbH
Berliner Str. 76
D-63065 Offenbach
Phone: +49 151 4025 0855
E-Mail: [email protected]