
Copyright © 2014 Deloitte Development LLC. All rights reserved.

Insurance Accounting & Systems Association (IASA): NY/NJ Chapter Spring 2014 State of Information Security by Deloitte & Touche LLP May 20, 2014

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.


Introductions

1

Najeh Adib Manager, Cyber Risk Services, Deloitte & Touche LLP Phone: +1 203 274 2014 E-Mail: [email protected]

Tushar Srivastava Manager, Cyber Risk Services, Deloitte & Touche LLP Phone: +1 212 436 3779 E-Mail: [email protected]


How did we get here?

The enterprise has evolved over the past two decades from Industrial to Digital to Postdigital.

Organization
● Industrial: Specialization, process-focused
● Digital: Functional model, IT-focused
● Postdigital: Interdisciplinary, collaboration-focused

Channel
● Industrial: Single channel
● Digital: Multichannel
● Postdigital: Omnichannel

Market Approach
● Industrial: Plan-based replenishment
● Digital: Transaction-based replenishment
● Postdigital: Interest-based replenishment

Technology has given rise to a new kind of consumer and a new kind of worker causing organizations to fundamentally rethink almost every aspect of their operations.

● Socially connected – Consumers are constantly connected to their social networks, resulting in increasingly collaborative experiences in which they are both influenced by and influencers of their peers

● Technically connected – Consumers are constantly connected to the Internet through smart, portable, and highly usable devices, enabling real-time analysis, price comparisons, and product/service transparency

● Behaviorally connected – Companies are gaining more detailed information about individuals, enabling more compelling consumer engagement through marketing and product/service offerings that are tightly linked to past patterns of behavior

2


Disrupt or be disrupted

Organizations must evolve to stay relevant as behaviors and needs within the post-digital ecosystem change rapidly.

A slow response invites disruption

Static businesses will be unable to meet desires and expectations in two years

● A movie rental company failed to heed customers’ changing appetite for direct, instant digital fulfillment

● A consumer electronics retailer failed to transform its workforce from traditional salesmen into engaging customer service advocates

Evolve now and you can disrupt and grow

Postdigital enterprises will evolve to harness disruptive technologies

● A home improvement retailer empowers employees with collaboration tools to share ideas and leading practices

● An innovative car rental service channeled social technologies to provide customers the desired high-touch merchant experience at a low cost

● An online shoe retailer disrupted the industry by using mobile and social technology to provide the flexibility that customers desire

3


Deloitte Tech Trends 2013: Elements of Post-digital

If you are interested in more, the full report can be downloaded at http://www.deloitte.com/view/en_US/us/Services/consulting/technology-consulting/technology-2013/index.htm

4


The impact on today’s Information and Cyber Security Officers

Expectations are evolving as executives grapple with the impact of the post-digital environment on information and technology.

5

Chief / BU Information Security Officers

● Understand the ‘real’ risk associated with data and the associated security implications

● Strike a balance between information security, the evolving business model and end user expectations that are primarily formed through use of consumer technology

● Secure data that transcends the four walls of the company – especially in cloud, mobile and unstructured environments

● Manage software vulnerabilities as development cycles shorten and applications are introduced into new environments

● Understand regulatory and legal expectations and determine how to address them without hindering the IT organization and the business

Corporate / BU CIO

Customer focus
● Consumerization of technology
● Value-driven allocation of resources to maximize results
● Emphasis on partnering to deliver business capabilities
● Extendible and flexible enterprise architecture to support a broader eco-system and new technologies

Cost reduction
● Shift from fixed to variable cost models to address fluctuating business requirements
● Global resource management – enterprise and third party; onshore and off-shore
● Smart sourcing of development / infrastructure / services
● Create efficiencies by leveraging ‘big data’


Key cyber security focus areas

Below are some of the key focus areas for today’s cyber risk executives.

6

Agile Risk Management
● Integrating risk management into existing IT management processes (e.g., SDLC) rather than bolting it on
● Rationalizing control processes and tempering them based on risk tolerance

Cyber Security
● Understanding cyber criminal networks and their potential impact on the company (and its clients)
● Preventing cyber attacks and advanced persistent threats
● Keeping up with cyber criminals as they innovate at a faster pace than industry

Mobile Security
● Mobile technology and social networking provide an ecosystem that is complex and rapidly evolving
● Adoption of mobile devices (and BYOD) is growing at a staggering rate across industries and markets
● Powerful communication tools are opening new communication channels… and risks

Third Party Security
● Operating cost pressures drive an increased focus on outsourcing business functions
● Companies are dependent on third parties for core operations and key business functions
● Regulatory requirements for third party suppliers are complex and difficult to manage

Cloud Computing
● Ease of acquisition and use drives an increased business demand for cloud capabilities (“Rogue IT”)
● Difficulty in addressing responsibility for information security in the cloud
● Records management, data privacy and disclosure risks complicated by international jurisdictions

Regulatory Requirements
● Changes to the regulatory environment must filter through to information security programs
● Global organizations must constantly monitor for changes to international regulatory requirements
● Failure to meet regulatory requirements in information security can have real business impact


Agile risk management

7

The Challenge

Many organizations believe that “appropriate information security can still be achieved by simply purchasing various security products and services”¹ while burdening the IT organization with additional “check the box” exercises.

Key Considerations

● Engage the business earlier

● Get a seat at the ‘decision making’ table by demonstrating value and flexibility

● Look for opportunities to adjust the rigor of risk management processes based on tolerance

Overview

● One size does not fit all – existing risk management processes often do not account for the organization’s risk tolerance

● Integrated vs. bolted on – risk processes are often bolted on as separate processes instead of being integrated into existing processes (e.g., SDLC)

● Adaptability – existing risk processes and libraries often do not account for the evolving threat landscape and are not agile enough to adapt quickly

¹ “A Systematic, Comprehensive Approach to Information Security”, Gartner, published 24 June 2010


Cyber security

8

The Challenge

Cyber crime has taken a chilling turn – it is now serious, more widespread, aggressive, growing, and increasingly sophisticated, posing major implications for national and economic security.

Key Considerations

● Understand how your organization is viewed by cyber criminals

● Consider risk when determining where to focus resources

● Balance the impact of an incident with the ability to acquire intel

Overview

● Velocity and volume – frequent cyber attacks and breaches, with discovery usually occurring only after the fact, if at all

● Innovation and sophistication – cyber criminals are innovating at a pace which many organizations and technology vendors cannot match

● It’s not just the ‘hacker’ – many organizations have not yet recognized organized cyber criminal networks as a potential threat

● Current deterrents aren’t working – effective deterrents are not known, available, or accessible to many practitioners

● 83M – Number of customer records exposed in data breaches in the last 6+ years

● 360K – Number of credit card accounts compromised in a single data breach

● 288 – Number of publicly disclosed data breaches in the last 6+ years


Mobile security

9

The Challenge

With the rapid and increasing adoption of mobile devices, CISOs are often faced with the challenge of how to “adopt” enterprise mobility while protecting the organization’s assets.

Key Considerations

● Balance mobile security with usability

● Understand the true threats

● Consider training and awareness to compensate for reduced control

Overview

● Mobile ecosystem – a complex, rapidly developing environment where new risks are introduced every day

● Adoption – growing at a staggering rate, and it will continue to do so for the foreseeable future

● Powerful tools – mobility has the potential to deliver powerful tools and open new communication channels

● Enterprise mobility challenges – include bring your own device (BYOD), management of diverse mobile devices, secure mobile asset deployment, and mobile data loss


Third party security

10

The Challenge

Reliance on third party relationships can significantly increase an organization’s risk profile. Increased risk most often arises from poor planning, oversight, and control on the part of the organization and/or inferior performance or service on the part of the supplier.

Key Considerations

● Tailor practices based on the complexity of third party activities

● Tier outsourced third party relationships based on risk

● Consider ongoing operational performance reviews of critical vendors

Overview

● Core functions – many organizations are depending on third parties for their core operations and key business functions

● Competitive advantage – looking to third-party relationships as a way to gain a competitive edge without regard for risks

● Nature of relationship – third party risk isn’t a risk unto itself; rather, it is a combination of other risks with various degrees of severity based on the nature of the relationship with the third party

● Regulatory requirements – continue to increase and evolve with changes in outsourcing trends


Cloud computing

11

The Challenge

Cloud computing is changing how businesses purchase, deploy, and support IT services, and most organizations are now responding to the new opportunities. Security concerns rank as the most challenging to resolve, and act as a barrier to cloud adoption across all industries.

Key Considerations

● Build a holistic ‘risk profile’ to support adoption

● Know the boundaries of the cloud deployment model

● Understand time-to-market business drivers

Overview

● Increased business demand – the business is pursuing cloud deployment for agility and cost savings before security ‘maturation’

● Responsibility and governance – lack of appropriate governance and oversight is ‘as critical’ as security concerns

● Inherent risks – exacerbated when data in the cloud resides in a foreign country or moves across international borders

● Regulatory and compliance requirements – not optional in cloud computing


Regulatory requirements

12

The Challenge

The evolving information security threat landscape has been recognized by industry regulators. Information security must understand the impact of new regulations and of changes to existing regulations, and be an early adopter of these changes.

Key Considerations

● Know which regulatory jurisdictions to monitor

● Monitor for regulatory changes and determine their impact

● Be a regulatory consultant to the business

Overview

● Regulations change – changes to regulations must be analyzed and, where necessary, adopted into the information security program

● Regulations are global – organizations with a global footprint must constantly monitor for changes to regulations in each operating jurisdiction

● Regulatory and compliance requirements – are not optional, and failure of information security to meet regulations can have a real impact on the business (fines, sanctions, etc.)


In conclusion, here is what to watch out for…

13

● Information security – as a compliance-driven exercise

Security that is only compliance driven, promoting a “check-the-box” mentality

● The ‘technical’ value proposition – not a vision of the future

A program that cannot articulate how information security adds value to the organization

● Bolt-on security – tools and controls for the sake of ‘tools and controls’

Prioritizing bolt-on security controls and tools rather than the needs of the business

● Security at the ‘end’ – not a trusted advisor

A mentality of involving information security only at the ‘end’ of a project or process drives down the information security program’s value

● A barrier – to business progress and innovation

Acting as a ‘policy cop’ or paranoid custodian of security rather than an enabler to the business¹


…and what to consider focusing on

14

● Be resilient – build a program immune to ‘a la mode’ security priorities

Understand current maturity and capabilities. Align with the business to reduce the ‘flavor of the month’ approach to security

● Predict – it takes more than good technology to prevent breaches

A proactive ‘risk based’ approach to keep pace with the evolving threat landscape

● Adapt – understand and adjust the current risk appetite

A risk appetite that adjusts by aligning with the security priorities of the business

● Improve – seek continuous improvement

Develop processes to build a security program based on continual improvement

● Evolve – into a trusted advisor

Grow an information security program that plays an active role in supporting the business strategy and that is a valued, trusted adviser

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.