Copyright © 2014 Deloitte Development LLC. All rights reserved.
Insurance Accounting & Systems Association (IASA): NY/NJ Chapter Spring 2014 State of Information Security by Deloitte & Touche LLP May 20, 2014
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Introductions
Najeh Adib Manager, Cyber Risk Services, Deloitte & Touche LLP Phone: +1 203 274 2014 E-Mail: [email protected]
Tushar Srivastava Manager, Cyber Risk Services, Deloitte & Touche LLP Phone: +1 212 436 3779 E-Mail: [email protected]
How did we get here?
The enterprise has evolved over the past two decades from Industrial to Digital to Postdigital.
Industrial: Organization – specialization, processes-focused; Channel – single channel; Market approach – plan-based replenishment
Digital: Organization – functional model, IT-focused; Channel – multichannel; Market approach – transaction-based replenishment
Postdigital: Organization – interdisciplinary, collaboration-focused; Channel – omnichannel; Market approach – interest-based replenishment
Technology has given rise to a new kind of consumer and a new kind of worker, causing organizations to fundamentally rethink almost every aspect of their operations.
Socially connected – Consumers are constantly connected to their social networks, resulting in increasingly collaborative experiences in which they are both influenced by and influencers of their peers.
Technically connected – Consumers are constantly connected to the Internet through smart, portable, and highly usable devices, enabling real-time analysis, price comparisons, and product/service transparency.
Behaviorally connected – Companies are gaining more detailed information about individuals, enabling more compelling consumer engagement through marketing and product/service offerings that are tightly linked to past patterns of behavior.
Disrupt or be disrupted
Organizations must evolve to stay relevant as behaviors and needs within the post-digital ecosystem change rapidly.
A slow response invites disruption
Static businesses will be unable to meet desires and expectations in two years.
A movie rental company failed to heed customers’ changing appetite for direct, instant digital fulfillment.
A consumer electronics retailer failed to transform its workforce from traditional salesmen into engaging customer service advocates.
Evolve now and you can disrupt and grow
Postdigital enterprises will evolve to harness disruptive technologies.
A home improvement retailer empowers employees with collaboration tools to share ideas and leading practices.
An innovative car rental service channeled social technologies to provide customers the desired high-touch merchant experience at a low cost.
An online shoe retailer disrupted the industry by using mobile and social technology to provide the flexibility that customers desire.
Deloitte Tech Trends 2013: Elements of Post-digital
If you are interested in more, the full report can be downloaded at http://www.deloitte.com/view/en_US/us/Services/consulting/technology-consulting/technology-2013/index.htm
The impact on today’s Information and Cyber Security Officers
Expectations are evolving as executives grapple with the impact of the post-digital environment on information and technology.
Corporate / BU CIO
Customer focus
Consumerization of technology
Value-driven allocation of resources to maximize results
Emphasis on partnering to deliver business capabilities
Extendible & flexible enterprise architecture to support broader eco-system & new technologies
Cost reduction
Shift from fixed to variable cost models to address fluctuating business requirements
Global resource management – enterprise & third party; onshore & off-shore
Smart sourcing of development / infrastructure / services
Create efficiencies by leveraging ‘big data’
Chief / BU Information Security Officers
Understand the ‘real’ risk associated with data and the associated security implications
Strike a balance between information security, the evolving business model and end user expectations that are primarily formed through use of consumer technology
Secure data that transcends the four walls of the company – especially in cloud, mobile and unstructured environments
Manage software vulnerabilities as development cycles shorten and applications are introduced into new environments
Understand regulatory and legal expectations and determine how to address them without hindering the IT organization and the business
Key cyber security focus areas
Below are some of the key focus areas for today’s cyber risk executives.
Agile Risk Management
Integrating risk management into existing IT management processes rather than bolting it on (e.g., SDLC)
Rationalizing control processes and tempering them based on risk tolerance
Cyber Security
Understanding cyber criminal networks and their potential impact on the company (and its clients)
Preventing cyber attacks and advanced persistent threats
Keeping up with cyber criminals as they innovate at a faster pace than industry
Mobile Security
Mobile technology and social networking provide an ecosystem that is complex and rapidly evolving
Adoption of mobile devices (and BYOD) is growing at a staggering rate across industries and markets
Powerful communication tools are opening new communication channels… and risks
Third Party Security
Operating cost pressures drive an increased focus on outsourcing business functions
Companies are dependent on third parties for core operations and key business functions
Regulatory requirements of third party suppliers are complex and difficult to manage
Cloud Computing
Ease of acquisition and use drives an increased business demand for cloud capabilities (“Rogue IT”)
Difficulty in addressing responsibility for information security in the cloud
Records management, data privacy and disclosure risks complicated by international jurisdictions
Regulatory Requirements
Changes to the regulatory environment must filter through to information security programs
Global organizations must constantly monitor for changes to international regulatory requirements
Failure to meet regulatory requirements in information security can have real business impact
Agile risk management
The Challenge
Many organizations believe that “appropriate information security can still be achieved by simply purchasing various security products and services”¹ while burdening the IT organization with additional “check the box” exercises.
Key Considerations
Engage the business earlier
Get a seat at the ‘decision making’ table by demonstrating value and flexibility
Look for opportunities to adjust the rigor of risk management processes based on tolerance
Overview
One size does not fit all – existing risk management processes often do not account for the organization’s risk tolerance
Integrated vs. bolted on – risk processes are often bolted on as separate processes instead of integrated into existing processes (e.g., SDLC)
Adaptability – existing risk processes and libraries often do not account for the evolving threat landscape and are not agile enough to adapt quickly
¹ “A Systematic, Comprehensive Approach to Information Security”, Gartner, published 24 June 2010
Cyber security
The Challenge
Cyber crime has taken a chilling turn – it is now serious, more widespread, aggressive, growing, and increasingly sophisticated, posing major implications for national and economic security.
Key Considerations
Understand how your organization is viewed by cyber criminals
Consider risk when determining where to focus resources
Balance impact of an incident with ability to acquire intel
Overview
Velocity and volume – frequent cyber attacks and breaches with discovery usually occurring only after the fact, if at all
Innovation and sophistication – cyber criminals are innovating at a pace which many organizations and technology vendors cannot match
It’s not just the ‘hacker’ – many organizations have not yet recognized organized cyber criminal networks as a potential threat
Current deterrents aren’t working – effective deterrents are not known, available, or accessible to many practitioners
• 83M – Number of customer records exposed in data breaches in the last 6+ years
• 360K – Number of credit card accounts compromised in a single data breach
• 288 – Number of publicly disclosed data breaches in the last 6+ years
Mobile security
The Challenge
With the rapid and increased adoption of mobile devices, CISOs are often faced with the challenge of how to “adopt” enterprise mobility while protecting the organization’s assets.
Key Considerations
Balance mobile security with usability
Understand the true threats
Consider training and awareness to compensate for reduced control
Overview
Mobile ecosystem – a complex, rapidly developing environment where new risks are introduced every day
Adoption – growing at a staggering rate and will continue to do so for the foreseeable future
Powerful tools – mobility has the potential to deliver powerful tools and open new communication channels
Enterprise mobility challenges – include bring your own device (BYOD), management of diverse mobile devices, secure mobile asset deployment, and mobile data loss
Third party security
The Challenge
Reliance on third party relationships can significantly increase an organization’s risk profile. Increased risk most often arises from poor planning, oversight, and control on the part of the organization and/or inferior performance or service on the part of the supplier.
Key Considerations
Tailor practices based on the complexity of third party activities
Tier outsourced third party relationships based on risk
Consider ongoing operational performance reviews of critical vendors
Overview
Core functions – many organizations are depending on third parties for their core operations and key business functions
Competitive advantage – looking to third-party relationships as a way to gain a competitive edge without regard for risks
Nature of relationship – third party risk isn’t a risk unto itself; rather, it is a combination of other risks with various degrees of severity based on the nature of the relationship with the third party
Regulatory requirements – continue to increase and evolve with changes in outsourcing trends
Cloud computing
The Challenge
Cloud computing is changing how businesses purchase, deploy, and support IT services, and most organizations are now responding to the new opportunities. Security concerns rank as the most challenging to resolve, and act as a barrier to cloud adoption across all industries.
Key Considerations
Build a holistic ‘risk profile’ to support adoption
Know the boundaries of the cloud deployment model
Understand time-to-market business drivers
Overview
Increased business demand – businesses pursuing cloud deployment for agility and cost savings before security ‘maturation’
Responsibility and governance – lack of appropriate governance and oversight is ‘as critical’ as security concerns
Inherent risks – exacerbated when data in the cloud resides in a foreign country or moves across international borders
Regulatory and compliance requirements – not optional in cloud computing
Regulatory requirements
The Challenge
The evolving information security threat landscape has been recognized by industry regulators. Information security must understand the impact of new regulations and of changes to existing regulations, and be an early adopter of these changes.
Key Considerations
Know which regulatory jurisdictions to monitor
Monitor for regulatory changes and determine their impact
Be a regulatory consultant to the business
Overview
Regulations change – changes to regulations must be analyzed and, where necessary, adopted into the information security program
Regulations are global – organizations with a global footprint must constantly monitor for changes to regulations in each operating jurisdiction
Regulatory and compliance requirements – are not optional, and failure of information security to meet regulations can have a real impact on the business (fines, sanctions, etc.)
In conclusion, here is what to watch out for…
● Information security – as a compliance driven exercise
Security that is only compliance driven, promoting a “check-the-box” mentality
● The ‘technical’ value proposition – not a vision of the future
A program that cannot articulate how information security adds value to the organization
● Bolt-on security – tools and controls for the sake of ‘tools and controls’
Prioritizing bolt-on security controls and tools rather than the needs of the business
● Security at the ‘end’ – not a trusted advisor
A mentality of involving information security only at the ‘end’ of a project or process drives down the value of the information security program
● A barrier – to business progress and innovation
Acting as a ‘policy cop’ or paranoid custodian of security rather than an enabler to the business¹
…and what to consider focusing on
● Be resilient – build a program immune to ‘a la mode’ security priorities
Understand current maturity & capabilities. Align with the business to reduce the ‘flavor of the month’ approach to security
● Predict – it takes more than good technology to prevent breaches
A proactive ‘risk based’ approach to keep pace with the evolving threat landscape
● Adapt – understand and adjust current risk appetite
A risk appetite that adjusts by aligning with the security priorities of the business
● Improve – seek continuous improvement
Develop processes to build a security program based on continual improvement
● Evolve – into a trusted advisor
Grow an information security program that plays an active role in supporting the business strategy and that is a valued, trusted adviser
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.