Take the Lead on Cyber Risk
Cyber risk is already a huge challenge and it's growing rapidly. According to a
recent report, by the year 2020 the world will need to cyber-defend 50 times more
data than it does today.1 And with new risks emerging daily, organizations must
constantly devise new cyber strategies and defenses as attackers figure out how to
get past the cybersecurity that is currently in place.
Regards,
Sam Balaji
Global Risk Advisory Business Leader
Table of contents

Introduction (p. 1)
Secure (p. 7)
Vigilant (p. 11)
Resilient (p. 15)
Introduction
For organizations of every shape and size, it’s no longer
a question of if you will be attacked, but when (and how).
The digital revolution is happening and there is nothing you can do to stop it. Nor should you try. In the months and years ahead, digital innovations and exponential technologies will be key drivers of growth and success, providing unprecedented opportunities for your organization to create value and competitive advantage.

But to thrive in a digital future, you need a robust cyber strategy that can help your organization become secure, vigilant, and resilient. Hope is not a strategy.

Cyber capabilities must do more than address the threats that exist now. As exponential technologies drive digital disruption, they introduce entirely new kinds of cyberthreats and amplify existing ones—requiring additional next-level capabilities that companies must start building now.

to understand the opportunities and risks associated with digital innovation, and then strike a balance between the need to protect the organization from cyberthreats and the need to adopt new business models and new strategies that capitalize on digital technology and lay the groundwork for future success.

The good news is that while digital disruption and cybersecurity present serious challenges, those challenges are not insurmountable. By understanding what needs to be done—and mustering the courage and foresight to tackle the challenges head-on—you can take charge of your cyber fate and become a digital disrupter, instead of getting disrupted by the competition.
Take the lead on cyber risk | How to move from now to next-level security
The changing landscape of cyber risk
In the World Economic Forum’s Global Risk 2017 report,2 cyber risk is recognized as one of the top commercial risks, alongside the economy, the environment, and geopolitics. Digital technologies and innovation are growing exponentially, accelerating cyber risks, creating new attack vectors, and greatly expanding the attack surface that organizations must patrol and defend.
2. World Economic Forum, The Global Risks Report 2017, 12th Edition, http://www3.weforum.org/docs/GRR17_Report_web.pdf (accessed 9 May 2017).
Mobile networks: Mobile isn’t just a new feature that organizations must offer to their customers. For a growing number of consumers—particularly millennials—mobile is a way of life. For them, it’s not just another channel; it’s the only channel that matters. As such, mobile is creating fundamentally new buying behaviors. It also greatly increases the attack surface for cyberthreats, since mobile networks are by nature geographically vast and fluid.

These factors will change our world, creating market opportunities beyond the imagination. Yet they will also give rise to new kinds of cyberthreats that are impossible to fully anticipate.
Moving from now to next-level cybersecurity
Even threats an organization thinks it has under control today could threaten it again in the future as those threats evolve and grow in sophistication and complexity. For example, distributed denial of service attacks have been around for many years, yet they are now more prevalent, deceptive, and sophisticated than ever—often being used as a ploy to divert attention from secondary attacks such as data exfiltration, physical attacks, or the implanting of ransomware.
To protect itself from both evolving and emerging cyberthreats, an organization needs to ensure it has established basic cyber capabilities that can protect it from today’s threats right now, while at the same time investing in next-level capabilities that can protect it from whatever threats might emerge in the future. These now and next-level capabilities fall into three broad categories: secure, vigilant, and resilient.

The pages that follow take a closer look at each of these categories, discussing the now and next-level capabilities your organization needs to keep itself safe—today and in the future.
Secure
Enhancing risk-prioritized controls to protect against
known and emerging threats, and to comply with
industry cybersecurity standards and regulations
Where you should be now

Integrate cyber strategy with business strategy

In a digital world, cyber strategy and business strategy go hand-in-hand. Although business objectives are paramount, it is no longer possible to develop effective business strategies and business models without thinking about how they will be affected—and in many cases enabled—by digital technologies, and how the organization will protect itself from cyberthreats. Even the most creative and brilliant business strategy in the world is worthless if an organization can’t figure out how to secure the required operations from cyberattacks.

The time for an organization to consider the impact and mitigation of cyberthreats is in the beginning, when developing its strategy—not months or years later when the organization has already begun implementing the required systems and processes and has committed vast resources to pursuing a particular course of action.
Vigilant
Sensing, detecting, and predicting violations and
anomalies through better situational awareness
Pay attention to your entire ecosystem

Suppliers, vendors, partners, and even customers can all be points of entry for an attack—which means that even if an organization itself is highly secure, it could still be vulnerable. After all, a chain is only as strong as its weakest link.

To stay aware, conduct ongoing cybersecurity assessments of your ecosystem to ensure outsiders are not creating unacceptable risk exposure. Also, be part of the solution, sharing information with ecosystem partners and fostering collaboration to fight common adversaries.

It is also essential to constantly monitor for suspicious or atypical activities, wherever they might occur. Although external attacks get most of the headlines, the fact is many of the biggest cyberthreats are internal—originating from within an organization or its extended enterprise. These internal incidents can be even more damaging than attacks from the outside, yet they tend to be kept quiet. Also, in some cases, the damage is done without malicious intent, but is simply the result of carelessness or poor controls and procedures.

attackers are using it, and what entry points are being targeted. These technologies also enable predictive threat detection, helping to anticipate and mitigate future threats that may evolve from current threats as attackers find ways to circumvent existing security mechanisms.

Threat intelligence is the province of trained CTI (cyberthreat intelligence) professionals, who monitor a wide variety of information sources—including the dark web, malware reports, and online activity—to find risks specific to your organization. These professionals monitor and learn from attacks perpetrated against other organizations, and then apply that accumulated intelligence to help you protect the areas at greatest risk within your organization.

In addition to monitoring, mature intelligence teams actively hunt for new threats. If, for example, a team uncovers a new malware stream, it can build an analytical model to detect new instances and iterations of the malware. From there, it can create algorithms and automated processes to hunt down the emerging threats before they can do harm.
Resilient
Being able to quickly return to normal operations and
repair damage to the business
No matter how much money and effort you spend strengthening your cyber defenses, at some point an attack will get through. When that happens, what will you do?

In the middle of an attack, there is no time to lose; each passing minute leads to more and more damage (see diagram below). Yet many businesses remain largely in reactive mode when it comes to managing cyber incidents and the resulting repercussions. In fact, according to a recent survey by Nasdaq and Tanium, more than 90 percent of corporate executives say their organizations are not prepared to handle a major cyberattack.3

[Diagram: Anatomy of a cyberattack]

3. Tom DiChristopher, “Execs: We’re Not Responsible for Cybersecurity” (April 2016), CNBC, http://www.cnbc.com/2016/04/01/many-executives-say-theyre-not-responsible-for-cybersecurity-survey.html (accessed 9 May 2017).
To be resilient, you need a plan. You also need to establish effective governance and oversight to coordinate plans and response activities across all stakeholders—including board members and business leaders outside of IT. For most organizations, this comprehensive approach will require a mindset shift from thinking of cyber breaches as an IT risk to understanding that cybersecurity is a strategic business issue and should be addressed as an integral part of the organization’s disaster recovery planning.

The preparation process is continuous—develop, test, evolve, repeat—with the goal of having a response plan that constantly matures and improves to keep pace with emerging threats and changes to the organization’s threat landscape.

Where you should be now

Start with a resiliency plan

The middle of a crisis is no time to be figuring out things from scratch. An effective resiliency plan needs to be developed well in advance, and should be clear and concise enough that people can quickly understand it when the bullets are flying, yet detailed enough to be immediately actionable. Typical elements include:

1. Governance: Establish cross-functional coordination, documentation, and stakeholder communication.

2. Strategy: Create a strong and aligned organizational strategy for dealing with cyber incidents, including executive, board, and customer communications.

3. Technology: Understand the technical elements of incident response and breach documentation. (What forensics will be conducted? Does the team have processes in place to log incidents and perform incident analysis with the support of IT operations?)

4. Business operations: Create integrated business continuity and disaster recovery processes, which include proactive communications. (What is the plan for operational resilience during a cyber incident?)

5. Risk and compliance: Ensure the resiliency plan includes involvement with risk and compliance management, such as dealing with regulators, legal counsel, and law enforcement.

Put yourself to the test

Once an organization has a solid plan in place, it needs to conduct ongoing drills and simulations in a controlled environment so everyone can be 100 percent confident that the plan works. These tests and practice sessions include wargaming, red-teaming, and compromise assessments.

Wargaming involves simulating the moves and countermoves that would be involved in an ongoing cyber incident. This enables an organization to see its response plan in action and to identify gaps that need to be closed. Business leaders are assigned to manage various components of a simulated breach to test how well they would respond in a live situation. Often, participants don’t know the situation is only a simulation, giving organizations the opportunity to honestly and accurately assess how quickly teams respond, whether the board is engaged, and how decisions are made. In many countries, such as throughout Europe and in Canada, this includes decisions about informing the privacy commissioner, a recently established regulatory post created by new laws requiring organizations to report any data breaches that cause “significant harm” to individuals.

Red-teaming involves sanctioned covert hacking—typically initiated and approved by an organization’s executives or board—to test defenses and uncover weaknesses. Many organizations don’t realize how easily their cyber environment can be compromised, and won’t really believe it unless presented with proof. A strong red team attack can provide such evidence—often stealing client data without even breaching the core network. Once the red team has breached security, they can then assess how quickly and effectively the organization’s defensive team (the blue team) identifies and responds to the attack. Traditionally, red and blue teams have operated completely separate from one another. However, a growing number of organizations are now also using purple teaming, in which red and blue teams collaborate to share information and learnings.

Compromise assessments are another valuable tool, typically used when an organization suspects it has been breached but isn’t sure, and needs to know if there is still a criminal presence in its system.

All of these tests, individually and collectively, provide critical insights about an organization’s resiliency strengths and gaps, which can help drive improvements in governance, cyber incident escalation,
The human element

Despite the focus on technology and innovation, effective security still requires individuals who can bring deep expertise and a strategic perspective to the cyber fight. Tools are important, but attackers are masters at circumventing them. To be effective, cybersecurity requires a combination of people, processes, and technology.
To succeed, you need to tackle cyber risk head-on—developing and implementing a robust cyber strategy that can make your organization secure, vigilant, and resilient. Such a strategy must not only address the threats that exist now, but also the next-level threats that have yet to emerge.

The good news is that while cyber risk is a serious and growing challenge, it is not insurmountable. Although hope is not a strategy, the situation is far from hopeless. In fact, we are already seeing positive changes in the way leading organizations are responding to the cyber imperative.

In addition to improving their overall capabilities for managing cyber risk—which includes expanded roles and scope for the CISO and risk function—cyber-mature organizations are working to embed cyber awareness into the very fabric of their organizations. Also, they are beginning to leverage smart technologies to detect, predict, and mitigate risks, while at the same time recognizing that cybersecurity is both art and science, and that even the most sophisticated tools cannot replace the creativity, insight, and judgment of human experts.

Cyber risk is not an IT issue, it’s a business issue. As such, risk, security, and business leaders must constantly strive to balance the need for strong cybersecurity and the strategic needs of the business.

By understanding what needs to be done—and gathering the courage and foresight to take the lead on cyber risk—your organization can take charge of its own cyber fate and position itself as a digital disrupter, rather than becoming one of the disrupted.
Appendix A: Key takeaways to move from now to next-level security
Secure
Now: Identify and protect your crown jewels
Next-level: Develop better ways to manage data

Vigilant
Now / Next-level

Resilient
Now / Next-level
Appendix B: Key elements of a cyber strategy

Tomorrow’s challenges are different than today’s. How can you stay ahead?
Technical defenses and other protective controls often represent an organization’s first line of defense against cyberthreats. There are numerous technical solutions that can be leveraged to protect the organization from threats, from firewalls and basic malware protection to specific solutions for identifying and nullifying insider attacks. Whatever solutions an organization chooses to leverage, it must have a clear understanding of its cyberthreat landscape to determine where the most effective investments should be made. Also, an organization’s technical defenses should be continuously reviewed to ensure that they remain appropriate in an evolving threat environment.

Most organizations make use of external vendors to deliver services or provide inputs. A close partnership with these vendors is often necessary, but this also exposes the organization to additional cyberthreats. For example, an organization buying software from an external vendor is dependent on the strength of the vendor’s security controls to ensure that the software contains no malicious code. Understanding the role of external vendors in an organization’s cybersecurity ecosystem enables the organization to apply the appropriate technical and contractual controls to limit its exposure.
6. Employee awareness
Contacts
Authors
Global contacts
Global and Americas Cyber Risk Leader
EMEA Cyber Risk Leader
James Nunn-Price
Deloitte has been widely recognized as a market leader, including in these recent independent analyst reports:
Deloitte ranked #1 globally in Security Consulting Services, based on 2016 Market Share revenue by Gartner
Source: Gartner, Market Share Analysis: Security Consulting, Worldwide, 2016, Elizabeth Kim, June 2017.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private
company limited by guarantee (“DTTL”), its network of member firms, and their
related entities. DTTL and each of its member firms are legally separate and
independent entities. DTTL (also referred to as “Deloitte Global”) does not provide
services to clients. Please see www.deloitte.com/about to learn more about our
global network of member firms.
Deloitte provides audit, consulting, financial advisory, risk advisory, tax and related
services to public and private clients spanning multiple industries. Deloitte serves
four out of five Fortune Global 500® companies through a globally connected
network of member firms in more than 150 countries and territories bringing
world-class capabilities, insights, and high-quality service to address clients’ most
complex business challenges. To learn more about how Deloitte’s approximately
245,000 professionals make an impact that matters, please connect with us on
Facebook, LinkedIn, or Twitter.