cybersec infohub benchmarking your cyber security infohub... · 2020-02-05 ·...
TRANSCRIPT
Cybersec Infohub – Benchmarking your cyber security
Sep 2018
Today's Agenda:
01 Digital Trends that add more cyber challenges for the industry
02 Benchmarking your IT control processes – NIST maturity assessment
03 Benchmarking your IT resources – How much should you spend on IT security?
Presenter: Felix Kan, Director, Cybersecurity
TIME magazine “Person of the Year 2016”
No 1. Donald Trump
No 2. Hillary Clinton
No 3. ???
(hint: our enemies in cyber world)
Cyber black market is bigger than the cocaine market
Market size of the cybercrime market: $114 billion (cybercrime in 2011)
Market size of cocaine: $85 billion
Source: PwC's The Global State of Information Security Survey 2015
Source: The United Nations Office on Drugs and Crime, World Drug Report 2011
Cybercrime damage to the global market: $8 trillion in 5 years' time
Source: Juniper Research
Comparing the cybercrime market
Cybercrime market: $450 billion - $1 trillion
Illicit drugs: $321 billion
Human trafficking: $150 billion
$186 billion
Cybersecurity: $75 billion
Source: multiple sources from the Internet
Number of Detected Security Incidents in China/Hong Kong (all respondents, 2014 → 2015 → 2016): 241 → 1,254 → 2,577 (+969%)
Number of Detected Security Incidents Globally (2014 → 2015 → 2016): 4,948 → 6,853 → 4,782 (-3%)
* Source: The Global State of Information Security® Survey 2016 - Question 18: "What is the number of security incidents detected in the past 12 months?"
The mindset that explains why we see more cyber attacks in China and Hong Kong
Security Maturity & Benchmark (by Capability Area)
The diagram below shows the consolidated maturity ratings from 0 (low) to 5 (high) for each of the four top-level capability areas in the PwC Information & Cyber Security Framework.

IDENTIFY: Assesses the organisation's ability to understand the threats and appropriately manage the associated security risk to systems, assets, data and capabilities.
Large Bank Current State (X.x): Explanation of score provided
Peer Comparison (X.x): Explanation of score provided

PROTECT: Assesses the organisation's ability to implement security controls to reduce the risk of threats being realised (e.g. loss of data or system outage).
Large Bank Current State (X.x): Explanation of score provided
Peer Comparison (X.x): Explanation of score provided

DETECT: Assesses the organisation's ability to detect external and internal attacks of varying sophistication against its systems and data.
Large Bank Current State (X.x): Explanation of score provided
Peer Comparison (X.x): Explanation of score provided

RESPOND: Assesses the organisation's ability to respond to and recover from external and internal attacks against its systems and data.
Large Bank Current State (X.x): Explanation of score provided
Peer Comparison (X.x): Explanation of score provided
Security Maturity & Benchmark (by Capability)
The graph below shows the maturity ratings from 0 (low) to 5 (high) for each of the 23 capabilities in the PwC Cyber Security Framework.*
Key: Peers | Large Bank | Maximum Value | Upper Quartile

Control Maturity Rating Scale
The current control maturity definitions are based on CMMI, and each capability was scored 1-5 against defined requirements per capability. In summary, the maturity levels are as follows:
1. Controls exist but are largely ad hoc; there is a material number of implementation gaps or control deficiencies
2. Controls exist and are mostly formalised; there is a manageable number of implementation gaps or control deficiencies
3. Controls are formalised; there are few implementation gaps or control deficiencies, and metrics are defined but not always measured
4. In addition to level 3, metrics are measured and reported to management
5. Regular cycles of improvement are applied based on a continuous improvement programme

*The maturity axis scale reflects the effort and risk reduction benefits required to move between each level (e.g. there is significantly more effort and associated risk reduction in moving from managed to defined than from initial to managed).
Our Client's Current In-flight Security Improvement Initiatives
The diagram below highlights the identified key in-flight improvement initiatives across the InfoSec team, IT Security and IT, and which capability maturities they are expected to affect.
Consolidated Improvement Opportunities
The following diagram depicts high-level groupings of our consolidated improvement opportunities and indicative workstreams and timescales. It is provided to support the definition of an overall security improvement programme. The combination of workstreams aims to impact all 23 capabilities of the framework. We have highlighted several immediate priorities to consider implementing in the next 6 months to help manage risk. Further detail on each of the workstreams and activities A-J is also provided in this section.

Workstream | Immediate priorities (0-6 months) | Next level of maturity (6-18 months)
A  Improvement Area 1
B  Improvement Area 2
C  Improvement Area 3
D  Improvement Area 4
E  Improvement Area 5
(Each workstream is broken down into numbered actions, e.g. A1, B2, with an owner assigned to each, placed in one of the two time columns.)
Activity Key: Identify | Protect | Detect | Respond | Current in-flight initiative
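A worked benchmark calculation, added here as an illustration and not PwC's scoring method or the slides' own code: a constructed subset of capabilities is scored 1-5, consolidated per area by plain mean (an assumption; the slides do not say how area ratings are consolidated), compared against constructed peer scores on the upper quartile and maximum that the chart key names, and the resulting gaps are split into immediate (0-6 months) and next-level (6-18 months) priorities using a one-level threshold that is also an assumption.

```python
"""Maturity benchmark in the style of the slides: capabilities scored 1-5, consolidated
per capability area and compared with a peer group (upper quartile and maximum)."""
from statistics import mean, quantiles

# Constructed subset of capabilities grouped by the four areas (names are made up;
# the real framework has 23 capabilities).
AREAS = {
    "IDENTIFY": ["asset_inventory", "risk_assessment"],
    "PROTECT": ["access_control", "patching"],
    "DETECT": ["log_monitoring", "anomaly_detection"],
    "RESPOND": ["incident_response", "recovery"],
}
CAPS = [c for caps in AREAS.values() for c in caps]
# Constructed scores for the client ("Large Bank") and four peer organisations.
CLIENT = dict(zip(CAPS, [3, 2, 4, 2, 3, 1, 3, 2]))
PEERS = [dict(zip(CAPS, s)) for s in (
    [3, 3, 3, 3, 4, 2, 3, 3],
    [4, 3, 4, 4, 3, 3, 4, 3],
    [2, 2, 3, 3, 3, 2, 2, 2],
    [3, 4, 4, 3, 4, 3, 3, 4],
)]

def area_ratings(scores):
    """Consolidate capability scores into one rating per area (assumed: plain mean)."""
    return {area: round(mean(scores[c] for c in caps), 1) for area, caps in AREAS.items()}

def peer_benchmark(peers):
    """Per capability, the peer upper quartile and maximum (the two reference lines on
    the benchmark chart). Inclusive quartiles so a small peer group interpolates."""
    bench = {}
    for cap in CAPS:
        vals = [p[cap] for p in peers]
        bench[cap] = {"upper_quartile": quantiles(vals, n=4, method="inclusive")[2],
                      "max": max(vals)}
    return bench

def improvement_gaps(client, bench):
    """Capabilities where the client sits below the peer upper quartile, largest gap first."""
    gaps = [(cap, round(bench[cap]["upper_quartile"] - client[cap], 2))
            for cap in CAPS if client[cap] < bench[cap]["upper_quartile"]]
    return sorted(gaps, key=lambda g: g[1], reverse=True)

def prioritise(gaps, threshold=1.0):
    """Split gaps into immediate (0-6 months) and next-level (6-18 months) work. The
    one-maturity-level threshold is an assumption, not a figure from the slides."""
    return {"immediate": [c for c, g in gaps if g >= threshold],
            "next_level": [c for c, g in gaps if g < threshold]}

if __name__ == "__main__":
    print(area_ratings(CLIENT), prioritise(improvement_gaps(CLIENT, peer_benchmark(PEERS))))
```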
03 Benchmarking your IT maturity: People, Process & Technology
Percentage of IT budget on security
Profile: Defeatists | Denialists | Realists | Egoists
Description: Their IT security is weak and underfunded | Their IT security is weak but they lack full awareness of this reality | Their IT security is fair and they strive to be better | Their IT security is good but they risk over-confidence
Breaches compared to average: 23% | 37% | 23% | 17%
Breaches compared to average: More | More | Fewer | Fewer
Percentage of IT budget on security: 6% | 8% | 14% | 12%
Confidence in security defences: Low | High | Fewer | Fewer
Focus areas: Trial and error / little risk process | Technology over people/process | Employee training / benchmarking with outside peers | Formal risk process / hiring top-notch staff
Level of maturity out of 5: 1-2 | 2-3 | 3-4 | 4-5
Industry profile: Manufacturing | Public sector/infrastructure/telco | Retail/distribution | Finance

Current spend on IT security: 9.8% of IT budget
IDEAL spend on IT security: 13.7% of IT budget
Source: International Data Corporation (IDC), Determining How Much to Spend on Your IT Security, 2015
Benchmarking with peers: how good should we be, in reality?
Capability to detect/prevent lateral movement of an active APT within the internal network
Threat/exception reporting and forensics
• Sustainability of the endpoint agent (e.g., resists user interference)
• Protection of roaming PCs
• Sandbox analysis for links and attachments
• Decryption of attachments
• Exception/unscanned document management
• Custom signature generation for new malware
• Behaviour/attack pattern recognition
• C2 callback detection and blocking
Figure legend: Preventive control | Detective control | Attack path
Benchmarking with peers: how good should we be, in reality? Measuring both the impact and likelihood of malware attacks
Your capability to defend against real-life hacking
Within 24 hours of the exercise you will have an overview of how well you have performed. You will know, at each layer, whether or not your security tools are operating effectively.
Next steps to bring your security posture to the next level
The assessment will give you insights into what you have done well and, more importantly, what could be improved. You will be able to focus on the most critical weaknesses in your environment before hackers in the wild exploit them.
Your position among your peers in the industry
With the data we have collected from many other companies in the industry, you will also be able to visualise how you performed compared to the industry average.
To summarise
- Hacking trend: target the low-hanging fruit
- Defence trend: under-investment
- Benchmarking areas:
  - Resource (people, budget)
  - Process maturity (including security orchestration)
  - Technology defence
I am just one email / whatsapp away from you
© 2018 PwC. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers
LLP, a Delaware limited liability partnership, which is a member firm of
PricewaterhouseCoopers International Limited, each member firm of which is a separate legal
entity. This document is for general information purposes only, and should not be used as a
substitute for consultation with professional advisors.
Felix Kan
Exco Member, Cyber Security Specialist Group (CSSG)
Hong Kong Computer Society
Mobile: 9302 1051
Thank you for participating