Cybersec Infohub – Benchmarking your cyber security 2018

Sep 2018

Page 1

Cybersec Infohub – Benchmarking your cyber security 2018

Sep 2018 Cybersec Infohub – Benchmarking your cyber security

Page 2

Contact: Felix Kan, Director, Cybersecurity

Today's Agenda:

01 Digital trends that add more cyber challenges for the industry

02 Benchmarking your IT control processes – NIST maturity assessment

03 Benchmarking your IT resources – How much should you spend on IT security?


Page 3


Page 4

TIME magazine “Person of the Year 2016”

No 1. Donald Trump

No 2. Hillary Clinton

No 3. ???

(hint: our enemies in the cyber world)


Page 5

The cyber black market is bigger than the “cocaine” market

- Market size of the cybercrime market: $114 billion (cybercrime in 2011). Source: PwC’s The Global State of Information Security Survey 2015

- Market size of cocaine: $85 billion. Source: The United Nations Office on Drugs and Crime, World Drug Report 2011

- Cyber crime damage to the global market: $8 trillion in 5 years’ time. Source: Juniper Research


Page 6

Comparing the cybercrime market

- Cybercrime market: $450 billion - $1 trillion

- Illicit drugs: $321 billion

- Human trafficking: $150 billion

- (unlabelled bar in the chart): $186 billion

- Cybersecurity: $75 billion

Source: multiple sources from the Internet


Page 7

* Source: The Global State of Information Security® Survey 2016 - Question 18: “What is the number of security incidents detected in the past 12 months?”

Number of Detected Security Incidents in China/Hong Kong, 2014–2016 (chart values: 241; 1,254; 2,577; labelled change: +969%)

Number of Detected Security Incidents Globally, all respondents, 2014–2016 (chart values: 4,782; 6,853; 4,948; labelled change: -3%)

The mindset that explains why we see more cyber attacks in China and Hong Kong


Page 8


Page 9


Security Maturity & Benchmark (by Capability Area)

The diagram below shows the consolidated maturity ratings from 0 (low) to 5 (high) for each of the four top level capability areas in the PwC Information & Cyber Security Framework.

IDENTIFY: Assesses the organisation’s ability to understand the threats and appropriately manage the associated security risk to systems, assets, data and capabilities.

Large Bank Current State (X.x): Explanation of score provided

Peer Comparison (X.x): Explanation of score provided

PROTECT: Assesses the organisation’s ability to implement security controls to reduce the risk of threats being realised (e.g. loss of data or system outage).

Large Bank Current State (X.x): Explanation of score provided

Peer Comparison (X.x): Explanation of score provided

DETECT: Assesses the organisation’s ability to detect external and internal attacks of varying sophistication against its systems and data.

Large Bank Current State (X.x): Explanation of score provided

Peer Comparison (X.x): Explanation of score provided

RESPOND: Assesses the organisation’s ability to respond to and recover from external and internal attacks against its systems and data.

Large Bank Current State (X.x): Explanation of score provided

Peer Comparison (X.x): Explanation of score provided


Page 10

*The maturity axis scale reflects the effort required, and the risk reduction gained, in moving between levels (e.g. moving from Managed to Defined takes significantly more effort and yields more risk reduction than moving from Initial to Managed).

Security Maturity & Benchmark (by Capability)

The graph below shows the maturity ratings from 0 (low) to 5 (high) for each of the 23 capabilities in the PwC Cyber Security Framework.

Control Maturity Rating Scale

The current control maturity definitions are based on CMMI, and each capability was scored 1-5 against defined requirements per capability. In summary, the maturity levels are as follows:

1. Controls exist but are largely ad hoc; there are a material number of implementation gaps or control deficiencies

2. Controls exist and are mostly formalised; there are a manageable number of implementation gaps or control deficiencies

3. Controls are formalised; there are few implementation gaps or control deficiencies, and metrics are defined but not always measured

4. In addition to level 3, metrics are measured and reported to management

5. Regular cycles of improvement are applied based on a continuous improvement programme

Key: Peers, Large Bank, Maximum Value, Upper Quartile
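As an added illustration, not from the slides or PwC's framework, this is the consolidation the two benchmark slides describe: per-capability 1-5 scores are averaged into the four top-level areas and set against the peer upper quartile. The capability names, the area mapping and every score are constructed sample data; the framework's 23 real capabilities are not listed on the page.

```python
"""Consolidate 1-5 capability maturity scores into the four top-level areas
and benchmark each area against the peer upper quartile (Q3)."""
from statistics import mean, quantiles

# Constructed mapping of hypothetical capabilities to top-level areas.
AREA_OF = {
    "asset_inventory": "Identify", "risk_assessment": "Identify",
    "access_control": "Protect", "patching": "Protect", "awareness": "Protect",
    "monitoring": "Detect", "threat_intel": "Detect",
    "incident_response": "Respond", "recovery": "Respond",
}
CAPS = list(AREA_OF)

def scores(*values):
    """Build a capability -> score dict from scores given in CAPS order."""
    return dict(zip(CAPS, values))

# Constructed sample data: the client ("Large Bank") and five anonymised peers.
CLIENT = scores(3, 2, 3, 2, 4, 2, 1, 3, 3)
PEERS = [scores(3, 3, 3, 3, 3, 2, 2, 2, 2), scores(4, 4, 4, 4, 4, 3, 3, 3, 3),
         scores(2, 2, 2, 2, 2, 3, 3, 4, 4), scores(3, 4, 3, 3, 3, 4, 4, 3, 3),
         scores(3, 3, 2, 3, 3, 2, 3, 3, 4)]

def area_ratings(cap_scores):
    """Consolidated rating per area: mean of its capability scores, 1 decimal."""
    per_area = {}
    for cap, score in cap_scores.items():
        per_area.setdefault(AREA_OF[cap], []).append(score)
    return {area: round(mean(v), 1) for area, v in per_area.items()}

def peer_upper_quartile(peer_scores):
    """Q3 of each area rating across peers (statistics.quantiles, inclusive)."""
    ratings = [area_ratings(p) for p in peer_scores]
    return {area: round(quantiles([r[area] for r in ratings], n=4,
                                  method="inclusive")[2], 1)
            for area in ratings[0]}

def benchmark(client, peers):
    """Per area: (client rating, peer Q3, gap); a negative gap means the
    client sits below the peer upper quartile in that area."""
    own, q3 = area_ratings(client), peer_upper_quartile(peers)
    return {a: (own[a], q3[a], round(own[a] - q3[a], 1)) for a in own}

if __name__ == "__main__":
    for area, (own, q3, gap) in benchmark(CLIENT, PEERS).items():
        print(f"{area:<9} client {own:.1f}  peer Q3 {q3:.1f}  gap {gap:+.1f}")
```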


Page 11

Our Client's Current In-flight Security Improvement Initiatives

The diagram below highlights the identified current key in-flight improvement initiatives across the InfoSec team, IT Security and IT, and which capability maturities they are expected to impact.

(Template table: ten rows of “Improvement programme” / “Description” placeholders)


Page 12

Consolidated Improvement Opportunities

Columns in the original chart: #, Workstream, Immediate priorities (0-6 months), Next level of maturity (6-18 months); each action is tagged with an Owner.

#  Workstream          Actions (template placeholders)
A  Improvement Area 1  A1. Action, A2. Action, A3. Action
B  Improvement Area 2  B1. Action, B2. Action, B3. Action, B4. Action, B5. Action, B6. Action
C  Improvement Area 3  C1. Action, C2. Action
D  Improvement Area 4  D1. Action, D2. Action, D3. Action, D4. Action
E  Improvement Area 5  E1. Action, E2. Action, E3. Action

Activity Key: Identify, Protect, Detect, Respond; Current in-flight initiative

The following diagram depicts high-level groupings of our consolidated improvement opportunities and indicative workstreams and timescales. It is provided to support the definition of an overall security improvement programme. The combination of workstreams aims to impact all 23 capabilities of the framework. We have highlighted several immediate priorities to consider implementing in the next 6 months to help manage risk. Further detail on each of the workstreams and activities A-J is also provided in this section.


Page 13

Contact: Felix Kan, Director, Cybersecurity

Today's Agenda:

01 Digital trends that add more cyber challenges for the industry

02 Benchmarking your IT control processes – NIST maturity assessment

03 Benchmarking your IT maturity: People, Process & Technology


Page 14

Percentage of IT budget on security

Segment      Profile
Defeatists   Their IT security is weak and underfunded
Denialists   Their IT security is weak but they lack full awareness of this reality
Realists     Their IT security is fair and they strive to be better
Egoists      Their IT security is good but they risk over-confidence

                                       Defeatists   Denialists   Realists   Egoists
Share of organisations (sums to 100%)  23%          37%          23%        17%
Breaches compared to average           More         More         Fewer      Fewer
Percentage of IT budget on security    6%           8%           14%        12%
Confidence in security defences        Low          High         Fewer      Fewer
Level of maturity (out of 5)           1-2          2-3          3-4        4-5

Focus areas: Defeatists: trial and error / little risk process; Denialists: technology over people/process; Realists: employee training / benchmarking with outside peers; Egoists: formal risk process / hiring top-notch staff

Industry profile: Defeatists: manufacturing; Denialists: public sector/infrastructure/telco; Realists: retail/distribution; Egoists: finance

Current spend on IT security: 9.8% of IT budget

IDEAL spend on IT security: 13.7% of IT budget

Source: International Data Corporation (IDC) Determining How Much to Spend on Your IT Security 2015


Page 15

Benchmarking with peers: how good we should be, in reality?

Capability to detect/prevent lateral movement of an active APT within the internal network

Threat/exception reporting and forensics

• Sustainability of the endpoint agent (e.g., resists user interference)

• Protection of roaming PCs

• Sandbox analysis for links and attachments

• Decryption of attachments

• Exception/unscanned document management

• Custom signature generation for new malware

• Behaviour/attack pattern recognition

• C2 callback detection and blocking

Diagram key: Preventive control, Detective control, Attack path


Page 16

Benchmarking with peers: how good we should be, in reality?

Measuring both the impact and likelihood of malware attacks

Your capability to defend against real-life hacking

Within 24 hours after the exercise, you will have an overview of how well you have performed. You will know, at each layer, whether or not your security tools are operating effectively.

Next steps to bring your security posture to the next level

The assessment will give you insights into what you have done well and, more importantly, what could be improved. You will be able to focus on the most critical weaknesses in your environment to defend against hackers in the wild.

Your position among your peers in the industry

With the data we have collected from many other companies in the industry, you will also be able to visualise how you performed compared to the industry average.


Page 17

To summarise

- Hacking trend: target the low-hanging fruit

- Defence trend: under-invest

- Benchmarking areas:

  - Resource (people, budget)

  - Process maturity (including security orchestration)

  - Technology defence


Page 18

I am just one email / whatsapp away from you

© 2018 PwC. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

Felix Kan

Exco Member, Cyber Security Specialist Group (CSSG)

Hong Kong Computer Society


Mobile: 9302 1051

Page 19

Thank you for participating
