Tech Trends for Consumer Products 2013 Elements of postdigital

Post on 21-May-2020


Preface

Welcome to Deloitte’s annual report examining trends in technology put to business use. Once again, we’ve selected ten topics that have the potential to impact businesses over the next 18 to 24 months.

Developing the list of trends is an ongoing process of primary and secondary research. The process includes:

• Feedback from client executives on current and future priorities
• Input from Deloitte industry and practice leaders
• Perspectives from industry and academic luminaries
• Research from alliance partners, industry analysts, and competitor positioning
• Crowd-sourced ideas and examples from our global network of practitioners

This year’s theme, Elements of postdigital, examines the convergence and controlled collision of five forces – Analytics, Mobile, Social, Cloud, and Cyber – as businesses move closer to achieving the possibilities of the Postdigital Enterprise™, where all five forces are mature, implemented, integrated, and baked-in instead of bolted-on. These five forces offer a new set of tools for business, opening the door to a new set of rules for operations, performance, and competition. IT can deliver engagement and empowerment to business customers, both innovating and industrializing.

The Postdigital era, like the post-industrial era, reflects a “new normal” for business and a new basis for competition. In post-industrial times, we didn’t forego industrialization, we embraced it. The Postdigital era is similar, but with digitalization as its core.

It’s an uncommon time to have five forces – all newly emerged, all evolving, all technology-centric – already impacting business so strongly. It is an opportunity for IT to deliver extraordinary value via modest investments on top of a strong legacy technology footprint.

Our 2013 report shares ten trends grouped into two categories. Disruptors are opportunities that can create sustainable positive disruption in IT capabilities, business operations, and sometimes even business models. Enablers are technologies in which many CIOs have already invested time and effort, but which warrant another look because of new developments or opportunities. Enablers may be more evolutionary than revolutionary, but the potential is often there nonetheless to elevate the business game.

For 2013 we have also attempted to personalize our general Tech Trends article to include topics and examples specifically relevant to the Consumer Product industry. While we have maintained much of the rich content contained in the original version of this article, we’ve specifically included examples from leading Consumer Products companies such as Schwan’s (Mobile Only and Beyond) and OfficeMax (Design as a Discipline), and have also featured our collaboration on Big Data with the Grocery Manufacturers Association (GMA).

Each topic also includes an external point-of-view in the My Take. This year, you’ll also find a new section called Flying Car Future, which takes a provocative view into where the trend may be headed in Horizon 3 – and beyond. Last but not least, where we deem applicable, we’ve included our Consumer Products perspective to share our industry insight on the implications of the respective trend.

Each of the 2013 trends is relevant today. Each has significant momentum and potential to make an impact. And each warrants timely consideration. Forward-thinking Consumer Products organizations should consider developing an explicit strategy in each area – even if that strategy is to wait and see. But whatever you do, step up. Provoke and harvest disruption. Don’t get caught unaware or unprepared.

Thank you for your interest in this year’s report. We welcome your feedback and questions. To the many executives who have provided input into Tech Trends for Consumer Products 2013, thank you for your time and insight. We look forward to having more of the essential dialog between business and IT.

2013 Technology Trends

Alan Langhals, Principal, Deloitte Consulting LLP

Suketu Gandhi, Principal, Deloitte Consulting LLP

Matt Law, Principal, Deloitte Consulting LLP

Darwin Deano, Senior Manager, Deloitte Consulting LLP


At a Glance

CIO as the Postdigital Catalyst

Catalyzing value from the elements of mobile, social, analytics, cloud and cyber

CIOs can lead the move to tomorrow – reshaping business as usual, and driving innovation. They are faced with unprecedented opportunity for innovation such as the potential to enable Customer Intimacy at scale for Consumer Products Organizations. How should business respond? When CIOs harness the convergence of the five postdigital forces, they can change the conversation from systems to capabilities and from technical issues to business impact. Plan big, start small, fail fast, scale appropriately.

Mobile Only (and beyond)

The enterprise potential of mobile is greater than today’s smartphone and tablet apps

Mobile should be top of mind for organizations. But don’t limit your ideas to Mobile First. Think Mobile Only, imagining an untethered, connected enterprise. The next wave of mobile may fundamentally reshape operations, businesses and marketplaces – delivering information and services to where decisions are made and transactions occur. The very definition of mobile is changing – as evidenced by our featured Consumer Products organization that already improved customer service efficiency and quality through the Mobile Only paradigm.

Social Reengineering by Design

How work gets done is no longer constrained by 19th century platforms

Businesses are no longer building technologies just to enable interaction – they are now engineering social platforms for specific context – platforms that can relieve rather than serve traditional organizational constraints such as deep hierarchies, command-and-control cultures, physical proximity and resource concentration. Social reengineering can fundamentally transform how work gets done, but it isn’t just a “project.” It’s a strategy. It’s time to uncover the opportunities for Consumer Product organizations to harness the power of the crowd to augment business operations through external communities.

Design as a Discipline

Inherent, pervasive and persistent design opens the path to enterprise value

Driven by consumer experience, intuitiveness and simplicity are moving from IT aspirations to enterprise mandates. Design is not a phase; it’s a way of thinking. Beyond look and feel, beyond user interfaces. Isolated in silos of user experience (UX), marketing and product development, individual design functions may be reaching their limits. What’s needed is a collaborative, immersive environment to work together. Design is not just an “IT thing” or a “marketing thing” or a “product engineering thing.” It’s an enterprise thing as evidenced by our featured Consumer Products organization that dramatically improved user productivity and customer experience.

IPv6 (and this time we mean it)

Ubiquitous connected computing is straining the underlying foundation of the Internet

Internet Protocol is the foundation of networking, but we’ve run out of addressable space for addressable items. The more important it is for your business to connect with the outside world, the more important IPv6 is for your future – and the more urgent this issue is for you today. IP addresses are woven deep into applications and infrastructure, and migration can bring challenges. While there’s no drop dead date for IPv6, the final IPv4 address blocks have already been allocated. Careful and proper adoption will take time for planning, execution and verification. The time to start is now.

Disruptors

Opportunities that can create sustainable positive disruption in IT capabilities, business operations, and sometimes even business models.


Finding the Face of Your Data

Fuse people and technology to discover new answers in data – and new questions, too

Humans do some things really well, while computers are better at other things. It is this particular combination that enables the identification of new patterns and relationships across dimensions of data – structured and unstructured, internal or external, big or otherwise. By combining human insight and intuition with machine number-crunching and visualization, companies can answer questions they’ve never answered before. For Consumer Products organizations, Deloitte’s collaboration with the Grocery Manufacturer’s Association is raising awareness of the business value of data visualization.

Gamification Goes to Work

Driving engagement by embedding gaming in day-to-day business processes

Gamification can encourage engagement and change employee, customer and supplier behavior, creating new ways to meet business objectives. The goal is to recognize and encourage behaviors that drive performance – sometimes in unlikely places. This trend has moved beyond hype and is already demonstrating business value. More specifically, Deloitte’s collaboration with the Grocery Manufacturer’s Association is exposing the significant potential for consumer-targeted applications (such as in-store gamification).

Reinventing the ERP Engine

Revving up data, hardware, deployment and business model architectures at the core

If you could really get ERP cheaper and faster, what would you do differently? Run materials requirement planning (MRP) many times each day? Close the books in a matter of minutes? Optimize delivery routes on-the-fly in response to new orders, traffic or customer preferences? What would it mean for business agility, capability and competitiveness? If approached with a focus on reinventing business capabilities, the evolution of the ERP engine can yield significant competitive edge.

No Such Thing as Hacker-proof

If you build it, they will hack it. How do you deal with that?

You’ve either been breached – or you soon will be. Your boss knows it, your business knows it, your board knows it, your customers know it, and hackers know it. It’s your job to deal with it. That means changing the way you think about defending yourself. Be more proactive about the threat – and react more rapidly when breaches do occur. Detect them quickly, respond, clean up and adjust your tactics. Be outward-facing, prepared and ready in advance. Anticipate and prevent when possible, but be ready to isolate and encapsulate intrusions to minimize impact. It’s better to lose a finger than to lose an arm.

The Business of IT

After reengineering the rest of the business, IT’s children deserve some shoes

Fragmented processes and systems can prevent IT from effectively delivering on the changing demands of the business. IT may need to transform its own management systems to keep up. Is this ERP for IT? Maybe someday. Today, CIOs are crafting solutions from industry-leading products and testing business cases at each step. And the potential benefits are worth the investment – not only in driving down costs and better managing risks, but in positioning IT as the business partner in provoking and harvesting disruption in the Postdigital era.

Enablers

Technologies in which many CIOs have already invested time and effort, but which warrant another look because of new developments or opportunities.


Contents

CIO as the Postdigital Catalyst

Mobile Only (and beyond)

Social Reengineering by Design

Design as a Discipline

IPv6 (and this time we mean it)

Finding the Face of Your Data

Gamification Goes to Work

Reinventing the ERP Engine

No Such Thing as Hacker-proof

The Business of IT

Conclusion

Contributors


Enablers


9 No Such Thing as Hacker-proof

You’ve been breached, or you soon will be. Now what?

Who can forget that great line from the movie Field of Dreams? “If you build it, they will come.” It’s an inspiring incentive of future rewards to be reaped for challenging work today. But in the realm of cyber-threat defense, it is also an unfortunate likelihood. If you build something of value, others will likely come to steal it. No matter how you secure your environment. No matter how many redundant walls or how many futile moats you have.

Cyber criminals are often well-resourced and potentially even nation-state sponsored. They can be highly capable, methodical, and patient – and their tactics keep shifting. To be sure, “smash and grab” attacks still occur, with hackers compromising a system to steal something like credit card data, and then moving on. Now, though, there is growing occurrence of the “long-term dwell.” Adversaries can gain undetected access and maintain a persistent, long-term presence in critical IT environments, operating below the radar of the victim organization’s cyber team.

The motivation? There are sophisticated, lucrative markets for monetizing a wide range of stolen intellectual property. Symantec placed the cost of IP theft to United States companies at $250 billion a year, with global cybercrime costing $114 billion annually – $388 billion after factoring in downtime. McAfee estimates that $1 trillion was spent globally for remediation.¹ Before he retired as the Executive Assistant Director of the FBI (and its lead agent on cyber crime), Shawn Henry told Congress of one situation in which an American company had all the data associated with a 10-year, $1 billion research program copied by hackers in one night. General Keith Alexander, head of the military’s cyber command and Director of the National Security Agency, called the continuing, rampant theft of intellectual property and trade secrets “the greatest transfer of wealth in history.”² Cyber criminals are often targeting research and development data, marketing and product strategies, intellectual property, and other business-sensitive information for financial gain and competitive advantage. In federal and critical infrastructure industries, their ultimate goal is often to disadvantage our national security.

Meanwhile, many organizations may have a false sense of security, perhaps even complacency, resulting from their investments in non-agile security tools and processes they have relied on for years. Yet firewalls, antivirus, intrusion detection systems (IDS), and intrusion prevention systems (IPS) are increasingly less effective as attackers leverage encryption and other innovative techniques to evade them. Many companies are failing to detect long-dwell cyber crimes in their IT environments and misallocating limited resources to lesser, more generic threats. Basic security blocking and tackling is valuable, but is in no way sufficient. Richard Clarke, former cyber security advisor to the White House, believes “every major company in the United States has already been penetrated.”³

Organizations across many industries need to up their games. That can require changing the lens through which they view cyber risk – not relying upon traditional security controls revealing tell-tale signs of an effective attack – but leveraging intelligence and advanced techniques to identify the coming threat and proactively respond.

Move from reactive to proactive. Leverage intelligence from both internal and external sources. Use forensic and analytic techniques to drive timely decision-making and proactive responsiveness to hostile activities in the network. Mine intelligence for improved incident attribution to develop a deeper understanding of the origin of the attacks and track specific adversaries to enhance future risk analysis. Quickly detect, isolate, and contain an event when it occurs.

And remember: there is no such thing as hacker-proof.

Does that mean we should surrender the fight? Of course not. There have been and will likely be breaches. Move forward boldly, advance your tactics to meet those of the adversary, and contain the risk against your valuable assets.


History repeating itself?

Network security and data protection have been the focus of information security programs for many years. Additionally, compliance initiatives such as SOX, PCI DSS, GLBA, and HIPAA⁴ have further stressed the need for access controls, vulnerability management, security patching, and more. In response, many companies have deployed a wide range of technologies to protect themselves and meet compliance requirements. Many started by hardening the perimeter defense. That wasn’t sufficient, so investments were begun – though not always completed – to build defense-in-depth. Many companies have more recently started to address issues of insider threats and advanced persistent threats. Again, not always with the rigor needed.

Today the cybercrime landscape represents a set of highly specialized criminal products and services that are often able to target specific organizations using sophisticated malware exploits and anonymization systems, which routinely evade many of the security controls established over the last several years.


Threat detection and intelligence

What were the challenges?

• Hardening and detection efforts were focused on the perimeter – expecting threats to emerge from external forces.
• Breach response was event-based, triggered when systems or people detected the effective exploit of an identified vulnerability.
• Standing budgets for security remained small, in some cases dwarfed by the sum of costs for fire-drill responses to incidents.
• Companies didn’t focus on understanding their information assets, collecting and correlating threat intelligence, and devising solutions commensurate with risk. Too many security agendas were (and in many cases still are) based on generic, non-specific threats.
• Security technology focused on broad signature-based network security and endpoint protection solutions to identify attacks, combat viruses and worms, and protect against incidents.

What’s different in 2013?

• Detection systems are likely insufficient – as are prevention systems. Tactical skills should change. The focus now should be on understanding internal and external activities – integrating today’s threat detection into an event management system and intelligence-driven approach.
• It is not enough to protect tomorrow from yesterday’s threats. Solutions should be put in place to understand and mitigate risks – not just as compliance checks. Cyber attacks and security breaches are increasing in frequency and sophistication, with discovery usually occurring well after the fact, if at all.
• Security should now be viewed as a smoke detector instead of a fire truck, with proactive agendas based on risk and value. Incident response should be required, but is not likely the primary objective of the Chief Security Officer (CSO).
• Many organizations are initiating “cyber-threat intelligence” assessments to understand how information is managed internally – and valued externally. They are also deploying continuous sense-and-adapt approaches that leverage next-generation network security technologies.
• Tools and processes should move from managing incidents to recognizing patterns, allowing automated identification, prevention, and closure of risks.
• Current perimeter-intrusion detection, signature-based anti-malware, and antivirus solutions often provide little defense and are becoming obsolete. For example, cyber criminals now often use encryption technology and malware production toolkits to avoid detection.

Cyber criminals

What were the challenges?

• Drivers for security attacks were fairly straightforward (notoriety, financial gain, etc.), widely dispersed (targets of opportunity), and often quite noisy – the digital equivalent of the “smash and grab.”

What’s different in 2013?

• Increasingly there appears to be a nexus between cybercrime and a variety of other threats including hactivism, terrorism, industrial espionage, and cyber warfare. Commercial and federal organizations are likely targets of choice, not chance.


Technology implications

Building tomorrow’s intelligence-driven, proactive cyber program requires a systematic enterprise-wide approach – equal parts governance, change management, process redesign, and technology. The people and operational impacts can be significant. But so are the required underlying technologies needed. Organizations should build out capabilities to defend, detect, model, predict, respond, isolate, and recover in order to prepare for today’s advanced threats. What does a modernized, battle-ready cyber-threat program look like?

Topic: Identity, Credential, and Access Management (ICAM)

Description: Core security requirements continue to be critically important, building from traditional enterprise identity, credential, and access management solutions. Authenticating users, assets, and systems; managing entitlements; and encrypting data at rest, in flight, and in use. These requirements (and others such as vulnerability, asset and patch management, etc.) help form the foundation of technical risk management and are table stakes in developing an advanced cyber-intelligence capability. Many leading organizations are also integrating logical and physical security – another step towards one unifying view of authorization and entitlements for individuals, and a more holistic treatment of the threat landscape.

Topic: Threat awareness

Description: Automated network and malware forensic analysis are needed, as well as intelligence collection from honeypots or other ‘baiting’ operations. This can require dynamic and continuously evolving threat registries, as well as dedicated security analysts that can correlate external threat intelligence with internal threat analysis based on knowledge of the business.

Topic: Security Information & Event Management (SIEM) solutions

Description: Detailed logging and SIEM are also table stakes when it comes to building advanced cyber-threat management capabilities. The stream of event data, when combined with internal and external intelligence, can allow correlation, analysis, and subsequent detection of threats that would otherwise go unnoticed.

Additionally, a SIEM solution can serve as a fundamental building block in developing a threat defense architecture and related automation to monitor the evolving threat landscape, and take precautionary measures before incidents occur.

When incidents do occur, event data is critical in order to triage what has transpired and respond in a timely manner.

Topic: Unstructured and semi-structured inputs and intelligence

Description: Develop sources for intelligence internally and externally. Leverage open source and commercial intelligence regarding known botnet signatures, malicious IPs, hostile domains, malicious hash values, etc. Harvest data from internal systems via SIEM, as well as directly from infrastructure components (e.g., DNS lookup data, DHCP lease information, and proxy logs).

Invest in data collection and analysis solutions – allowing automated crawling and information parsing from web logs, email, RSS readers, social networks, and transactional system activity. Use cyber analytics – linked to threat rosters and known business risks and fraud issues – to identify potential areas of escalating risk.

Topic: Cyber intelligence

Description: Render the intelligence actionable – add cyber forensics and analytics to develop a cyber-threat intelligence database and analyst portal with integrated threat response playbooks. Improve the quality of the intelligence through analyst contribution and intelligence tagging. Cultivate strong relationships with security researchers, law enforcement, and CERT teams to share information and extend your network – which can be critical during investigation and takedown. Finally, address cyber logistics – secure supply chain, operational security, personnel security, and facility security – as the fourth leg of the cyber-intelligence approach.

Topic: Asset protection

Description: A combination of change, device, rights, and content management is needed. For physical assets, focus on the need to maintain inventory, monitor usage, and promote firmware and operating environment updates to servers, desktops, mobile devices, and equipment. For digital assets, classify, encrypt, and protect structured, semi-structured, and unstructured content from being accessed or manipulated.
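The correlation described in the SIEM and intelligence rows above (hostile domains and malicious IPs checked against DNS lookup data and proxy logs, with DHCP lease information used to name the host behind an address) can be sketched as follows. This is an added Python example, not code from the report; the log layouts, indicators, addresses and host names are all constructed assumptions.

```python
"""Added example: match intel indicators against DNS and proxy events and
attribute each hit to a host via DHCP lease history. All data is constructed."""
import csv
import io
import ipaddress
from datetime import datetime

# Constructed intel feed: hostile domains and malicious IP ranges.
INDICATORS = {
    "domains": {"bad-updates.example", "c2.invalid"},
    "networks": ["203.0.113.0/28", "198.51.100.77/32"],
}

# Constructed DNS lookup data (assumed CSV layout).
DNS_LOG = """\
ts,client_ip,qname
2013-03-04T09:15:02,10.0.5.23,www.intranet.test
2013-03-04T09:15:40,10.0.5.23,cdn.bad-updates.example
2013-03-05T02:11:09,10.0.5.23,C2.INVALID.
2013-03-05T02:12:00,10.0.5.40,notbad-updates.example
"""

# Constructed proxy log (assumed CSV layout).
PROXY_LOG = """\
ts,client_ip,dest_ip,bytes_out
2013-03-05T02:11:30,10.0.5.23,203.0.113.9,48211
2013-03-05T02:13:00,10.0.5.40,192.0.2.10,512
2013-03-06T11:00:00,10.0.9.9,198.51.100.77,90
"""

# Constructed DHCP lease history; note 10.0.5.23 changes hands overnight.
DHCP_LEASES = """\
ip,host,start,end
10.0.5.23,LAPTOP-FIN-07,2013-03-04T08:00:00,2013-03-04T20:00:00
10.0.5.23,KIOSK-LOBBY-2,2013-03-05T00:00:00,2013-03-05T12:00:00
10.0.5.40,DESKTOP-HR-11,2013-03-05T00:00:00,2013-03-05T12:00:00
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def domain_match(qname, bad_domains):
    """Return the indicator that qname equals or is a subdomain of, else None.
    Matching is on label boundaries, so 'notbad.example' != 'bad.example'."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in bad_domains:
            return candidate
    return None


def ip_match(ip, networks):
    """Return the indicator network containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def host_for(ip, when, leases):
    """Name the host that held ip at time `when`; leases are half-open windows."""
    for lease in leases:
        start = datetime.fromisoformat(lease["start"])
        end = datetime.fromisoformat(lease["end"])
        if lease["ip"] == ip and start <= when < end:
            return lease["host"]
    return "unattributed"  # static address or a gap in lease data


def correlate(dns_log, proxy_log, dhcp_leases, indicators):
    """Return time-ordered hits: dicts with ts, source, indicator, client_ip, host."""
    leases = _rows(dhcp_leases)
    nets = [ipaddress.ip_network(n) for n in indicators["networks"]]
    hits = []
    for source, rows, matcher in (
        ("dns", _rows(dns_log), lambda r: domain_match(r["qname"], indicators["domains"])),
        ("proxy", _rows(proxy_log), lambda r: ip_match(r["dest_ip"], nets)),
    ):
        for row in rows:
            indicator = matcher(row)
            if indicator is None:
                continue
            when = datetime.fromisoformat(row["ts"])
            hits.append({"ts": when, "source": source, "indicator": indicator,
                         "client_ip": row["client_ip"],
                         "host": host_for(row["client_ip"], when, leases)})
    return sorted(hits, key=lambda h: h["ts"])


def summarize(hits):
    """Map each host to the sorted list of distinct indicators it touched."""
    by_host = {}
    for hit in hits:
        by_host.setdefault(hit["host"], set()).add(hit["indicator"])
    return {host: sorted(inds) for host, inds in by_host.items()}


if __name__ == "__main__":
    for h in correlate(DNS_LOG, PROXY_LOG, DHCP_LEASES, INDICATORS):
        print(h["ts"].isoformat(), h["source"], h["indicator"], h["client_ip"], h["host"])
```

Because the same client address is leased to two machines on consecutive days, attributing by IP alone would blame the wrong host; the lease lookup by event time is what separates them.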


Lessons from the frontlines

To the thief go the spoils

The oil and gas industry in the U.S. has found itself the target of several multi-year cyber-attack campaigns that targeted business leaders in order to compromise field exploration and bid data, as well as field production information. The tactics have varied in small ways but appear to follow the same general approach:

• Conduct direct attacks against Internet-facing systems, as well as spear phishing (targeted email attacks) of managers and officers in the company, in an effort to gain access to systems that open the door to the broader network

• Once access is gained, the attack deploys additional tools to harvest user credentials and identify sensitive data on network drives and in email. This can be done in ways that avoid detection and remain in the network for months or even years

• Once sensitive information is obtained, the data is extracted from the organization’s network without raising alarms or suspicion

The weakest link

A number of effective recent attacks often started not with the victim organization itself, but a ‘trusted’ partner or service provider. Adversaries will often profile an organization, including its business partners and service providers upon whom the company relies, looking for the path of least resistance. For example, the easiest way into a corporate network may be through a partner’s VPN connection. Though a partner is often seen by the victim as a trusted source, such partners may not have the same degree of protection in place and little ‘real world’ visibility into their partner’s security posture.

Additionally, cyber security companies themselves are now coming under attack, as adversaries seek to compromise the products that organizations use for protection. Without transparency into the broader ecosystem, organizations may be missing important parts of the security picture.

“Free” IP

There’s no shortage of examples of advanced persistent threat (APT) breaches at technology product companies, where intellectual property is a recognized asset – and a primary hacker objective. In 2009, Operation Aurora victimized more than 30 companies, including some of the largest technology brands known today⁵. What were the adversaries after? Product source code – a rich target for multiple reasons:

• Stealing the time, talent, and money invested in requirements gathering, design, development, and refinement of a commercial software product

• Preparing a competitor to get to market first, leveraging what you already built, without the time or cost associated with IP development

• Embedding hostile code within the application and then pushing the code ‘into the wild’ to compromise a larger number of companies

For a software product that is widely used, access to source code may allow the adversary to identify generally unknown vulnerabilities and leverage that knowledge to attack a broader array of companies.


Gary Warzala, Chief Information Security Officer, Visa

My take

When it comes to information security, our adversaries have become much more sophisticated and greater in number, from nation-states exercising rogue diplomacy across thousands of miles, to “hacktivists” infiltrating systems in the name of political demonstration. Moreover, many have moved away from “smash and grab” tactics and now try to embed themselves in networks indefinitely, leading information security professionals to put a focus not only on preventing breaches before they happen, but on detecting them – as quickly as possible, not in weeks or months or even years after the fact.

Despite this ever-changing landscape, we continue to hear about new technologies purporting to “hacker-proof” corporate systems, evoking the century-old claim – tragically debunked – that the Titanic was unsinkable. So rather than measure ourselves against what is an elusive goal, it is incumbent on each of us in the security profession to raise the level of skills within our organizations on a daily basis – by strengthening the technological and cultural infrastructure to thwart our adversaries, anticipating threats on the horizon, and empowering our team to decisively address breaches in security as they happen.

The first step is strengthening barriers to entry into our organizations – not by deploying whatever new security technology is the flavor of the day, but by focusing on the basics and doing them well. The initial compromise in 90% of breaches requires a low-to-medium skill level, which demonstrates the importance of having the security fundamentals firmly in place – such as a secure network, timely patching, robust logging and monitoring, strong access controls, and end-user education and training designed to enhance the culture of security within your organization.

Second, with a stronger culture and security infrastructure in place, protecting an enterprise requires a clear understanding of who the adversaries are, their methods and objectives, and what assets they may target. Since there is no way to spend your way to total security, this “threat profile” can help organizations make risk-based decisions about where they can invest in security programs and where to introduce controls to mitigate the most likely threats. Periodically update this threat profile to keep up with new innovations and processes throughout your organization, which often introduce new risks that should be considered and managed.

Finally, but most importantly, surround yourself with a team of security professionals that are as skilled and passionate as your organization’s adversaries – a team of “digital first responders.” Time and time again organizations often deploy security technologies assuming that, on their own, the technologies will somehow protect their enterprises. But without capable security professionals who can articulate the threats and risks, identify the detective and preventative controls, and work to operationalize effective solutions, these technological investments are often in vain.

While there is no “hacker-proof” silver bullet, if history is any indicator, the ingredients for success likely lie in the day-in, day-out focus on improved security skills within our organizations. By having a dedicated focus on the fundamentals of information security, anticipating threats on the horizon, and developing the best talent possible, enterprises can be prepared for the worst.


Flying car future

Today’s cyber-threat solutions are reminiscent of clinical medicine. Under the Hippocratic oath of “do no harm,” much attention is placed on identifying symptoms, triaging to root cause, and judiciously prescribing treatment based on the specific diagnosis.

But defending digital assets will likely only become more challenging. Enterprise networks are expanding to include partners, customers, suppliers, and mobile employees. A growing number of mobile devices are in play. Cyber security teams are challenged with funding, talent, and resource constraints. And with the coming explosion of sensors, biometric, and nanotechnologies, the threat landscape will likely only become more complex and increasingly difficult to understand and control.

As a result, cyber intelligence of tomorrow should operate more like the human immune system. When a foreign agent is detected, antibodies are produced, with white blood cells attacking the intruder. The body accelerates blood flow and increases temperatures to create an inhospitable environment for the threat. The identity of the threat is not always known – nor its source, intent, or potential ultimate effect. The body isolates and attacks the intruder, destroying the foreign party, and extends its own protections to be prepared if the threat reemerges.

A similar approach can be envisioned in our cyber landscapes, with systems that won’t need to identify something in absolute terms to know that it should not be there. Detected incidents would be quarantined, allowing the threat to be understood and traced – cyber forensics from a controlled environment where business risk has already been contained. More extreme measures may become mainstream – shutting down network segments or purging afflicted systems. Fingers may be lost to save the arm – which may require a vastly different mindset than today’s perimeter defense approach to security and privacy, where the “answer” is sometimes still higher castle walls and deeper moats.

This more aggressive posturing may lead to more aggressive counter-attacks. With incident sources attributed, cyber-offensive techniques may emerge further – retaliatory measures in response to verified malicious actions. This will likely require some cross-national body to adjudicate disputes and keep the cyber peace.

With the blurring of national and economic concerns, a more sophisticated, aggressive posture towards cyber assets suddenly becomes a global concern – and, unfortunately, one whose import will likely only grow over time.

2013 Technology Trends – Enablers


Where do you start?

Secretary of Defense Leon Panetta says that America’s critical infrastructure systems have been breached already6. This is not defeatism – it is a catalyst to spark the recognition that the world has changed. Organizations should view cyber intelligence as a strategic priority. The threat is real. We are under attack. Yet the impact can be lessened by a systematic response. Potential places to start include:

• Identify the jewels. Understand the external cyber-threat beacon of your organization – the market value of stolen intellectual property in your industry and, specifically, in your company. Tap into external intelligence to understand the broader threat landscape. Then look inward and catalog your high-risk assets – either because of high potential for monetization if stolen, or critical business impact if breached.

• Know your baseline. Assess your current cyber-threat management program across specific dimensions in order to identify strengths and gaps. Include intelligence capabilities, emerging threat research and modeling, brand protection, and network and malware forensics.

• First things first. Develop a roadmap for enhancing your target threat defense architecture, prioritized based on perceived risk of high-value business assets. Update your threat assessment process to focus on the select business risks to the organization, and then model how those business risks may be affected by specific cyber threats. All too often organizations group a series of threats together into a single ‘cyber bucket’ – focused on the general security threats various companies deal with, not those use cases that could impact their own business in a material fashion. This approach typically doesn’t allow for targeted mitigation, often resulting in important threats to the business that are not addressed.

• Don’t forget the business case. Based on the program assessment and updated threat scenarios, articulate the business case for enhancement of the cyber-threat-management program. This seems like an obvious step, but many information security teams look at their mission as a pre-ordained mandate. Clearly articulating the reasoning, justification, and business impact can breathe new life into the security organization, and increase likelihood of funding to expand capabilities.

• Think “extend,” not “replace.” Seek to gain the most leverage out of the technologies and processes already in place before building or implementing new ones. It is likely that there are a number of existing SIEM capabilities that can be enhanced, as well as the ability to dig additional functionality and intelligence out of tools including endpoint protection, vulnerability assessment and patch management, content monitoring, data loss protection, intrusion prevention, and core network services. Determine which pieces of the target threat defense architecture are in place today – or could be with additional tuning and integration, versus net-new technology and process needs.


Bottom line

Cyber security may sound technical in nature, but at its core it is a business issue. Any company’s competitive position and financial health may be at stake.

Business and technology leaders need to engage in effective dialog about what the business values most, how the company drives competitive advantage, and which information and other digital assets are the most sensitive. Brand, customer trust, and strategic positioning are at risk.

This new reality requires a new attitude around security and privacy. Anticipate and prevent when possible, but be ready to isolate and encapsulate intrusions to reduce impact. There may be No Such Thing as Hacker-proof, but there’s a chance to reduce your cyber beacon, be less inviting to attack, and proactively establish outward- and inward-facing measures around your most valued assets.


Authors

Kelly Bissell
Principal, Deloitte & Touche LLP
[email protected]’s Information & Technology Risk Management and Global Incident Response practices. In his 25-year career, he has led numerous projects ranging from Breach Forensics, Cyber Security, and Identity Management, to Privacy and Data Protection, and IT Risk Management.

Kieran Norton
Principal, Deloitte & Touche LLP
[email protected], Kieran Norton assists clients in transforming their current efforts into advanced cyber threat management programs, building threat defense architectures, cultivating actionable cyber-threat intelligence, and responding to cyber incidents.

Endnotes

1 Emil Protalinski, NSA: Cybercrime is ‘the greatest transfer of wealth in history’, http://www.zdnet.com/nsa-cybercrime-is-the-greatest-transfer-of-wealth-in-history-7000000598/ (July 10, 2012).

2 Richard A. Clarke, How China Steals Our Secrets, http://www.nytimes.com/2012/04/03/opinion/how-china-steals-our-secrets.html?_r=0 (April 2, 2012).

3 Ron Rosenbaum, Richard Clarke on Who Was Behind the Stuxnet Attack, http://www.smithsonianmag.com/history-archaeology/Richard-Clarke-on-Who-Was-Behind-the-Stuxnet-Attack.html (April 2012).

4 SOX: Sarbanes-Oxley; PCI DSS: Payment Card Industry Data Security Standard; GLBA: Gramm-Leach-Bliley Act; HIPAA: Health Insurance Portability and Accountability Act

5 Kim Zetter, Google Hack Attack Was Ultra Sophisticated, New Details Show, http://www.wired.com/threatlevel/2010/01/operation-aurora/ (January 14, 2010).

6 J. Nicholas Hoover, DOD: Hackers Breached U.S. Critical Infrastructure Control Systems, http://www.informationweek.com/government/security/dod-hackers-breached-us-critical-infrast/240008972 (October 12, 2012).


2013 Technology Trends

Conclusion

Faithful readers of our Tech Trends reports will find some familiar topics in these pages. The postdigital forces have seen extraordinary attention in the past four years – and each is still in the early stages of adoption. The book on how each can fundamentally reshape business is still being written.

Although the topics are familiar, the underlying trends continue to evolve at an astounding pace. Take mobile, for example. In 2010 the story was about ubiquitous connectivity and device (i.e., smartphone) advances. In 2011, the focus was on the “app” – and the advent of the tablet. In 2012, we covered enterprise implications for prioritization of opportunities, as well as the operational realities of governing, managing, and delivering mobile solutions. And now in 2013, we consider mobile’s place as an utmost strategic priority. The very notion of “devices” is exploding into near-ubiquitous connectivity of many physical objects. The fundamental element of mobile still applies – the innovative idea of removing limitations based on physical location, and of a truly untethered enterprise. But the supporting nuance and details are moving at a rapid clip, making it paramount for IT executives to keep pace with change.

Postdigital’s potential can spur both offensive and defensive responses. On one side lies opportunity for innovation. On the other, the existential threat of disruption. Every industry may be affected by the underlying digital forces. Every market may be reshaped by their controlled collision.

Who will lead the charge? The reports of IT’s demise may be exaggerated, but there is often truth behind the rhetoric. How will CIOs reimagine their roles in business strategy? What will the corresponding IT department look like? One thing is for certain: the elements of postdigital will play a foundational role.

We close this year’s report with the familiar quote from futurist William Gibson: “The future is already here…it is just not evenly distributed.” Our hope is that the Tech Trends reports will help you discover the elements of postdigital in your enterprise.


Contributors

Jeff Anderson, Rajeswari Chandrasekaran, Ian Clasbey, Greg Comline, Teresa Dannemiller, Alex Dea, Lee Dittmar, Rafe Dyer, Chris Garibaldi, Michelle Hernandez, Jon Hoehler, Dan Housman, Kristi Lamar, Nicole Leung, Andrew Luedke, Chris Martin, Taimur Mohammad, Blair Nicodemus, Izzy Park, Aaron Patton, Aaron Reabow, Farhan Saeed, Gordon Sandford, Terry Stuart, Tammy Swartz, Vikash Tiwari, Emad Toukan.

Research Leads: Chris Chang, Justin Franks, Tom Gleason, Nick Johnson, Abhishek Mishra, Jose Munoz, Paridhi Nadarajan, Sam Soneja, Jeremy Young.

Team Members: Jacob Artz, Felix Chang, Jenna Chen, Josiah Davis, Philip Davis, Kevin Downs, Jeff Eiden, Jason Febery, Andrew Fisher, Ramya Ganeshan, Dwij Garg, Leksi Gawor, Anil Gopala, Taylor Hedberg, Sam Jamison, Corey Ke, Kanisha Khaitan, Rebecca Kim, Adrian Kosciak, Karthik Kumar, Joy Li, Ryan Malone, Simy Matharu, Estefi Medina, Sean Mullins, Holly Musemeche, Abhishek Narula, Audrey Nguyen, Dan Nieves, Chinyelu Offodile, Akshai Prakash, Nathan Rabold, Adam Re, Talal Rojas, Brad Shivley, Dilys Sun, Yair Ton, Jenny Zheng.

Consumer Products Contributors

Al Langhals, Suketu Gandhi, Marcus Shingles, Matt Law, Karl Rupilius, Darwin Deano, Oliver Page, Jarrod Phipps, Marat Surenovich Mamedov, David Tobin, April Asico.

Special Thanks

Heidi Boyer, Cyndi Switzer, and Stuart Fano – the veteran heart and soul of our Technology Trends team. You continue to amaze with boundless energy, selfless team spirit, and pushing us to constantly raise the bar (and hit deadlines). Mariahna Moore, Jill Gramolini, and Kelly Ganis – for making a huge impact in your first year Tech Trending. This year’s report would not have been possible without your drive, enthusiasm, and willingness to take on (and deliver) meaty content.


Authors


CIO as the Postdigital Catalyst
Suketu Gandhi, Principal, Deloitte Consulting LLP [email protected]
Bill Briggs, Director, Deloitte Consulting LLP [email protected]

Mobile Only (and beyond)
Shehryar Khan, Principal, Deloitte Consulting LLP [email protected]
Mike Brinker, Principal, Deloitte Consulting LLP [email protected]

Social Reengineering by Design
Stephen Redwood, Principal, Deloitte Consulting LLP [email protected]
Chris Heuer, Specialist Leader, Deloitte Consulting LLP [email protected]

Design as a Discipline
JR Reagan, Principal, Deloitte & Touche LLP [email protected]
Nelson Kunkel, Director, Deloitte Consulting LLP [email protected]

IPv6 (and this time we mean it)
Bruce Short, Director, Deloitte Consulting LLP [email protected]
Edward Reddick, Director, Deloitte Consulting LLP [email protected]

Finding the Face of Your Data
David Steier, Director, Deloitte Consulting LLP [email protected]
Vikram Mahidhar, Director, Deloitte LLP [email protected]

Gamification Goes to Work
Andre Hugo, Director, Deloitte Digital RSA [email protected]
Doug Palmer, Principal, Deloitte Consulting LLP [email protected]

Reinventing the ERP Engine
Bill Allison, Principal, Deloitte Consulting LLP [email protected]
Rick Kupcunas, Director, Deloitte Consulting LLP [email protected]

No Such Thing as Hacker-proof
Kelly Bissell, Principal, Deloitte & Touche LLP [email protected]
Kieran Norton, Principal, Deloitte & Touche LLP [email protected]

The Business of IT
Peter Vanderslice, Principal, Deloitte Consulting LLP [email protected]
Bryan Funkhouser, Principal, Deloitte Consulting LLP [email protected]

Mark White, Chief Technology Officer, Principal, [email protected]
Bill Briggs, Deputy CTO, Director, [email protected]

Disruptors Enablers


This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.

As used in this document, “Deloitte” means Deloitte & Touche LLP and Deloitte Consulting LLP, which are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2013 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited

www.deloitte.com/us/techtrends2013

Scan the QR code to download the report or access additional on-line content.