cybersecurity-5

7/31/2019 cybersecurity-5

Issue 15

Cybersecurity
Beyond the BRICS
Interview with P&G's Deb Henretta
Pages 24, 34, 46

Designing your fiercest competitor
Mastering change by making it real (page 12)

PwC View, Issue 15, page 24

Cybersecurity: The new business priority

In today's global, digital world, data rule. Safeguarding intellectual property, financial information, and your company's reputation is a crucial part of business strategy. Yet with the number of threats and the sophistication of attacks increasing, it's a formidable challenge. PwC's US Security Leader Gary Loveland and Security Principal Mark Lobel reveal how company leaders can protect, and strengthen, the business with the right approach to information security.

By Gary Loveland and Mark Lobel

Gary Loveland is the US Leader and Mark Lobel is Principal in PwC's Security practice. They also oversee the annual Global State of Information Security Survey, which PwC has conducted for 14 years. For a detailed look at the survey, visit www.pwc.com/giss2012.

Managing risk

Information security probably isn't something that gets a lot of executive attention. It's the CIO's job or the responsibility of his lieutenants. Yet every so often when scanning the headlines, news about the latest high-profile cyberattacks elevates your blood pressure as you wonder: Could that happen to us? What would be the impact on our business? How would we respond to customers and shareholders?

But then it's often back to the more pressing issues of the day, and the state of your company's information security recedes to the background. You won't likely give it another thought until there's an incident. Then it's damage-control mode, as the company deals with stolen customer data, disclosure of confidential financial information, a disabled Web storefront, or worse.

This reactive approach is all too common, even though the question is not if a company will suffer an incident but when. In the annual PwC, CIO, and CSO survey of more than 9,600 global executives, 41 percent of US respondents had experienced one or more security incidents during the past year.[1] And that number is rising. Respondents reported financial losses, intellectual property theft, reputational damage, fraud, and legal exposure, among other effects. (See Figure 1.) With such high stakes, most would agree that information security deserves full attention at the highest levels of the company.

Figure 1: US business impact of security incidents

Financial losses               37.5%
Intellectual property theft    31.8%
Brand/reputation compromised   31.2%
Fraud                          15.8%
Legal exposure/lawsuit         12.2%
Loss of shareholder value      11.3%
Extortion                       7.1%

Source: PwC, CIO, and CSO 2012 Global State of Information Security Survey

[1] PwC, CIO, and CSO 2012 Global State of Information Security Survey.

Government leaders, at least, are taking notice: Lawmakers, the Securities and Exchange Commission (SEC), and the Administration have been highlighting increased security risks and the need for both the private and public sectors to step up their security game. In October 2011, the SEC issued guidance on the disclosure of cybersecurity risks and incidents.[2] While the guidance didn't propose new requirements, it reminded company leaders, and boards of directors, of their obligations under current rules. That same month, in the aftermath of disclosures by WikiLeaks, President Obama issued an Executive Order calling for measures to enhance national security in order to reduce the risk of a similar breach in the future.[3] These developments follow ongoing efforts to move cybersecurity legislation through Congress and into law.

Perception versus reality

Back in the corporate world, is cybersecurity still considered a purely technical matter? Or do businesses understand that it is the lynchpin for safeguarding their most precious assets: intellectual property, customer information, financial data, employee records, and much more?

It depends upon whom you ask. The PwC, CIO, and CSO survey revealed that executives may say and believe one thing, but the data and expert analysis indicate that they do another. First, the survey asked, "How confident are you that your organization's information security activities are effective?" Seventy-two percent of respondents answered that they were very confident or somewhat confident.[4] However, when executives were asked to characterize their company's approach to information security, identifying whether they possess an information security strategy and have proactively implemented it, the positive results took a nosedive.

Just 43 percent of respondents self-identified as Front-runners; that is, those who felt they have an effective information security strategy in place and are proactive in executing the plan. Those who saw themselves as Strategists (27 percent) felt they have the big picture right but fall down on execution, while Tacticians (15 percent) said they are better at getting things done than in defining a broader strategy. Finally, the Firefighters (14 percent globally but 22 percent in the US) admitted to lacking a strategy and to being reactive regarding information security.[5]

But when it came time to let the data do the talking, the companies that were walking the walk and not merely talking the talk were significantly fewer: just 13 percent of respondents. (See Figure 2.) These leading companies not only have an information security strategy in place, but they demonstrate a number of other leading practices, including having a high-level security chief, regularly measuring and reviewing the effectiveness of their policies and procedures each year, and possessing a deep understanding of the types of security events that have occurred in their organizations.

Figure 2: Differing views of information security effectiveness and leadership

All companies:   100%
Confident:        72%
Front-runners:    43%
True Leaders:     13%

The majority of executives in the survey (72%) reported being very confident or somewhat confident that their organization's information security activities were effective. Yet just 43% described themselves as Front-runners, meaning they had a strategy in place and proactively executed it. But when we analyzed their information security practices, only 13% of companies could be considered True Leaders.

Source: PwC, CIO, and CSO 2012 Global State of Information Security Survey

[2] http://sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
[3] http://www.whitehouse.gov/the-press-office/2011/10/07/fact-sheet-safeguarding-us-governments-classified-information-and-networ
[4] PwC, CIO, and CSO 2012 Global State of Information Security Survey.
[5] Numbers reported do not total up to 100 due to rounding.

14% of executives surveyed admitted to lacking a strategy and being reactive when it came to information security.

Barriers to effective cybersecurity

Addressing information security can be especially challenging because executives do not always agree about company issues and goals. In the survey, we asked respondents what the greatest obstacles were to improving their organization's information security. While the number one response predictably was about resources (insufficient funding for capital expenditures), the answers often changed when we looked more specifically at who was answering. CEOs agreed that lack of capital funding was the problem, but CFOs indicated a lack of leadership from the CEO was the reason. Meanwhile, CIOs and security executives pointed to a lack of actionable vision or understanding within the organization.

Figure 3: Primary obstacles to information security, by senior executive

Obstacle                                                     CEO   CFO   CIO
Insufficient funding for capital expenditures                27%   23%   29%
Leadership: CEO                                              25%   27%   25%
Absence or shortage of in-house technical expertise          23%   19%   25%
Insufficient funding for operating expenditures              23%   16%   23%
Lack of an effective information security strategy           18%   25%   25%
Lack of an actionable vision or understanding                17%   25%   30%
Leadership: CIO                                              14%   23%   18%
Poorly integrated or overly complex information/IT systems   13%   14%   19%
Leadership: Security chief                                   12%   22%   16%

Source: PwC, CIO, and CSO 2012 Global State of Information Security Survey

Four growing cyberthreats

The companies in this top tier, whom we refer to as security leaders, understand that they are up against different types of cyberthreats. There essentially are four types of attacks, each of which has a different motive. It's helpful to think of these as storm waves, swirling around your business. At any given time, it is impossible to know which wave will hit and what type of damage it will wreak.

The first and oldest wave is nuisance hacking, in which there is little material impact to the company. A classic example is hackers defacing your company's website. More serious and widespread is the second wave, which is hacking for financial gain.

As business has migrated to the digital world, criminals have, too. What has emerged is a sophisticated criminal ecosystem that has matured to the point that it functions much like any business: management structure, quality control, offshoring, and so on. This type of hacking now goes beyond blindly stealing customer credit card information or employee passwords. For example, hackers might target a company's financial function in order to obtain its earnings report before it is publicly released. With such advance knowledge, they can profit by acquiring or dumping stock.

Protecting the business from cybercrime is one thing, but companies also must worry about a new type of risk: the advanced persistent threat. If you think the term sounds like it's out of a spy movie, you're not far off. This type of hacking is predominantly about stealing intellectual property and typically is associated with state-sponsored espionage. The motives go beyond financial gain. Experts may quibble about the specifics of this type of attack and whether it always has involved use of advanced techniques, but this is a serious and growing threat. It is not an understatement to say that what's at risk is not only your intellectual property but possibly national security.

41% of US executives surveyed had experienced one or more security incidents in the past year.

The high-profile Stuxnet worm case demonstrates how specialized and sophisticated these attacks can be. The Stuxnet worm that was discovered in 2010 was designed to infiltrate industrial control systems, such as those that manage water or power plants. But it wasn't an infrastructure system that was hit; hackers infiltrated and potentially sabotaged the Iranian systems that manage uranium. As the chilling details emerge, what's noteworthy is that the attack was planned (and the worm developed and placed) as many as four years ahead of the incident.

This foresight echoes a trend we have seen in our work with companies such as defense contractors. When they announce plans to acquire another company, perpetrators go after the potential acquisition. Their hope is to embed malicious software on the systems of the acquisition target so that when the companies ultimately are integrated, hackers will have access to the parent company's systems, even if it means biding time for 18 to 24 months or longer.

And it's not only specialized industries like defense that are at risk for advanced persistent threats. We have seen considerable activity in the financial services and technology industries. In some cases, the perpetrators infiltrate a bank or service provider in order to get access to the organization's customers' systems.

Finally, there's one more type of threat that is on the rise: hacktivism. WikiLeaks immediately comes to mind, but, for the private sector, think of this as the digital equivalent to Occupy Wall Street. The goal of perpetrators is to change or create a public perception of your brand. For example, hackers might obtain sensitive information and disclose it to the public.

Keeping pace with new technologies

Not only do companies face a myriad of threats, their exposure grows as they invest in technologies like mobile, social, and cloud. In the survey, only a minority of US companies had strategies in place to protect against the risks that these new technologies bring.[6] (See Figure 4.)

Mobile, in particular, challenges the business because suddenly corporate data can be widely accessed outside of the enterprise. And employees often don't realize the risks being introduced when sharing, sending, or receiving corporate information on a smartphone or tablet, especially if it is a personal device.

Likewise, with social media, where the line between personal and professional can become blurry, employees inadvertently may be disclosing sensitive information. Called data leakage, it can happen when employees share seemingly innocuous details, such as the airport they are in or the coffee shop they are frequenting every morning. Others within their social networks can use these clues, along with profile information about their jobs (bankruptcy attorney, M&A specialist), to ferret out potentially sensitive information, such as the identity of a financially troubled company or a potential acquisition target.

Figure 4: Companies addressing security risks from new technologies

Cloud security strategy                                   21.1%
Mobile device security strategy                           33.7%
Security strategy for employee use of personal devices    37.4%
Social media security strategy                            31.5%

Source: PwC, CIO, and CSO 2012 Global State of Information Security Survey

[6] PwC, CIO, and CSO 2012 Global State of Information Security Survey.

Strategies for strengthening the business

With so many risks, business leaders may be unsure of where to focus. In our experience, it is crucial to elevate the role of information security in the organization and emphasize the fact that it is not just a technology function. As a make-or-break business issue, it requires a leader who reports directly to a senior executive. The title of the person (chief security officer, chief information security officer, security director) isn't what matters. Instead, it's the ability of that individual to bring security issues to the C-suite and help the management team think and talk about how security affects every other business decision.

Effective security leaders consistently demonstrate the linkages between security and the company's goals. They remind the rest of the management team that security is a strategic issue. In the survey, the Front-runner group emphasized this approach by citing client requirements as the driving force behind the company's information security investments. The other respondents pointed to legal and regulatory requirements as the main justification for information security spending in their organizations.

An organization that embraces this mindset, for example, might engage the security leader and the sales leader, together, to consider how better information security can help close or speed sales. They might determine that having well-documented information security controls, processes, or certifications in place enables them to anticipate and address customer concerns immediately when or before the issue first is raised.

Some companies we work with find it effective to have security leaders embedded within each business unit. These individuals report to line-of-business heads and work directly with them to evaluate how security can support each group's business goals.

Where's the data?

Companies that understand the value that security brings to the business also ensure that they have a comprehensive strategy in place, and that they have the processes and procedures to back up their vision. The guiding principles for strategy are driven, in large part, by their data. Companies will want to ask a seemingly simple question: What's our most sensitive data?

Surprisingly, many companies can't begin to answer that question. Company leaders will need to identify their most sensitive data. They'll consider business assets like intellectual property, as well as information that they have a fiduciary responsibility to protect, including customer, business partner, or employee data.

As companies undertake this foundational exercise, they will ask: What data do we have? Where are they located? What laws and regulations apply to them? What controls do we have around them? Are we sending data to third parties? If so, is it being handled securely? There's much work to be done here: In the survey, only 29 percent of companies have an accurate inventory of data, a decline of 10 percent from just two years ago.

What concerns security experts most?

Like the very nature of business itself, information security challenges are evolving. This topic came up continually as we discussed the survey findings with companies in all fields. What are the security chiefs at leading organizations most worried about? Here are some of the top concerns:

Mobile devices. The power of employee and customer mobile devices makes companies increasingly vulnerable. Consider just a few scary possibilities: Hackers mobilizing smartphone users to bring down a company network by organizing a computational flash mob. Or banking apps available from popular online stores that are not affiliated with the banks they claim to represent; instead, they are designed to steal data. What is the best thing companies can do? Come to terms with the fact that mobile is here to stay and address it head-on in your strategy and policies. Begin thinking of mobile devices not as phones or adjunct devices but on par with laptop computers that have their own powerful peer-to-peer networks.

Increasing sophistication of the attacks. Whatever you call these attacks (and security experts have been known to go round and round about just what constitutes an advanced persistent threat and whether the term is useful), some perpetrators are changing the rules of the game. They are locking on a specific target and formulating long-range plans to accomplish their goals. In the last year, we have seen several industry-leading companies in the technology and financial services industries that have been victimized. If it could happen to them, it could happen to anyone.

Proposed legislation. Experts seem to agree that it's only a matter of time before information security is mandated by law. Over the past few years, various incarnations of bills have been proposed. While security chiefs understand the scrutiny, they have concerns about security becoming a compliance burden. They worry that this will cause businesses to lose sight of what really matters: focusing on their strategy and thinking about next threats.

For companies that have grown through mergers and acquisitions, there's the additional hurdle of getting a handle on disparate data sources, not to mention different policies, processes, and systems that were inherited with each merger or acquisition.

In the process of evaluating what's currently in place and where the company's attention needs better focus, some organizations find it helpful to conduct an outside assessment of their current operations. Often, when companies get a glimpse into what really is going on, they are surprised. They discover that the biggest problems may be caused by their employees.

For example, companies may find that workers lack even a basic awareness of the information security risks to which employees are subjecting the business when they don't follow policy; for example, they fail to change default passwords or they leave their computers on when they go home.

Some companies bring in outside security experts to conduct an assessment, particularly if an organization wants to test the security of its networks. This so-called ethical hacking attempts to penetrate a company's network to pinpoint vulnerabilities.

In our work as security specialists, the trend we've observed is that companies have become much better about protecting the organization from the outside. But once a perpetrator is able to gain access to an internal network (whether by walking in the door and plugging into a network jack or via malware that is dormant on a USB drive that an employee picks up in the parking lot and plugs into his networked computer), we always have been able to gain levels of unauthorized access.

A security assessment also might reveal that the company has not kept up with a changing IT environment, especially one in which business units or employees have independently added their own devices or applications to the mix. All too often, businesses maintain the status quo but don't adequately address how these latest technologies and new ways of working put them at risk.

Testing, testing, testing

Recognizing that organizations are dynamic, and that criminals always are innovating, it's especially important for companies to consistently monitor and test what they have in place. In the survey, the companies that we defined as True Leaders measure and review the effectiveness of their security policies and procedures annually (compared with just 54 percent of other respondents). These organizations also know where they are vulnerable and need to shore up their defenses. This is significant because just a few years ago, almost half of the survey's respondents couldn't answer the most basic questions about the nature of security-related breaches; now approximately 80 percent or more of respondents can provide specific information about the frequency, type, and source of security breaches their organizations faced. And they are seeing results: The leaders reported half as many information security incidents per year, compared with the rest of survey respondents.

100% of the companies we defined as security leaders measure and review the effectiveness of their security policies and procedures annually.

50% fewer information security incidents were experienced by the security leaders, compared with the rest of the survey respondents.

Companies that are proactive about information security also consider the impact of breaches, especially given that these events are on the rise. Of those, risks associated with customers, partners, or suppliers are a major concern, having nearly doubled in the past two years. This situation is compounded by the fact that given recent economic uncertainty, security has not been a priority. The levels of investment, awareness, and training all have declined.

In thinking about potential breaches, organizations will determine to whom they need to disclose an event. This issue is gaining more attention in light of the SEC's recent guidance on the matter, reminding public companies that the following impacts must be included: remediation costs to customers or partners, increased information security investments required to remedy the situation, lost revenues due to breach, litigation resulting from breach, and reputational damage affecting customer or investor confidence. Company management and boards will want to consider the balancing act required to fulfill these responsibilities to investors and customers while ensuring that leadership does not disclose information that would make the company further vulnerable to hackers.

Follow the leaders

Leading companies today are rethinking the role of information security in their organizations. They realize that in a digital world, cybersecurity is the key to safeguarding their most precious assets: intellectual property, customer information, financial data, and employee records, among others. But far more than a defensive measure, companies also know that cybersecurity can better position their organization with business partners, customers, investors, and other stakeholders. Additionally, a sustained approach to security enables companies to better take advantage of newer technologies (mobile, social media, and cloud) that are driving business growth for many organizations. Company executives are leading the charge, working across the business to assess the current environment, define their most sensitive data, assign accountability, devise a strategy, and measure their progress. With strong leadership and a comprehensive approach that continually links information security back to business strategy, top managers will better position their organizations for success.

PwC View, Issue 15, page 52

Editorial
Editorial Director: Tom Craren
Managing Editor: Gene Zasadinski
Assistant Managing Editor: Christine Wendin
View points Editor: Angela Pham
Contributing Editors: Mike Brewster, Emily Church, Cecily Dixon, Susan Eggleton, Benjamin Isgur, Sandy Lutz, Susan Poole, Anand Rao, Bill Sand, Jamie Yoder

Online
Jeffrey Dreiblatt, Adiba Khan, Scott Schmidt, Jack Teuber

Design
Odgis + Company
Creative Director: Janet Odgis
Senior Designer: Banu Berker
Designers: Rhian Swierat, T. Chlo Bartholomew

Contributors
We thank the following individuals for their contributions to this issue of View: Caroline Calkins-Heine, Steve Lechner, Alfred Peguero, Daryl Walcroft

Photography
AP Images, Brian Bielmann, Corbis Images, Bill Gallery, Getty Images, Andreas Herzau/Laif/Redux, iStockphoto, Vincent Laforet, Chen Ming/Xinhua/Eyevine/Redux, Tommaso Rada/4See/Redux, Reuters Pictures, Brian Smale, Stephen Wilkes

To request additional copies of View or to comment: www.pwc.com/view.

PwC firms help organisations and individuals create the value they're looking for. We're a network of firms with 169,000 people in more than 158 countries who are committed to deliver quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at http://www.pwc.com/.

© 2012 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

The information contained in this document is for general guidance on matters of interest only. The application and impact of laws can vary widely based on the specific facts involved. Given the changing nature of laws, rules, and regulations, there may be omissions or inaccuracies in information contained in this document. Before making any decision or taking any action, you should consult a competent professional adviser. Although we believe that the information contained in this document has been obtained from reliable sources, PricewaterhouseCoopers is not responsible for any errors or omissions contained herein or for the results obtained from the use of this information.

View magazine is printed at an ISO 14001:2004 certified plant with Forest Stewardship Council (FSC) Chain of Custody certification (BVCOC-080903). It was printed with the use of renewable wind power resulting in nearly zero volatile organic compound (VOC) emissions. The paper used is 10 percent recycled minimum with postconsumer waste.

By printing at a facility that uses wind-generated electricity:
6,440 lbs of greenhouse gases were prevented
equivalent to 5,588 miles not driven in a year
equivalent to planting 438 trees

By using postconsumer recycled fiber in lieu of virgin fiber:
105,932 gallons of wastewater flow was saved
12,070 lbs of solid waste was not generated
32,676 lbs net of greenhouse gases was prevented
158,000,000 BTUs of energy was not consumed

Source: Environmental Defense Fund paper calculator

www.pwc.com/view

Rear view

Are you designing a disruptive business model to keep your fiercest competitor at bay?

Alter your mental model. Apply insights gained. Imagine scenarios involving disruptive, greenfield competitors.