7/31/2019 cybersecurity-5
Issue 15
Cybersecurity
Beyond the BRICS
Interview with P&G's Deb Henretta
(pages 24, 34, 46)
Designing your fiercest competitor
Mastering change by making it real (page 12)
24 PwC View Issue 15

Cybersecurity: The new business priority

In today's global, digital world, data rule. Safeguarding intellectual property, financial information, and your company's reputation is a crucial part of business strategy. Yet with the number of threats and the sophistication of attacks increasing, it's a formidable challenge. PwC's US Security Leader Gary Loveland and Security Principal Mark Lobel reveal how company leaders can protect and strengthen the business with the right approach to information security.
By Gary Loveland and Mark Lobel
Gary Loveland is the US Leader and Mark Lobel is Principal in PwC's Security practice. They also oversee the annual Global State of Information Security Survey, which PwC has conducted for 14 years. For a detailed look at the survey, visit www.pwc.com/giss2012.
Managing risk
Information security probably isn't something that gets a lot of executive attention. It's the CIO's job or the responsibility of his lieutenants. Yet every so often when scanning the headlines, news about the latest high-profile cyberattacks elevates your blood pressure as you wonder: Could that happen to us? What would be the impact on our business? How would we respond to customers and shareholders?

But then it's often back to the more pressing issues of the day, and the state of your company's information security recedes to the background. You won't likely give it another thought until there's an incident. Then it's damage-control mode, as the company deals with stolen customer data, disclosure of confidential financial information, a disabled Web storefront, or worse.

This reactive approach is all too common, even though the question is not if a company will suffer an incident but when. In the annual PwC, CIO, and CSO survey of more than 9,600 global executives, 41 percent of US respondents had experienced one or more security incidents during the past year.[1] And that number is rising. Respondents reported financial losses, intellectual property theft, reputational damage, fraud, and legal exposure, among other effects. (See Figure 1.) With such high stakes, most would agree that information security deserves full attention at the highest levels of the company.
Figure 1: US business impact of security incidents

Financial losses                 37.5%
Intellectual property theft      31.8%
Brand/reputation compromised     31.2%
Fraud                            15.8%
Legal exposure/lawsuit           12.2%
Loss of shareholder value        11.3%
Extortion                         7.1%

Source: PwC, CIO, and CSO 2012 Global State of Information Security Survey

[1] PwC, CIO, and CSO 2012 Global State of Information Security Survey.
Government leaders, at least, are taking notice: Lawmakers, the Securities and Exchange Commission (SEC), and the Administration have been highlighting increased security risks and the need for both the private and public sectors to step up their security game. In October 2011, the SEC issued guidance on the disclosure of cybersecurity risks and incidents.[2] While the guidance didn't propose new requirements, it reminded company leaders, and boards of directors, of their obligations under current rules. That same month, in the aftermath of disclosures by WikiLeaks, President Obama issued an Executive Order calling for measures to enhance national security in order to reduce the risk of a similar breach in the future.[3] These developments follow ongoing efforts to move cybersecurity legislation through Congress and into law.
Perception versus reality
Back in the corporate world, is cybersecurity still considered a purely technical matter? Or do businesses understand that it is the lynchpin for safeguarding their most precious assets: intellectual property, customer information, financial data, employee records, and much more?

It depends upon whom you ask. The PwC, CIO, and CSO survey revealed that executives may say and believe one thing, but the data and expert analysis indicate that they do another. First, the survey asked, "How confident are you that your organization's information security activities are effective?" Seventy-two percent of respondents answered that they were very confident or somewhat confident.[4] However, when executives were asked to characterize their company's approach to information security, identifying whether they possess an information security strategy and have proactively implemented it, the positive results took a nosedive.

Just 43 percent of respondents self-identified as Front-runners; that is, those who felt they have an effective information security strategy in place and are proactive in executing the plan. Those who saw themselves as Strategists (27 percent) felt they have the big picture right but fall down on execution, while Tacticians (15 percent) said they are better at getting things done than in defining a broader strategy. Finally, the Firefighters (14 percent globally but 22 percent in the US) admitted to lacking a strategy and to being reactive regarding information security.[5]

But when it came time to let the data do the talking, the companies that were walking the walk and not merely talking the talk were significantly fewer: just 13 percent of respondents. (See Figure 2.) These leading companies not only have an information security strategy in place, but they demonstrate a number of other leading practices, including having a high-level security chief, regularly measuring and reviewing the effectiveness of their policies and procedures each year, and possessing a deep understanding of the types of security events that have occurred in their organizations.
Figure 2: Differing views of information security effectiveness and leadership

All companies:   100%
Confident:        72%
Front-runners:    43%
True Leaders:     13%

The majority of executives in the survey (72%) reported being very confident or somewhat confident that their organization's information security activities were effective. Yet just 43% described themselves as Front-runners, meaning they had a strategy in place and proactively executed it. But when we analyzed their information security practices, only 13% of companies could be considered True Leaders.

Source: PwC, CIO, and CSO 2012 Global State of Information Security Survey

[2] http://sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
[3] http://www.whitehouse.gov/the-press-office/2011/10/07/fact-sheet-safeguarding-us-governments-classified-information-and-networ.
[4] PwC, CIO, and CSO 2012 Global State of Information Security Survey.
[5] Numbers reported do not total up to 100 due to rounding.
14% of executives surveyed admitted to lacking a strategy and being reactive when it came to information security.
Barriers to effective cybersecurity

Addressing information security can be especially challenging because executives do not always agree about company issues and goals. In the survey, we asked respondents what the greatest obstacles were to improving their organization's information security. While the number one response predictably was about resources (insufficient funding for capital expenditures), the answers often changed when we looked more specifically at who was answering. CEOs agreed that lack of capital funding was the problem, but CFOs indicated a lack of leadership from the CEO was the reason. Meanwhile, CIOs and security executives pointed to a lack of actionable vision or understanding within the organization.

Figure 3: Primary obstacles to information security, by senior executive

Obstacle                                                      CEO    CFO    CIO
Insufficient funding for capital expenditures                 27%    23%    29%
Leadership: CEO                                               25%    27%    25%
Absence or shortage of in-house technical expertise           23%    19%    25%
Insufficient funding for operating expenditures               23%    16%    23%
Lack of an effective information security strategy            18%    25%    25%
Lack of an actionable vision or understanding                 17%    25%    30%
Leadership: CIO                                               14%    23%    18%
Poorly integrated or overly complex information/IT systems    13%    14%    19%
Leadership: Security chief                                    12%    22%    16%

Source: PwC, CIO, and CSO 2012 Global State of Information Security Survey
Four growing cyberthreats
The companies in this top tier, whom we refer to as security leaders, understand that they are up against different types of cyberthreats. There essentially are four types of attacks, each of which has a different motive. It's helpful to think of these as storm waves, swirling around your business. At any given time, it is impossible to know which wave will hit and what type of damage it will wreak.

The first and oldest wave is nuisance hacking, in which there is little material impact to the company. A classic example is hackers defacing your company's website. More serious and widespread is the second wave, which is hacking for financial gain.

As business has migrated to the digital world, criminals have, too. What has emerged is a sophisticated criminal ecosystem that has matured to the point that it functions much like any business: management structure, quality control, offshoring, and so on. This type of hacking now goes beyond blindly stealing customer credit card information or employee passwords. For example, hackers might target a company's financial function in order to obtain its earnings report before it is publicly released. With such advance knowledge, they can profit by acquiring or dumping stock.
41% of US executives surveyed had experienced one or more security incidents in the past year.

Protecting the business from cybercrime is one thing, but companies also must worry about a new type of risk: the advanced persistent threat. If you think the term sounds like it's out of a spy movie, you're not far off. This type of hacking is predominantly about stealing intellectual property and typically is associated with state-sponsored espionage. The motives go beyond financial gain.
Experts may quibble about the specifics of this type of attack and whether it always has involved use of advanced techniques, but this is a serious and growing threat. It is not an understatement to say that what's at risk is not only your intellectual property but possibly national security.

The high-profile Stuxnet worm case demonstrates how specialized and sophisticated these attacks can be. The Stuxnet worm that was discovered in 2010 was designed to infiltrate industrial control systems, such as those that manage water or power plants. But it wasn't an infrastructure system that was hit; hackers infiltrated and potentially sabotaged the Iranian systems that manage uranium. As the chilling details emerge, what's noteworthy is that the attack was planned (and the worm developed and placed) as many as four years ahead of the incident.

This foresight echoes a trend we have seen in our work with companies such as defense contractors. When they announce plans to acquire another company, perpetrators go after the potential acquisition. Their hope is to embed malicious software on the systems of the acquisition target so that when the companies ultimately are integrated, hackers will have access to the parent company's systems, even if it means biding time for 18 to 24 months or longer.

And it's not only specialized industries like defense that are at risk for advanced persistent threats. We have seen considerable activity in the financial services and technology industries. In some cases, the perpetrators infiltrate a bank or service provider in order to get access to the organization's customers' systems.

Finally, there's one more type of threat that is on the rise: hacktivism. WikiLeaks immediately comes to mind, but, for the private sector, think of this as the digital equivalent to Occupy Wall Street. The goal of perpetrators is to change or create a public perception of your brand. For example, hackers might obtain sensitive information and disclose it to the public.
Keeping pace with new technologies
Not only do companies face a myriad of threats, their exposure grows as they invest in technologies like mobile, social, and cloud. In the survey, only a minority of US companies had strategies in place to protect against the risks that these new technologies bring.[6] (See Figure 4.)

Mobile, in particular, challenges the business because suddenly corporate data can be widely accessed outside of the enterprise. And employees often don't realize the risks being introduced when sharing, sending, or receiving corporate information on a smartphone or tablet, especially if it is a personal device.

Likewise, with social media, where the line between personal and professional can become blurry, employees inadvertently may be disclosing sensitive information. Called data leakage, it can happen when employees share seemingly innocuous details, such as the airport they are in or the coffee shop they are frequenting every morning. Others within their social networks can use these clues, along with profile information about their jobs (bankruptcy attorney, M&A specialist), to ferret out potentially sensitive information, such as the identity of a financially troubled company or a potential acquisition target.
Figure 4: Companies addressing security risks from new technologies

Cloud security strategy                                    21.1%
Mobile device security strategy                            33.7%
Security strategy for employee use of personal devices     37.4%
Social media security strategy                             31.5%

Source: PwC, CIO, and CSO 2012 Global State of Information Security Survey

[6] PwC, CIO, and CSO 2012 Global State of Information Security Survey.

Strategies for strengthening the business

With so many risks, business leaders may be unsure of where to focus. In our experience, it is crucial to elevate the role of information security in the organization and emphasize the fact that it is not just a technology function. As a make-or-break business issue, it requires a leader who reports directly to a senior executive. The title of the person (chief security officer, chief information security officer, security director) isn't what matters. Instead, it's the ability of that individual to bring security issues to the C-suite and help the management team think and talk about how security affects every other business decision.

Effective security leaders consistently demonstrate the linkages between security and the company's goals. They remind the rest of the management team that security is a strategic issue. In the survey, the Front-runner group emphasized this approach by citing client requirements as the driving force behind the company's information security investments. The other respondents pointed to legal and regulatory requirements as the main justification for information security spending in their organizations.
An organization that embraces this mindset, for example, might engage the security leader and the sales leader, together, to consider how better information security can help close or speed sales. They might determine that having well-documented information security controls, processes, or certifications in place enables them to anticipate and address customer concerns immediately when or before the issue first is raised.

Some companies we work with find it effective to have security leaders embedded within each business unit. These individuals report to line-of-business heads and work directly with them to evaluate how security can support each group's business goals.

Where's the data?

Companies that understand the value that security brings to the business also ensure that they have a comprehensive strategy in place, and that they have the processes and procedures to back up their vision. The guiding principles for strategy are driven, in large part, by their data. Companies will want to ask a seemingly simple question: What's our most sensitive data?

Surprisingly, many companies can't begin to answer that question. Company leaders will need to identify their most sensitive data. They'll consider business assets like intellectual property, as well as information that they have a fiduciary responsibility to protect, including customer, business partner, or employee data.

As companies undertake this foundational exercise, they will ask: What data do we have? Where are they located? What laws and regulations apply to them? What controls do we have around them? Are we sending data to third parties? If so, is it being handled securely? There's much work to be done here: In the survey, only 29 percent of companies have an accurate inventory of data, a decline of 10 percent from just two years ago.
What concerns security experts most?

Like the very nature of business itself, information security challenges are evolving. This topic came up continually as we discussed the survey findings with companies in all fields. What are the security chiefs at leading organizations most worried about? Here are some of the top concerns:

Mobile devices. The power of employee and customer mobile devices makes companies increasingly vulnerable. Consider just a few scary possibilities: Hackers mobilizing smartphone users to bring down a company network by organizing a computational flash mob. Or banking apps available from popular online stores that are not affiliated with the banks they claim to represent; instead, they are designed to steal data. What is the best thing companies can do? Come to terms with the fact that mobile is here to stay and address it head-on in your strategy and policies. Begin thinking of mobile devices not as phones or adjunct devices but on par with laptop computers that have their own powerful peer-to-peer networks.

Increasing sophistication of the attacks. Whatever you call these attacks (and security experts have been known to go round and round about just what constitutes an advanced persistent threat and whether the term is useful), some perpetrators are changing the rules of the game. They are locking on a specific target and formulating long-range plans to accomplish their goals. In the last year, we have seen several industry-leading companies in the technology and financial services industries that have been victimized. If it could happen to them, it could happen to anyone.

Proposed legislation. Experts seem to agree that it's only a matter of time before information security is mandated by law. Over the past few years, various incarnations of bills have been proposed. While security chiefs understand the scrutiny, they have concerns about security becoming a compliance burden. They worry that this will cause businesses to lose sight of what really matters: focusing on their strategy and thinking about next threats.
For companies that have grown through mergers and acquisitions, there's the additional hurdle of getting a handle on disparate data sources, not to mention different policies, processes, and systems that were inherited with each merger or acquisition.

In the process of evaluating what's currently in place and where the company's attention needs better focus, some organizations find it helpful to conduct an outside assessment of their current operations. Often, when companies get a glimpse into what really is going on, they are surprised. They discover that the biggest problems may be caused by their employees.

For example, companies may find that workers lack even a basic awareness of the information security risks to which employees are subjecting the business when they don't follow policy; for example, they fail to change default passwords or they leave their computers on when they go home.

Some companies bring in outside security experts to conduct an assessment, particularly if an organization wants to test the security of its networks. This so-called ethical hacking attempts to penetrate a company's network to pinpoint vulnerabilities.

In our work as security specialists, the trend we've observed is that companies have become much better about protecting the organization from the outside. But once a perpetrator is able to gain access to an internal network, whether by walking in the door and plugging into a network jack or via malware that is dormant on a USB drive that an employee picks up in the parking lot and plugs into his networked computer, we always have been able to gain levels of unauthorized access.

A security assessment also might reveal that the company has not kept up with a changing IT environment, especially one in which business units or employees have independently added their own devices or applications to the mix. All too often, businesses maintain the status quo but don't adequately address how these latest technologies and new ways of working put them at risk.
Testing, testing, testing
Recognizing that organizations are dynamic, and that criminals always are innovating, it's especially important for companies to consistently monitor and test what they have in place. In the survey, the companies that we defined as True Leaders measure and review the effectiveness of their security policies and procedures annually (compared with just 54 percent of other respondents). These organizations also know where they are vulnerable and need to shore up their defenses. This is significant because just a few years ago, almost half of the survey's respondents couldn't answer the most basic questions about the nature of security-related breaches; now approximately 80 percent or more of respondents can provide specific information about the frequency, type, and source of security breaches their organizations faced. And they are seeing results: The leaders reported half as many information security incidents per year, compared with the rest of survey respondents.

Companies that are proactive about information security also consider the impact of breaches, especially given that these events are on the rise. Of those, risks associated with customers, partners, or suppliers are a major concern, having nearly doubled in the past two years. This situation is compounded by the fact that given recent economic uncertainty, security has not been a priority. The levels of investment, awareness, and training all have declined.

In thinking about potential breaches, organizations will determine to whom they need to disclose an event. This issue is gaining more attention in light of the SEC's recent guidance on the matter, reminding public companies that the following impacts must be included: remediation costs to customers or partners, increased information security investments required to remedy the situation, lost revenues due to breach, litigation resulting from breach, and reputational damage affecting customer or investor confidence. Company management and boards will want to consider the balancing act required to fulfill these responsibilities to investors and customers while ensuring that leadership does not disclose information that would make the company further vulnerable to hackers.

100% of the companies we defined as security leaders measure and review the effectiveness of their security policies and procedures annually.

50% fewer information security incidents were experienced by the security leaders, compared with the rest of the survey respondents.

Follow the leaders

Leading companies today are rethinking the role of information security in their organizations. They realize that in a digital world, cybersecurity is the key to safeguarding their most precious assets: intellectual property, customer information, financial data, and employee records, among others. But far more than a defensive measure, companies also know that cybersecurity can better position their organization with business partners, customers, investors, and other stakeholders. Additionally, a sustained approach to security enables companies to better take advantage of newer technologies (mobile, social media, and cloud) that are driving business growth for many organizations. Company executives are leading the charge, working across the business to assess the current environment, define their most sensitive data, assign accountability, devise a strategy, and measure their progress. With strong leadership and a comprehensive approach that continually links information security back to business strategy, top managers will better position their organizations for success.
Editorial
Editorial Director
Tom Craren
Managing Editor
Gene Zasadinski
Assistant Managing Editor
Christine Wendin
View points Editor
Angela Pham
Contributing Editors
Mike Brewster
Emily Church
Cecily Dixon
Susan Eggleton
Benjamin Isgur
Sandy Lutz
Susan Poole
Anand Rao
Bill Sand
Jamie Yoder
Online
Jeffrey Dreiblatt
Adiba Khan
Scott Schmidt
Jack Teuber
Design
Odgis + Company
Creative Director
Janet Odgis
Senior Designer
Banu Berker
Designers
Rhian Swierat
T. Chlo Bartholomew
Contributors
We thank the following individuals for their contributions to this issue of View:
Caroline Calkins-Heine
Steve Lechner
Alfred Peguero
Daryl Walcroft
Photography
AP Images
Brian Bielmann
Corbis Images
Bill Gallery
Getty Images
Andreas Herzau/Laif/Redux
iStockphoto
Vincent Laforet
Chen Ming/Xinhua/Eyevine/Redux
Tommaso Rada/4See/Redux
Reuters Pictures
Brian Smale
Stephen Wilkes
View Issue 15
To request additional copies of View or to comment: www.pwc.com/view.

PwC firms help organisations and individuals create the value they're looking for. We're a network of firms with 169,000 people in more than 158 countries who are committed to deliver quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at http://www.pwc.com/.

2012 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

The information contained in this document is for general guidance on matters of interest only. The application and impact of laws can vary widely based on the specific facts involved. Given the changing nature of laws, rules, and regulations, there may be omissions or inaccuracies in information contained in this document. Before making any decision or taking any action, you should consult a competent professional adviser. Although we believe that the information contained in this document has been obtained from reliable sources, PricewaterhouseCoopers is not responsible for any errors or omissions contained herein or for the results obtained from the use of this information.

View magazine is printed at an ISO 14001:2004 certified plant with Forest Stewardship Council (FSC) Chain of Custody certification (BVCOC-080903). It was printed with the use of renewable wind power resulting in nearly zero volatile organic compound (VOC) emissions. The paper used is 10 percent recycled minimum with postconsumer waste.

By printing at a facility that uses wind-generated electricity:
6,440 lbs of greenhouse gases were prevented
equivalent to 5,588 miles not driven in a year
equivalent to planting 438 trees

By using postconsumer recycled fiber in lieu of virgin fiber:
105,932 gallons of wastewater flow was saved
12,070 lbs of solid waste was not generated
32,676 lbs net of greenhouse gases was prevented
158,000,000 BTUs of energy was not consumed

Source: Environmental Defense Fund paper calculator
www.pwc.com/view

Rear view

Are you designing a disruptive business model to keep your fiercest competitor at bay?
Alter your mental model. Apply insights gained. Imagine scenarios involving disruptive, greenfield competitors.