
www.pwc.com/cybersecurity

Cybersecurity and
Cloud Briefing
December 3, 2015
Wendy L. Frank, principal, PwC,
Advisory, Cybersecurity, Privacy and Risk
wendy.l.frank@pwc.com Office (213) 217-3615
•  Former Chief Security Officer and Leader of Content Security Program for Motion
Picture Association of America:
-  Redesigned third party/vendor security assessment program
-  Revised and greatly expanded Content Security Best Practices Common Guidelines
-  Created Cloud and Application Security Best Practices Common Guidelines
•  Leading authority on cybersecurity and technology for over 20 years with relevant
security and technology certifications including:
-  Certified Information Systems Security Professional (CISSP), Certified Information
Systems Auditor (CISA), Certified Information Security Manager (CISM), and
Certified Information Privacy Professional/United States (CIPP/US) credentials, to
name a few
-  Multiple certifications from Microsoft (MCSE, MCT), IBM/Lotus, etc.
•  BSc Computer Science and BSc Accounting from Alvernia University

December 3, 2015
PwC 2
Methodology

The Global State of Information Security® Survey 2016, a worldwide study by PwC and
CIO and CSO, was conducted online from May 7, 2015 to June 12, 2015.
•  PwC’s 18th year conducting the online survey, 13th with CIO and CSO
•  Readers of CSO and CIO and clients of PwC from 127 countries
•  Responses from more than 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors
of IT and security practices
•  More than 40 questions on topics related to privacy and information security
safeguards and their alignment with the business
•  The margin of error is less than 1%; numbers may not add to 100% due to rounding
•  Figures in this report are based on respondents from all industries

PwC 2016 global state of information security
survey highlights

•  91% have adopted a risk-based cybersecurity framework
•  69% use cloud-based cybersecurity services
•  59% leverage big data analytics for security
•  65% collaborate and partner with others to sharpen security intelligence
•  45% of boards participate in the overall security strategy

What is Cybersecurity?

•  Cybersecurity represents many things to many different people


•  Key characteristics and attributes of cybersecurity:
-  Broader than just information technology and extends beyond the enterprise
-  Increasingly vulnerable due to technology connectivity and dependency
-  An ‘outside-in view’ of the threats and business impact facing an organization
-  Shared responsibility that requires cross functional disciplines in order to plan, protect,
defend, react and respond

It is no longer just an IT challenge – it is a business imperative!

The Cyber challenge now extends beyond the
enterprise

[Figure: Global Business Ecosystem. The enterprise sits at the center of customers, consumers, suppliers, service providers, JV/partners and industry competitors, surrounded by economic, environmental, legal and technology pressures and changes which create opportunity and risk.]

The Evolution:
•  Technology-led innovation has enabled business models to evolve
•  The extended enterprise has moved beyond supply chain and consumer integration
•  Connectivity and collaboration now extend to all facets of business

Leading to:
•  A dynamic environment that is increasingly interconnected, integrated, and interdependent
•  Where changing business drivers create opportunity and risk

Cloud trends

•  Cloud: 21% estimated CAGR of the SaaS market through 2018
•  Social Networks: 82% of sales teams will adopt public social networks by 2014
•  Information Explosion: 100% growth every two years, reaching 44 zettabytes by 2020
•  Mobility: 66% of mobile apps developed in the next 3 years will be integrated with
enterprise apps (SAP, Oracle, Microsoft)
•  Industry Verticals as the 3rd Cloud Platform (35%): high value industry solutions will
become the 3rd platform for cloud expansion (Health, Energy, Govt.)

35% of enterprise IT dollars will be spent outside of IT by 2015 - Gartner

$1 of every $4 spent on applications will be consumed via the cloud by 2018 - IDC

30% of all new business software purchases will be service-enabled by 2018 - IDC

70% of the G2000 will still have 75% of IT resources running onsite by 2018 - IDC

SaaS adoption accelerates

[Figure: SaaS adoption at 75%; enterprise systems, databases and custom apps integrated with SaaS]

Integration takes center stage
•  81% of business managers say integration is key to achieving the full benefits of cloud
•  By 2016, 35% of large and mid-size organizations will use an iPaaS solution
•  Organizations will continue to have mixed IT environments for a long time
•  By 2018, cloud-based integration platforms will reach $3.7b (31% CAGR)

SaaS view of how organizations are
adopting Cloud

[Figure: cloud applications grouped as sanctioned, IT-connected and home grown (e.g., force.com), sitting on a cybersecurity fabric; the on-premise estate of messaging & collaboration, SharePoint, app server, HR & skills, finance, sales & marketing and database apps, plus legacy security solutions]

Scope of Cybersecurity – Technology domain convergence

•  Information Technology: computing resources and connectivity for processing and
managing data to support organizational functions and transactions
•  Operational Technology: systems and related automation assets for the purpose of
monitoring and controlling physical processes and events or supporting the creation
and delivery of products and services
•  Consumer (Products and Services) Technology: computing resources and connectivity
integrated with or supporting external end-user focused products and services

Cybersecurity encompasses all three technology types

Profiles of threat actors

Nation State
•  Motives: economic, political, and/or military advantage
•  Targets: trade secrets; sensitive business information; emerging technologies;
critical infrastructure
•  Impact: loss of competitive advantage; disruption to critical infrastructure

Organized Crime
•  Motives: immediate financial gain; collect information for future financial gains
•  Targets: financial / payment systems; Personally Identifiable Information; payment
card information; Protected Health Information
•  Impact: costly regulatory inquiries and penalties; consumer and shareholder lawsuits;
loss of consumer confidence

Hacktivists
•  Motives: influence political and/or social change; pressure business to change their
practices
•  Targets: corporate secrets; sensitive business information; information related to
key executives, employees, customers & business partners
•  Impact: disruption of business activities; brand and reputation; loss of consumer
confidence

Insiders
•  Motives: personal advantage, monetary gain; professional revenge; patriotism
•  Targets: sales, deals, market strategies; corporate secrets, IP, R&D; business
operations; personnel information
•  Impact: trade secret disclosure; operational disruption; brand and reputation;
national security impact

New and evolving threats

Vulnerabilities
•  Unpatched systems remain the primary vector of successful exploits.
•  99.9% of the exploited vulnerabilities were compromised more than a year after they
were published.

Social engineering
•  The human element and lack of cybersecurity awareness are the most exploited
weaknesses in enterprise-level attacks.
•  Targeted spear-phishing is still effective despite continued training, with 50% of
users opening emails and 11% clicking on attachments.

Zero-day attacks
•  Unpublished vulnerabilities in vendor software are a hot commodity on the dark-net.
•  Four of the most prolific attacks of 2015 were launched using zero-day exploits.

Source: PwC/CIO & CSO Magazine Global State of Information Security Survey 2016 & Verizon 2015 Data Breach Investigations Report

New and evolving threats

Malware
•  Companies cannot cope with the volume and velocity of malware attacks occurring daily.
•  In 2015, an estimated 170 million malware events were reported across the industry.

Hacktivists
•  Mostly a nuisance of the past, hacktivists now target US law enforcement following
police-related incidents.
•  New data suggests that hacktivists are turning their resources to good, in an attempt
to fight ISIS and other terrorist groups.

Cybercrime
•  Cybercrime is increasing due to monetization of PII and PHI on the global black market.
•  79% of global companies experienced a cybercrime-related incident in the past 12 months.

Source: PwC/CIO & CSO Magazine Global State of Information Security Survey 2016 & Verizon 2015 Data Breach Investigations Report

New and evolving threats

Data Loss/Breach
•  Employee, customer and internal company data are primary targets of external and
internal attacks.
•  Top industries affected are public sector and financial services.

Cloud
•  Controls and management are handed off to third parties, and cloud presence increases
the potential attack surface.
•  Attacks against cloud providers increased 40% in 2015.

Insider Threat
•  Insider threat posed by current employees remains the second most frequently reported
type of security incident.
•  55% of insider-related incidents were due to privilege abuse.

Source: PwC/CIO & CSO Magazine Global State of Information Security Survey 2016 & Verizon 2015 Data Breach Investigations Report

New and evolving threats

DDoS Attacks
•  Distributed Denial of Service (DDoS) attacks can disrupt business, resulting in
immediate loss of revenue and long-term damage to reputation.
•  Top industries affected are public sector, retail and financial services.

Web App Attacks
•  Organized crime used web app attacks as the primary attack vector; bad coding habits
provide an easy way in.
•  95% of web-based attacks used harvested user credentials stolen from user devices.

Data Traversal
•  Use of personal file sharing services (e.g., Dropbox, Box, Google Drive) allows
sensitive data to leave the company unchecked.
•  User error is responsible for half of all sensitive data losses, with policy violations
accounting for 25%.

Source: PwC/CIO & CSO Magazine Global State of Information Security Survey 2016 & Verizon 2015 Data Breach Investigations Report

New and evolving threats

Crimeware
•  Availability of automated identity theft and social engineering tools focusing on theft
of bank information or PII has put hacking abilities in the hands of the criminal element.
•  Preconfigured rootkits, keyloggers, Trojans and bots can be downloaded in abundance
from many websites.

Physical Theft
•  Physical access to restricted company areas is the simplest and usually most effective
way to penetrate an organization's network defenses.
•  The most effective way to prevent a physical access breach is to train employees to
report unusual activity and challenge visitors.

Ransomware
•  A tool for petty cyber-thieves, ransomware is expected to be on the rise in 2015/2016
and even harder to defend against.
•  Practicing good cyber-hygiene (e.g., AV, safe browsing, anti-malware) is the most
effective way of preventing ransomware.

Source: PwC/CIO & CSO Magazine Global State of Information Security Survey 2016 & Verizon 2015 Data Breach Investigations Report

Evolving perspectives
Considerations for businesses adapting to the new reality

Historical IT Security Perspectives vs. Today's Leading Cybersecurity Insights

•  Scope of the challenge
-  Historical: limited to your "four walls" and the extended enterprise
-  Today: spans your interconnected global business ecosystem
•  Ownership and accountability
-  Historical: IT led and operated
-  Today: business-aligned and owned; CEO and board accountable
•  Adversaries' characteristics
-  Historical: one-off and opportunistic; motivated by notoriety, technical challenge,
and individual gain
-  Today: organized, funded and targeted; motivated by economic, monetary and political gain
•  Information asset protection
-  Historical: one-size-fits-all approach
-  Today: prioritize and protect your "crown jewels"
•  Defense posture
-  Historical: protect the perimeter; respond if attacked
-  Today: plan, monitor, and rapidly respond when attacked
•  Security intelligence and information sharing
-  Historical: keep to yourself
-  Today: public/private partnerships; collaboration with industry working groups

Top 5 Cloud Cybersecurity Use Cases - Where You
Should Focus

[Figure: five use cases arranged around the three cloud control points of accounts, apps and data]

1.  Compromised Cloud Accounts (UBA): Accounts
2.  Malware (Apps Firewall): Apps
3.  Data Breach (Cloud DLP): Data
4.  Compliance (Reporting/Policy)
5.  SecOps & Forensics (Security Admin)
CISO priorities in the new Cloud stack

•  Identity: Is the user who we think they are?
•  Device: Which device is being used by which identity and for what purpose?
•  Cloud: What's going on with off-the-shelf and homegrown applications and data in the
cloud?

Keeping pace with the new reality –
Key considerations
Operating in the global business ecosystem requires you to think differently about your security
program and investments.

Engage and commit with the business (Board, Audit Committee, and Executive Leadership;
Business Alignment and Enablement)
•  Leadership, ownership, awareness and accountability for addressing the cyber-risks
that threaten the business
•  Alignment and enablement of business objectives

Rationalize and prioritize investments (Risk and Impact Evaluation; Resource
Prioritization; Investment Activities: Projects and Initiatives, Functions and Services)
•  Critical assets are constantly evaluated given they are fundamental to the brand,
business growth and competitive advantage
•  Threats and impact to the business are considered as investment activities are
contemplated

Transform and execute the security program (Security Strategy and Roadmap; Security
Program, Resources and Capabilities)
•  New and enhanced capabilities are needed to meet the ever changing cybersecurity
challenges
•  A comprehensive program must be built on a strong foundation and include proactive
coordination and collaboration with the business
•  The security implications related to the convergence of Information Technology,
Operational Technology and Company Products and Services are addressed

Incorporating industry-leading components
into your cybersecurity program
Solutions to enhance the effectiveness of your cybersecurity program

•  Threat modeling
•  Critical asset protection
•  Privacy and regulatory compliance
•  Insider and third party risk
•  Emerging technology
•  Board & C-suite engagement
•  M&A cyber diligence
•  Operational technology security
•  Secure product & service development
•  Customer experience & trust

•  Threat scenario planning
•  Breach identification & analysis
•  Incident & crisis readiness
•  Forensic investigation
•  Active defense & response
•  Advanced analytics detection & response
•  Strategy development
•  Capability maturity
•  Portfolio & investment rationalization
•  Organization redesign

•  Secure asset management
•  Security architecture & operations
•  Threat & vulnerability management
•  Identity and access management
•  Culture and communication

PwC Cloud Security Architecture Framework

Cybersecurity Governance
•  Objective, Strategy (Business Case, Risk & Compliance)
•  Sponsorship (Organizational posture, Ownership, Investment & ROI)
•  Governance

Cybersecurity Program
•  Organization, Competencies, People & Skills Management
•  Business & IT Policies, Standards & Guidelines
•  Business & Technical Architecture, Training & Awareness
•  Data Privacy & Security (3rd Party Operations)

Operating Policies
•  Internal Organization (Roles & Responsibilities, Compliance)
•  Risk, Operations & Incident Management Processes
•  Third party management
•  External Organization (3rd Party Risks & Contracts)

Cybersecurity Management
•  SLA Monitoring
•  Change Management
•  Security Audit Logging & Monitoring
•  Incident & End Point Protection Management

User Management
•  User Lifecycle Management (Registration, Access Provisioning)
•  Access Management (Authentication, Authorization, SSO, Federation)
•  Secure Gateway (API security, XML-based firewall protection)

Critical Asset Protection
•  Asset Inventory (Business, Systems and Applications)
•  Sensitive Data Ownership & Classification (Data flows & Contextual Attributes)
•  Acceptable Use, Internal & External Collaboration
•  Data at rest/in transit Protection

Technology Protection & Resiliency
•  Encryption and Key Management
•  Virtualization Security, Application Security
•  API Management, Security model (SaaS, Public/Private/Hybrid Cloud)
•  Threat & Vulnerability Management
•  Cyber Response, and Business Continuity Planning

Questions Boards and CEOs should be asking

Enhancing their cybersecurity strategy and capability
1.  Is our cybersecurity program aligned with our business strategy?
2.  Do we have the capabilities to identify and advise on strategic threats and
adversaries targeting us?
3.  Can we explain our cybersecurity strategy to our stakeholders? Our investors? Our
regulators? Our ecosystem partners?

Understanding and adapting to changes in the security risk environment
1.  Do we know what information is most valuable to the business?
2.  Do we know what our adversaries are after and what they would target?
3.  Do we have an insider threat program? Is it inter-departmental?
4.  Are we actively involved in relevant public-private partnerships?

Advance their security posture through a shared vision and culture
1.  How was our last security crisis identified: in-house or by government?
2.  Who leads our incident and crisis management program? Is our program cross
functional/inter-departmental?
3.  How often are we briefed on our cyber initiatives? Do we understand the cyber risks
associated with certain business decisions and related activities?

Lessons learned from recent retail and consumer events
The recent retail and consumer industry challenges apply to a broader
set of companies and industry sectors
•  Attack Method - organized and coordinated efforts to exploit a known technical
vulnerability in the core infrastructure
•  Awareness - adversaries tested and enhanced their approach over the course of
months before executing their campaign; intelligence sources communicated threat
elements
•  Detection - technical indicators were undetected during the attack sequence;
additionally, as is often the case, third parties (e.g. law enforcement or the banks)
detect the compromise, not the company
•  Security Posture - known companies compromised were assumed to be compliant
with industry standards (e.g. PCI DSS) -- compliance does not equal security
•  Industry Exposure – attacks are often not limited to a single company; many
companies within an industry sector share the same/similar profile and it is highly
likely there are other targets and victims

Steps organizations can take to address
Cybersecurity risks

Organizations can’t eliminate the risk of cyber attacks, but they can minimize their
consequences. Here are 5 things leading organizations do to combat cybersecurity risks.
1
Own the Risk
•  Cyber risk is owned by leadership and is not relegated to the IT function.
•  Periodic cybersecurity briefings are provided to the Board and C-Suite.

2
Prioritize Initiatives
•  Leadership prioritizes and monitors cybersecurity investments.
•  Investments are made in new capability, not just technology.
•  Crown jewels have been identified and their protection prioritized.

3
Learn and Incorporate
•  Leading organizations work with various external parties, share information on current threats and incorporate
learnings into their own cybersecurity strategy and tactics.

4
Enhance Culture
•  A security culture and mindset is established through training, measurement and evaluation.
•  Behaviors and capabilities of the organization are established and reinforce the importance of cybersecurity.

5
Secure the Business
•  Security of the business value chain including suppliers, third party providers and high-risk interconnection points
has been considered.
•  Adapt to the challenges of new and emerging digital business models.

For more information, please contact

Wendy Frank
Principal, Advisory, Cybersecurity, Privacy & Risk
wendy.l.frank@pwc.com
Office (213) 217-3615

Visit www.pwc.com/gsiss to explore the data further.

The Global State of Information Security® is a registered trademark of International Data Group, Inc.

© 2016 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers
to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a
separate legal entity. Please see www.pwc.com/structure for further details. This content is for general
information purposes only, and should not be used as a substitute for consultation with professional advisors.
