Cybersecurity and Cloud Briefing
December 3, 2015
Wendy L. Frank, principal, PwC,
Advisory, Cybersecurity, Privacy and Risk
wendy.l.frank@pwc.com Office (213) 217-3615
• Former Chief Security Officer and Leader of Content Security Program for Motion
Picture Association of America:
- Redesigned third party/vendor security assessment program
- Revised and greatly expanded Content Security Best Practices Common Guidelines
- Created Cloud and Application Security Best Practices Common Guidelines
• Leading authority on cybersecurity and technology for over 20 years with relevant
security and technology certifications including:
- Certified Information Systems Security Professional (CISSP), Certified Information
Systems Auditor (CISA), and Certified Information Systems Manager (CISM), and
Certified Information Privacy Professional/United States (CIPP/US) credentials, to
name a few
- Multiple certifications from Microsoft (MCSE, MCT), IBM/Lotus, etc.
• BSc Computer Science and BSc Accounting from Alvernia University
December 3, 2015
PwC 2
Methodology
The Global State of Information Security® Survey 2016, a worldwide study by PwC and
CIO and CSO, was conducted online from May 7, 2015 to June 12, 2015.
• PwC’s 18th year conducting the online survey, 13th with CIO and CSO
• Readers of CSO and CIO and clients of PwC from 127 countries
• Responses from more than 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors
of IT and security practices
• More than 40 questions on topics related to privacy and information security
safeguards and their alignment with the business
• The margin of error is less than 1%; numbers may not add to 100% due to rounding
• Figures in this report are based on respondents from all industries
PwC 2016 global state of information security survey highlights
What is Cybersecurity?
The Cyber challenge now extends beyond the enterprise
[Figure: the enterprise business at the center of a Global Business Ecosystem, surrounded by Economic, Industry/Competitors, Legal, Consumer, Service Providers, JV/Partners and Technology pressures and changes which create opportunity and risk]
The Evolution:
• Technology-led innovation has enabled business models to evolve
• The extended enterprise has
Leading to:
• A dynamic environment that is increasingly interconnected, integrated, and interdependent
• Where changing business drivers create opportunity and risk
Cloud trends
$1 of every $4 spent on applications will be consumed via the cloud by 2018 - IDC
30% of all new business software purchases will be service-enabled by 2018 - IDC
70% of the G2000 will still have 75% of IT resources running onsite by 2018 - IDC
SaaS adoption accelerates
[Figure: chart of SaaS adoption; the only value that survived extraction is 75%]
SaaS view of how organizations are adopting Cloud
[Figure: on-premise apps (Messaging & Collaboration, Sharepoint, App Server, Legacy Security Solutions, Finance, Database) alongside SaaS services (force.com, Sales & marketing, HR & Skills), with a CyberSecurity Fabric spanning both]
Scope of Cybersecurity – Technology domain convergence
Profiles of threat actors

Organized Crime
Motives: immediate financial gain; collect information for future financial gains
Targets: Financial / Payment Systems; Personally Identifiable Information; Payment Card Information; Protected Health Information
Impact: costly regulatory inquiries and penalties; consumer and shareholder lawsuits; loss of consumer confidence

Insiders
Motives: personal advantage, monetary gain; professional revenge; patriotism
Targets: sales, deals, market strategies; corporate secrets, IP, R&D; business operations; personnel information
Impact: trade secret disclosure; operational disruption; brand and reputation; national security impact
New and evolving threats
Source: PwC/CIO & CSO Magazine Global State of Information Security Survey 2016 & Verizon 2015 Data Breach Investigations Report
New and evolving threats: Malware
Companies cannot cope with the volume and velocity of malware attacks occurring daily.
In 2015, an estimated 170 million malware events were reported across the industry.
New and evolving threats: Web App Attacks
Organized crime used Web App attacks as the primary attack vector. Bad coding habits provide an easy way in.
95% of web-based attacks used harvested user credentials stolen from user devices.

New and evolving threats: Data Traversal
Use of personal file sharing services (e.g., Dropbox, Box, Google Drive) allows for sensitive data to leave the company unchecked.
User error is responsible for half of all sensitive data losses with policy violations accounting for 25%.
Evolving perspectives
Considerations for businesses adapting to the new reality
Top 5 Cloud Cybersecurity Use Cases - Where You Should Focus
[Figure: three domains, Accounts, Apps and Data, with the five use cases mapped onto them]
1. Compromised Cloud Accounts (UBA)
2. Malware (Apps Firewall)
3. Data Breach (Cloud DLP)
4. Compliance (Reporting/Policy)
5. SecOps & Forensics (Security Admin)
CISO priorities in the new Cloud stack
[Figure: layers of the new cloud stack; only the "Device" layer label survived extraction]
Keeping pace with the new reality – Key considerations
Operating in the global business ecosystem requires you to think differently about your security
program and investments.
Resource Prioritization: rationalize and prioritize investments
(Investment Activities, Projects and Initiatives, Functions and Services)
• Critical assets are constantly evaluated given they are fundamental to the brand, business growth and competitive advantage
• Threats and impact to the business are considered as investment activities are contemplated
Incorporating industry-leading components into your cybersecurity program
Solutions to enhance the effectiveness of your cybersecurity program
• Threat modeling
• Critical asset protection
• Privacy and regulatory compliance
• Insider and third party risk
• Emerging technology
• Board & C-suite engagement
• M&A cyber diligence
• Operational technology security
• Secure product & service development
• Customer experience & trust
PwC Cloud Security Architecture Framework
[Figure: architecture framework diagram; only the Cybersecurity Management components survived extraction]
Cybersecurity Management
• SLA Monitoring
• Change Management
• Security Audit Logging & Monitoring
• Incident & End Point Protection Management
Questions Boards and CEOs should be asking

Enhancing their cybersecurity strategy and capability
1. Is our cybersecurity program aligned with our business strategy?
2. Do we have the capabilities to identify and advise on strategic threats and adversaries targeting us?
3. Can we explain our cybersecurity strategy to our stakeholders? Our investors? Our regulators? Our ecosystem partners?

Understanding and adapting to changes in the security risk environment
1. Do we know what information is most valuable to the business?
2. Do we know what our adversaries are after/what would they target?
3. Do we have an insider threat program? Is it inter-departmental?
4. Are we actively involved in relevant public-private partnerships?

Advance their security posture through a shared vision and culture
1. How was our last security crisis identified; in-house or government identified?
2. Who leads our incident and crisis management program? Is our program cross functional/inter-departmental?
3. How often are we briefed on our cyber initiatives? Do we understand the cyber risks associated with certain business decisions and related activities?
Lessons learned from recent retail and consumer events
The recent retail and consumer industry challenges apply to a broader
set of companies and industry sectors
• Attack Method - organized and coordinated efforts to exploit a known technical
vulnerability in the core infrastructure
• Awareness - adversaries tested and enhanced their approach over the course of
months before executing their campaign; intelligence sources communicated threat
elements
• Detection - technical indicators were undetected during the attack sequence;
additionally, as is often the case, third parties (e.g. law enforcement or the banks)
detect the compromise, not the company
• Security Posture - known companies compromised were assumed to be compliant
with industry standards (e.g. PCI DSS) -- compliance does not equal security
• Industry Exposure – attacks are often not limited to a single company; many
companies within an industry sector share the same/similar profile and it is highly
likely there are other targets and victims
Steps organizations can take to address Cybersecurity risks
Organizations can’t eliminate the risk of cyber attacks, but they can minimize their
consequences. Here are 5 things leading organizations do to combat cybersecurity risks.
1 Own the Risk
• Cyber risk is owned by leadership and is not relegated to the IT function.
• Periodic cybersecurity briefings are provided to the Board and C-Suite.
2 Prioritize Initiatives
• Leadership prioritizes and monitors cybersecurity investments.
• Investments are made in new capability, not just technology.
• Crown jewels have been identified and their protection prioritized.
3 Learn and Incorporate
• Leading organizations work with various external parties, share information on current threats and incorporate learnings into their own cybersecurity strategy and tactics.
4 Enhance Culture
• A security culture and mindset is established through training, measurement and evaluation.
• Behaviors and capabilities of the organization are established and reinforce the importance of cybersecurity.
5 Secure the Business
• Security of the business value chain including suppliers, third party providers and high-risk interconnection points has been considered.
• Adapt to the challenges of new and emerging digital business models.
For more information, please contact
Wendy Frank
Principal, Advisory, Cybersecurity, Privacy & Risk
wendy.l.frank@pwc.com
Office (213) 217-3615
The Global State of Information Security® is a registered trademark of International Data Group, Inc.
© 2016 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers
to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a
separate legal entity. Please see www.pwc.com/structure for further details. This content is for general
information purposes only, and should not be used as a substitute for consultation with professional advisors.