CYBERSECURITY NEXT: MANAGING DIGITAL RISK IN THE NEW ERA
Rohit Ghai, President, RSA

RSA KEY STATS
▪ 30,000+ customers
▪ 50+ million identities
▪ 1 billion consumers
▪ 400+ global technology partners
DIGITAL TRANSFORMATION
94%

WITH DIGITAL TRANSFORMATION, DIGITAL RISK IS THE GREATEST FACET OF RISK THAT BUSINESSES FACE
[Chart: risk (low / medium / high) plotted against digital adoption, comparing traditional business risk with digital risk]
"In a 2016 study of non-IT executives, 71% said that concerns over cybersecurity are impeding innovation in their organizations." – Gartner

"Survey data from March 2017 indicates that risk data regularly influences the decisions of 78% of organizations' boards of directors." – Gartner

"53% of CISOs said they provide reports to BODs on cyber-investment initiatives. Yet only 18% of directors said they receive such info." – Marsh-Microsoft Global Cyber Risk Perception Survey, 2/18

"By 2020, 60% of digital businesses will suffer major service failures, due to the inability of IT security teams to manage digital risk." – Gartner
[Diagram: the CEO/Board poses open questions (shown as question marks) to GRC and IT Security; the drivers around them are labelled Malice, Mandates and Modernization. A second version of the diagram places Digital Risk at the centre, connecting GRC, IT Security and the CEO/Board.]
DIGITAL RISK MATURITY
[Diagram: maturity rises through three stages: Visibility, Insights, Action]
Stakeholders: Information Technology; Security Office; Risk Mgt / Compliance Office; BOD / Execs

Siloed
▪ Ad hoc, reactive
▪ Trigger events
▪ Tactical POV

Managed
▪ Platform approach
▪ Pervasive visibility
▪ Leverage technology
▪ Integrate silos

Optimized
▪ Sharing and collaborating across silos
▪ Integrated business & risk context
▪ Priorities and resources aligned with risk and business objectives
MATURITY IN FOUR KEY AREAS
Four key areas: Cyber Incident Risk Mgt, 3rd Party Governance, Data Privacy Risk, Digital Business Resiliency

The maturity table below (RSA Risk and Cybersecurity Practice) has four tiers, from most to least mature. Each tier lists, in order, its cell for threat detection and response, risk management, compliance, and information governance*.

Tier 4 (most mature)
▪ Ability to identify sophisticated attacks & breaches, lateral movement and initial impact, and to respond effectively with a cross-functional response
▪ Risk is considered from the perspective of loss events, opportunity costs and enhancing the likelihood of achieving objectives and executing strategy. Risk-taking decisions are proactive
▪ Business context is completely infused into compliance processes and technology. Monitoring capabilities alert stakeholders to impactful regulatory changes
▪ Information governance is integrated into corporate infrastructure and business processes to such an extent that compliance with program requirements and legal, regulatory, and other responsibilities is routine

Tier 3
▪ Ability to identify commodity malware, some breaches, some lateral movement and basic initial impact, and to respond with a somewhat coordinated cross-functional response
▪ Management has the information needed to understand the complete context of risk. More informed decisions are made and accountability is established, but the decision process is still manual
▪ System of record in place to manage the full lifecycle of compliance activities. Stakeholders collaboratively define processes and policies; remediation activities are consistently monitored and reported
▪ Established proactive information governance program with continuous improvement. Information governance issues and considerations are routinely integrated into business decisions

Tier 2
▪ Limited ability to identify commodity malware, some breaches, some lateral movement and basic initial impact, and limited ability to respond
▪ Agreement on risk management terminology, rating scales and assessment approach is established. Little business context is available and responsibility for each risk and control is not always clear
▪ Operational standards and a comprehensive compliance catalog are developed. Some activity is focused on improving effectiveness and stabilizing processes, with limited scope
▪ Developing recognition that information governance has an impact on the organization and would benefit from a more defined program. Still vulnerable to scrutiny of legal or business requirements

Tier 1 (least mature)
▪ No ability to detect threats against the organization and no ability to respond when attacked
▪ Baseline activities are in place to manage risk but are isolated and fragmented. Beginning to obtain visibility into the assessed level of inherent and residual risk, but accountability is ad hoc
▪ Organization understands broad compliance obligations but each area manages them separately. Control performance is assessed ad hoc or as part of external audit
▪ Information governance and recordkeeping concerns are not addressed at all, or only minimally or ad hoc. Will not meet legal or regulatory scrutiny or effectively serve the business

* Sourced from ARMA International Generally Accepted Recordkeeping Principles
RSA MATURITY BLUEPRINT: Cyber-Breach Risk Reduction Maturity Model

The model scores seven maturity tiers across five breach-lifecycle phases. Each phase is listed below with its tiers from most to least mature.

LEFT OF BREACH (PRE-BREACH) PREPAREDNESS
▪ Operational effectiveness to execute on cross-functional recurring tabletop exercises, tested IR Plan (red/blue), IR resource alignment, CIA Asset System Categorization and compliance/privacy alignment, base breach risk assessment
▪ Ability to execute on cross-functional recurring testing of IR Plan via staged process exercises, IR resource alignment, CIA Asset System Categorization of critical assets and compliance alignment
▪ Good cybersecurity awareness and foundational preparation including IR Plan and identified IR resources to respond to breach
▪ Foundational cybersecurity awareness and basic foundational preparation (understand what may need to be done) to respond to breach
▪ Foundational cybersecurity awareness but poor preparation to respond to breach
▪ Minimal cybersecurity awareness and poor preparation to respond to breach
▪ No cybersecurity awareness and poor preparation to respond to breach

BREACH RISK REDUCTION (BREACH DEFLECTION)
▪ Operational effectiveness to continually test enterprise breach risk tolerance (enterprise wide and system specific) and ability to adapt to threats, process, IT and security operational issues to reduce risk and impact of a breach
▪ Ability to periodically test enterprise breach risk tolerance (system specific) and adapt to threats, process, IT and security operational issues to reduce risk of a breach and optimize Incident Response (IR) to reduce breach impact
▪ Ability to periodically test enterprise breach risk tolerance (system specific) but limited follow-through to adapt to threats, process, IT and security operational issues to reduce risk of a breach and optimize Incident Response (IR) to reduce impact
▪ Limited testing of enterprise breach risk tolerance (system specific) and limited follow-through to adapt to threats, process, IT and security operational issues to reduce risk of a breach and optimize Incident Response (IR) to reduce impact
▪ Minimal compliance-only testing of enterprise breach risk tolerance (system specific) and minimal follow-through to adapt to threats, process, IT and security operational issues
▪ Minimal cybersecurity awareness, failure to perform basic breach risk management, and poor preparation to respond to breach
▪ No cybersecurity awareness, failure to perform basic breach risk management, and poor preparation to respond to breach

BREACH AND INITIAL INCIDENT RESPONSE
▪ Operational effectiveness to identify breaches and lateral movement, understand impact, and effectively respond with a cross-functional response
▪ Ability to identify breaches and lateral movement and their impact, and effectively respond with a cross-functional response
▪ Ability to identify breaches, estimate impact, and ad hoc response from organization
▪ Ability to identify breaches, estimate impact, and ad hoc response from organization
▪ Minimal ability to identify breaches with no ability to measure impact. Ad hoc response capabilities.
▪ Minimal ability to identify breaches with no ability to measure impact. No response capabilities.
▪ No cybersecurity awareness and poor preparation to respond to breach

BREACH REMEDIATION
▪ Operational effectiveness to understand impact and impacted systems and effectively remediate breaches with automated assistance from technology
▪ Ability to understand impact and impacted systems and remediate breaches with automated assistance from technology
▪ Ability to understand which systems were impacted and ad hoc, manual remediation of breach
▪ Ability to understand which systems were impacted and ad hoc, manual remediation of breach
▪ Minimal ability to understand which systems were impacted and ad hoc, manual and limited remediation of breach
▪ No or minimal cybersecurity awareness and poor preparation to respond to breach
▪ No cybersecurity awareness and poor preparation to respond to breach

RIGHT OF BREACH (POST BREACH) ADAPTATION
▪ Operationalize feedback loop to improve breach response (into Pre-Breach planning) and continually reduce risk based on operational feedback/inputs
▪ Operationalize feedback loop to improve breach response, but limited project creation to continually reduce risk based on operational feedback/inputs
▪ Ad hoc feedback loop to improve breach response (into Pre-Breach planning)
▪ Ad hoc feedback loop to improve breach response (into Pre-Breach planning)
▪ Minimal defined processes for feedback loop to improve breach response (into Pre-Breach planning)
▪ No follow-up post breach to improve pre-breach capabilities based on gaps and learnings from the breach.
▪ No follow-up post breach plans or capabilities to improve pre-breach capabilities based on gaps and learnings from the breach.

Activity band beneath the phases: Prepare for Breach to Reduce Risk of Breach and Breach Impact; Risk and Dwell Time Reduction Actions; Dwell Time; Impact Analysis; Remediate and Prevention; Lessons Learned and adapt to Reduce Risk; Adapt and optimize operational IT and Security Awareness.
Incident-response lifecycle mapped along the bottom: PREPARE, DETECT, ANALYZE, CONTAIN, ERADICATE, RECOVER, POST-INCIDENT HANDLING.
[Scoring overlay: point values (Pts.) attached to the cells of the maturity model]
Highlighted cells on the model, one per phase:
▪ Left of Breach (Pre-Breach) Preparedness: Minimal cybersecurity awareness and poor preparation to respond to breach
▪ Breach Risk Reduction (Breach Deflection): Limited testing of enterprise breach risk tolerance (system specific) and limited follow-through to adapt to threats, process, IT and security operational issues to reduce risk of a breach and optimize Incident Response (IR) to reduce impact
▪ Breach and Initial Incident Response: Operational effectiveness to identify breaches and lateral movement, understand impact, and effectively respond with a cross-functional response
▪ Breach Remediation: Minimal ability to understand which systems were impacted and ad hoc, manual and limited remediation of breach
▪ Right of Breach (Post Breach) Adaptation: No follow-up post breach plans or capabilities to improve pre-breach capabilities based on gaps and learnings from the breach.
NEW REQUIREMENTS
A unified, phased approach to provide visibility, insights, and action to manage digital risk
KEY TAKEAWAYS
1. The Rise of Digital Risk
2. Managing Digital Risk is a Team Sport
3. Pervasive Visibility, Continuous Insight, Automated Action
4. Need for Business-Driven Security and Risk Orientation
5. Manage Risk, don't avoid it
THANKS
Rohit Ghai, President, RSA