CYBERSECURITY NEXT: MANAGING DIGITAL RISK IN THE NEW ERA Rohit Ghai President, RSA


Page 1

CYBERSECURITY NEXT: MANAGING DIGITAL RISK IN THE NEW ERA

Rohit Ghai

President, RSA

Page 2

RSA KEY STATS

▪ 30,000+ Customers
▪ 50+ million Identities
▪ 1 billion Consumers
▪ 400+ Global Technology Partners
▪ 94% (label not captured)

Page 3

DIGITAL TRANSFORMATION

Page 4

Page 5

[Chart: Risk (Low / Medium / High) plotted against Digital Adoption, comparing Traditional Business Risk with Digital Risk]

WITH DIGITAL TRANSFORMATION, DIGITAL RISK IS THE GREATEST FACET OF RISK THAT BUSINESSES FACE

Page 6

In a 2016 study of non-IT executives, 71% said that concerns over cybersecurity are impeding innovation in their organizations.
– Gartner

Survey data from March 2017 indicates that risk data regularly influences the decisions of 78% of organizations' boards of directors.
– Gartner

53% of CISOs said they provide reports to BODs on cyber-investment initiatives. Yet only 18% of directors said they receive such info.
– Marsh-Microsoft Global Cyber Risk Perception Survey, 2/18

By 2020, 60% of digital businesses will suffer major service failures, due to the inability of IT security teams to manage digital risk.
– Gartner

Page 7

[Diagram: CEO / Board poses open questions (? ? ?) to GRC, IT and Security; drivers shown: Malice, Mandates, Modernization]

Page 8

[Diagram: CEO / Board, GRC, IT and Security around Digital Risk, with the open questions (? ? ?) mapped to Visibility (V), Insights (I) and Action (A)]

Page 9

DIGITAL RISK MATURITY

[Chart: maturity (vertical axis) across Information Technology, Security Office, Risk Mgt / Compliance Office, and BOD / Execs]

▪ Siloed
  ▪ Ad Hoc, Reactive
  ▪ Trigger Events
  ▪ Tactical POV

▪ Managed
  ▪ Platform Approach
  ▪ Pervasive Visibility
  ▪ Leverage Technology
  ▪ Integrate Silos

▪ Optimized
  ▪ Sharing and Collaborating Across Silos
  ▪ Integrated business & risk context
  ▪ Priorities and resources aligned with risk and business objectives

Page 10

MATURITY IN FOUR KEY AREAS

RSA Risk and Cybersecurity Practice

[Table: maturity (vertical axis, highest first) across four columns: Cyber Incident Risk Mgt, 3rd Party Governance, Data Privacy Risk, Digital Business Resiliency; the cells below are listed in the slide's column order]

Highest maturity
▪ Cyber Incident Risk Mgt: Ability to identify sophisticated attacks & breaches, lateral movement, initial impact and effectively respond with a cross functional response
▪ 3rd Party Governance: Risk is considered from perspective of loss events, opportunity costs and enhancing likelihood of achieving objectives and executing strategy. Risk taking decisions are proactive
▪ Data Privacy Risk: Business context is completely infused into compliance processes and technology. Monitoring capabilities alert stakeholders to impactful regulatory changes
▪ Digital Business Resiliency: Integrated information governance into corporate infrastructure and business processes to such an extent that compliance with program requirements and legal, regulatory, and other responsibilities are routine

Upper-middle maturity
▪ Cyber Incident Risk Mgt: Ability to identify commodity malware, some breaches, some lateral movement, basic initial impact and respond with a somewhat coordinated cross functional response
▪ 3rd Party Governance: Management has information needed to understand complete context of risk. More informed decisions made and accountability established but decision process is still manual
▪ Data Privacy Risk: System of record in place to manage full lifecycle of compliance activities. Stakeholders collaboratively define processes and policies; remediation activities are consistently monitored and reported
▪ Digital Business Resiliency: Established proactive information governance program with continuous improvement. Information governance issues and considerations routinely integrated into business decisions

Lower-middle maturity
▪ Cyber Incident Risk Mgt: Limited ability to identify commodity malware, some breaches, some lateral movement, basic initial impact and limited ability to respond
▪ 3rd Party Governance: Agreement on risk management terminology, rating scales and assessment approach is established. Little business context is available and responsibility for each risk and control is not always clear
▪ Data Privacy Risk: Operational standards and a comprehensive compliance catalog are developed. Some activity focused on improving effectiveness and stabilizing processes with limited scope
▪ Digital Business Resiliency: Developing recognition that information governance has impact on organization and benefits from more defined program. Still vulnerable to scrutiny of legal or business requirements

Lowest maturity
▪ Cyber Incident Risk Mgt: No ability to detect threats against the organization and no ability to respond when attacked
▪ 3rd Party Governance: Baseline activities are in place to manage risk but are isolated and fragmented. Beginning to obtain visibility into assessed level of inherent and residual risk but accountability is ad hoc
▪ Data Privacy Risk: Organization understands broad compliance obligations but each area manages separately. Control performance is assessed ad hoc or as part of external audit
▪ Digital Business Resiliency: Information governance and recordkeeping concerns are not addressed at all, minimally or ad hoc. Will not meet legal or regulatory scrutiny or effectively serve the business

* Sourced from ARMA International Generally Accepted Recordkeeping Principles

Page 11

RSA MATURITY BLUEPRINT:

Cyber-Breach Risk Reduction Maturity Model

[Table: maturity (vertical axis, highest first) across five columns: Left of Breach (Pre-Breach) Preparedness, Breach Risk Reduction (Breach Deflection), Breach and Initial Incident Response, Breach Remediation, Right of Breach (Post Breach) Adaptation]

Row 1 (highest maturity)
▪ Pre-Breach Preparedness: Operational effectiveness to execute on cross functional recurring tabletop exercises, tested IR Plan (red/blue), IR resource alignment, CIA Asset System Categorization and compliance/privacy alignment, base breach risk assessment
▪ Breach Risk Reduction: Operational effectiveness to continually test enterprise breach risk tolerance (enterprise wide and system specific) and ability to adapt to threats, process, IT and security operational issues to reduce risk and impact of a breach
▪ Breach and Initial Incident Response: Operational effectiveness to identify breaches and lateral movement, understand impact, and effectively respond with a cross functional response
▪ Breach Remediation: Operational effectiveness to understand impact and impacted systems and effectively remediate breaches with automated assistance from technology
▪ Post-Breach Adaptation: Operationalize feedback loop to improve breach response (into Pre-Breach planning) and continually reduce risk based on operational feedback/inputs

Row 2
▪ Pre-Breach Preparedness: Ability to execute on cross functional recurring testing of IR Plan via staged process exercises, IR resource alignment, CIA Asset System Categorization of critical assets and compliance alignment
▪ Breach Risk Reduction: Ability to periodically test enterprise breach risk tolerance (system specific) and adapt to threats, process, IT and security operational issues to reduce risk of a breach and optimize Incident Response (IR) to reduce breach impact
▪ Breach and Initial Incident Response: Ability to identify breaches and lateral movement, impact and effectively respond with a cross functional response
▪ Breach Remediation: Ability to understand impact and impacted systems and remediate breaches with automated assistance from technology
▪ Post-Breach Adaptation: Operationalize feedback loop to improve breach response but limited project creation to continually reduce risk based on operational feedback/inputs

Row 3
▪ Pre-Breach Preparedness: Good cybersecurity awareness and foundational preparation including IR Plan and identified IR resources to respond to breach
▪ Breach Risk Reduction: Ability to periodically test enterprise breach risk tolerance (system specific) but limited follow-through to adapt to threats, process, IT and security operational issues to reduce risk of a breach and optimize Incident Response (IR) to reduce impact
▪ Breach and Initial Incident Response: Ability to identify breaches, estimate impact, and ad hoc response from organization
▪ Breach Remediation: Ability to understand which systems were impacted and ad hoc, manual remediation of breach
▪ Post-Breach Adaptation: Ad hoc feedback loop to improve breach response (into Pre-Breach planning)

Row 4
▪ Pre-Breach Preparedness: Foundational cybersecurity awareness and basic foundational preparation (understand what may need to be done) to respond to breach
▪ Breach Risk Reduction: Limited testing of enterprise breach risk tolerance (system specific) and limited follow-through to adapt to threats, process, IT and security operational issues to reduce risk of a breach and optimize Incident Response (IR) to reduce impact
▪ Breach and Initial Incident Response: Ability to identify breaches, estimate impact, and ad hoc response from organization
▪ Breach Remediation: Ability to understand which systems were impacted and ad hoc, manual remediation of breach
▪ Post-Breach Adaptation: Ad hoc feedback loop to improve breach response (into Pre-Breach planning)

Row 5
▪ Pre-Breach Preparedness: Foundational cybersecurity awareness but poor preparation to respond to breach
▪ Breach Risk Reduction: Minimal compliance-only testing of enterprise breach risk tolerance (system specific) and minimal follow-through to adapt to threats, process, IT and security operational issues
▪ Breach and Initial Incident Response: Minimal ability to identify breaches with no ability to measure impact. Ad hoc response capabilities.
▪ Breach Remediation: Minimal ability to understand which systems were impacted and ad hoc, manual and limited remediation of breach
▪ Post-Breach Adaptation: Minimal defined processes for feedback loop to improve breach response (into Pre-Breach planning)

Row 6
▪ Pre-Breach Preparedness: Minimal cybersecurity awareness and poor preparation to respond to breach
▪ Breach Risk Reduction: Minimal cybersecurity awareness, failure to perform basic breach risk management, and poor preparation to respond to breach
▪ Breach and Initial Incident Response: Minimal ability to identify breaches with no ability to measure impact. No response capabilities.
▪ Breach Remediation: No or minimal cybersecurity awareness and poor preparation to respond to breach
▪ Post-Breach Adaptation: No follow-up post breach to improve capabilities on pre-breach based on GAP and learnings from breach.

Row 7 (lowest maturity)
▪ Pre-Breach Preparedness: No cybersecurity awareness and poor preparation to respond to breach
▪ Breach Risk Reduction: No cybersecurity awareness, failure to perform basic breach risk management, and poor preparation to respond to breach
▪ Breach and Initial Incident Response: No cybersecurity awareness and poor preparation to respond to breach
▪ Breach Remediation: No cybersecurity awareness and poor preparation to respond to breach
▪ Post-Breach Adaptation: No follow-up post breach plans or capabilities to improve capabilities on pre-breach based on GAP and learnings from breach.

[Column captions on the slide: Prepare for Breach to Reduce Risk of Breach and Breach Impact; Risk and Dwell Time Reduction Actions; Impact Analysis; Remediate and Prevention; Lessons Learned and adapt to Reduce Risk; Adapt and optimize operational IT and Security Awareness. Incident lifecycle phases shown beneath the columns: Prepare, Detect, Analyze, Contain, Eradicate, Recover, Post-Incident Handling; a Dwell Time marker is also shown]

Page 12

Repeats the Cyber-Breach Risk Reduction Maturity Model from page 11 with point scores (Pts.) overlaid on the cells: 1, 2, 6, 4, 5, 7, 3, 2 2, 3, 4, 7 (cell-to-score mapping not recoverable from the slide text).

Page 13

Repeats the Cyber-Breach Risk Reduction Maturity Model from page 11 with one cell per column called out:

▪ Pre-Breach Preparedness: Minimal cybersecurity awareness and poor preparation to respond to breach
▪ Breach Risk Reduction: Limited testing of enterprise breach risk tolerance (system specific) and limited follow-through to adapt to threats, process, IT and security operational issues to reduce risk of a breach and optimize Incident Response (IR) to reduce impact
▪ Breach and Initial Incident Response: Operational effectiveness to identify breaches and lateral movement, understand impact, and effectively respond with a cross functional response
▪ Breach Remediation: Minimal ability to understand which systems were impacted and ad hoc, manual and limited remediation of breach
▪ Post-Breach Adaptation: No follow-up post breach plans or capabilities to improve capabilities on pre-breach based on GAP and learnings from breach.

Page 14

NEW REQUIREMENTS

A unified, phased approach to provide visibility, insights, and action to manage digital risk

Page 15

KEY TAKEAWAYS

1. The Rise of Digital Risk
2. Managing Digital Risk is a Team Sport
3. Pervasive Visibility, Continuous Insight, Automated Action
4. Need for Business-Driven Security and Risk Orientation
5. Manage Risk, don’t avoid it

Page 16

THANKS

Rohit Ghai

President, RSA