2. PwC
Digital Trust
Securing your future in the digital world
Peter Malan, Lead Partner, presents ‘Take control of your future by looking at risk differently’
Digital Trust
https://takecontrol.pwc.com.au/digital-trust/
4. PwC
2015 Global state of information security survey
PwC and CSO Magazine recently launched the 2015 Global State of Information Security Survey.
Key findings:
• 61% of customers would stop using a company’s product if there was a breach in their security.
• Cyber security ranked third (44%) among the top three risk categories.
• Reported information security incidents globally rose 48% to 42.8 million.
• Losses of $20 million or more increased 92% from the previous year.
• Estimated reported average financial loss from Cyber security incidents was $2.7 million, a 34% increase over 2013.
• Incidents caused by current employees increased 10%; incidents attributed to service providers, consultants and contractors rose 15% and 17%.
• 75% of CEOs now regard digital security as a serious threat to their business.
• Only 49% of respondents say their organisation regularly convenes to discuss, coordinate, and communicate Cyber security issues.
• 34% of respondents do not allocate security spending to their most profitable lines of business.
• 88% of organisations are spending less than 1% of their revenue
Survey highlights:
1. Cyber risks are a severe and present danger
2. Incidents and financial impacts continue to soar
3. Employees are the most cited culprits of incidents
4. As incidents rise, security spending is falling
5. There is a lack of involvement at the Board level
6. There has been a decline in fundamental security practices
5. PwC
2015 Global state of information security survey
Survey highlight 1: Cyber risks are a severe and present danger
6. PwC
2015 Global state of information security survey
Incidents caused by current employees increased 10%.
Survey highlight 2: Incidents and financial impacts continue to soar
Survey highlight 3: Employees are the most cited culprits of incidents
Survey highlight 4: As incidents rise, security spending is falling
7. PwC
2015 Global state of information security survey
Disconnect between the increased level of concern and organisations’ focus
Survey highlight 5: There is a lack of involvement at the Board level
Concern vs reality:
Only 8% of respondents review privacy or cybersecurity at every board meeting.
95% of respondents rated their Board’s oversight of privacy and cybersecurity risks as weak, or sufficient but needing improvement.
Many organisations have yet to assign a specific role to govern privacy and cybersecurity risks, and still view privacy and cybersecurity risks as a technology or legal / compliance issue.
8. PwC
2015 Global state of information security survey
Survey highlight 6: There has been a decline in fundamental security practices
11. PwC
The changing digital world
• Business is becoming ever more interconnected.
• The borders of where a business supply/value chain starts and ends are vague.
• Governments around the world are placing a heightened level of focus and investment into combatting cyber criminals and cyber espionage.
• Corporations are being targeted directly by ‘hackers’ and indirectly via their business partners.
• Company Boards need to understand the risks to their business:
- What risks are being inherited via third party suppliers?
- Is Cloud enhancing or undermining your business?
- Do only the right people have access to your systems in a more ‘open’ world?
- Are data availability, integrity and confidentiality assured as part of integration into the business supply chain?
• Digital Trust is a key attribute in the new digital business world.
12. PwC
Evolving perspectives
Considerations for businesses adapting to the new reality
Scope of the challenge
  Historical IT security perspective: Limited to your “four walls” and the extended enterprise
  Today’s leading digital security insight: Spans your interconnected global business ecosystem
Ownership and accountability
  Historical IT security perspective: IT led and operated
  Today’s leading digital security insight: Business-aligned and owned; CEO and board accountable
Adversaries’ characteristics
  Historical IT security perspective: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
  Today’s leading digital security insight: Organized, funded and targeted; motivated by economic, monetary and political gain
Information asset protection
  Historical IT security perspective: One-size-fits-all approach
  Today’s leading digital security insight: Prioritize and protect your “crown jewels”
Defense posture
  Historical IT security perspective: Protect the perimeter; respond if attacked
  Today’s leading digital security insight: Plan, monitor, and rapidly respond when attacked
Security intelligence and information sharing
  Historical IT security perspective: Keep to yourself
  Today’s leading digital security insight: Public/private partnerships; collaboration with industry working groups
13. PwC
Organisations are facing increasing digital challenges
“eBay data breach sparks lawsuit” (Source: www.itnews.com.au)
“Microsoft ordered to hand over overseas email” (Source: www.zdnet.com)
“40 million card numbers and personal data stolen from Target systems in Nov/Dec 2013” (Source: www.target.com)
“Hackers steal confidential personal data from Sony Pictures Entertainment resulting in lawsuits” (Source: WIKI)
“Target shares tumble as retailer reveals cost of data breach” (Source: www.forbes.com)
“Bank IT ‘glitch’ leaves bank facing £1bn bill” (Source: www.telegraph.co.uk)
“Enterprises hacked after neglecting third-party risks” (Source: www.csoonline.com)
“Bank chief blames lack of investment for IT systems failure” (Source: www.ft.com)
Each of these incidents has an impact on the level of trust perceived by customers and other key stakeholders.
17. PwC
Opportunity and Danger
Digital technology is changing customer behaviour and business models at an exponential rate and creating extraordinary and unforeseen opportunities for growth and development.
Trust + Opportunity = Business Growth
• Looking at digital security through the lens of trust means you are considering the wider business context in which you operate.
• In the digital space, your customers rely on you to protect their information and privacy. If your systems fail you, they will feel that you have failed them.
18. PwC
Digital Trust, business enablers
• Build Trust
  • Focus on people and process, not just technology.
  • Education and awareness: raise digital knowledge and awareness across internal staff.
  • Focus on departmental relationships and trust.
  • Relational business partnership.
  • Be proactive and present a cooperative and collaborative face of digital security.
  • Be directors of change and thought leaders in the space.
  • Present innovation; be solution-focused.
  • Change how you present Cyber or security; it is all in the wording…
  • Does your organisation have an aversion to “Cyber” or “Security”? Use “Digital” or “Trust” instead.
• Opportunities
  • Mobile, cloud, analytics: technology to enhance.
  • Be approachable: the business will seek advice and solutions, and they will come to you.
  • The relationship will yield opportunities.
Trust + Opportunity = Business Growth
19. PwC
Building trust in the digital age
Managing risk and building trust underpins the digital agenda as digital platforms become increasingly central to the delivery of business strategy.
To build trust you will need confidence in each of these five areas:
• Confidence in your security
• Confidence in your data
• Confidence in your systems
• Confidence to take risks
• Confidence in your digital transformation programme
Related service areas: Supplier Security; Ongoing Security; Identity Management; Privacy and Data; Cloud Assurance; Oracle ERP Controls; SAP ERP Controls; Continuity and Resilience; IT Risk Diagnostic; Project Assurance
20. PwC
Key focus areas we too easily forget
1. People, Process & Technology
• The majority of organisations have a multitude of technologies.
• Data indicates that technology is not usually the key issue; it is the lack of people and business processes that support the technologies:
  • People: roles and responsibilities.
  • Education and awareness (training).
  • Processes: lack of policies, standards etc.
  • Governance offering the business assurance.
21. PwC
Key focus areas we too easily forget
2. Availability, Integrity & Confidentiality
• We too easily forget what end-to-end digital security management is for:
  • Availability
  • Integrity
  • Confidentiality
• We need to help the business, through education and awareness, understand why Digital security supports all 3 areas of the business. Security is not just about technology.
• We have for too long segregated the business from IS.
• IS needs to become the conduit or integration layer between the business and the new Digital Enterprise (Trust).
• Trust + Opportunity = Growth
23. PwC
Improvements in key strategic safeguards
Companies are getting serious about business-focused cybersecurity strategies.
The oil and gas industry has traditionally lagged behind other sectors in cybersecurity practices.
• 81% of organizations have implemented an overall information security strategy, the basic foundation for cybersecurity.
• Last year, the US National Institute of Standards and Technology (NIST) compiled a range of these global standards into a single model for risk-based cybersecurity.
• Among US oil and gas participants, 25% say they have adopted the voluntary NIST Cybersecurity Framework; an additional 13% say adoption is a future priority.
• Hiring a Chief Information Security Officer (CISO) to lead the information security program is a tactic that 77% of oil and gas businesses have embraced.
• Over the past two years, the number of respondents who employ a CISO has spiked 57%.
• The majority of oil and gas respondents follow this best practice: their CISOs are most likely to report to the COO, legal counsel, the Board, or the CEO.
24. PwC
Linking information security/digital trust and risk
• As security incidents continue to proliferate, it has become clear that cyber risks can never be completely eliminated.
• Protective measures remain important, of course, but they cannot reliably be guaranteed to stop determined and highly skilled adversaries.
• Businesses may need to reposition their security strategy by more closely linking technologies, processes, and people skills with overall risk management activities.
• While a well-designed cybersecurity program will not deter all risks, it can enable businesses to:
- better manage threats through an informed decision-making process,
- boost efficiencies in security safeguards, and
- create a more resilient security program.
25. PwC
Are you and your partners digitally trusted?
How do you become a 'digitally trusted' company?
• Trust is hard won and easily eroded. Ultimately it's about having confidence that you have the right systems, processes and controls in place.
• Boards and their risk committees have an important role to play by asking the right questions of management. Too often boards ask 'how strong are our security controls?', when they should be asking 'do our customers and other key stakeholders trust us, and how do we maintain this trust?'
• Digital trust is as much about opportunity as it is about risk. And it's the companies that are 'trusted' to whom customers will increasingly turn in the digital economy. How does your organisation stack up?
• Overleaf are some critical questions to determine how digitally trusted your company is:
26. PwC
Assess your digital trust profile:
Key Digital questions that you should be asking
Risk management: Have we identified our risk appetite, and the key risks and threats to our business presented by cyber? Are our controls 'right-sized'?
Strategic alignment: Is our cyber security program aligned with our business strategy?
Information assets: Do we know where our data is physically held? Do we know where the 'crown jewels' are (ie our most commercially sensitive and critical data)? What are our key systems and business processes?
Network & system architecture: Have we (and our service providers) segregated our systems and networks to minimise the impact of any potential cyber security breaches, especially to protect the ‘crown jewels’?
Third party management: With the increased reliance on third parties to deliver services, including Cloud providers, what monitoring controls are in place and what ongoing assurance do we have to be sure those parties are handling our data appropriately?
27. PwC
Assess your digital trust profile:
Key Digital questions that you should be asking
Online and digital integration: With increasing connectivity (eg cloud, mobile, social networking), how are we managing the ways members or third parties access our systems and our data?
Identity and access management: How are we ensuring that the right people have access to our core systems and data, especially privileged access? How do we know that people (employees, suppliers or members) really are who they say they are?
Privacy & data protection: How are we meeting member expectations from a privacy and data protection perspective, particularly if we are keeping and analysing member data (ie 'big data')?
Regulation: How are we sure that we are meeting our regulatory requirements in relation to Cyber security?
Incident response: It's highly likely that we will be subject to a cyber security breach. What's our incident response plan? How will we rebuild trust? Do we know how to respond when we have been targeted?
28. PwC
Our point of View
What good looks like, going beyond best practice
Successful security models have the following characteristics:
• You continually monitor your risk profile. You understand what matters to the success of your business. You realise this changes as you move forward with your business.
• You understand, in real time, the new threats within the digital landscape. You are fully aware of the risks you’re exposing the organisation to as you execute your strategic plan.
• You understand how digital is changing the fabric of your business, introducing new threats and changing your risk profile.
• Your eyes are fully open to digital threats.
• You recognise boundaries have shifted: your business architecture has changed, and so have the risks within your digital supply chain. You are aware that threats can come from within your organisation as well as from outside it.
29. PwC
Our point of View
When is it time to act?
There are logical triggers in your business that prompt action. Here are some examples:
• Changes to regulation or legislation that will affect your business.
• Change in the form of new suppliers, new technology, acquisitions, new markets or a change in leadership.
• Trends or developments in your market that are likely to affect your business and where it’s better to respond proactively.
30. PwC
Our point of View
How do you benefit?
A well managed digital security program will gain the trust of your customers and clients, and give you the confidence to realise the full potential of the digital environment for your business.
Below are the six confidences that will help you apply digital security to the heart of your business:
- Confidence in your people and processes
- Confidence in your technology
- Confidence in your connections
- Confidence to take risks
- Confidence during a crisis
- Confidence in your priorities
31. PwC
Our point of View
How we can help
We provide market-leading end-to-end solutions across people, process and technology to help you build trust, capitalise on the opportunities and navigate the risks in the digital age, building growth.
We bring:
• Access to the largest network of global expertise and insights from helping leading organisations.
• A multidisciplinary offering to address the multifaceted and complex nature of digital risk and security.
• Innovation in our thinking and our tools to help you manage risk in the rapidly changing digital landscape.
33. www.pwc.com.au
If there is one question I leave with you today:
‘Why is the digital world more dangerous than the old world?’
Question time
34. PwC
Contact details
For further questions, please email or just call me.
Mourad Khalil
Senior Manager, Digital Risk
M: +61 403 980 718
mouradswork@gmail.com