2. Page 2
Introduction
1970s - Mainframes
• Ready for natural hazards
• Physical response measures in place
• Call for external assistance
1980s – Client / Server
• Reliance on new technologies
• Basic disaster recovery in response to system failures
• Virus protection
• Identity and access management
1990s - Internet
• Enterprise-wide risk management introduced
• Regulatory compliance commonplace
• Business continuity in focus
2000 – E-commerce
• Advances in information and cyber security
• Switch to online
• Third party outsourcing
• Connectivity of devices
Recent Times - Digital
• Global shocks (terrorist, climate, political)
• Business resilience
• Internet of Things
• Critical infrastructure
• State sponsored cyber espionage and cyber attacks
Times are changing and so are the risks and threats
3. Page 3
Understanding the challenges
[Diagram: Sense, Resist, React cycle. Labels: Threats; Risk appetite; Three lines of defense; Critical assets: Intellectual property (IP), Revenue, Reputation; Recover, Adapt & reshape]
Technology is increasing organizations’ vulnerability to attack:
• Increased online presence, broader use of social media, mass adoption of BYOD (Bring Your Own Device), increased usage of cloud services
• Collection/analysis of big data
• Inherent connectivity of people, devices and organizations has enhanced vulnerability
Ref: Global Information Security Survey 2016
Sense: It is the ability of organizations to predict and detect cyber threats.
Resist: It starts with how much risk an organization is prepared to take across its ecosystem.
React: If the sense fails and there is a breakdown in the resist, organizations need to be ready to deal with the disruptions and manage the crisis.
4. Page 4
Survey Assessment – Leaderships' Role
Cybersecurity is a board-level agenda. The success of any cybersecurity program depends on support from executive leadership and its alignment with business objectives.
Management is also realizing the risks to the business; however, this is just the start, and a lot of work needs to be completed before management can gain enough confidence in its cybersecurity function.
• Business alignment missing: Over 70% of organizations do not have their cybersecurity strategy aligned with business objectives.
• Low confidence: 58% of our respondents lack confidence in their organization’s cybersecurity program.
• Short sightedness: Over 33% of our respondents do not have a cyber security strategy which considers the next 1-3 years.
5. Page 5
Budget – Is it enough?
• 75% of respondents have a dedicated budget allocated for cybersecurity. Moreover, 20% of respondents have a budget of over USD 2mn.
• 49% of the organizations with a budget of $0.5m - $2m expect their budget to increase by 10-20% in the next 12 months.
• 36% of organizations having no budget allocation for cybersecurity have experienced cyberattacks in the last 12 months.
6. Page 6
Identifying Crown- Jewels
Over 39% ranked employee, customer or supplier personally identifiable information (PII) as the number 1 information in the organization most valuable to cyber criminals.
Only 18% ranked senior executive / board member personal information as the number 1 information in the organization valuable to cyber criminals.
[Chart: ranking of information most valuable to cyber criminals, priorities P 1 to P 5, for: Senior executive / Board member personal information; Company financial information; Corporate strategic plans; Login credentials; Employees or customers or suppliers or vendors personally identifiable…]
Contd.
7. Page 7
Identifying Crown- Jewels
Over 30% ranked Phishing / Spam as the number 1 or number 2 source of cyber attack, followed by Malware attacks, which is further followed by external cyber attacks and internal employees.
[Chart: ranking of sources of cyber attack, priorities P 1 to P 6, for: Espionage (e.g., by competitors); Zero-day attacks; Internal attacks (e.g., by disgruntled employees); Cyber-attacks (e.g., to disrupt or deface the organization, to steal financial information, to…); Malware (e.g., viruses, worms and Trojan horses); Phishing/ spam]
8. Page 8
Incident Response Framework
• Over 70% of our respondents have a defined cyber security incident management program.
• 84% of organizations with a cyber security incident management program have a dedicated Incident response team set up within their organization.
• 61% of organizations have an Incident response team (IRT) in place without a cyber security incident management program.
Organizations are taking steps to improve their incident management posture; they have initiated cyber security incident programs and are trying to include business teams to assist in the cyber security incident management program.
9. Page 9
Where should organizations focus to better resist today’s attacks?
The points noted are further strengthened by the fact that 36% of organizations believe that higher professional staffing and training would help improve incident response; this is followed by development of an improved patch management process.
37% of the organizations that have a dedicated IRT believe that the staff is not adequate and requires additional skills and training.
Incident response team must deliver (chart values as extracted):
• Better incident response capabilities: 14%
• Threat intelligence: 8%
• Improved vulnerability audits and assessments: 18%
• Improved patch management process: 24%
• Higher professional staffing and training: 36%
87% of organizations have a defined process for communication.
10. Page 10
Collaboration is vital
Potential collaboration within the ecosystem (chart values as extracted):
• CERT - Computer Emergency Response Team: 75
• Law enforcement and government entities: 47
• Industry peers: 50
• We neither receive nor share any information: 14
87% of organizations receive or share information with CERT, law enforcement agencies and industry peers.
11. Page 11
Effective measurement is critical
47% of the respondents who don’t have defined indicators have suffered a cyber attack in the last 12 months.
70% of respondents have defined performance indicators to measure the effectiveness of the program.
The indicators shall be evaluated to find out the effectiveness of the current cybersecurity framework.
[Chart: frequency of indicator evaluation. Categories: No defined frequency/ ad hoc basis; On a monthly basis; On a quarterly basis; On an annual basis; On an ongoing basis. Values shown: 16%, 20%, 21%, 12%, 31%]
12. Page 12
The board must become more involved in cybersecurity and understand cyber risk
The board must understand:
► The suitability of the governance structure
► The appropriateness of the cyber risk management program
► The appropriateness of the cyber risk disclosures required by regulators
► How insider threats should be managed
13. Page 13
Just protecting your organisation isn’t enough anymore
Guiding Principles
► Focus on impact
► Enhance cyber skills and capabilities
► Benchmark results
Strategic Goals
► Protect Crown Jewels
► Determine risk appetite
► Set up Operating Model and Culture
Based on Cybersecurity framework: Identify, Protect, Detect, Respond, Recover, Govern
14. “It is going to be a continual and likely never-ending battle to stay ahead of [cybercrime] - and, unfortunately, not every battle will be won.”
Jamie Dimon, after JP Morgan Chase’s breach
17. Page 17
Survey methodology
106 respondents
19 industry sectors
[Chart: Respondents by industry sector. Sectors: Automotive; Banking; Building Materials; Business Services; Consulting and advisory…; Telecommunications; Engineering; Finance; Healthcare; Insurance; IT Consulting and Services; Manufacturing; Retailing; Media; Energy and Infrastructure; Law and Legal Outsourcing; Processed Products; Electric Utility; Logistics and supply chain. Values shown: 2.9%, 18.6%, 2.0%, 1.0%, 3.9%, 6.9%, 2.9%, 7.8%, 2.9%, 9.8%, 22.5%, 3.9%, 2.9%, 2.0%, 3.9%, 2.0%, 2.0%, 1.0%, 1.0%]
18. Page 18
Survey methodology
[Chart: Respondents by number of employees. Categories: 1000 to 10000; Less than 1000; More than 10000. Values shown: 40%, 16%, 44%]
[Chart: Respondents by total annual company revenue. Categories: 1 Million USD; 100 Million USD; more than 100 Million USD. Values shown: 8%, 35%, 57%]