Post on 22-Dec-2021
Cyber Strategy and Transformation Program
Australian Hospital Company Ltd, 2021 - 2024

Chart: Average total cost and frequency of data breaches by initial attack vector (figure not reproduced)

Cyber Resilience Strategy
Cyber Resilience Strategy Roadmap – 2021 to 2024: From Basic Security to Organizational Cyber Resilience
Capabilities delivered by phase:

Phase 1: Basic Security Capability
• Incident Response Retainer
• Cyber Insurance
• Email Anti-Phishing
• Digital Transformation Assessment
• Identify & Protect Crown Jewels
• Cyber Awareness & Education
• Cloud Security Posture Management
• Identity Access Management
• Authentication: MFA & SSO
• Cyber Risk Assessment
• Vulnerability Management

Phase 2: Foundational Security Capability
• Establish Cyber Security Policy
• Architecture & Segmentation
• EDR & Unknown Threats
• SOAR implementation
• 24/7 SOC Team
• Business Partner Risk Assessment
• Asset Management System
• Audit & Risk Register
• Cyber Crisis Simulation
• Data Classification
• Cyber Security Steering Committee

Phase 3: Organizational Security Capability
• Zero Trust
• Security Consolidation
• Primary Mode of Defence: Prevention
• IoT Security Implemented
• ‘End of Support’ & Legacy Systems
• Anti-DDoS Service
• Data Loss Prevention

Risk reduction targets (Phase 1 to Phase 3):
• All Crown Jewels with High Risks and Extreme Impact mitigated
• All Very High risks mitigated
• All High Risks mitigated

Capability maturity target: CIS: Basic → CIS: Foundational → CIS: Organizational (70%) → CIS: Organizational (95%)
Cyber Transformation Steering Committee

Name | Steering Committee Responsibility | Decision Maker or Influencer | Position within AHC | Business Unit | Domain expertise
--- | --- | --- | --- | --- | ---
Ash R | Project Manager / Decision Maker | Decision Maker | Project Manager | I.T | Project Management
Phil Zongo | Strategy owner / Chairperson / Decision Maker | Decision Maker | CISO | AHC executive | Cyber Security Strategy
Jan Schreuder | Decision Maker | Decision Maker | Head of Finance | AHC executive | Budget accountability
Natasha Passley | Change Manager | Decision Maker | External party | External | Operationalization and change management expertise
Darren Argyle | Program Sponsor / Decision Maker | Decision Maker | CIO | AHC executive | Information Technology
John Smith | Risk Advisor | Influencer | Risk Advisor | Legal/Finance | Risk advisory
Person A | Responsible for specific security capability, remediation focused | Decision Maker | Different person based on the security capability being delivered | I.T | Ensuring the specific capability will deliver the security capability and integration
Person B | Legal Advisor | Influencer | Different person based on the security capability being delivered | Legal | Contract negotiation, legal obligations & privacy concerns
Person C | HR Advisor | Influencer | Head of H.R | HR | Human Resources, cultural advisor
Person D | Design and Cyber Policy champion | Influencer | Head of Security Architect | I.T | Authentication and access management
Person E | Operations and SOC champion | Influencer | Head of Security Operations & SOC | I.T | Ops, SOC expert
Person F | Business Unit specific insights | Influencer | Head of XXX Business Unit | Multiple | Impact on specific Business Unit/s
Deliverables and Key KPIs (Phase 1 releases: R1 Dec ‘21, R2 Mar ’22, R3 Jun ’22, R4 Dec ’22; Phase 2 Dec 2023; Phase 3 Dec 2024)

Deliverable | Key KPI | Accountable | Milestones, in release order
--- | --- | --- | ---
Identify & Protect Crown Jewels | All crown jewels identified and foundational security applied | CISO | >30% completed → >60% completed → >80% completed → 100% completed
Identify & Protect Crown Jewels | All crown jewels protected with new security capabilities | CISO | >20% completed → >50% completed → >70% completed → >90% completed → 100% completed
Cyber Awareness & Education | Training attendance and completion | Head of L&D | 25% → 50% → 75% → 100% of all employees
Cyber Awareness & Education | Social Engineering and Phishing tests | Steve Smith | Pass rate >75% → >80% → >90% → >95%
Digital Transformation Assessment | New security capabilities are integrated into existing projects | James Dean | >30% of public facing systems → 80% of public facing systems, >30% of internal systems → All public facing systems, >50% of internal systems → All systems
Cloud Security Posture Management | All configurations in line with Cloud Provider best practice | Head of Cloud Infrastructure | 30% → 70% → 100% of environment in line with best practice → 100% automation of controls to address misconfiguration
Cloud Security Posture Management | Security integration into CI/CD pipeline | Head of Cloud Infrastructure | Scan all cloud applications during build time → Scan all cloud applications during build time & run time → Configure capability from Detect to Prevent → Automate SAST and DAST controls

Quarterly Governance Reporting
Deliverables and Key KPIs, continued (Phase 1 releases: R1 Dec ‘21, R2 Mar ’22, R3 Jun ’22, R4 Dec ’22; Phase 2 Dec 2023; Phase 3 Dec 2024)

Deliverable | Key KPI | Accountable | Milestones, in release order
--- | --- | --- | ---
Identity Access Management | Percentage of users with privileged access who are monitored | CIO | >50% → >60% → >90% → 100% of users with elevated level of access monitored
Identity Access Management | PAM integrated with all security solutions and crown jewels security | CIO | >30% → >60% → >80% → 100% integration with security tools and crown jewels
Authentication: MFA & SSO | Roll out of MFA App | Security Ops | >50% → >70% → >90% of crown jewels integrated → All crown jewel access using MFA or SSO
Authentication: MFA & SSO | Number of apps and systems using SSO | Security Ops | >35% → >50% → >75% → 100% of crown jewels & web apps
Cyber Risk Assessment | Mean Time to Contain (MTTC) | Head of SOC | <30 days → <25 days → <20 days → <12 days
Cyber Risk Assessment | Mean Time to Recovery (MTTR) | Head of SOC | <25 days → <20 days → <15 days → <10 days → <7 days → <3 days
Vulnerability Management | Infrastructure scanned | Head of Platform | >50% scanned → >70% scanned → >95% scanned → All infrastructure scanned
Vulnerability Management | Critical and high risk vulnerabilities remediated within target | Head of Platform | <14 days → <10 days → <7 days → <5 days → <3 days → <2 days
Vulnerability Management | Automate vulnerability | Head of Platform | 75% Critical → 100% Critical → 100% Critical, 75% All environment → 100% All

Quarterly Governance Reporting
Program Delivery Structure – Identify & Protect Crown Jewels
Key objective: Deliver demonstrable value in every release cycle

Columns: Phase 1 (R1, R2, R3, R4), Phase 2, Phase 3, Target
Capability maturity target: 0 → 1.0 → 1.5 → 2.5 → 3.0 → 4.0 → 4.0

Key metrics / KPIs:
• Dataflow mapping
• Data owners identified
• All Crown Jewels have non-negotiable security controls
Milestone values by release, in order: Critical 100% / Critical 100%; All 100% / All 100%; 100% / Priority 1; Critical 100% / Priority 1,2,3; Critical & High 100% / All 100% / All 100%; 100% / 100% / 100%

Capability components to be implemented:

Operating model
• SOPs documented
• Reporting automated
Milestone values by release, in order: 30% / 50% / 30%; 75% / 50%; 100% / 75% / 100%; 100% / 100%

People & Resourcing
• Operational FTE: 2 / 2 / 2 / 2 / 2 / 2 / 2

Processes implemented

Component | R1 | R2 | R3 | R4 | Phase 2 | Phase 3 | Target
--- | --- | --- | --- | --- | --- | --- | ---
Security Policy Lifecycle Review | POC | MVP | Automated | Tuning | Tuning | Tuning | 100%
Principle of least privilege | Review | Audit | Implement | Automated | Tuning | Tuning | 100%
3rd Party access | – | Policy | Implement | Tuning | Tuning | Tuning | 100%

Technology implemented

Component | R1 | R2 | R3 | R4 | Phase 2 | Phase 3 | Target
--- | --- | --- | --- | --- | --- | --- | ---
Next Gen Firewall (network security) | POC | Licensed and Configured | Tuning | Tuning | Tuning | Tuning | Y
Document Security | POC | Deploy | Tuning | Tuning | Tuning | Tuning | Y
Discovery Engines (MIoT) | – | POC | Deploy | Tuning | Tuning | Tuning | Y
Program Delivery Structure – Cyber Awareness & Education
Key objective: Deliver demonstrable value in every release cycle

Columns: Phase 1 (R1, R2, R3, R4), Phase 2, Phase 3, Target
Capability maturity target: 0 → 1.0 → 1.5 → 2.5 → 3.0 → 4.0 → 4.0

Key metrics / KPIs

KPI | R1 | R2 | R3 | R4 | Phase 2 | Phase 3 | Target
--- | --- | --- | --- | --- | --- | --- | ---
Training attendance and completion | 90% completion | 95% completion | 95% completion | 95% completion | 95% completion | 95% completion | 95%
Malicious Document opened (pass rate) | 80% | 85% | 90% | 95% | Above 95% | 98% | 98%
Sensitive Information exposure (pass rate) | 80% | 85% | 90% | 95% | Above 95% | 98% | 98%

Capability components to be implemented:

Operating model
• Online training
• Gamification of training
Milestone values by release, in order: 50%; 50% / 75%; 75% / 100%; 100% / 100%

People & Resourcing
• Operational FTEs: 2 / 2 / 2 / 2 / 1 / 1 / 2

Processes implemented

Component | R1 | R2 | R3 | R4 | Phase 2 | Phase 3 | Target
--- | --- | --- | --- | --- | --- | --- | ---
Cyber training during onboarding | Review | MVP | Deployed | 100% | Tuning | Tuning | 100%
Yearly role-specific cyber training | MVP | Review | MVP | 100% | Tuning | Tuning | 100%
Biannual cyber awareness training | – | MVP | 100% | Tuning | Tuning | Tuning | 100%
Quarterly phishing tests | – | MVP | 50% | 100% | Tuning | Tuning | 100%

Technology implemented

Component | R1 | R2 | R3 | R4 | Phase 2 | Phase 3 | Target
--- | --- | --- | --- | --- | --- | --- | ---
On-demand Learning Platform via L&D | POC | Deploy | Tuning | Tuning | Tuning | Tuning | Y
Automated User Awareness: Next Gen FW URL Filtering | POC | License and Configuration | Tuning | Tuning | Tuning | Tuning | Y
Program Delivery Structure – Cloud Security Posture Management
Key objective: Deliver demonstrable value in every release cycle

Columns: Phase 1 (R1, R2, R3, R4), Phase 2, Phase 3, Target
Capability maturity target: 0 → 1.0 → 1.5 → 2.5 → 3.0 → 4.0 → 4.0

Key metrics / KPIs:
• Cloud native apps scanned
• Internal applications scanned
• Remediation within target
Milestone values by release, in order: Critical Apps 100% / Critical 100%; All Apps 100% / All 100%; 100% / 100%; Priority 1 / Critical 100%; Priority 1,2,3 / Critical & High 100%; All 100% / All 100%; 100% / 100% / 100% / 100%

Capability components to be implemented:

Operating model
• SOPs documented
• Reporting automated
• Holistic Virtual Group
Milestone values by release, in order: 50% / 50%; 75% / 75%; 100% / 100%; 100% / 100%; 100% / 100%; 100% / 100%

People & Resourcing
• Operational FTEs: 2 / 2 / 2 / 2 / 2 / 2

Processes implemented
• Onboarding training
• CI/CD integration
• Code scanning
Milestone values by release, in order: MVP / MVP / MVP; 100% / Manual / Manual; Tuning / Fully automated / Fully automated; Tuning / Tuning / Tuning; Tuning / Tuning / Tuning; 100% / 100% / 100%

Technology implemented

Component | R1 | R2 | R3 | R4 | Phase 2 | Phase 3 | Target
--- | --- | --- | --- | --- | --- | --- | ---
Cloud Visibility and Posture Management | POC | Deploy | Tuning | Tuning | Tuning | Tuning | Y
IAM Security | POC | Deploy | Tuning | Tuning | Tuning | Tuning | Y
SAST (Build Time) | – | POC | Deploy | Tuning | Tuning | Tuning | Y
DAST (Run Time) | – | POC | Deploy | Tuning | Tuning | Tuning | Y
Workload Protection | – | – | POC | Deploy | Tuning | Tuning | Y
Project Risks: Potential risks to the successful delivery of key security capabilities

Deliverable | Risk scenario | Likelihood | Impact rate | Impact to capability delivery | Risk mitigation | Potential additional cost | Budget allocated
--- | --- | --- | --- | --- | --- | --- | ---
Privileged Access Management | Lack of internal resource; lack of skills internally | Low | High | Capability delivery delay | Leverage vendor Professional Services | $50,000 | Yes
Digital Transformation in line with security requirements | New attack vectors found | Low | Medium | Additional cost and resources required to address risk | Engage external partners to assist with remediation | Unknown | Yes, $75,000 set aside
Catastrophic event (pandemic lockdown) | Reprioritization of projects and resources | High | Medium | Various capability delivery delays | Focus on projects that can be delivered remotely (cloud) | Unknown | Yes, $100,000 set aside
24/7 SOC Team (Security Monitoring) | Skills shortage | High | Medium | Capability delivery delay | Outsource to MDR vendor | $600,000 | Yes
Multiple capabilities | Successful cyber attack during delivery phase | Medium | Medium | Capabilities delivery delay due to key personnel resource allocation changes | Agile project delivery to reprioritize delivery of capabilities where resources are available, and possible outsourcing | $500,000 | Partial ($200,000)
Multiple capabilities | Ops and UAT teams not used to agile project delivery | Medium | High | Capabilities delivery delayed | Change Manager working with Ops, SOC and UAT teams to embrace the agile approach | N/A | N/A
Tracking Progress Against our Goals – Vulnerability Management
How do you know that you are on track?

Capability component (target state, end of Program) | Q1 target | Q1 actual | Comments | Q2 target (revised)
--- | --- | --- | --- | ---
Governance: governance structure / monthly reporting | Yes / Yes | Yes / Yes | Done / Done | –
Operating model: SOPs documented / reporting automated | 50% / – | 25% / – | Delay due to slow onboarding of resources | 60% / 25%
People & resourcing: 2 FTE / patching contract | 2 / Yes | 1 / No | In process of recruiting second team member | 2 / Yes
Processes implemented: vulnerability scanning / prioritisation / remediation | Yes / Yes / Yes | Y / Partial / Partial | Delay due to slow onboarding of operational resources | Yes / Yes / Yes
Technology implemented: scanning engine / DAST | Yes / Yes | Yes / No | Delay in contracting with DAST vendor | Yes / Yes

Financials (target state, end of Program) | Q1 target | Q1 actual | Comments | Q2 target (revised)
--- | --- | --- | --- | ---
Program capex $550k / ongoing opex $400k p.a. | $120k / $100k | $100k / $80k | Underspent due to slow onboarding | $120k / $100k

Key metrics / KPIs (target state, end of Program) | Q1 target | Q1 actual | Comments | Q2 target (revised)
--- | --- | --- | --- | ---
Infrastructure scanning: crown jewels 100% / all systems 100% | 100% / 50% | 87% / 20% | Scanning coverage delayed due to slow onboarding of resources | 100% / 60%
Web applications scanned: crown jewels 100% / all systems 100% | 50% / 0% | 0% / 0% | Delay in contracting with DAST vendor | 50% / 0%
Remediation within target: Critical 100% / High 100% / Moderate 80% | 100% / 50% / 0% | 100% / 60% / 0% | Remediation performance targets achieved (however a lower than expected number of vulnerabilities was identified, due to delays) | 100% / 75% / 50%
Using Cyber Resilience Indices to track and report progress
How will you really know?

CRI control | Short name | Sep. 2021 (start of Program) | Dec. 2022 (planned maturity Q4) | Dec. 2023 (target Q4 2023) | Dec. 2024 (target Q4 2024)
--- | --- | --- | --- | --- | ---
1 | Crown Jewels | 30% | 80% | 100% | 100%
2 | Cyber Governance | 20% | 50% | 60% | 80%
3 | Vendor Supply Chain Risk | 40% | 50% | 75% | 75%
4 | Secure & Privacy by Design | 70% | 90% | 90% | 90%
5 | Restrict User Access | 20% | 50% | 75% | 75%
6 | Data Protection | 10% | 10% | 50% | 50%
7 | Awareness and Education | 20% | 90% | 100% | 100%
8 | Logging and Monitoring | 60% | 75% | 90% | 100%
9 | Multifactor Authentication | 15% | 100% | 100% | 100%
10 | Online Digital Defense | 60% | 100% | 100% | 100%
11 | Business Cyber Resilience | 30% | 50% | 90% | 90%
12 | Vulnerability Management | 20% | 60% | 95% | 95%
13 | Cyber Threat Intelligence | 20% | 20% | 40% | 50%
14 | Secure Zones | 20% | 40% | 90% | 90%
15 | Advanced Malware Control | 50% | 60% | 100% | 100%

Two further columns on the slide carry no values yet: Dec. 2022 actual maturity achieved Q4, and Dec 2025 target maturity, subject to additional funding.