Security strategy in a world of digital transformation

Page 1: Security strategy in a world of digital transformation · 2 Ponemon Institute: Mega Trends in Cyber Security Expert Opinion Study, May 2013 3 Ponemon Institute: Total Cost of Compliance

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Security strategy in a world of digital transformation
2nd April 2015

Chris Cooper
Security Strategy & Transformation Practice Leader (UKI)

Page 2: Agenda

Security strategy in a world of digital transformation

1 Current challenges & trends
2 Implications of the New Style of IT
3 Security as a business enabler
4 HP Security / Q&A

Page 3: HP’s industry-leading scale

• Monthly security events: 23 billion
• HP Secured User Accounts: 47m
• HP Security Professionals: 5000+
• HP managed security customers: 1000+
• 10 out of 10 top telecoms
• 9 out of 10 major banks
• 9 out of 10 top software companies
• All major branches of the US Department of Defense

Page 4: How HP leverages its own products and solutions for security, big data, mobility & cloud

HP Internal Systems

• Millions of lines of code scanned by HP Fortify
• 240M hits per day on HP.com
• 41K+ servers
• Optimized partner program with real-time sentiment analysis
• 1,300+ enterprise HPN routers
• 16K+ HPN switches
• Manage 148K+ mobile devices
• Analyze data from 100s of millions of active devices
• 4PB data replicated per day
• Prevented millions of denial of service attacks with HP TippingPoint
• 2.5B security events logged per day with HP ArcSight
• 73PB of storage deployed on 3Par, XP and EVA
• 435,000 mailboxes managed

Page 5: Agenda

Security strategy in a world of digital transformation

1 Current challenges & trends
2 Implications of the New Style of IT
3 Security as a business enabler
4 HP Security / Q&A

Page 6: The pressure on IT is high

Enterprise imperatives:
• Speed innovation
• Accelerate services
• Improve flexibility
• Do more with less
• Manage risk

Mega trends:
• Cloud
• Security
• Big Data
• Mobility

Together these create increasing demand for a New Style of IT.

Page 7: Online Retail Sales

‘The age of the consumer’

• By 2017, Forrester predicts that 60% of retail sales will be conducted on mobile devices or online.
• Gartner has forecast that by 2016, $22Bn will be transacted by Near Field Communications (NFC) annually.

Source: Forrester Research Online Retail Forecast 2011-2017

Page 8: Industry research shows the scale of the threats

• Cybercrime is on the rise, moving from 12th to 3rd place in risk factors faced by businesses [1]
• The size of the black market: $104B [2]
• Average fine is 270% of annual compliance spend [3]
• 50% of employees use a personally-owned device to access the organization's business-critical apps [4]
• Still, 65% of IT security positions remain open for 9 weeks or longer [5]

1 Lloyd’s 2013 Risk Index
2 Ponemon Institute: Mega Trends in Cyber Security Expert Opinion Study, May 2013
3 Ponemon Institute: Total Cost of Compliance Study, May 2012 (organizations with more than 5,000 employees)
4 Ponemon Institute: Dangerous Insider Study, November 2012
5 McLean’s Magazine, August 19, 2013

Page 9: Security risks and implications

• Cyber threat: 56% of organizations have been the target of a cyber attack
• Extended supply chain: 44% of all data breaches involved third-party mistakes
• Financial loss: $8.6M average cost associated with a data breach
• Cost of protection: 8% of total IT budget spent on security
• Reputation damage: 30% market capitalisation reduction due to recent events
• Reactive vs. proactive: 60% of enterprises spend more time and money on reactive measures vs. proactive risk management

Source: HP internal data, Forrester Research, Ponemon Institute, Coleman Parkes Research

Key Points
• Security leadership is under immense pressure
• Need for greater visibility of business risks and to make sound security investment choices

Page 10: Average time to detect a breach: 243 days

Page 11: Why enterprises can’t keep up: information risk

• Legacy technologies
• Talent shortage
• New style of IT
• Lack of visibility

“Information risk is making our organisation less agile”
Agree: 43%
Disagree (or don’t know): 57%

43% lack an end-to-end security strategy aligned with business objectives and the new style of IT

Source: Economist Intelligence Unit, August 2013

Page 12: The security conundrum

Primary challenges:
1 Nature and motivation of attacks (hacktivist, nation state)
2 Regulatory pressures (increasing risk, cost and complexity)
3 Transformation of enterprise IT (delivery and consumption changes)

A new type of adversary: Research → Infiltration → Discovery → Capture → Exfiltration

Enhanced regulatory environment: NERC • Sarbanes-Oxley • Basel III • PCI Security Standards Council

Delivery: Traditional DC • Mobility • Big data • Cloud

Page 13: Agenda

Security strategy in a world of digital transformation

1 Current challenges & trends
2 Implications of the New Style of IT
3 Security as a business enabler
4 HP Security / Q&A

Page 14: Disrupting IT shift

Mainframe → Client/server → Internet → Mobile, social, big data, cloud

And every 60 seconds:
• 98,000+ tweets
• 698,445 Google searches
• 168 million+ emails sent
• 217 new mobile web users

• 2/3 of IT decision makers are spending less on traditional services as a result of moving to the cloud
• Average cost of a security breach: $8.6M USD
• Volume of data by 2020: 35 Zettabytes

Page 15: The result: a New Style of IT has emerged

Converged cloud • Information optimization • Security • Mobile Apps • Integration

Systems of record (legacy systems):
• IT driven
• Host processes
• Deeply entrenched
• Need modernization, but will remain in the new model

Systems of engagement (social and mobile):
• Driven by organizational objectives
• Touch people
• Analytics and cloud technologies

From a system of record to a system of engagement and constant interaction.

How can security enable the business? This is THE question.

Page 16: Why is the New Style of IT such a big disruption? Economics of Information

[Chart: Richness / Customization plotted against Reach, with points labelled Face-to-Face and TV]

Inspired by the 1997 HBR article “Strategy and the New Economics of Information” by Philip B. Evans & Thomas S. Wurster.

Since the invention of the printing press, back in the 15th century, the way we interact has followed this near-universal trade-off:

• To reach a large audience, interaction had to be less customized and generic, e.g. an advertisement on national television.
• In order to maximize content richness, interaction had to reach a smaller audience, e.g. a face-to-face meeting where we are able to adapt the interaction to the participants’ reactions, nonverbal communication, etc.

What changed with the New Style of IT?

Page 17: Implications of the New Style of IT

[Chart: Richness / Customization plotted against Reach, with points labelled Face-to-Face, TV and New Style of IT]

Disruption in the Richness/Reach trade-off: mass-scale interaction with high customization.

From a system of record to a system of engagement and constant interaction.

More interaction = more network effect = more value (Metcalfe’s Law, v = n²), e.g. WhatsApp, recently acquired by Facebook for $19B, only possible thanks to 450M users / 1M new users per day.

Metcalfe’s Law: the value of a network with n devices is proportional to n².

Examples of new ways of interaction:
• People interaction – Social Media
• Data interaction – Analytics
• Systems interaction – Internet of Things

• This is just the beginning, e.g. 3D printing
• Creative Destruction / New Paradigm

Page 18: There is always a dark side: Cyber Threats in the New Style of IT

[Chart: Richness / Customization plotted against Reach, with points labelled Phone Call, Social Eng., Phishing and Spear Phishing]

What does it really mean?

Disruption in the Richness/Reach trade-off also enabled new large-scale, highly targeted attacks:
• Hacktivism and highly interconnected hacker communities
• Spear Phishing
• Large-scale Command and Control
• Botnets
• APTs

The marginal cost to replicate a cyber attack is zero.

Page 19: The adversary attack ecosystem

Their ecosystem: Research → Discovery
Our enterprise: Infiltration → Capture → Exfiltration

Page 20: Agenda

Security strategy in a world of digital transformation

1 Current challenges & trends
2 Implications of the New Style of IT
3 Security as a business enabler
4 HP Security / Q&A

Page 21: 3 Types of CISOs

• Business Risk Leader: information and board-level risk management, aligned to business operations and enterprise compliance.
• Information Security Leader: information security risk and IT operations, security compliance and standards.
• Security Manager: information security controls and operational delivery of security.

Split shown on the slide: 20%, 45%, 35%

Page 22: Business Risk Leader

New CISO roles:
• Balance security risk with business opportunity
• Identify more interaction sources and opportunities
• Provide secure ways to explore new business opportunities that are aligned with the organization’s risk appetite

[Chart: Opportunity plotted against Security Risk]

Identifies new business interaction opportunities with the lowest security risk.

How can security be more than just reducing risk or “brakes on a car”?

Page 23: Customer Experience: Present call centre experience

Customer: The loyalty points from the purchase I made last Wednesday haven’t been credited yet.
Agent: We might be able to help. What is your name?
Customer: Bob Smith
Agent: Can you answer the following security questions? What’s the invoice number?

Page 24: Customer Experience: Increasing customer interaction and loyalty

Identity Federation allows a better customer experience. Examples of how Identity Federation with social media allows better customer interaction, thus enabling the business.

Retail:
Tweet: The loyalty points from the purchase I did last Wednesday weren’t credited yet
Tweet: Apologies for the inconvenience. Just credited the respective 325 points.
Tweet: Thank you!

Travel and Transportation:
Tweet: I just missed my flight
Tweet: We might be able to help Mr. Smith. Just rebooked your flight. Please proceed to gate 9. Your flight departs in 40 minutes.
Tweet: Perfect!

Page 25: ISO 27001

Traditional Standards

ISO 27001:2013 is key, but its roots are 19 years old: BS7799:1995.

ISO 27001:2013 Controls
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
[…]
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance

Page 26: Traditional Approach

• Ultimate State: Impregnable
• Messaging: Fear, Doubt, Uncertainty
• Business Proximity: None
• Accountability & Leadership: IT / Risk department
• Focus: Perimeter & Information
• Approach: Complicate, obstruct, say no
• SOC Focus: Regional. Isolated. Servers, network & security devices

Page 27: ISO 27001 & NIST Cybersecurity Framework: similar, but with different mind-sets

Protect what matters & assume a state of compromise.

ISO 27001:2013 is key, but its roots are 19 years old: BS7799:1995.

ISO 27001:2013 Controls
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
[…]
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance

NIST Cyber Security Framework Functions
Identify • Protect • Detect • Respond • Recover

First Category: Asset Management (protect what matters)

Page 28: New Approach

Traditional vs. New Style of IT

• Ultimate State
  Traditional: Impregnable
  New Style of IT: Assume a state of compromise. Stop exfiltration and business disruption. Detect early. Quick and effective response

• Messaging
  Traditional: Fear, Doubt, Uncertainty
  New Style of IT: Confidence, assurance, visibility, prepared to respond

• Business Proximity
  Traditional: None
  New Style of IT: Enabler. Provider of business outcomes

• Accountability & Leadership
  Traditional: IT / Risk department
  New Style of IT: Board, CEO, business

• Focus
  Traditional: Perimeter & Information
  New Style of IT: Protect what matters, using a risk-based approach, as we can’t protect everything. Includes value chain, partners, industry, etc.

• Approach
  Traditional: Complicate, obstruct, say no
  New Style of IT: Lean, agile. Maximize interaction opportunities at lowest risk

• SOC Focus
  Traditional: Regional. Isolated. Servers, network & security devices
  New Style of IT: Full cyber situational awareness. Global, sharing threat intelligence. All devices including SCADA & physical security

Page 29: Agenda

Security as a true business enabler

1 Current challenges & trends
2 Implications of the New Style of IT
3 New Approach
4 HP Security / Q&A

Page 30: HP Graduate & Internships

• Hiring!
• Multiple streams & areas: 17 graduate streams, 27 intern streams
• Currently about 400 grads, 150 interns in UK&I
• Big focus on Cyber Security (20 to 30 new positions to open in the next 2 to 4 weeks)
• Proud supporters of Women in IT
• www8.hp.com/uk/en/campaign/graduate/graduate-programmes.html

Page 31: Any Questions?

Chris Cooper
Security Strategy & Transformation Practice Leader (UKI)
[email protected]
@infosecuk

Page 32: Make it matter.