Beyond Cybersecurity - James M. Kaplan - E-Book

Beyond Cybersecurity E-Book

James M. Kaplan

Description

Move beyond cybersecurity to take protection of your digital business to the next level

Beyond Cybersecurity: Protecting Your Digital Business arms your company against devastating online security breaches by providing you with the information and guidance you need to avoid catastrophic data compromise. Based upon highly regarded risk assessment analysis, this critical text is founded upon proprietary research, client experience, and interviews with over 200 executives, regulators, and security experts, offering you a well-rounded, thoroughly researched resource that presents its findings in an organized, approachable style.

Members of the global economy have spent years and tens of billions of dollars fighting cyber threats—but attacks remain an immense concern in the world of online business. The threat of data compromise that can lead to the leak of important financial and personal details can make consumers suspicious of the digital economy, and cause a nosedive in their trust and confidence in online business models.

  • Understand the critical issue of cyber-attacks, and how they are both a social and a business issue that could slow the pace of innovation while wreaking financial havoc
  • Consider how step-change capability improvements can create more resilient organizations
  • Discuss how increased collaboration within the cybersecurity industry could improve alignment on a broad range of policy issues
  • Explore how the active engagement of top-level business and public leaders can achieve progress toward cyber-resiliency

Beyond Cybersecurity: Protecting Your Digital Business is an essential resource for business leaders who want to protect their organizations against cyber-attacks.

You can read the e-book in Legimi apps or in any app that supports the following format:

EPUB

Year of publication: 2015




BEYOND CYBERSECURITY

PROTECTING YOUR DIGITAL BUSINESS

James M. Kaplan

Tucker Bailey

Chris Rezek

Derek O’Halloran

Alan Marcus

Cover image: ©mistery/Shutterstock Cover design: Wiley

Copyright © 2015 by McKinsey & Company, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

ISBN 9781119026846 (Hardcover) ISBN 9781119026914 (ePDF) ISBN 9781119026907 (ePub)

Contents

Foreword

Preface

SETTING THE CONTEXT FOR DIGITAL RESILIENCE

BACKGROUND AND APPROACH

NOTES

Executive Summary

$3 TRILLION AT RISK

DIGITAL RESILIENCE PROTECTS THE BUSINESS AND ENABLES INNOVATION

BUSINESS LEADERS MUST DRIVE CHANGE

THE BROADER ECOSYSTEM MUST ENABLE DIGITAL RESILIENCE

1 Cyber-attacks Jeopardize Companies’ Pace of Innovation

RISK OF CYBER-ATTACKS REDUCES THE VALUE OF TECHNOLOGY FOR BUSINESS

THE RISKS ARE HIGH FOR EVERYONE, EVERYWHERE

DEFENDERS ARE FALLING BEHIND ATTACKERS

NOTES

2 It Could Get Better— or $3 Trillion Worse

SCENARIO PLANNING AND CYBERSECURITY

SCENARIO 1: MUDDLING INTO THE FUTURE

SCENARIO 2: DIGITAL BACKLASH

SCENARIO 3: DIGITAL RESILIENCE

NOTES

3 Prioritize Risks and Target Protections

UNTARGETED SECURITY MEASURES SERVE ONLY ATTACKERS

PRIORITIZE INFORMATION ASSETS AND RISKS IN A WAY THAT ENGAGES BUSINESS LEADERS

PROVIDE DIFFERENTIATED PROTECTION FOR THE MOST IMPORTANT ASSETS

USE FULL RANGE OF CONTROLS BUT ORGANIZE INTO TIERS

DELIVERING TARGETED PROTECTION OF PRIORITY ASSETS IN PRACTICE

NOTE

4 Do Business in a Digitally Resilient Way

BUILD DIGITAL RESILIENCE INTO ALL BUSINESS PROCESSES

ENLIST FRONTLINE PERSONNEL TO PROTECT THE ASSETS THEY USE

NOTES

5 Modernize IT to Secure IT

SIX WAYS TO EMBED CYBERSECURITY INTO THE IT ENVIRONMENT

ENGAGE WITH IT LEADERS TO IMPLEMENT REQUIRED CHANGES

NOTES

6 Engage Attackers with Active Defense

THE LIMITATIONS OF PASSIVE DEFENSE

KNOW THE ENEMY AND ACT ACCORDINGLY

NOTES

7 After the Breach: Improve Incident Response across Business Functions

DRAW UP AN INCIDENT RESPONSE PLAN

TEST THE PLAN USING WAR GAMES

CONDUCT POSTMORTEMS ON REAL BREACHES TO IMPROVE IR PLAN

NOTES

8 Build a Program that Drives toward Digital Resilience

WHAT IT TAKES TO GET TO DIGITAL RESILIENCE

SIX STEPS TO LAUNCH A DIGITAL RESILIENCE PROGRAM

NOTES

9 Creating a Resilient Digital Ecosystem

THE DIGITAL ECOSYSTEM

THE POWER OF A RESILIENT DIGITAL ECOSYSTEM

WHAT’S REQUIRED TO CREATE A RESILIENT DIGITAL ECOSYSTEM

COLLABORATION FOR A RESILIENT ECOSYSTEM

NOTES

Conclusion

NOTE

Acknowledgments

About the Authors

JAMES M. KAPLAN

TUCKER BAILEY

CHRIS REZEK

DEREK O’HALLORAN

ALAN MARCUS

Index

EULA

List of Tables

Preface

TABLE P.1

TABLE P.2

Chapter 3

TABLE 3.1

TABLE 3.2

Chapter 7

TABLE 7.1

Chapter 8

TABLE 8.1

TABLE 8.2

TABLE 8.3

TABLE 8.4

Chapter 9

TABLE 9.1

TABLE 9.2

List of Illustrations

Preface

FIGURE P.1

Companies Face a Wide Range of Cybersecurity Risks

Executive Summary

FIGURE E.1

Existing Cybersecurity Models Become Less Tenable as Threats Increase

Chapter 1

FIGURE 1.1

Cybersecurity’s Share of the Overall IT Budget Can Vary Widely—Even within One Sector

FIGURE 1.2

Cybersecurity Spend Is Less than $100 Billion of Total Business IT Spend of $2 Trillion

FIGURE 1.3

Half of Technology Executives Believe They Spend Enough on Cybersecurity

FIGURE 1.4

Companies Are Most Concerned about Security Implications of Mobile and Cloud Computing

FIGURE 1.5

External Connectivity Is Integral to Most Businesses—Auto Insurance Example

FIGURE 1.6

Cyber-attacks Pose a Greater Risk than Other Technology Risks

FIGURE 1.7

All Companies Are Worried about Customer Data Theft, but Their Next Priority Varies by Sector

FIGURE 1.8

Executives Believe Attackers Will Increase Their Lead

FIGURE 1.9

Cyber Risk Maturity Survey: Fact-Based Questions Lead to Maturity Rating

FIGURE 1.10

Cybersecurity Risk Management Maturity Is Low

FIGURE 1.11

Only One Practice Rates as “Mature” on Average across All Companies

FIGURE 1.12

Higher Maturity in Practices that Require Less Collaboration beyond Cybersecurity

FIGURE 1.13

Spending Big Doesn’t Lead to Risk Management Maturity

Chapter 2

FIGURE 2.1

The Change in Intensity of Threat and Quality of Response Leads to Different Scenarios

FIGURE 2.2

Nine Technologies Could Create $8 Trillion to $18 Trillion in Value by 2020

FIGURE 2.3

Muddling into the Future Scenario Puts $1 Trillion at Risk

FIGURE 2.4

Digital Backlash Scenario Puts More than $3 Trillion at Risk

FIGURE 2.5

Technology Executives Realize They Have Substantial Room for Improvement in Addressing Digital Resilience Levers

Chapter 3

FIGURE 3.1

Rank Types of Risk across the Value Chain to Help Engage Business Leaders

FIGURE 3.2

Plotting Risk Likelihood against Impact Helps Drive Decisions about Cybersecurity Investments

FIGURE 3.3

The Same Controls Can Be Retuned for Optimal Protection

Chapter 4

FIGURE 4.1

Hardwire the Mind-Set and Behavior Changes into the Organization

Chapter 5

FIGURE 5.1

Broad Set of Components in Technology Environment Contribute to Vulnerabilities

FIGURE 5.2

Private Cloud Hosting Will Become Dominant Model by 2019

FIGURE 5.3

How to Assess Public Cloud Services versus Other Options

Chapter 6

FIGURE 6.1

Integrate a Proactive Cyber-Intelligence Function with the Security Operations Team

Chapter 7

FIGURE 7.1

Base War-Game Scenario on High-Risk Events for the Business

Chapter 8

FIGURE 8.1

Phased Rollout Plan to Protect the Most Critical Areas First

Chapter 9

FIGURE 9.1

Executives’ Perspective on Cybersecurity Regulation Varies Widely by Sector, with Banking Most Skeptical

FIGURE 9.2

OECD Countries Are Starting to Put Cybersecurity Strategies in Place

FIGURE 9.3

Maturity Curve for the Pillars of a Digital Resilience Ecosystem

Foreword

We live in a remarkable age of technology innovation. The speed with which we are able to communicate, collaborate, and transform our businesses and organizations is truly astounding. Yet the risk created by our increasing dependence on those technology advancements is equally astounding. The economic, operational, and reputational risks of technology are well known to anyone who has paid even passing attention to the almost daily security breach headlines.

In their research, so effectively laid out in this book, the authors explain why there is so much cyber insecurity today, how it has become such an intractable problem, why it could get worse, and what organizations, industries, and governments must do now to start to address the problem. Importantly, James Kaplan, Tucker Bailey, Chris Rezek, Derek O’Halloran, and Alan Marcus go beyond elucidating today’s risks and how to mitigate them, and extrapolate the downstream economic consequences if organizations don’t change their fundamental approach to cybersecurity.

During the course of the authors’ work, I had an opportunity to preview their methodology and early results. So much of what they were seeing in organizations around the globe mirrored what I had been seeing and hearing from RSA’s customers. As the authors subsequently presented their early findings to national representatives of countries from Europe, Asia, and the Americas at the 2014 RSA Conferences, it was clear that their findings resonated globally and reflected a universal experience. At these sessions, I was encouraged to see such an improved understanding of the need for all nations to cooperate to solve this problem.

It is clear from the research that the advent of cloud, mobile, and social media technologies combined with contemporary digital business practices has so expanded and distorted the attack surface of organizations that it is no longer possible to use the perimeter as an effective defense method. The perimeter that used to serve as a barrier between organizations and the external world has been perforated to the point that even a Swiss cheese metaphor is too charitable. The perimeter has become fragmented, ephemeral, dynamic, and contextual. As such, the security programs and controls on which we have relied are being overwhelmed. A new security model is called for and the authors of this book are recommending a multitiered approach based on the concept of digital resilience—an approach that has been adopted by leading companies around the world and has rapidly become conventional wisdom.

Digital resilience is not just a theory. It is a strategy, yes, but it is also a framework of policies, processes, and controls that promise real security in our increasingly insecure world. It starts with a thorough understanding of risk and the need to view digital risk through the lens of an organization’s business objectives, priorities, and critical assets. It’s about creating a culture of security among business leaders so that digital business decisions are made with security in mind and not just as an afterthought. It’s about being prepared for attacks from any source, including insiders, and having the visibility, analytical tools, and dynamic controls necessary to respond rapidly and with agility to the inevitable intrusions. Most of all, digital resilience is about bringing all of these elements together in a coherent whole to create true defense in depth.

But our organizations are not islands. It’s hard for them to succeed on their own. The authors acknowledge the need for an ecosystem of governments, regulators, vendors, and industry groups in which organizations work together and create policy that will protect the collective whole.

For many, the topic of cybersecurity continues to be unfathomable. A lack of organizational maturity, fear, and a sense of hopelessness permeate many organizations. As the authors explain in their analysis of the economic consequences of continued cyber insecurity, the impact of this lack of clarity goes beyond the current challenges we face, since the adoption of innovative, potentially transformative technologies is being hampered by fear and uncertainty around cyber risks. But, as two-time Nobel Laureate Marie Curie said, “Nothing in life is to be feared. It is only to be understood. We must understand more so that we may fear less.”

The authors do an exceptional job of creating that understanding in this book and are to be commended for providing the research and analysis necessary to distill such a clear and compelling path to a secure future.

I believe this book can be of enormous help to security practitioners and IT executives, not only to benchmark themselves against real-world successes, but as a tool to explain to senior management the importance and relevance of cybersecurity to their organizations’ future and very viability.

Every politician and regulator should use this book as a guide for developing thoughtful, effective policy and practical regulation that can support the private sector in its efforts.

And, finally, for executives and boards of directors, it can be a valuable guide for their fiduciary understanding of a problem that all organizations face and will only grow in import in the future. I am frequently invited to speak to boards of directors about their cybersecurity situations and outlook, and, while I frequently draw upon my own experience and the experiences of our customers around the world in those conversations, I’m thankful to be able now to share the excellent insight and perspective of this book as well.

Arthur W. Coviello, Jr.

Executive Chairman

RSA, The Security Division of EMC

Preface

Progress for the world economy depends on tens of trillions of dollars in value being created from digitization over the next decade. Institutions are moving from having pockets of automation to using pervasive connectivity, massive analytics, and low-cost scalable technology platforms to achieve fundamentally different levels of customer intimacy, operational agility, and decision-making insight. In banking, this means opening accounts and approving mortgages in minutes rather than days or weeks. In insurance, it means better underwriting and fairer pricing based on massive analytics. In airlines and hotels, it means more transparency and less hassle for travelers.

Continue reading in the full edition!