Information Security Benchmarking 2015

Information Security Benchmarking 2015
Transform to the power of digital Information Security Benchmarking 2015 Information Security assessment of companies in Germany, Austria and Switzerland May 2015
Capgemini Consulting conducted a benchmarking study on Information Security to provide a thorough and balanced view of the current state of security in DACH organizations Management summary – study design and approach Copyright © 2015 Capgemini Consulting. All rights reserved. 2  Information Security is key for today‘s organizations. The increasing number of serious security breaches announced in the press reminds us every day of the financial and non-financial consequences a successful attack exposes business to. New business and regulatory requirements, recent trends and the increasing sophistication of cyberattackers makes this topic an even greater headache - not only for security officers but also the board.  To understand how other peers implement Information Security to protect the confidentiality, integrity and availability of data provides valuable insight for every organization. Such insights are not only helpful in recognizing current trends but also enable the quickly identification of individual strengths, areas of improvement and allow for the benchmarking across the organizations’ peer group.  In Q4 2014, Capgemini Consulting conducted an Information Security benchmarking study among companies and organizations in Germany, Austria and Switzerland. The 45 respondents from 10 different industry sectors provided their views on upcoming trends as well as delivered information on topics such as their security budget and organization structures.  The Information Security assessment was conducted based on a detailed maturity model. Using this model, study participants evaluated their security practice in the domains “Strategy & Governance”, “Organization & People”, “Processes” and “Technology”.  Capgemini evaluated the respondents’ answers and presents the study results from two different points of view: – overall results across all participants to provide a thorough and balanced view of the current state of Cybersecurity in DACH – an individual assessment for each participant where individual answers are discussed and compared against their industry peer group
Despite a high top management attention and increasing budgets, Information Security must undergo a deep transformation to improve alignment and cooperation with business Management summary – key insights Copyright © 2015 Capgemini Consulting. All rights reserved. 3  High top management attention for Information Security – 75% of the respondents rated the top management’s priority on Information Security as medium or high, numerous companies even view it as one of their strengths.  Business goals not aligned with Information Security – Protection of data and prevention of system outages are considered key drivers for Information Security, while only 31% of the respondents view support of business goals as a driver for their security practice.  Security risks ignored by business decision makers – 75% of the participating companies stated that business is not involved in their IT risk management and does not consider security risks in their decision making.  Lack of security KPIs and ROI consideration – 96% of the participants rely on the results of internal and external audits to measure effectiveness of their Information Security, but only 7% use specific KPIs and merely 4% consider ROI estimates.  Unstructured security awareness programs – Increasing employee security awareness is the number one area of improvement for many companies. Only 27% of the participants characterized their awareness program as holistic, although 80% of respondents identified employees as the key source for security incidents,  Inconsistent information classification – 50% of the respondents rated their information classification as inconsistent with a lack of clearly defined classification policies and owners for each information asset.  Uncontrolled use of public clouds – 33% use public cloud services without full control of transmitted data, exposing it to potential unauthorized access. 27% of participants do not use public cloud services at all.  Increasing security budgets – More than half of the study participants (56%) expect an increase of their security budget while only 9% expect a budget decrease. The expected increase of the security budget is 10% (median).
Growing requirements and recent trends continue to pose new challenges to Cybersecurity and endanger the success of Digital Transformation for today’s companies Cybersecurity challenges Copyright © 2015 Capgemini Consulting. All rights reserved. 4 Organized cybercrime with sophisticated attacks New requirements and trends Slowly growing Cybersecurity budgets Trends from Digital Transformation Mobility Business demanding higher flexibility Complex ecosystems (e.g. Industry 4.0) New regulations & laws e.g.“IT- Sicherheitsgesetz” Low awareness level of employees due to lack of holistic programs DIGITAL TRANSFORMATION Constrained security resources Cloud Big Data Social Industrialization of hacking, professional attack software “as a service” National intelligence agencies with unlimited resources Employees attacked by phishing, social engineering …
Transform the power of digital Participants and Overview of the Study Overall Study Results Individual Results of Security Maturity Assessment Capgemini Consulting Cybersecurity Offerings About Capgemini Consulting Table of contents Copyright © 2015 Capgemini Consulting. All rights reserved. 5
13% 24% 22% 11% 29% Participants’ industry sectors Energy, Utilities & Chemicals Financial Services Manufacturing Public Sector Other Industries 69% 16% 4% 2% 7% 2% Participants’ role CISO/IT Security Manager CIO IT Service Manager IT Application Manager Other Not Specified Experts from medium- and large-sized companies across multiple industry sectors participated in the study – with a majority of participants from Germany and Austria Participants information Copyright © 2015 Capgemini Consulting. All rights reserved. 6 1 Other industries include Retail, Logistics, Telco/Media/ Entertainment, Automotive 45% 34% 14% 7% Participants’ origin* *Number of participants n=45 Other 4% 9% 31% 18% 36% 2% 1-500 501-1,000 1,001-5,000 5,001-15,000 >15,000 Not Specified Company sizes (number of employees) 1
Leading DAX, ATX and SMI companies, hidden champions from various industries and public sector organizations participated in the Capgemini Consulting benchmarking study Participant peer groups Copyright © 2015 Capgemini Consulting. All rights reserved. 7 Financial Services Major Austrian and Swiss banks, leading insurance companies from Germany, Austria and Switzerland, service providers for financial institutes Manufacturing DAX companies, large international manufacturer and hidden champions from Germany, Austria and Switzerland Public Sector Major German and Austrian federal authorities and ministries, infrastructure operators and competence centers for municipals Energy, Utilities & Chemicals Leading energy and chemical companies from DAX and ATX, international Swiss electric utilities Other Industries Leading international retailer, logistic, telco, media and car supplier companies from Germany, Austria and Switzerland
Information Security Organization & budget Drivers & strengths/ pain points & risks Maturity assessment of all Information Security areas Capgemini Consulting benchmarking study evaluates all relevant areas of an organization’s Information Security practice using proven standards and industry best practices Information Security benchmarking Copyright © 2015 Capgemini Consulting. All rights reserved. 8 Covers all relevant security areas Scope of Benchmarking Study ISO 2700x Based on common Information Security standards and industry best practices INFORMATION SECURITY TechnologyProcesses Strategy & Governance Organization & People Structure of the study
T Y P I C A L C H A R A C T E R I S T I C S M A T U R I T Y L E V E L Maturity model – design principles The benchmark evaluates the participants‘ security based on Capgemini Consulting Information Security maturity model Copyright © 2015 Capgemini Consulting. All rights reserved. 9 1 – AD HOC 2 – DEFINED 3 – MEASURED 4 – OPTIMIZED  To achieve reliable results, the study aims at an objective and repeatable security maturity assessment of all participants  Objectivity is achieved by assessing each Information Security component based on a clearly defined 5-level maturity model Maturity levellow high 0 – NON-EXISTENT  Ad hoc  As needed  Informal  Loosely defined  Inconsistent  Basic  Occasional  Defined process, roles, responsibilities  Documented  Formal  Communicated  Measured to work effectively  Monitored  Use of KPIs  Regular review/ audits  Partially automated  Reactive  Not performed  Non- existent  Not installed  Necessity not understood  Continuous improvement and optimization  Best practice  Risk mitigation  Automated workflow  Business enabler  Proactive
Transform the power of digital Participants and Overview of the Study Overall Study Results – 1. Drivers & risks – 2. Organization & budget – 3. Overall security maturity assessment Individual Results of Security Maturity Assessment Capgemini Consulting Cybersecurity Offerings About Capgemini Consulting Table of contents Copyright © 2015 Capgemini Consulting. All rights reserved. 10
Protection of data is the key driver for Information Security – supporting business goals and enabling Digital Transformation is of less relevance for most companies Drivers for Information Security Copyright © 2015 Capgemini Consulting. All rights reserved. 11 78% 71% 69% 58% 44% 31% 16% 11% 7% 2% 2% 2% Protection of customer data Prevention of system/ process outage Protection of personal data Protection of assets and IP Safeguard for reputation Support for business goals Enabler for Digital Transformtion Strengthening competitiveness Increase of efficiency/cost reduction Critical infrastrcuture protection Compliance Legal requirements 31% of participants only rated support of business goals as a key driver
Information Security is on the boardroom agenda – many participants see top management attention as one of their strengths Strengths and top management attention Copyright © 2015 Capgemini Consulting. All rights reserved. 12 Security expertise & capabilities Management attention & commitment Holistic Target Operating Model/ ISMS1 Security awareness & training Data protection based on requirements 1 ISMS: Information Security Management System 75% of participants rated top management attention as medium to high Ranked top strengths
Although the majority of the participants already identified its importance, several companies still lack the implementation of a holistic security awareness program Improvement fields and awareness programs Copyright © 2015 Capgemini Consulting. All rights reserved. 13 Security awareness & training Communication & collaboration Policies & documentation Security expertise & capabilities Security operation center & monitoring Ranked top improvement fields 73% of participants consider their awareness program as unstructured
Data theft and disclosure of information represent the largest security risk – the resulting incidents are frequently caused by current and former employees Security risks and sources for security incidents Copyright © 2015 Capgemini Consulting. All rights reserved. 14 11% 13% 13% 29% 47% 56% 56% 80% Competitors Terrorists Visitors Foreign nation states/national agencies Third-party partners/suppliers Hackers/Script kiddies Organized crime Current and former employees Top risks Sources for incidents Data theft and disclosure Service outage Phishing & social engineering Unauthorized network access Internal and external fraud 80% of participants consider their employees as the main source for security incidents
Increasing security awareness and training employees are considered as essential elements of Information Security to protect corporate information High priority topics Copyright © 2015 Capgemini Consulting. All rights reserved. 15 44% 28% 23% 15% 13% 13% 10% 10% 10% 8% Security awareness & training Mobile device security Identity & access management Network security Security operations center & monitoring Holistic information security management system Policies & documentation Process optimization Risk & vulnerability management Business continuity/ disaster recovery management 44% of respondents plan to invest into awareness campaigns in the upcoming months
Internal and external audits are by far the most applied methods to measure security effectiveness while security KPIs and ROI estimation are almost neglected Effectiveness measurement Copyright © 2015 Capgemini Consulting. All rights reserved. 16 4% 7% 16% 27% 31% 33% 38% 64% 96% Return on investment (ROI) estimation Special key performance indicators Number of security policies and standards Proportion of system downtime Feedback from management Industry benchmarking Measurement of Information Security Awareness Number of security incidents Results of audits by internal or external auditors 4% of companies consider ROI as an effectiveness measure
ISO 2700x is the de-facto standard for Information Security in all sectors while COBIT is only sparsely implemented among the study participants Security standards and best practices Copyright © 2015 Capgemini Consulting. All rights reserved. 17 100% 64% 55% 27% 18% 100% 33% 33% 17% 0% 80% 60% 80% 0% 0% 71% 71% 14% 57% 14% 73% 45% 55% 36% 0% 0% 20% 40% 60% 80% 100% ISO 27001 ITIL BSI COBIT Other (e.g. PCI DSS) Financial Sector Energy, Utilities, Chemicals Public Sector Manufacturing Other ISO 2700x Other (e.g. PCI DSS)
A lack of Information Security risk consideration during business decisions may result in unsecure solutions with a high potential to security breaches IT risk management Copyright © 2015 Capgemini Consulting. All rights reserved. 18 7% 18% 44% 22% 9% 75% of companies do not consider security risks in their business decisions making   Business decisions with security involvement NON-EXISTENT AD-HOC DEFINED MEASURED OPTIMIZED 0 1 2 3 4 Maturity Levels (4 = optimized … 0 = non-existent)
An essential part of the Information Security governance are steering committees where security-related decisions are met by consensus of relevant stakeholders Information Security governance Copyright © 2015 Capgemini Consulting. All rights reserved. 19 56% of respondents defined a security steering committee with various stakeholders 20% 35%16% 29% 0%   Involvement of relevant stakeholders NON-EXISTENT AD-HOC DEFINED MEASURED OPTIMIZED 0 1 2 3 4 Maturity Levels (4 = optimized … 0 = non-existent)
Information classification has been strongly neglected in recent years – the lack of effective classification solutions is also a key security concern for cloud computing Information classification and cloud computing Copyright © 2015 Capgemini Consulting. All rights reserved. 20 4% 9% 27% 33 % 27% 50% of companies rate their data classification as inconsistent 3% 10% 38%45 % 5% 33% of participants allow an uncontrolled use of public cloud services Classification Cloud computing NON-EXISTENT AD-HOC DEFINED MEASURED OPTIMIZED 0 1 2 3 4 Maturity Levels (4 = optimized … 0 = non-existent) NON-EXISTENT AD-HOC DEFINED MEASURED OPTIMIZED 0 1 2 3 4 Maturity Levels (4 = optimized … 0 = non-existent)
0 20 40 60 80 100 120 Medium-sized companies (<= 5,000 employees) With typically 4 FTEs, large companies have twice as much resources as medium-sized companies who work in the Information Security function Organization – FTEs in Information Security Copyright © 2015 Capgemini Consulting. All rights reserved. 22 Max: 62Min: 0.5 Median: 2 0 20 40 60 80 100 120 Max: 100Min: 1 Median: 4 4 FTEs is the median size of Information Security organizations in large-sized companies Large-sized companies (5,000+ employees)
56% 9% 36% Budget increase Budget decrease No statement Budget changes 56% of the participating companies expect an increase of their security budget compared to the previous year by 10% Information Security budget Copyright © 2015 Capgemini Consulting. All rights reserved. 23 -40 -20 0 20 40 60 80 Median: +10% Max: +67%Min: -25% 56% of participants expect an increase of their security budget Change of security budgets (in %)
2.5 2.2 2.1 2.0 1.7 With a typical maturity level of 2, most participants’ security areas are formally defined but lack an effective measurement and automation Overall security maturity assessment – industry peers Copyright © 2015 Capgemini Consulting. All rights reserved. 25 is the highest average maturity level , achieved by Public Sector low high 2.5 Public Sector Financial Services Manufacturing Energy, Utilities & Chemicals Other industries MaturityLevel
Public Sector Financial Services Manufacturing Energy, Utilities & Chemicals Other Industries 0,00 1,00 2,00 3,00 4,00 Overall security maturity assessment – details Public Sector outperformed in domains “Strategy & Governance” and “Organization & People” while in “Processes” and “Technology” Financial Services showed highest maturity Copyright © 2015 Capgemini Consulting. All rights reserved. 26 1.1 Strategy 1.2 Governance Structure 1.3 Compliance Management 1.4 Risk Management 1.5 BCM/DRM 1.6 Audits 1.7 Data Privacy 1.8 Security Incident Reporting 2.1 Organization Structures 2.3 Employee Training and Awareness 2.4 Security Expert Training 2.5 Security Service Improvement 2.6 Cooperation with Corporate Security 2.7 Relationship with Business Units 2.8 Social Media 3.1 Identity and Access Management 3.2 Threat and Vulnerability Management 3.3 Patch ManagementInformation Classification 3.4 Sourcing and Vendor Management 3.5 Secure Application Development 3.6 Backup 3.7 Mobile Devices 3.8 Retention and Investigation of Data 3.9 Cloud Computing 3.10 Physical User Access Management 3.11 Firewalls 4.1 Remote User Access 4.2 Network Intrusion Protection 4.3 Wireless Network 4.4 Database Security 4.5 Server and System Security 4.6 Endpoint Device Security 4.7 Application Security 4.8 Malicious Content Protection 4.9 Physical Control Systems 4.10 2.2 Roles & Responsibilities
Drivers, incident sources and measurement COMPANY1’s security function is closely aligned to business, defining the support for business goals as a key driver for its investments Copyright © 2015 Capgemini Consulting. All rights reserved. 28  Prevention of system outages  Support for business goals  Organized crime  Visitors  Return on investment (ROI)  Results of audits by internal and external auditors  Industry benchmarking  Measurement of Information Security awareness  Feedback from management DRIVERS FOR INFORMATION SECURITY EXAMPLE 1 The following results represent an example of an anonymized individual assessment. COMPANY is only a placeholder. Drivers for Information Security Sources for incidents Effectiveness measurements A B C SOURCES FOR INCIDENTS A B C EFFECTIVENESS MEASUREMENTS  Prevention of system outages is the key driver for most members (83%) of peer group “Energy, Utilities & Chemicals”  COMPANY is the only participant in the peer group defining support for business goals as a key driver for security  In contrast to COMPANY, 50% of other participants in peer group consider protection of customer data and protection of assets and IP as a key driver for security  Organized crime is seen by COMPANY and most other peer group members as a key source for incidents  In addition, other companies from the peer group consider current/ former employees (67%) and hackers (50%) as a further incident source  COMPANY is the only in the peer group considering ROI as measure  84% of other participants consider the number of security incidents as another effectiveness measure
Strengths, improvement fields, risks and priorities COMPANY’s improvement fields are mainly located in the domain “Processes” - access management and data classification are common improvements fields of the respondents Copyright © 2015 Capgemini Consulting. All rights reserved. 29 Access mgmt Compliance and req. mgmt Data classification Access control Data classification - Top 3 improvement fields Top 3 priorities Vulnerability mgmt Certified infrastructure Integrated mgmt system Top 3 strengths Data leakage Internal threats Complexity Top 3 risks 1 2 3 1 2 3 1 2 3 1 2 3 Capgemini Consulting Information Security Framework Processes Technology Strategy & Governance Organization & People 1 2 3 3 1 2 1 3 1 2 INFORMATION SECURITY 2 COMPANY’s individual answers Domain Mapping EXAMPLE
Security maturity assessment – domain Strategy & Governance With an immature IT risk management COMPANY may miss or underestimate major risks for its organization and become victim of internal and external threats Copyright © 2015 Capgemini Consulting. All rights reserved. 30 “1.2 Governance Structure” is below peer group average (COMPANY: 2 vs. peers: 2.47). Recommendation: Definition of security steering committee with relevant stakeholders, direct report to top management “1.4 IT Risk Management” is significantly below peer group average (COMPANY: 1 vs. peers: 2.45). Recommendation: Definition of processes, roles & responsibilities, regular assessments, mgmt of mitigation measures, reporting, definition of KRIs “1.6 Audits” is below peer group average (COMPANY: 2 vs. peers: 2.91). Recommendation: Definition of data collection methods for auditor support, immediate response to findings by automated process A C EXAMPLE B COMPANY lies in 6 out of 8 areas below the peer group average in the domain “Strategy & Governance” 0 1 2 3 4 1.1 Strategy 1.2 Governance Structure 1.3 IT Compliance Management 1.4 IT Risk Management 1.5 BCM/DRM 1.6 Audits 1.7 Data Privacy 1.8 Security Incident Reporting COMPANY Financial Services Top Performer in Peer Group Total Average (All Participants) A BC Low risk Medium risk High riskNo riskCapgemini’s high-level risk evaluation: TechnologyProcesses Strategy & Governance Organization & People
Security maturity assessment – domain Organization & People A holistic Information Security awareness concept is the most effective solution to tackle the increasing number of attacks on employees Copyright © 2015 Capgemini Consulting. All rights reserved. 31 “2.3 Employee Training & Awareness” is below peer group average. Due to increasing importance, the average is expected to raise. Recommendation: Definition of a holistic concept, measurement of awareness and training success, use of multipliers “2.4 Security Expert Training” is below peer group average (COMPANY: 1 vs. peers: 1.91). Recommendation: Definition of trainings plans, introduction of mandatory trainings/ certifications “2.6 Cooperation with Corp. Sec.” is significantly below peer group average (COMPANY: 1 vs. peers: 2.45). Recommendation: Intensification of collaboration with Corporate Security, use of joint success factors EXAMPLE B COMPANY lies in 7 out of 8 areas below the peer group average in the domain “Organization & People” A B 0 1 2 3 4 2.1 Organization Structures 2.2 Roles & Responsibilities 2.3 Employee Training and Awareness 2.4 Security Expert Training 2.5 Security Service Improvement 2.6 Cooperation with Corporate Security 2.7 Relationship with Business Units 2.8 Social Media COMPANY Manufacturing Top Performer in Peer Group Total Average (All Participants) A B C Low risk Medium risk High riskNo riskCapgemini’s high-level risk evaluation: TechnologyProcesses Strategy & Governance Organization & People
Copyright © 2015 Capgemini Consulting. All rights reserved. 32 If your organization would like to participate in Capgemini’s free Information Security study and join full insights from Capgemini’s extensive benchmarking database, please contact Capgemini Consulting is happy to perform a detailed and individual assessment of your Information Security practice Dr. Paul Lokuciejewski Lead of Cybersecurity Consulting Capgemini Deutschland GmbH Berliner Str. 76 D-63065 Offenbach Phone: +49 69 9515 1439 E-Mail: paul.lokuciejewski@capgemini.com
Trends in Cybersecurity With the increasing complexity of organizations and the ongoing penetration of SMACT1 technologies, a “full perimeter” protection is not feasible anymore Copyright © 2015 Capgemini Consulting. All rights reserved. 34 Control-centric Prevent & protect Perimetric defense Zero-risk dream & compliance People-centric Predict, monitor & respond Data-centric defense Digital risks & info. life cycle Security Strategy People & Awareness Security Operations SOLUTIONS Risk Mgmt & Information Classification Old Paradigm New Paradigm 1 Social, Mobile, Analytics, Cloud and (Internet of) Things
Our Strategic Cybersecurity Consulting guides your organization through a secure Digital Transformation while leveraging the power of modern technologies Capgemini Consulting Cybersecurity Portfolio (excerpt) Copyright © 2015 Capgemini Consulting. All rights reserved. 35 Benchmarking / Maturity Assessment Digital Risk Management Awareness Campaign Security Target Operating Model (ISMS) “gain a profound understanding of your current Cybersecurity situation.” “make risk-based decisions and protect your business with optimal investment strategies.” “establish effective Cybersecurity capabilities for a holistic protection of your data and systems.” “foster a people-centric security culture and protect against the increasing number of employee-focused attacks.” OUR STRATEGIC CYBERSECURITY CONSULTING ADDRESSES C-LEVEL CONCERNS TO ENABLE A SECURE DIGITAL TRANSFORMATION. IT WILL HELP YOU TO 1 4 2 3
CySIP Maturity Assessment approach Capgemini performs its Cybersecurity & Information Protection (CySIP) Maturity Assessment based on a proven approach and standardized tools Copyright © 2015 Capgemini Consulting. All rights reserved. 36  Conduct focus interviews with business and IT to assess maturity  Identify vulnerabilities and gaps  Benchmark with best practices  Define pain points, quick wins and long-term measures  Prioritize measures  Define high-level business case  Define transformation plan  Align results with stakeholders  Prepare decision documents  Define scope of assessment  Derive strategic guidelines  Determine client-specific threats  Identify business-critical information and systems MATURITY ASSESSMENT TRANSFORMATION ROADMAPSCOPING & VISIONING  Overview of evaluated vulnerabilities and gaps  Assessed CySIP maturity  Measurement catalogue  Aligned and prioritized measures  High-level business case  Transformation plan  Final decision documents  Aligned questionnaires  Defined strategic guidelines  Overview of business-critical information and systems Implementaiton ResultsActivities Management&GovernanceInt.Organization&Client Applications& OperatingSystem Network& Hardware Q4 2014 2015 2016 Analyzedata privacy organization Design IS policy framework Outlinegovernance principles for data Describe governance profiles and roles Transform to new organization Analysisbusiness & IT requirements Develop security architecture model Design technical solutions Build and customize designed solution Test and deploy services Conductrisk and stakeholder analysis Perform survey to assess awareness level Develop awareness concept Design awareness objects Define business continuity strategy Develop decision structures Develop organization plan Implement awareness objects Perform 2. survey to measure effectiveness Define business impact analysis(BIA) Conductbusiness impact analysis Formulate SLAs Define business continuity plans Define business continuity plans CE v6.3 © 2007 Capgemini - All rights reserved 071217_IT ORGANIZATION AS-ISAND TO-BE_V11_TW-JW.PPT 2424 The to-be organization features an org-line for functional business interaction as well as for supply management to enhance the capabilities Org structure – To-be IT demand organization Organization chart Global Supply R&D External Supply (EDM) BusinessInformation Manager (BIM) HR Controlling Contract Management Architect ProjectPort- folio Mgmt Technology Innovation Quality Mgmt IT Strategy Business Consulting (SAP,EDM) Business (Keyuser) Germany France Netherlands R.o.W Local IT Mgmt R&D RES- QS Manu fact. … Global Functional Information Management Service Mgmt Com. Com.line Communication line Communication line R&D RESQS Manufact. S&M Global IT Management Internal Supply (SAP, IM) US CRIS SM EDM Global Supply Management • Vacant positions in Global Functional Information Management (GFIMs) ar e re-staffed and enhanced by business consulting capabilities for SAP and EDM • New organizational line manages Pharma-specific supply as well as internal and external providers 0 1 2 3 4 1.1 Strategy 1.2 Governance Structure 1.3 IT Compliance Management 1.4 IT Risk Management 1.5 BCM/DRM 1.6 Audits 1.7 Data Privacy 1.8 Security Incident Reporting Bundesministerium für Finanzen Public Sector Top Performer in Peer Group Total Average (All Participants) C-LEVEL AND BUSINESS-ORIENTED, STRUCTURED APPROACH FOR AN ACCELERATED INCREASE OF CLIENT’S MATURITY AND DEFINITION OF A CYBERSECURITY STRATEGY Phase Why Capgemini Consulting?  C-Level and business-oriented for alignment with business/IT strategy  Toolkit of proven questionnaires for accelerated maturity assessment  Extensive benchmark database for peer comparison  Collaborative approach to define clear strategy 1
Cybersecurity Digital Risk Management Capgemini helps organizations to protect their critical information assets using optimal investment strategies that minimize operational risk Copyright © 2015 Capgemini Consulting. All rights reserved. 37  Describe procedures & interfaces  Define roles & responsibilities and KRIs  Develop reporting  Profile threats and vulnerabilities  Develop questionnaires  Conduct risk assessments with business and IT to identify and evaluate risks  Create a holistic risk register  Define risk mitigation measures  Implement process  Define scope of risk assessment  Identify critical information assets  Assess business impact (business impact analysis)  Perform gap analysis and define measures TO-BE DESIGN RISK ASSESSMENT & IMPLEMENTATION VISIONING & AS-IS ANALYSIS  Policy and process description  Role descriptions/ RACI  Reporting templates  Risk assessment templates  Validated risk assessment results  Consolidated risk register  Measurement catalogue  Training material & reporting  Assessment scope  Realistic and worst-case inherent business impact ratings  Overview gaps/ measures BUSINESS-FOCUSED, STRUCTURED AND PRACTICAL RISK MANAGEMENT METHODOLOGY BASED ON RIGOROUS ASSESSMENT TO CREATE A HOLISTIC PROFILE OF DIGITAL RISKS Why Capgemini Consulting?  Proven best practices approach to create a holistic risk profile  Focus on business perspective (“Digital Risk”)  Practical methodology with rigorous assessment process  Best practice templates to focus on key risks Probability HIGH MEDIUM LOW LOW MEDIUM HIGH Impact 7 2 3 1 4 6 5 11 9a 9c9b 9d 8 12 10 13 14b 14a Aktuelle Themen Bewertung Maßnahmen Themenbereich Anz. Grün Gelb Orange Rot Veränderung zur Vorperiode Thema 1 2 0 0 2 0 #DIV/0! Thema 2 0 0 0 0 0 #DIV/0! Thema 3 0 0 0 0 0 #DIV/0! Thema 4 1 0 0 1 0 #DIV/0! Management Summary Darstellung des Umsetzungsstands von risikobehandelnden Maßnahmen zu wesentlichen Risiken Überblick über aktuelle, gruppenweite Themen, z.B. IT-Projekte, Veränderungen beim IT- Outsourcing Zusammenfassung der Bewertung der gruppenweiten Risiken und dem Status der Risikoindikatoren (Early Warning System) Kommentierung ResultsActivitiesPhase 2
Cybersecurity Target Operating Model (ISMS) We support organizations in establishing an Information Security Management System that ensures an adequate setup and development of their Cybersecurity capabilities Copyright © 2015 Capgemini Consulting. All rights reserved. 38 Why Capgemini Consulting?  Models tailored towards your organization context  Experience from operating client ISMS  Best-practices following industry standards (e.g. ISO 27001)  Fast implementation due to ready-to-use assets (e.g. policies) HOLISTIC AND RISK-BASED METHODOLOGY TO INTEGRATE CYBERSECURITY INTO YOUR BUSINESS AND INCREASE RESILIENCE PROCESSES & INTERFACES TECHNOLOGY & SYSTEMS PERFORMANCE METRIC Information Security Management System – Operating Model ORGANISATIONAL STRUCTURE GOVERNANCE MODEL ROLES & COMPETENCIES 3
Cybersecurity Awareness 2.0 Awareness initiatives offered by Capgemini leverage broad communication campaigns and targeted training for roles with high risk profiles Copyright © 2015 Capgemini Consulting. All rights reserved. 39 CONTENT ADAPTION PLANNINGQUICK SCAN Phase REVIEW RISKS, EXISTING AWARENESS INITIATIVES AND ANALYZE STAKEHOLDER AND TARGET GROUPS PRAGMATIC ADOPTION AND CREATION OF AWARENESS CONTENT, OUTLINE OF KPIs AND MULTIPLIERS DEFINE TRANSFORMATION ROADMAP FOR PRIORITIZED MEASURES Objectives Store Front Timesheet Workforce Management Mobile CRM Mobile Worker Approvals Interactive Dashboards Mobile Executive Reports Employee Tracking Self-Service Operations Support Mobile Sales Training Documentation Collaboration Tools Mobile Service Customer Factsheets Customer Interaction Tracker Pushed Information Automated Services Product Information Assistance Services Short Term Mid Term Long Term Strategic Goal Leadership team* • Global • Europe Joint project team • Other projects within Company Employees Europe • UnitA • Unit B • Unit C B C Retailers Other distributors H Consumers I K Europe Leadership team (first line leaders) • UnitA • Unit B • Unit C Manufactures External Stakeholders Internal Stakeholders = target audience G Corporate Functions • Communications • HR D Rest of Europe Organisation • Employees other units A E F Workers council Change Program J The “Dark hotel” attack is targeting high-profile business travelers 48 Please remember: Hackers use fake update notifications to get you to install malware on your computer. “Dark hotel” attack – Step by step 2 You connect to the already infected hotel Wi-Fi with your laptop or Smartphone You receive a fake software update notification on your device An update is ready to install! You install the faked update which is a spy software that gives hackers access to the PC Hackers steal data, record keystrokes and infiltrate the o network 4 Tips for using foreign Wi-Fis 1. Always use the Company VPN connection for any transmission of confidential data 2. Do not download or apply any updates in foreign Wi-Fis 3. Turn off the wireless functions (Wi-Fi, Bluetooth, GPS and NFC) of your mobile devices when you don’t need them 4. Always check if websites use the HTTPS standard in the address bar 5. Always keep your antivirus software up-to- date (update at Company or at home) 6. If you are unsure, use the roaming package of your phone or your UMTS laptop adapter instead 3 1 Possible threats while on tour Secure usage of wireless services Remote access capabilities Copyright © 2015 Capgemini Consulting. All rights reserved. Why Capgemini Consulting?  Structured, proven approach to optimize ongoing campaigns  Flexible and easy-to-adopt solutions  Extensive knowledge in change and communication mgmt  Measurable impact based on implemented KPIs PROACTIVELY TACKLE SECURITY THREATS BY INTRODUCING POSITIVE SECURITY BEHAVIORS THROUGH A HOLISTIC CYBERSECURITY AWARENESS CAMPAIGN 4
Examples (extract)Communication channelsFormat Cybersecurity Awareness 2.0 - communication channels A best practice mix of different channels is used to effectively communicate key messages of the awareness campaign 40 Copyright © 2015 Capgemini Consulting. All rights reserved. Print Digital Events  Poster  Article in internal newspapers  Information Security Handbook  Booklets  Leaflets  Flyers  Newsletters  Intranet/Web Sites/ banner/ blogs  Flat screen content  Online quizzes  Web-based trainings  Awareness movies  Logon screen messages  Online surveys / feedback polls  Phishing mail tests  Clean desk audits  Classroom trainings incl. train- the-trainer concept  Information Security Days  Security breakfast/ lunch events  Live-hacks  Onboarding training material  Management trainings EXAMPLE 2 4
Case study – Cybersecurity Awareness campaign design and implementation Capgemini Consulting supports a leading energy company in significantly raising the awareness for Cybersecurity of 22,000 employees in 20+ countries 41 Copyright © 2015 Capgemini Consulting. All rights reserved. Issue  Our Client – an international energy company with approx. 28,000 employees in more than 20 countries – faced an increasing number of security breaches caused by employees  Loosely performed awareness initiatives in the past showed little to no positive effects  Unknown level of employee awareness for focused awareness activities  Missing local support for global implementation of security initiatives  No holistic approach for a group wide, target group specific awareness campaign Solution  Conduction of a group-wide, multi-lingual online survey with 22,000+ participants  Development of a holistic awareness concept based on detailed survey evaluation  Design and creation of awareness objects using the right mix of communication channels  Organization and conduction of Cybersecurity Awareness events and trainings  Establishment of a multiplier network for an effective campaign implementation  Program management based on Capgemini’s proven methods and tools Benefits Increase awareness for security risks leading to adaption of positive security behaviors Significantly decreased number of security breaches and human errors Improved acceptance and visibility of Cybersecurity as business partner Enforced compliance with legal and regulatory requirements     4
Cybersecurity Awareness 2.0 - why Capgemini Consulting? Proven, easy-to-adopt solutions and an extensive project experience enable Capgemini to efficiently implement effective Information Security Awareness campaigns 42 Copyright © 2015 Capgemini Consulting. All rights reserved. Structured, proven approach to setup or optimize your ongoing awareness activities Flexible and easy-to-adopt solutions for an accelerated increase of Information Security based on your needs Benchmarking data derived from previous projects to compare with industry peers Measurable impact based on implemented KPIs Extensive knowledge in project, change and communication management Global Capgemini network of security and communication experts 1 2 3 4 5 6 4
Copyright © 2015 Capgemini Consulting. All rights reserved. 44 PEOPLE • 140,000 employees • Offices in 44 countries Paul Hermelin Group Chairman and CEO COMPANY • Listed on the Paris stock exchange (CAC-40) • 10.1 bn € revenues (2013) • Top 5 consultancy worldwide • Two thirds of the world‘s largest companies are our clients Headquarter in Paris from a global point of view CAPGEMINI GROUP
Copyright © 2015 Capgemini Consulting. All rights reserved. 45 Dr. Volkmar Varnhagen CEO CC Germany/Austria/Switzerland CAPGEMINI CONSULTING GERMANY/AUSTRIA/ SWITZERLAND GLOBAL • Strong global network • 10.000 strategy and management consulting experts Cyril Garcia CEO Capgemini Consulting Present on all continents The strategy and transformation brand of the group CAPGEMINI CONSULTING
STRATEGIZE  IT Organizational Transformation  Cybersecurity Transformation  Digital Service Unit  Lean IT/ IT efficiency  IT Portfolio Management  IT Shared Service Center  Project Turn-around and PMO TRANSFORM How do you improve/ transform your IT Organization long-term? OUR MISSION is to SUPPORT CIO's in every aspect of their work from ASSESSMENT to STRATEGY all the way through TRANSFORMATION To increase the Capgemini Consulting client focus and build trusted long-term relation- ships with our clients, we have designed our Service Offerings along the life-cycle of CIO’s CIO Advisory Services Copyright © 2015 Capgemini Consulting. All rights reserved. 46  IT Flash Assessment  Cybersecurity Risk Assessment  IT Project/ Program Audit  Digital Day  IT Due Diligence  Post-Merger Integration IT and IT M&A Assessment ASSESS What is the current state of your IT Operation?  IT Strategy Development  Cybersecurity Strategy  IT Innovation Strategies  IT Digital Strategies  Mobile Strategy  Cloud Strategy How do you position your IT Organization strategically?
Capgemini Consulting relies on a strong and global Cybersecurity capability network within the Capgemini Group Capgemini Group offers and capabilities Copyright © 2015 Capgemini Consulting. All rights reserved. 47 2,500+ Capgemini resources with Cybersecurity skills Canada United States Mexico Brazil Argentina All over Europe Morocco Australia People’s Republic of China India Chile Guatemala Singapore Philippines Taiwan Vietnam United Arab Emirates Malaysia New Zealand Japan South Africa Colombia Cybersecurity Awareness Security transformation program management Design and implementation of security solutions Digital security assessment & strategy and risk management Management Security technical assessment Transformation Build
We constantly search for new customer solutions and provide our customers latest research and point of views on current and future topics Capgemini Surveys and Benchmarks (examples) Copyright © 2015 Capgemini Consulting. All rights reserved. 48 The objective is to understand how the “digital winners” are managing (or have managed) their Digital Transformation, starting from “brick and mortar” and moving to a “digital company”, and to identify some guiding principles and best practices International Information Security studies & POVs IT Strategy & Change Management Digital Transformation in cooperation with MIT Transform to the power of digital Information Security Benchmarking 2015 Information Security assessment of companies in Germany, Austria and Switzerland May 2015 Trends in Security 2014
Copyright © 2015 Capgemini Consulting. All rights reserved. 49 Dr. Guido Kamann Head CIO Advisory Services DACH Capgemini Suisse S.A. Leutschenbachstrasse 95 CH-8050 Zürich Phone: +41 44 5602 400 E-Mail: guido.kamann@capgemini.com Dr. Paul Lokuciejewski Lead of Cybersecurity Consulting Capgemini Deutschland GmbH Berliner Str. 76 D-63065 Offenbach Phone: +49 151 4025 0855 E-Mail: paul.lokuciejewski@capgemini.com Thank you.

Check these out next

Information Security Benchmarking 2015

Recomendados

Más contenido relacionado

Presentaciones para ti(20)

Similar a Information Security Benchmarking 2015(20)

Más de Capgemini(20)

Último(20)

Information Security Benchmarking 2015