1. Transform to the power of digital
Information Security Benchmarking 2015
Information Security assessment of companies in Germany, Austria and
Switzerland
May 2015
2. Capgemini Consulting conducted a benchmarking study on Information Security to provide
a thorough and balanced view of the current state of security in DACH organizations
Management summary – study design and approach
Copyright © 2015 Capgemini Consulting. All rights reserved.
2
Information Security is key for today’s organizations. The increasing number of serious security breaches announced in the
press reminds us every day of the financial and non-financial consequences to which a successful attack exposes a business. New
business and regulatory requirements, recent trends and the increasing sophistication of cyberattackers make this topic
an even greater headache, not only for security officers but also for the board.
Understanding how peers implement Information Security to protect the confidentiality, integrity and availability of
data provides valuable insight for every organization. Such insights not only help in recognizing current trends but
also enable the quick identification of individual strengths and areas for improvement, and allow for benchmarking across
the organization’s peer group.
In Q4 2014, Capgemini Consulting conducted an Information Security benchmarking study among companies and organizations
in Germany, Austria and Switzerland. The 45 respondents from 10 different industry sectors provided their views on
upcoming trends as well as delivered information on topics such as their security budget and organization structures.
The Information Security assessment was conducted based on a detailed maturity model. Using this model, study
participants evaluated their security practice in the domains “Strategy & Governance”, “Organization & People”,
“Processes” and “Technology”.
Capgemini evaluated the respondents’ answers and presents the study results from two different points of view:
– overall results across all participants to provide a thorough and balanced view of the current state of Cybersecurity in
DACH
– an individual assessment for each participant where individual answers are discussed and compared against their
industry peer group
3. Despite a high top management attention and increasing budgets, Information Security
must undergo a deep transformation to improve alignment and cooperation with business
Management summary – key insights
High top management attention for Information Security – 75% of the respondents rated the top management’s priority
on Information Security as medium or high, numerous companies even view it as one of their strengths.
Business goals not aligned with Information Security – Protection of data and prevention of system outages are
considered key drivers for Information Security, while only 31% of the respondents view support of business goals as a
driver for their security practice.
Security risks ignored by business decision makers – 75% of the participating companies stated that business is not
involved in their IT risk management and does not consider security risks in their decision making.
Lack of security KPIs and ROI consideration – 96% of the participants rely on the results of internal and external audits to
measure effectiveness of their Information Security, but only 7% use specific KPIs and merely 4% consider ROI estimates.
Unstructured security awareness programs – Increasing employee security awareness is the number one area of
improvement for many companies. Only 27% of the participants characterized their awareness program as holistic,
although 80% of respondents identified employees as the key source for security incidents.
Inconsistent information classification – 50% of the respondents rated their information classification as inconsistent with
a lack of clearly defined classification policies and owners for each information asset.
Uncontrolled use of public clouds – 33% use public cloud services without full control of transmitted data, exposing it to
potential unauthorized access. 27% of participants do not use public cloud services at all.
Increasing security budgets – More than half of the study participants (56%) expect an increase of their security budget
while only 9% expect a budget decrease. The expected increase of the security budget is 10% (median).
4. Growing requirements and recent trends continue to pose new challenges to
Cybersecurity and endanger the success of Digital Transformation for today’s companies
Cybersecurity challenges
New requirements and trends
– Trends from Digital Transformation: Mobility, Cloud, Big Data, Social
– Business demanding higher flexibility
– Complex ecosystems (e.g. Industry 4.0)
– New regulations & laws, e.g. “IT-Sicherheitsgesetz”
Organized cybercrime with sophisticated attacks
– Industrialization of hacking, professional attack software “as a service”
– National intelligence agencies with unlimited resources
– Employees attacked by phishing, social engineering …
Slowly growing Cybersecurity budgets
– Constrained security resources
– Low awareness level of employees due to lack of holistic programs
5. Transform the power of digital
Participants and Overview of the Study
Overall Study Results
Individual Results of Security Maturity Assessment
Capgemini Consulting Cybersecurity Offerings
About Capgemini Consulting
Table of contents
6. Experts from medium- and large-sized companies across multiple industry sectors
participated in the study – with a majority of participants from Germany and Austria
Participants information
Participants’ industry sectors: Energy, Utilities & Chemicals 13%; Financial Services 24%; Manufacturing 22%; Public Sector 11%; Other Industries1 29%
Participants’ role: CISO/IT Security Manager 69%; CIO 16%; IT Service Manager 4%; IT Application Manager 2%; Other 7%; Not Specified 2%
Participants’ origin*: 45%, 34%, 14%, 7% (one segment labelled “Other”; the remaining country labels are not recoverable from the chart)
*Number of participants n=45
Company sizes (number of employees): 1-500 4%; 501-1,000 9%; 1,001-5,000 31%; 5,001-15,000 18%; >15,000 36%; Not Specified 2%
1 Other industries include Retail, Logistics, Telco/Media/Entertainment, Automotive
7. Leading DAX, ATX and SMI companies, hidden champions from various industries and
public sector organizations participated in the Capgemini Consulting benchmarking study
Participant peer groups
Financial Services: Major Austrian and Swiss banks, leading insurance companies from Germany, Austria and Switzerland, service providers for financial institutes
Manufacturing: DAX companies, large international manufacturers and hidden champions from Germany, Austria and Switzerland
Public Sector: Major German and Austrian federal authorities and ministries, infrastructure operators and competence centers for municipalities
Energy, Utilities & Chemicals: Leading energy and chemical companies from DAX and ATX, international Swiss electric utilities
Other Industries: Leading international retail, logistics, telco, media and automotive supplier companies from Germany, Austria and Switzerland
8. Capgemini Consulting benchmarking study evaluates all relevant areas of an organization’s
Information Security practice using proven standards and industry best practices
Information Security benchmarking
Scope of Benchmarking Study – covers all relevant security areas:
– Information Security organization & budget
– Drivers & strengths / pain points & risks
– Maturity assessment of all Information Security areas
Structure of the study – based on common Information Security standards (ISO 2700x) and industry best practices; Information Security is assessed in the four domains Strategy & Governance, Organization & People, Processes and Technology
9. The benchmark evaluates the participants’ security based on Capgemini Consulting
Information Security maturity model
Maturity model – design principles
To achieve reliable results, the study aims at an objective and repeatable security maturity assessment of all participants. Objectivity is achieved by assessing each Information Security component based on a clearly defined 5-level maturity model.
MATURITY LEVEL (low to high) and TYPICAL CHARACTERISTICS:
0 – NON-EXISTENT: Not performed; Non-existent; Not installed; Necessity not understood
1 – AD HOC: Ad hoc; As needed; Informal; Loosely defined; Inconsistent; Basic; Occasional; Reactive
2 – DEFINED: Defined process, roles, responsibilities; Documented; Formal; Communicated
3 – MEASURED: Measured to work effectively; Monitored; Use of KPIs; Regular review/audits; Partially automated
4 – OPTIMIZED: Continuous improvement and optimization; Best practice; Risk mitigation; Automated workflow; Business enabler; Proactive
10. Table of contents – section: Overall Study Results, 1. Drivers & risks
11. Protection of data is the key driver for Information Security – supporting business goals
and enabling Digital Transformation is of less relevance for most companies
Drivers for Information Security
Share of participants naming each driver:
– Protection of customer data: 78%
– Prevention of system/process outage: 71%
– Protection of personal data: 69%
– Protection of assets and IP: 58%
– Safeguard for reputation: 44%
– Support for business goals: 31%
– Enabler for Digital Transformation: 16%
– Strengthening competitiveness: 11%
– Increase of efficiency/cost reduction: 7%
– Critical infrastructure protection: 2%
– Compliance: 2%
– Legal requirements: 2%
Only 31% of participants rated support of business goals as a key driver
12. Information Security is on the boardroom agenda – many participants see top
management attention as one of their strengths
Strengths and top management attention
Ranked top strengths:
1. Security expertise & capabilities
2. Management attention & commitment
3. Holistic Target Operating Model/ISMS1
4. Security awareness & training
5. Data protection based on requirements
1 ISMS: Information Security Management System
75% of participants rated top management attention as medium to high
13. Although the majority of the participants has already recognized its importance, several
companies still lack the implementation of a holistic security awareness program
Improvement fields and awareness programs
Ranked top improvement fields:
1. Security awareness & training
2. Communication & collaboration
3. Policies & documentation
4. Security expertise & capabilities
5. Security operation center & monitoring
73% of participants consider their awareness program as unstructured
14. Data theft and disclosure of information represent the largest security risk – the resulting
incidents are frequently caused by current and former employees
Security risks and sources for security incidents
Top risks:
1. Data theft and disclosure
2. Service outage
3. Phishing & social engineering
4. Unauthorized network access
5. Internal and external fraud
Sources for incidents (share of participants naming the source):
– Current and former employees: 80%
– Organized crime: 56%
– Hackers/Script kiddies: 56%
– Third-party partners/suppliers: 47%
– Foreign nation states/national agencies: 29%
– Visitors: 13%
– Terrorists: 13%
– Competitors: 11%
80% of participants consider their employees as the main source for security incidents
15. Increasing security awareness and training employees are considered essential
elements of Information Security to protect corporate information
High priority topics
Share of participants naming each topic as a high priority:
– Security awareness & training: 44%
– Mobile device security: 28%
– Identity & access management: 23%
– Network security: 15%
– Security operations center & monitoring: 13%
– Holistic information security management system: 13%
– Policies & documentation: 10%
– Process optimization: 10%
– Risk & vulnerability management: 10%
– Business continuity/disaster recovery management: 8%
44% of respondents plan to invest in awareness campaigns in the upcoming months
16. Internal and external audits are by far the most widely applied methods to measure security
effectiveness, while security KPIs and ROI estimation are almost neglected
Effectiveness measurement
Share of participants applying each method:
– Results of audits by internal or external auditors: 96%
– Number of security incidents: 64%
– Measurement of Information Security Awareness: 38%
– Industry benchmarking: 33%
– Feedback from management: 31%
– Proportion of system downtime: 27%
– Number of security policies and standards: 16%
– Special key performance indicators: 7%
– Return on investment (ROI) estimation: 4%
4% of companies consider ROI as an effectiveness measure
17. ISO 2700x is the de-facto standard for Information Security in all sectors while COBIT is
only sparsely implemented among the study participants
Security standards and best practices
Share of participants applying each standard, by sector (chart values as extracted):
Sector | ISO 27001 | ITIL | BSI | COBIT | Other (e.g. PCI DSS)
Financial Sector | 100% | 64% | 55% | 27% | 18%
Energy, Utilities, Chemicals | 100% | 33% | 33% | 17% | 0%
Public Sector | 80% | 60% | 80% | 0% | 0%
Manufacturing | 71% | 71% | 14% | 57% | 14%
Other | 73% | 45% | 55% | 36% | 0%
18. A lack of Information Security risk consideration during business decisions may result in
insecure solutions with a high potential for security breaches
IT risk management
Business decisions with security involvement – Maturity Levels (4 = optimized … 0 = non-existent: NON-EXISTENT, AD-HOC, DEFINED, MEASURED, OPTIMIZED); chart values as extracted: 7%, 18%, 44%, 22%, 9%
75% of companies do not consider security risks in their business decision making
19. An essential part of Information Security governance is steering committees, where
security-related decisions are made by consensus of the relevant stakeholders
Information Security governance
Involvement of relevant stakeholders – Maturity Levels (4 = optimized … 0 = non-existent: NON-EXISTENT, AD-HOC, DEFINED, MEASURED, OPTIMIZED); chart values as extracted: 20%, 35%, 16%, 29%, 0%
56% of respondents defined a security steering committee with various stakeholders
20. Information classification has been strongly neglected in recent years – the lack of
effective classification solutions is also a key security concern for cloud computing
Information classification and cloud computing
Classification – Maturity Levels (4 = optimized … 0 = non-existent: NON-EXISTENT, AD-HOC, DEFINED, MEASURED, OPTIMIZED); chart values as extracted: 4%, 9%, 27%, 33%, 27%
50% of companies rate their data classification as inconsistent
Cloud computing – Maturity Levels (4 = optimized … 0 = non-existent: NON-EXISTENT, AD-HOC, DEFINED, MEASURED, OPTIMIZED); chart values as extracted: 3%, 10%, 38%, 45%, 5%
33% of participants allow an uncontrolled use of public cloud services
21. Table of contents – section: Overall Study Results, 2. Organization & budget
22. With a typical 4 FTEs working in the Information Security function, large companies have twice
the resources of medium-sized companies
Organization – FTEs in Information Security
Medium-sized companies (<= 5,000 employees): Min: 0.5, Median: 2, Max: 62 (scale 0 to 120 FTEs)
Large-sized companies (5,000+ employees): Min: 1, Median: 4, Max: 100 (scale 0 to 120 FTEs)
4 FTEs is the median size of Information Security organizations in large-sized companies
23. 56% of the participating companies expect their security budget to increase by 10% (median)
compared to the previous year
Information Security budget
Budget changes: Budget increase 56%; Budget decrease 9%; No statement 36%
Change of security budgets (in %): Min: -25%, Median: +10%, Max: +67% (scale -40 to +80)
56% of participants expect an increase of their security budget
24. Table of contents – section: Overall Study Results, 3. Overall security maturity assessment
25. With a typical maturity level of 2, most participants’ security areas are formally defined
but lack an effective measurement and automation
Overall security maturity assessment – industry peers
Average maturity level by peer group (scale low to high):
– Public Sector: 2.5
– Financial Services: 2.2
– Manufacturing: 2.1
– Energy, Utilities & Chemicals: 2.0
– Other industries: 1.7
2.5 is the highest average maturity level, achieved by Public Sector
26. Public Sector outperformed in domains “Strategy & Governance” and “Organization &
People” while in “Processes” and “Technology” Financial Services showed highest maturity
Overall security maturity assessment – details
[Chart: average maturity level (0.00 to 4.00) per security area for Public Sector, Financial Services, Manufacturing, Energy, Utilities & Chemicals and Other Industries]
Security areas assessed:
Strategy & Governance: 1.1 Strategy; 1.2 Governance Structure; 1.3 Compliance Management; 1.4 Risk Management; 1.5 BCM/DRM; 1.6 Audits; 1.7 Data Privacy; 1.8 Security Incident Reporting
Organization & People: 2.1 Organization Structures; 2.2 Roles & Responsibilities; 2.3 Employee Training and Awareness; 2.4 Security Expert Training; 2.5 Security Service Improvement; 2.6 Cooperation with Corporate Security; 2.7 Relationship with Business Units; 2.8 Social Media
Processes: 3.1 Identity and Access Management; 3.2 Threat and Vulnerability Management; 3.3 Patch Management; 3.4 Information Classification; 3.5 Sourcing and Vendor Management; 3.6 Secure Application Development; 3.7 Backup; 3.8 Mobile Devices; 3.9 Retention and Investigation of Data; 3.10 Cloud Computing; 3.11 Physical User Access Management
Technology: 4.1 Firewalls; 4.2 Remote User Access; 4.3 Network Intrusion Protection; 4.4 Wireless Network; 4.5 Database Security; 4.6 Server and System Security; 4.7 Endpoint Device Security; 4.8 Application Security; 4.9 Malicious Content Protection; 4.10 Physical Control Systems
27. Table of contents – section: Individual Results of Security Maturity Assessment
28. Drivers, incident sources and measurement
COMPANY1’s security function is closely aligned to business, defining the support for
business goals as a key driver for its investments
EXAMPLE
1 The following results represent an example of an anonymized individual assessment. COMPANY is only a placeholder.
COMPANY’s answers:
A – Drivers for Information Security: Prevention of system outages; Support for business goals
B – Sources for incidents: Organized crime; Visitors
C – Effectiveness measurements: Return on investment (ROI); Results of audits by internal and external auditors; Industry benchmarking; Measurement of Information Security awareness; Feedback from management
Peer group comparison:
A – Drivers for Information Security: Prevention of system outages is the key driver for most members (83%) of peer group “Energy, Utilities & Chemicals”. COMPANY is the only participant in the peer group defining support for business goals as a key driver for security. In contrast to COMPANY, 50% of other participants in the peer group consider protection of customer data and protection of assets and IP as a key driver for security.
B – Sources for incidents: Organized crime is seen by COMPANY and most other peer group members as a key source for incidents. In addition, other companies from the peer group consider current/former employees (67%) and hackers (50%) as a further incident source.
C – Effectiveness measurements: COMPANY is the only participant in the peer group considering ROI as a measure. 84% of other participants consider the number of security incidents as another effectiveness measure.
29. Strengths, improvement fields, risks and priorities
COMPANY’s improvement fields are mainly located in the domain “Processes” – access
management and data classification are common improvement fields of the respondents
EXAMPLE
COMPANY’s individual answers:
Top 3 improvement fields: 1 Access mgmt; 2 Compliance and req. mgmt; 3 Data classification
Top 3 priorities: 1 Access control; 2 Data classification; 3 -
Top 3 strengths: 1 Vulnerability mgmt; 2 Certified infrastructure; 3 Integrated mgmt system
Top 3 risks: 1 Data leakage; 2 Internal threats; 3 Complexity
Domain Mapping: the answers are mapped onto the four domains of the Capgemini Consulting Information Security Framework (Strategy & Governance, Organization & People, Processes, Technology)
30. Security maturity assessment – domain Strategy & Governance
With an immature IT risk management COMPANY may miss or underestimate major risks
for its organization and become a victim of internal and external threats
EXAMPLE
[Chart: maturity level (0 to 4) per area for COMPANY, Financial Services Top Performer in Peer Group and Total Average (All Participants): 1.1 Strategy, 1.2 Governance Structure, 1.3 IT Compliance Management, 1.4 IT Risk Management, 1.5 BCM/DRM, 1.6 Audits, 1.7 Data Privacy, 1.8 Security Incident Reporting]
COMPANY lies in 6 out of 8 areas below the peer group average in the domain “Strategy & Governance”
Findings A, B, C (with Capgemini’s high-level risk evaluation: No risk / Low risk / Medium risk / High risk):
– “1.2 Governance Structure” is below peer group average (COMPANY: 2 vs. peers: 2.47). Recommendation: Definition of security steering committee with relevant stakeholders, direct report to top management
– “1.4 IT Risk Management” is significantly below peer group average (COMPANY: 1 vs. peers: 2.45). Recommendation: Definition of processes, roles & responsibilities, regular assessments, management of mitigation measures, reporting, definition of KRIs
– “1.6 Audits” is below peer group average (COMPANY: 2 vs. peers: 2.91). Recommendation: Definition of data collection methods for auditor support, immediate response to findings by automated process
31. Security maturity assessment – domain Organization & People
A holistic Information Security awareness concept is the most effective solution to tackle
the increasing number of attacks on employees
EXAMPLE
[Chart: maturity level (0 to 4) per area for COMPANY, Manufacturing Top Performer in Peer Group and Total Average (All Participants): 2.1 Organization Structures, 2.2 Roles & Responsibilities, 2.3 Employee Training and Awareness, 2.4 Security Expert Training, 2.5 Security Service Improvement, 2.6 Cooperation with Corporate Security, 2.7 Relationship with Business Units, 2.8 Social Media]
COMPANY lies in 7 out of 8 areas below the peer group average in the domain “Organization & People”
Findings A, B, C (with Capgemini’s high-level risk evaluation: No risk / Low risk / Medium risk / High risk):
– “2.3 Employee Training & Awareness” is below peer group average. Due to its increasing importance, the average is expected to rise. Recommendation: Definition of a holistic concept, measurement of awareness and training success, use of multipliers
– “2.4 Security Expert Training” is below peer group average (COMPANY: 1 vs. peers: 1.91). Recommendation: Definition of training plans, introduction of mandatory training/certifications
– “2.6 Cooperation with Corp. Sec.” is significantly below peer group average (COMPANY: 1 vs. peers: 2.45). Recommendation: Intensification of collaboration with Corporate Security, use of joint success factors
32. Capgemini Consulting is happy to perform a detailed and individual assessment of your
Information Security practice
If your organization would like to participate in Capgemini’s free Information Security study and gain full insights from Capgemini’s extensive benchmarking database, please contact:
Dr. Paul Lokuciejewski
Lead of Cybersecurity Consulting
Capgemini Deutschland GmbH
Berliner Str. 76
D-63065 Offenbach
Phone: +49 69 9515 1439
E-Mail: paul.lokuciejewski@capgemini.com
33. Table of contents – section: Capgemini Consulting Cybersecurity Offerings
34. Trends in Cybersecurity
With the increasing complexity of organizations and the ongoing penetration of SMACT1
technologies, a “full perimeter” protection is not feasible anymore
Old Paradigm | New Paradigm
Control-centric | People-centric
Prevent & protect | Predict, monitor & respond
Perimetric defense | Data-centric defense
Zero-risk dream & compliance | Digital risks & info. life cycle
SOLUTIONS: Security Strategy; People & Awareness; Security Operations; Risk Mgmt & Information Classification
1 Social, Mobile, Analytics, Cloud and (Internet of) Things
35. Our Strategic Cybersecurity Consulting guides your organization through a secure Digital
Transformation while leveraging the power of modern technologies
Capgemini Consulting Cybersecurity Portfolio (excerpt)
OUR STRATEGIC CYBERSECURITY CONSULTING ADDRESSES C-LEVEL CONCERNS TO
ENABLE A SECURE DIGITAL TRANSFORMATION. IT WILL HELP YOU TO
– Benchmarking / Maturity Assessment: “gain a profound understanding of your current Cybersecurity situation.”
– Digital Risk Management: “make risk-based decisions and protect your business with optimal investment strategies.”
– Awareness Campaign: “foster a people-centric security culture and protect against the increasing number of employee-focused attacks.”
– Security Target Operating Model (ISMS): “establish effective Cybersecurity capabilities for a holistic protection of your data and systems.”
36. CySIP Maturity Assessment approach
Capgemini performs its Cybersecurity & Information Protection (CySIP) Maturity
Assessment based on a proven approach and standardized tools
Phase – SCOPING & VISIONING
Activities: Define scope of assessment; Derive strategic guidelines; Determine client-specific threats; Identify business-critical information and systems
Results: Aligned questionnaires; Defined strategic guidelines; Overview of business-critical information and systems
Phase – MATURITY ASSESSMENT
Activities: Conduct focus interviews with business and IT to assess maturity; Identify vulnerabilities and gaps; Benchmark with best practices; Define pain points, quick wins and long-term measures
Results: Overview of evaluated vulnerabilities and gaps; Assessed CySIP maturity; Measurement catalogue
Phase – TRANSFORMATION ROADMAP
Activities: Prioritize measures; Define high-level business case; Define transformation plan; Align results with stakeholders; Prepare decision documents
Results: Aligned and prioritized measures; High-level business case; Transformation plan; Final decision documents
[Embedded sample deliverables: an implementation plan (Q4 2014 to 2016; workstreams Management & Governance, Int. Organization & Client, Applications & Operating System, Network & Hardware), a to-be IT demand organization chart, and a maturity assessment chart for the domain Strategy & Governance (Public Sector peer group, Top Performer in Peer Group, Total Average (All Participants))]
C-LEVEL AND BUSINESS-ORIENTED, STRUCTURED APPROACH FOR AN ACCELERATED
INCREASE OF CLIENT’S MATURITY AND DEFINITION OF A CYBERSECURITY STRATEGY
Why Capgemini Consulting?
– C-Level and business-oriented for alignment with business/IT strategy
– Toolkit of proven questionnaires for accelerated maturity assessment
– Extensive benchmark database for peer comparison
– Collaborative approach to define clear strategy
37. Cybersecurity Digital Risk Management
Capgemini helps organizations to protect their critical information assets using optimal
investment strategies that minimize operational risk
Copyright © 2015 Capgemini Consulting. All rights reserved.
37
Phase: Visioning & As-Is Analysis
Activities: Define scope of risk assessment; Identify critical information assets; Assess business impact (business impact analysis); Perform gap analysis and define measures
Results: Assessment scope; Realistic and worst-case inherent business impact ratings; Overview of gaps/measures
Phase: Risk Assessment & Implementation
Activities: Profile threats and vulnerabilities; Develop questionnaires; Conduct risk assessments with business and IT to identify and evaluate risks; Create a holistic risk register; Define risk mitigation measures; Implement process
Results: Risk assessment templates; Validated risk assessment results; Consolidated risk register; Measures catalogue; Training material & reporting
Phase: To-Be Design
Activities: Describe procedures & interfaces; Define roles & responsibilities and KRIs; Develop reporting
Results: Policy and process description; Role descriptions/RACI; Reporting templates
BUSINESS-FOCUSED, STRUCTURED AND PRACTICAL RISK MANAGEMENT METHODOLOGY BASED ON RIGOROUS ASSESSMENT TO CREATE A HOLISTIC PROFILE OF DIGITAL RISKS
Why Capgemini Consulting?
Proven best-practice approach to create a holistic risk profile
Focus on the business perspective ("Digital Risk")
Practical methodology with a rigorous assessment process
Best-practice templates to focus on key risks
[Figure: risk map with probability (low/medium/high) on one axis and impact (low/medium/high) on the other; risks 1 to 14 (including sub-items 9a to 9d and 14a/14b) are plotted as numbered points]
[Example risk reporting template, translated from German]
Sections: Current topics; Assessment; Measures
Topic area | Count | Green | Yellow | Orange | Red | Change vs. previous period
Topic 1    | 2     | 0     | 0      | 2      | 0   | n/a
Topic 2    | 0     | 0     | 0      | 0      | 0   | n/a
Topic 3    | 0     | 0     | 0      | 0      | 0   | n/a
Topic 4    | 1     | 0     | 0      | 1      | 0   | n/a
(The "change" column is not yet computed in the empty template.)
Management summary
Implementation status of risk-treatment measures for the key risks
Overview of current group-wide topics, e.g. IT projects, changes in IT outsourcing
Summary of the assessment of group-wide risks and the status of the risk indicators (early warning system)
Commentary
38. Cybersecurity Target Operating Model (ISMS)
We support organizations in establishing an Information Security Management System that ensures an adequate setup and development of their Cybersecurity capabilities
Why Capgemini Consulting?
Models tailored to your organizational context
Experience from operating client ISMS
Best practices following industry standards (e.g. ISO 27001)
Fast implementation due to ready-to-use assets (e.g. policies)
HOLISTIC AND RISK-BASED METHODOLOGY TO INTEGRATE CYBERSECURITY INTO YOUR BUSINESS AND INCREASE RESILIENCE
Information Security Management System – Operating Model, building blocks: Organisational Structure; Governance Model; Roles & Competencies; Processes & Interfaces; Technology & Systems; Performance Metrics
39. Cybersecurity Awareness 2.0
Awareness initiatives offered by Capgemini leverage broad communication campaigns and targeted training for roles with high risk profiles
Phase: Quick Scan. Objective: review risks and existing awareness initiatives, analyze stakeholders and target groups
Phase: Content Adaption. Objective: pragmatic adoption and creation of awareness content, outline of KPIs and multipliers
Phase: Planning. Objective: define the transformation roadmap for the prioritized measures
[Figure: example roadmap of mobile use cases (Store Front, Timesheet, Workforce Management, Mobile CRM, Mobile Worker, Approvals, Interactive Dashboards, Mobile Executive Reports, Employee Tracking, Self-Service, Operations Support, Mobile Sales, Training Documentation, Collaboration Tools, Mobile Service, Customer Factsheets, Customer Interaction Tracker, Pushed Information, Automated Services, Product Information, Assistance Services) placed on a short-term / mid-term / long-term / strategic-goal timeline]
[Figure: example stakeholder map distinguishing internal stakeholders (target audience: leadership team global/Europe, joint project team, Europe leadership team (first-line leaders) of units A, B and C, employees Europe and other units, corporate functions such as Communications and HR, workers council, change program) from external stakeholders (manufacturers, retailers, other distributors, consumers); groups are labelled A to K]
Example awareness content: The "Dark hotel" attack is targeting high-profile business travelers
Please remember: hackers use fake update notifications to get you to install malware on your computer.
"Dark hotel" attack – step by step
1. You connect to the already infected hotel Wi-Fi with your laptop or smartphone
2. You receive a fake software update notification on your device ("An update is ready to install!")
3. You install the fake update, which is spy software that gives the hackers access to your PC
4. The hackers steal data, record keystrokes and infiltrate the company network
Tips for using foreign Wi-Fis
1. Always use the company VPN connection for any transmission of confidential data
2. Do not download or apply any updates in foreign Wi-Fis; a genuine update comes from the vendor's own update mechanism, not from a pop-up on the hotel network
3. Turn off the wireless functions (Wi-Fi, Bluetooth, GPS and NFC) of your mobile devices when you don't need them
4. Always check that websites use HTTPS in the address bar, and never click through a certificate warning
5. Always keep your antivirus software up to date (update at the company or at home)
6. If you are unsure, use the roaming package of your phone or your UMTS laptop adapter instead
Awareness modules covered: Possible threats while on tour; Secure usage of wireless services; Remote access capabilities
Why Capgemini Consulting?
Structured, proven approach to optimize ongoing campaigns
Flexible and easy-to-adopt solutions
Extensive knowledge in change and communication mgmt
Measurable impact based on implemented KPIs
PROACTIVELY TACKLE SECURITY THREATS BY INTRODUCING POSITIVE SECURITY
BEHAVIORS THROUGH A HOLISTIC CYBERSECURITY AWARENESS CAMPAIGN
40. Cybersecurity Awareness 2.0 - communication channels
A best-practice mix of different channels is used to effectively communicate the key messages of the awareness campaign
Format / communication channels / examples (extract):
Print: Poster; Article in internal newspapers; Information Security Handbook; Booklets; Leaflets; Flyers; Newsletters
Digital: Intranet/web sites/banners/blogs; Flat screen content; Online quizzes; Web-based trainings; Awareness movies; Logon screen messages; Online surveys/feedback polls; Phishing mail tests
Events: Clean desk audits; Classroom trainings incl. train-the-trainer concept; Information Security Days; Security breakfast/lunch events; Live hacks; Onboarding training material; Management trainings
41. Case study – Cybersecurity Awareness campaign design and implementation
Capgemini Consulting supports a leading energy company in significantly raising the Cybersecurity awareness of 22,000 employees in 20+ countries
Issue
Our client, an international energy company with approx. 28,000 employees in more than 20 countries, faced an increasing number of security breaches caused by employees
Loosely performed awareness initiatives in the past showed little to no positive effect
The level of employee awareness was unknown, so awareness activities could not be focused
Missing local support for the global implementation of security initiatives
No holistic approach for a group-wide, target-group-specific awareness campaign
Solution
Conducting a group-wide, multilingual online survey with 22,000+ participants
Development of a holistic awareness concept based on a detailed survey evaluation
Design and creation of awareness objects using the right mix of communication channels
Organization and delivery of Cybersecurity Awareness events and trainings
Establishment of a multiplier network for an effective campaign implementation
Program management based on Capgemini's proven methods and tools
Benefits
Increased awareness of security risks, leading to the adoption of positive security behaviors
Significantly decreased number of security breaches and human errors
Improved acceptance and visibility of Cybersecurity as a business partner
Strengthened compliance with legal and regulatory requirements
42. Cybersecurity Awareness 2.0 - why Capgemini Consulting?
Proven, easy-to-adopt solutions and extensive project experience enable Capgemini to efficiently implement effective Information Security Awareness campaigns
1. Structured, proven approach to set up or optimize your ongoing awareness activities
2. Flexible and easy-to-adopt solutions for an accelerated increase of Information Security based on your needs
3. Benchmarking data derived from previous projects to compare with industry peers
4. Measurable impact based on implemented KPIs
5. Extensive knowledge in project, change and communication management
6. Global Capgemini network of security and communication experts
43. Transform to the power of digital
Table of contents
Participants and Overview of the Study
Overall Study Results
Individual Results of Security Maturity Assessment
Capgemini Consulting Cybersecurity Offerings
About Capgemini Consulting
44. Capgemini Group
People: 140,000 employees; offices in 44 countries
Company: listed on the Paris stock exchange (CAC-40); 10.1 bn € revenues (2013); top 5 consultancy worldwide; two thirds of the world's largest companies are our clients
Headquartered in Paris
Paul Hermelin, Group Chairman and CEO
45. Capgemini Consulting
The strategy and transformation brand of the group
Global: strong global network; 10,000 strategy and management consulting experts; present on all continents
Cyril Garcia, CEO Capgemini Consulting
Capgemini Consulting Germany/Austria/Switzerland
Dr. Volkmar Varnhagen, CEO CC Germany/Austria/Switzerland
46. CIO Advisory Services
OUR MISSION is to SUPPORT CIOs in every aspect of their work, from ASSESSMENT to STRATEGY all the way through TRANSFORMATION
To increase Capgemini Consulting's client focus and build trusted long-term relationships with our clients, we have designed our service offerings along the life cycle of CIOs
ASSESS: What is the current state of your IT operation?
IT Flash Assessment; Cybersecurity Risk Assessment; IT Project/Program Audit; Digital Day; IT Due Diligence; Post-Merger Integration IT and IT M&A Assessment
STRATEGIZE: How do you position your IT organization strategically?
IT Strategy Development; Cybersecurity Strategy; IT Innovation Strategies; IT Digital Strategies; Mobile Strategy; Cloud Strategy
TRANSFORM: How do you improve/transform your IT organization long-term?
IT Organizational Transformation; Cybersecurity Transformation; Digital Service Unit; Lean IT/IT efficiency; IT Portfolio Management; IT Shared Service Center; Project Turn-around and PMO
47. Capgemini Consulting relies on a strong and global Cybersecurity capability network within the Capgemini Group
Capgemini Group offers and capabilities
2,500+ Capgemini resources with Cybersecurity skills, located in: Canada, United States, Mexico, Guatemala, Colombia, Brazil, Chile, Argentina, all over Europe, Morocco, South Africa, United Arab Emirates, India, People's Republic of China, Taiwan, Japan, Vietnam, Malaysia, Singapore, Philippines, Australia, New Zealand
Capabilities (grouped on the slide under Management, Transformation and Build): Digital security assessment & strategy and risk management; Security technical assessment; Security transformation program management; Design and implementation of security solutions; Cybersecurity awareness
48. We constantly search for new customer solutions and provide our customers with the latest research and points of view on current and future topics
Capgemini Surveys and Benchmarks (examples)
International Information Security studies & POVs
IT Strategy & Change Management
Digital Transformation, in cooperation with MIT: the objective is to understand how the "digital winners" are managing (or have managed) their Digital Transformation, starting from "brick and mortar" and moving to a "digital company", and to identify some guiding principles and best practices
Information Security Benchmarking 2015: Information Security assessment of companies in Germany, Austria and Switzerland (May 2015, this study)
Trends in Security 2014
49. Contacts
Dr. Guido Kamann
Head CIO Advisory Services DACH
Capgemini Suisse S.A.
Leutschenbachstrasse 95
CH-8050 Zürich
Phone: +41 44 5602 400
E-Mail: guido.kamann@capgemini.com
Dr. Paul Lokuciejewski
Lead of Cybersecurity Consulting
Capgemini Deutschland GmbH
Berliner Str. 76
D-63065 Offenbach
Phone: +49 151 4025 0855
E-Mail: paul.lokuciejewski@capgemini.com
Thank you.