Page 1: Cyber security dashboard - Amazon Web Servicesfilestest.smart.pr.s3-eu-west-1.amazonaws.com/60/50f560e98811e4ba... · cyber security dashboard: monitor, analyse and take control of

CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY


2 FEEL FREE Cyber Security Dashboard © 2015 KPMG Advisory N.V.

INTRODUCTION

Information security has evolved. As the landscape of threats increases and cyber security¹ management becomes more complex, CISOs, security committees, executives and boards of directors are demanding meaningful information for decision-making. However, cyber security stakeholders face significant challenges identifying, obtaining, processing and aggregating key information that enables them to steer towards defined targets effectively, and ultimately be in better control of their organisation’s cyber security.

In practice, the responsibility for cyber security is often distributed amongst different organisational areas – as is the relevant information. In addition, the range of activities related to cyber security is so broad that it is not easy to identify the key elements that indicate how cyber security is contributing to (or even preventing) the achievement of the business’s goals. And, as if that isn’t enough of a challenge, the highly technical, specialist origins of cyber security often result in highly technical, specialist sets of information that, although essential for operational activities, are not valuable for high-level, business decision-making.

The good news is that complexity, interdependency, specialisation and large quantities of information are not new challenges for the business world. As mentioned in our publication The five most common cyber security mistakes, KPMG approaches cyber security as ‘business as usual’ – an area of risk that requires the same level of attention as fraud. And in the same way that other business areas are monitored and measured, cyber security can be monitored and measured with the support of dashboards that display the right key performance indicators (KPIs).

¹ Cyber Security is the endeavour to prevent damage by disruption, outage or misuse of IT and, if damage does occur, the repair of this damage. The damage may consist of: impairment of the reliability of IT, restriction of its availability, and the breach of confidentiality and/or the integrity of information stored in the IT system. (Source: National Cyber Security Strategy 2 – 2013).


WHY A CYBER SECURITY DASHBOARD?

In short, a Cyber Security Dashboard will help you steer your organisation towards the desired cyber security position, while providing answers to key questions often raised by executives. Examples of these questions are:

BOARD OF DIRECTORS

• What is the status of our cyber resilience capabilities compared to the current and expected threat level?

• What is the impact that cyber security risks have on our strategy?

• How do our measures and investments compare to the rest of our sector?

• Are we compliant with the relevant cyber security and related regulations?

• Are we in control of cyber security in the value chain?

CIO

• What are the key drivers in cyber security risk management and how are they developing?

• What is the status of our preventative capabilities, as related to cyber security?

• What is the status of our detective and reactive capabilities, as related to cyber security?

• What is the status of the compliance framework?

• What were the root causes and actions taken in relation to the high-impact incidents in the last period?


When adequately designed and implemented, Cyber Security Dashboards also provide:

• INSIGHT into the overall state of cyber security, as related to business targets. This allows for improved decision-making and better control of cyber security;

• FOCUS on what is important for the business. Cyber security efforts should be balanced between business risks and opportunities. Nevertheless, it is easy to lose focus when the information available is too spread, detailed or technical to provide a consistent overview;

• COMMUNICATION & AWARENESS. Business executives and boards of directors are demanding relevant information, while cyber security professionals are trying to raise the awareness of executives and boards of directors. A Cyber Security Dashboard provides a means of communication that facilitates awareness of major areas of concern from both perspectives: cyber security and organisational goals;

• STANDARDISATION AND EFFICIENCY, particularly across regions and functional units within large organisations. As mentioned earlier, the responsibility for information security is often scattered, with local or regional security officers often interpreting, customising and implementing policies that are usually defined at corporate level. This sometimes results in non-standard reporting formats, increasing the time required to compile and produce aggregated reports, as well as the work required to interpret them.

Depending on the specific purpose of the dashboard, some benefits may be more prevalent than others; in any case, the dashboard will contribute by providing an overview of the main information needed to control cyber security and make decisions that further the business’s objectives.

But what information should a Cyber Security Dashboard display? In the same way that each organisation has a unique strategy, culture and maturity, it has unique cyber security information needs. Through a combination of research and our extensive experience, KPMG has identified six key areas of focus that provide a comprehensive overview of cyber security.


THE CYBER SECURITY DASHBOARD FOUNDATION: SIX AREAS OF FOCUS

RISKS
- Benchmark with peers
- Coverage
- Top risks
- Others

PROJECTS
- Impact on risk reduction
- Progress
- Cyber Security Maturity

COMPLIANCE
- External
- Internal
- Readiness

INCIDENTS
- Statistics
- Incident Management
- Benchmark with peers

AWARENESS & CULTURE
- Learning scores
- Training coverage
- Incidents and other violations associated with awareness

THREAT LEVEL
- External
- Internal

The areas of focus serve as the foundation for identifying the most relevant measures to be considered on a company’s dashboard. They cover the core areas of cyber security: risks, compliance, incidents, awareness & culture, threat level and key cyber security projects in development.


CYBER SECURITY RISKS

Cyber security management and business decision-making are closely related to risk management. Executives and board members need to understand and monitor the cyber risks that may hinder the organisation’s ability to achieve its goals. These risks are represented by key risk indicators (KRIs) that are directly derived from the organisation’s strategy. For example, if a retail company’s strategy is to grow through increased revenue and market share on e-Commerce channels, then the downtime of online shopping sites directly affects the realisation of the strategy, becoming a KRI.

Another perspective on risk may be provided via benchmarking. Executives often want to know their organisation’s status compared to industry peers or best practices. Benchmarks related to organisational maturity levels and framework compliance are available in the marketplace.

[Figure: Top 10 risks heat map plotting R1–R10 by likelihood (0–6) against impact (0–6)]

Top Risks (the trend arrows of the original table are not reproduced)

RISK | DESCRIPTION | LEVEL | COMMENTS
R1 | LOSS OR ALTERATION OF INTELLECTUAL PROPERTY | Very High | Existing system does not allow control of administrators. Analysis for change of system in progress.
R2 | SENSITIVE CUSTOMER DATA DISCLOSURE | Medium | Inventory of repositories is at 80%. Identified repositories are compliant with risk appetite.
R3 | UNAVAILABILITY OF ONLINE SALES CHANNELS | High | Penetration test identified severe vulnerabilities in configuration. Changes in progress.
R8 | STRATEGIC INFORMATION LEAKAGE | Very High | Increased impact with new business project. IT acquisition and awareness trainings in process.
R7 | FINANCIAL FRAUD | Medium | Recent audit findings identified failures in user management processes. Changes in progress.

Benchmark: Security Forum Control Framework 2014 – second quartile


COMPLIANCE

In practice, one of the main drivers of cyber security is compliance.

Typical requirements that organisations need to comply with include laws, regulations and contractual demands from business partners, suppliers and customers. Failing to comply may result in substantial fines, termination of contracts with strategic partners or customers and, ultimately, suspension of operations.

Furthermore, as threats increase and customers demand higher levels of data protection, new compliance requirements are continuously emerging. Being able to proactively monitor your organisation’s readiness to meet coming requirements may allow for a more timely and cost-effective compliance strategy.

CYBER SECURITY INCIDENTS

Incidents do happen, and we need to react to, and learn from, them. Analysis of information security incidents often provides business stakeholders with an additional perspective on risk levels, making it highly valuable. Usual measures of interest are general statistics on severe incidents such as the number, business impact and source; benchmarking with industry peers; and elements associated with the effectiveness of the incident management process, such as average incident detection/response time.

[Figure: Impact of incidents per category of threats (in millions, logarithmic scale € 1 – € 10 – € 100): Error, Physical theft/loss, Insider Misuse, Social, Malware, Hacking]

[Figure: Overall Maturity per Requirement (Europe), current vs. target on a 0–4 scale: DNB, Internal Framework, Other, ISO 27001, PII, ISF]


AWARENESS & CULTURE

As important as awareness is, measuring it objectively poses a significant challenge. Current social and technology trends are forcing organisations to become more reliant on end-user behaviour to protect information. Telecommuting and bring-your-own-device are common practices worldwide, making information readily available almost everywhere, and more difficult – and expensive – to protect.

Cyber security awareness aims to develop specific behaviours in employees, contractors and other parties that process or use the organisation’s information. The main objectives are to reduce risks related to human error, as well as the time required to identify incidents and violations.

There is no single metric that accurately and objectively assesses people’s level of understanding, or their expected reaction should a cyber security situation arise. This is why KPMG approaches this dimension from two perspectives: training – what is the company doing towards culture development – and actual behaviour – what is the result of those actions.

Indicators in training are usually related to coverage of the target audience and scores on assessments such as e-quizzes or surveys.

KPMG measures behaviour by looking at eight soft controls: clarity of rules; exemplary behaviour; practicability; involvement; visibility; organisational openness; peer openness; and enforcement.

Being able to determine and compare security awareness levels between business units and regions supports decision-makers in prioritising resources and activities.

[Figure: Awareness & culture scores, current vs. target (0–100%), for the eight soft controls – clarity of rules, exemplary behaviour, practicability, involvement, visibility, organisational openness, peer openness, enforcement – and for awareness, prevention, detection and response]


[Figure: two gauges. Threat level: 10 on a scale of 0–100 – “No discernible activity with a moderate or severe risk rating.” (Source: ThreatCon). Awareness: 70 on a scale of 0–100 – no recent incidents; positive scores on test (Q3-2013)]

THREAT LEVEL

Modern cyber resilience is based on threat intelligence. The better an organisation understands its threat environment, the better it can prepare and respond to it. Threats in the cyber landscape include nations, activists, organised crime, the competition and the organisation’s insiders, amongst others. By gathering and analysing data from internal and external sources, and identifying their implications in your own environment, it is possible to obtain an overview of a general threat level that can be used as a point of reference.

Key cyber security projects/initiatives (the original table also shows status vs. target and progress vs. plan as graphical indicators, which are not reproduced)

PROJECT | DIVISION
IRM | EMEA
Cyber Security Governance | EMEA
Outsourcing review | ASIA
ISO 27001 Certification | AMERICAS
Awareness | ALL

KEY SECURITY PROJECTS/INITIATIVES

Knowing the progress and general status of the major security projects is essential to cyber security management. Furthermore, executives want to be able to assess the potential impact of these projects on cyber security posture, the potential constraints they may pose to target achievement, and whether actions are required to guarantee alignment with business objectives.

These areas of focus are not exhaustive, but they cover the key areas KPMG has found to make the difference in controlling cyber security. The goal is to identify the areas that best fit your organisation’s current and future business needs and include them as part of the dashboard. It is possible that additional topics, such as costs and budget-related indicators, also need to be considered, but in the end, what matters is that the selected elements actually contribute to business decision-making, respond to the audience’s needs and are aligned with the company’s current security practices.


STRATEGIC APPROACH TO A CYBER SECURITY DASHBOARD

Defining and implementing a dashboard is a challenging project. Difficulties commonly found on the way include selecting the dashboard elements that will support decision-making, unforeseen impacts on operational and tactical processes, and complex data sources – sometimes dependent on third parties. This is why KPMG has developed a strategic, phased approach: by incrementally defining and constructing the dashboard, requirements are constantly refined, while enabling optimal management of investment and creating situational awareness of the target audience.

The dashboard is built in two main phases, so from the beginning the benefits are tangible: first the reporting elements & prototype are defined, and then the dashboard is automated and embedded in the processes.

Phased approach for dashboard development:

REPORTING ELEMENTS & PROTOTYPE DEFINITION
- INITIAL DESIGN: identification of key stakeholders and their needs; assessment of delivery capabilities
- PROTOTYPE: design prototype; evaluation and refinements
- DETAILED DESIGN: develop dashboard growth model; build business case
- PROOF-OF-CONCEPT: build PoC; evaluate PoC

DASHBOARD IMPLEMENTATION & AUTOMATION
- BUILD DASHBOARD: implementation and embedding per phase
- TRAINING & SUPPORT: training of users and administrators; establish organisation for support and enhancements


The initial design should be balanced against what we refer to as ‘delivery capabilities’, in other words, elements within the organisation that enable the desired outcome. Examples of these capabilities are the organisation’s maturity, management support, internal processes, and available data sources and technology.

Delivery capabilities often pose important challenges for the project. For example, a data source may seem reliable and comprehensive, but it may later turn out that the data only covers a low percentage of the target population, or that the originating process is highly prone to human error.

Once the initial design is finalised, a prototype is built. The prototype allows for validation of the initial requirements, and results in design and metric adjustments. The subsequent two stages focus on the development of a proof-of-concept that will determine whether the organisation is ready to build the dashboard, and that delivers a growth model and a business case.

After the proof-of-concept has been positively evaluated, the dashboard is developed. This is achieved by following a phased approach that allows for gradual embedding in the internal processes. During this stage, common challenges relate to stakeholder management and dashboard embedding, since certain (parts of) processes may require changes to successfully incorporate the tool. Finally, the transition activities take place, including training, implementation of the support scheme, and update and expansion processes.


CONCLUSION

Measuring and reporting on cyber security to the strategic level is not an easy task. Most existing security metrics focus on operational and technical aspects, while executives are demanding high-level, meaningful business-related information. In addition, the delegation of cyber security activities to local/regional security officers often results in non-standardised reporting, hindering in turn decision-making processes.

The end result may look simple, but to deliver and successfully embed a reliable Cyber Security Dashboard requires skills and experience in many diverse areas, during each of the development phases.

A strategic approach to the definition of a Cyber Security Dashboard helps your organisation steer on key focus areas, create situational awareness, standardise reporting practices, align cyber security with the business and improve the control over cyber security activities.

[Figure: example Cyber Security Dashboard with six panels – Strategic Projects (CMDB setup project, External penetration test, Hiring SOC personnel, Information security plan 2015, Internal vulnerability scanner; % status vs. target and % target vs. plan, 0–100%); Key Incidents (impact, € 0 to € 10,000, against occurrence, by category: Denial of Service, Insider Misuse, Misc. Errors, Physical Theft, Unknown); Strategic Risk (impact vs. chance heat map, 0–4, plotting R1–R5); Compliance (% per requirement for 2012–2014, reproduced below); Threat Level (by actor category: Competitors, Cyber Investigators, Cyberpunks and scriptkiddies, External consultants, Hacktivists, Internal employee, Organized cyber criminals, States); Maturity (current level, 0.0–3.5, per department: IT, Health, Finance, Administration, HR, Risk, Marketing, Treasury, Industry)]

Compliance panel of the example dashboard (sample data from the mock-up):

REQUIREMENT | 2012 | 2013 | 2014
COBIT | 75% | 80% | 80%
DNB (banks) | 90% | 90% | 20%
Internal Framework | 60% | 30% | 10%
ISF | 60% | 60% | 60%
ISO 27001 | 50% | 65% | 65%
SANS | 70% | 70% | 65%
SOx | 70% | 90% | 90%


WHY KPMG?

The Cyber Security Dashboard is one component of KPMG’s Global Cyber Transformation Service[s]. Our vision is to make cyber security an integral part of your business through:

• EXPERIENCE We understand the business and know about cyber security. We have supported organisations in diverse industry sectors in developing Cyber Security Dashboards, and have identified key information and metrics that strategic stakeholders are looking for;

• INTEGRATED APPROACH We bring together specialists in information protection, risk management, organisational design, behavioural change and intelligence management. These combined skills are utilised to tailor a solution relevant to your risk appetite and the cyber threats your organisation faces;

• END-TO-END VISION We do not just display data on a dashboard but also analyse the related processes and identify potential areas of improvement. By analysing the dashboard audiences and their activities, we develop the dashboard accordingly. Assistance is provided with embedding the dashboard within existing processes and leveraging it to further the organisation’s capabilities;

• DATA RELIABILITY KPMG is an audit firm. We look for reliable data. We challenge the data sources and assist in taking the steps required to make the data accurate, complete and, ultimately, suitable for decision-making.



© 2015 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. The name KPMG, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Contact us

For more information on Cyber Dashboarding or KPMG’s Cyber Transformation Service, please contact one of our practitioners or visit us at www.kpmg.com/cybersecurity

