1 © Copyright 2014 EMC Corporation. All rights reserved.

Transforming Information Security
Insights from the Security for Business Innovation Council
Dr. Michael Teschner, RSA Deutschland, May 2014


The Security for Business Innovation Council

A group of highly successful security executives from Global 1000 enterprises

Driving the industry conversation about how to better align security with business strategy

Ideas published in a series of reports, combined with independent research

Convened and sponsored by RSA


Who is in the SBIC?

ABN Amro: Dr. Martijn Dekker, Senior Vice President, Chief Information Security Officer
AstraZeneca: Simon Strickland, Global Head of Security
Automatic Data Processing, Inc.: Roland Cloutier, Vice President, Chief Security Officer
The Coca-Cola Company: Renee Guttmann, Chief Information Security Officer
eBay: Leanne Toliver, Office of the Chief Information Security Officer
EMC Corporation: Dave Martin, Vice President and Chief Security Officer
FedEx Corporation: Denise Wood, Corporate Vice President, Information Security, Chief Information Security Officer, Chief IT Risk Officer
Fidelity Investments: Timothy McKnight, Executive Vice President, Enterprise Information Security & Risk
HDFC Bank Limited: Vishal Salvi, Chief Information Security Officer and Senior Vice President
HSBC Holdings plc.: Bob Rodger, Group Head of Infrastructure Security
Intel: Malcolm Harkins, Vice President, Chief Security and Privacy Officer
Johnson & Johnson: Marene Allison, Worldwide Vice President of Information Security
JPMorgan Chase: Anish Bhimani, Chief Information Risk Officer
Nokia: Petri Kuivala, Chief Information Security Officer
SAP AG: Ralph Salomon, Vice President Security, Processes & Compliance Office, SAP Cloud and SAP IT
TELUS: Kenneth Haertling, Vice President and Chief Security Officer
T-Mobile USA: Bill Boni, Corporate Information Security Officer (CISO) and Vice President, Enterprise Information Security
Walmart: Jerry Geisler, Office of the Chief Information Security Officer


Transforming Information Security

A three-part series published across 2013-2014

Vision of what an effective and forward-leaning information security program looks like
– Actionable advice for how to get there

Recommendations for:
– Designing a state-of-the-art extended team
– Future-proofing information security processes
– Evaluating and adopting essential new technologies


Designing a State-of-the-Art Extended Team


Today’s security teams are in transition

TEAMS IN THE PAST … | TEAMS TODAY …
Implemented and operated security controls | Performs business- and risk-driven security functions
Siloed, “we do it all” approach | Collaborative approach with shared responsibility for securing info assets
Focused on reactive, technical security controls | Focuses on proactive, strategic risk priorities


Security teams in transition (cont’d.)

TEAMS IN THE PAST … | TEAMS TODAY …
Technically-oriented security personnel | Multidisciplinary teams with diverse technical and business leadership skills
Traditional IT or security backgrounds | Wide range of backgrounds, from data science to military intel


1. Redefine and strengthen core competencies

Increase proficiencies in four main areas:
– Cyber risk intelligence and security data analytics
– Security data management
– Risk consultancy
– Controls design and assurance


2. Delegate routine operations

Identify suitable processes: repeatable and well-established

Allocate to internal groups or external service providers

Ensure adequate command and control
– Implement requirements, standards, and SLAs
– Retain sufficient domain expertise

Continually evaluate what functions could be done by others more efficiently and/or cost-effectively


3. Borrow or “rent” experts

Augment the expertise of the core team, particularly when:
– The core team lacks expertise in specialized areas
– It is infeasible or too costly to keep specialized experts on staff
– Work overflows due to special projects or staff shortages

Leverage personnel from other departments or external consultants


4. Lead risk owners in risk management

Partner with the business to manage cyber risks
– Establish risk appetite and acceptance levels
– Gauge cyber risks versus business rewards

Develop a consistent approach to risk identification, assessment, remediation, and reporting

Incorporate information risk into the overall ERM (enterprise risk management) program

Make it easy for the business and hold it accountable
– Self-service tools, integrated processes, and automation


5. Hire process optimization specialists

Meet the requirement for a formalized system to consistently measure and improve processes

Integrate team members with experience in quality, project management, or service delivery
– E.g. Six Sigma, ITIL’s IT Service Management (ITSM), COBIT IT governance, and/or TOGAF’s enterprise architecture

Leverage professionals from other areas of the organization
– E.g. Quality Department or Enterprise Program Office


6. Build key relationships

Engage at all levels of the organization
– Managers controlling technology investments
– Executives overseeing strategic business programs

Have influence with key players
– Owners of the organization’s “crown jewels”
  ▪ E.g., business processes involving IP or valuable proprietary data
– Middle management
– Business process outsourcing providers


7. Think out-of-the-box for future talent

Work with business units and HR on recruitment strategy
– Consider a wide range of sources, including unconventional ones
  ▪ E.g., database admins, software developers, military intel, journalists, historians, mathematicians, economists, DNA scientists

Lack of readily available expertise means developing talent
– Create an internal “cyber security academy”
– Support employees who pursue external training/certifications
– Partner with universities
  ▪ E.g., shape curricula and create internship opportunities


Future-Proofing Processes


Processes That Need Improving

Risk Measurement

Business Engagement

Control Assessments

Third-Party Risk Assessments

Threat Detection


1. Shift Focus from Technical Assets to Critical Business Processes


2. Institute Business Estimates of Cybersecurity Risks


3. Establish Business-Centric Risk Assessments


4. Set a Course for Evidence-Based Controls Assurance


5. Develop Informed Data Collection Techniques


Focusing on Strategic Technologies


Thinking About Security Tech Investments

Major innovations underway in security technology can address emerging challenges
– Changes in the threat landscape
– Use of cloud technologies
– Transition to mobile devices

Technologies are not being developed or implemented quickly enough to keep up with emerging threats


Shift in Mindset, Shift in Technology

More organizations acknowledge the inevitability of breaches and have turned their attention to minimizing their impact
– Leading security teams are investing in technologies that detect intrusions rather than relying on prevention alone

Need for security technologies that provide better anticipatory defenses as well as improve business productivity


Focus Areas For Increased Investment

1. Cyber-threat Resilience
– Detection and response to minimize damage or loss

2. End-user Experience Optimization
– Improved UX of security features / functions

3. Cloud Security
– Enhanced visibility and control


Specific Technologies To Consider

Security Analytics
– A foundational technology to help achieve a stronger cyber defense

Next-Generation Anti-Malware
– Add new techniques to this baseline capability


Specific Technologies To Consider (cont’d.)

Flexible Authentication Methods
– Implement new analytics-driven / risk-based models
– Optimize end-user convenience and level of assurance

Identity & Access Management
– Increased granularity, providing deeper, vital insight into user privileges
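The risk-based authentication model named above trades end-user convenience against level of assurance by deciding, per login, how much proof to demand: a routine login from a known device gets a password, an anomalous one gets step-up MFA or is refused. The following is an added illustration, not code from RSA, the SBIC reports or this deck; the signal names, weights, thresholds and user histories are assumptions constructed for the example, and a real deployment would derive them from its own login and fraud data.

```python
"""Adaptive (risk-based) authentication decision: illustrative, not RSA/SBIC code."""
from dataclasses import dataclass, field

# Assumed, illustrative weights per risk signal (not from any product).
SIGNAL_WEIGHTS = {
    "new_device": 30,         # device identifier never seen for this user
    "new_country": 25,        # login country not in the user's history
    "impossible_travel": 50,  # distance/time since last login is implausible
    "anonymized_ip": 35,      # source IP is a Tor exit or open proxy
    "off_hours": 10,          # outside the user's usual activity window
    "failed_attempt": 5,      # per recent failed attempt on this account
}

@dataclass
class LoginContext:
    """Signals observed for one login attempt (constructed sample data)."""
    user: str
    device_id: str
    country: str
    hour: int                      # local hour of day, 0-23
    recent_failures: int = 0
    anonymized_ip: bool = False
    km_since_last: float = 0.0     # distance from last successful login
    hours_since_last: float = 24.0 # elapsed time since last successful login

@dataclass
class UserHistory:
    """What the analytics store knows about the user (constructed)."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    usual_hours: range = range(7, 20)

def risk_score(ctx: LoginContext, hist: UserHistory) -> int:
    """Sum the weights of the signals that fire, capped at 100."""
    score = 0
    if ctx.device_id not in hist.known_devices:
        score += SIGNAL_WEIGHTS["new_device"]
    if ctx.country not in hist.known_countries:
        score += SIGNAL_WEIGHTS["new_country"]
    # Impossible travel: implied speed above ~900 km/h (faster than an airliner).
    if ctx.hours_since_last > 0 and ctx.km_since_last / ctx.hours_since_last > 900:
        score += SIGNAL_WEIGHTS["impossible_travel"]
    if ctx.anonymized_ip:
        score += SIGNAL_WEIGHTS["anonymized_ip"]
    if ctx.hour not in hist.usual_hours:
        score += SIGNAL_WEIGHTS["off_hours"]
    score += SIGNAL_WEIGHTS["failed_attempt"] * min(ctx.recent_failures, 10)
    return min(score, 100)

# Assumed thresholds (score at which MFA is required, score at which login is denied),
# keyed by how sensitive the requested resource is. Sensitive resources step up sooner.
THRESHOLDS = {"low": (40, 80), "high": (15, 60)}

def required_assurance(score: int, resource_sensitivity: str = "low") -> str:
    """Map a risk score to the assurance level to demand: password, mfa or deny."""
    mfa_at, deny_at = THRESHOLDS[resource_sensitivity]
    if score >= deny_at:
        return "deny"
    if score >= mfa_at:
        return "mfa"
    return "password"

def decide(ctx: LoginContext, hist: UserHistory, resource_sensitivity: str = "low"):
    """Return (score, assurance level) for one login attempt."""
    score = risk_score(ctx, hist)
    return score, required_assurance(score, resource_sensitivity)

if __name__ == "__main__":
    hist = UserHistory(known_devices={"laptop-1"}, known_countries={"DE"})
    routine = LoginContext("alice", "laptop-1", "DE", hour=10)
    new_phone = LoginContext("alice", "phone-9", "DE", hour=10)
    hostile = LoginContext("alice", "phone-9", "BR", hour=3, anonymized_ip=True,
                           km_since_last=9500, hours_since_last=2)
    print("routine, low-sensitivity app:", decide(routine, hist))
    print("new phone, low-sensitivity app:", decide(new_phone, hist))
    print("new phone, high-sensitivity app:", decide(new_phone, hist, "high"))
    print("hostile pattern:", decide(hostile, hist))
```

The same login from a new phone passes with a password for a low-sensitivity application but triggers MFA for a high-sensitivity one, which is the convenience-versus-assurance trade the slide describes; the additive scoring is deliberately simple so the decision can be explained to the user and audited.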


Specific Technologies To Consider (cont’d.)

New Cloud Services
– Services to help with visibility and control in the Cloud


1. Look At Least 3 Years Ahead

Determine what security capabilities will be needed and what security technologies will be available
– Think about maturity vs. value

Advance planning can help the organization maintain a competitive advantage
– The report offers 5 ideas to stay ahead of the curve


2. Achieve a Bigger Picture Through Integration

Technologies are now available to more easily integrate systems for a greater overall benefit
– More comprehensive visibility
– Data enrichment
– Correlation
– Operator efficiency


3. Maximize Value through Formalized Technology Deployments

Predict and track total costs and total value

Scale deployments for quick wins

Approach maintenance strategically


The Security Transformation Journey

[Figure: Intelligence-Driven Security, built on People, Process, and Technology]


For More Information

http://www.emc.com/microsites/rsa/security-for-business-innovation-council.htm

Download full reports, infographics, videos

Sign up to get new reports delivered

