8/17/2019 MONDAY CS 1 7 Nick Galletto Michael Juergens
Cyber-Security: Proactively managing the cyber threat landscape
Agenda
• Understanding the cyber threat landscape
• Building a resilient Cyber Risk capability
• An Internal Audit approach
• Closing thoughts
Understanding the cyber threat landscape
The evolving threat landscape…
• $55 million: Lilly scientists stole $55 million in trade secrets [1] (Indianapolis Business Journal, October 8, 2013)
• 800 million: Last year, over 800 million records were breached globally, up from 250 million in 2012 (The Economist, July 2014)
• 40 million: Target missed signs of a data breach (40 million credit card numbers compromised) [2] (NY Times, March 13, 2014)
• 3: On a scale of 1 to 10… American preparedness for a large-scale cyber attack is around a 3 [3] (NY Times, July 2012)

[1] http://www.ibj.com/lilly-employees-stole-55-million-in-trade-secrets-indictment-alleges/PARAMS/article/43949
[2] http://www.nytimes.com/2014/03/14/business/target-missed-signs-of-a-data-breach.html?_r=0
[3] http://www.nytimes.com/2012/07/27/us/cyberattacks-are-up-national-security-chief-says.html?_r=0

Why?

Corporate change & innovation
Technology innovations that drive business growth also create cyber risk. New technology-enabled business models create new opportunities for malicious actors to exploit and a higher likelihood of accidental vulnerabilities.

Evolving threat environment
Cyber threats are asymmetrical risks. Cyber crime grows in sophistication, and attacks increase in speed and number, while time to respond decreases. Targeted attacks on operations, brand, and competitive advantage are more impactful than ever.

Changing regulatory environment
Regulatory changes continue to absorb resources and attention.
© Deloitte LLP and affiliated entities. | Cybersecurity – Proactively managing the cyber threat landscape 4
Cyber risk – High on the agenda

Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government and regulatory focus.

• The Executive Order highlights the focus on an improved cybersecurity framework and the rapid changes of regulatory agency expectations and oversight.
• Recent U.S. Securities and Exchange Commission (SEC) guidance regarding disclosure obligations relating to cybersecurity risks and incidents:
  “Registrants should address cybersecurity risks and cyber incidents in their Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A), Risk Factors, Description of Business, Legal Proceedings and Financial Statement Disclosures.” (SEC Division of Corporate Finance Disclosure Guidance: Topic No. 2 ‒ Cybersecurity)
• Ever-growing concerns about cyber-attacks affecting the nation’s critical infrastructure prompted the signing of Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity.
• One of the foundational drivers behind the update and release of the 2013 COSO Framework was the need to address how organizations use and rely on evolving technology for internal control purposes.
Cyber risk (cont’d) – Roles and responsibilities

Effective risk management is the product of multiple layers of risk defense. Internal Audit should support the board’s need to understand the effectiveness of cybersecurity controls.

1st line of defense: business and IT functions
2nd line of defense: information and technology risk management function
3rd line of defense: internal audit

Responsibilities across the three lines:
• Establish governance and oversight
• Set risk baselines, policies, and standards
• Implement tools and processes
• Monitor and call for action, as appropriate
• Provide oversight, consultation, checks and balances, and enterprise-level policies and standards
• Incorporate risk-informed decision making into day-to-day operations and fully integrate risk management into operational processes
• Define risk appetite and escalate risks outside of tolerance
• Mitigate risks, as appropriate
• Independently review program effectiveness
• Provide confirmation to the board on risk management effectiveness
• Meet requirements of SEC disclosure obligations focused on cybersecurity risks

Given recent high profile cyber attacks and data losses, and the SEC’s and other regulators’ expectations, it is critical for Internal Audit to understand cyber risks and be prepared to address the questions and concerns expressed by the audit committee and the board.
What are we seeing?
1. Attack vector shifting from technology to people.
2. Attack patterns are increasingly starting to look like normal behavior. Threats are increasingly hiding in plain sight. Some of the threats are adaptive and have the ability to go into dormant mode, making them difficult to detect.
3. Criminals, state actors and even hacktivists are building better intelligence, capability and have a wider network of resources than organizations (i.e., widening capability gap).
4. Supply chain and business partner poisoning or lateral entry are on the rise.
5. Advanced threat adversaries’ calling card: they defy traditional signature-based approaches.
Incident patterns
… of incidents can be described by just nine basic patterns
… of incidents in an industry can be described by just three of the nine patterns

The nine patterns (plus “everything else”):
• Card skimmers
• Cyber-espionage
• Physical theft/loss
• Point-of-sale intrusions
• Miscellaneous errors
• Web application attacks
• Insider misuse
• Crimeware
• Denial of service attacks
• Everything else
Who might attack?
• Cyber criminals
• Hacktivists (agenda driven)
• Nation states
• Malicious insiders
• Rogue suppliers
• Competitors
• Skilled individual hacker

What are they after and what key business risks must we mitigate?
• Sensitive data
• Financial fraud (e.g., wire transfer, payments)
• Business disruption (building systems, etc.)
• Threats to health & safety

What tactics might they use?
• Spear phishing, drive-by download, etc.
• Software or hardware vulnerabilities
• Third party compromise
• Stolen credentials
• Control systems compromise

Ultimately cyber is about brand and reputation with your tenants and investors.
It starts by understanding your organizational risk appetite.
Cyber… What is the actual threat?

Crime      Who    Did it?
Espionage  What   Did they see & take?
Warfare    When   Do we fight back?
Terrorism  Why    Did they do it?
Security   How    Do we prevent it (again)?
New technologies, new threats

Target: your business (strategic assets, financial assets, data & intelligence). Vulnerability: new technologies, new threats.

Attack lifecycle (what / how):

Reconnaissance
  What: Gain intelligence and identify vulnerabilities
  How: Research the internet, call call-centers, trawl social media etc.

Attack
  What: Target identified vulnerabilities
  How: Targeted email attacks, unsuspecting downloads from malicious or compromised websites, exploit application or infrastructure software vulnerabilities etc.

Exploit
  What: Gain broad deep access
  How: Escalate privileges, gain increased access, observe/control network or servers, increase sophistication of attacks, hide tracks, etc.

Fulfill objective
  What: Steal/damage/disrupt
  How: Encrypt then exfiltrate data being stolen, stay hidden for long periods of time, erase digital footprint
Speed of attack is accelerating
• Initial attack to initial compromise takes place within minutes (almost 3 of 4 cases: 72%)
• Data leaks occur within minutes (nearly half: 46%)
• Discovery takes weeks or longer, and containment (post-discovery) requires weeks or longer (the slide shows 59% and 72% for these two)

Time is of the essence.
Case study – JP Morgan Chase & Co.*

Timeline dates (victim and attacker timelines): Mid-June, Mid-August, Aug 27, Aug 28, Sept 11, Oct 2, Jan 08

Events:
• JP learns of attack, closes all network access paths
• State attorneys seek information from JP about the breach
• JP reports to US-SEC, reveals details of cyber-attack
• News agencies report of FBI investigating the bank
• Attackers gain access to JP servers, steal personal information (attacker timeline)
• JP says it isn’t seeing “unusual fraud”
• JP maintains the statement ‒ isn’t seeing any “unusual fraud activity”

* http://www.nytimes.com/2014/08/06/business/target-puts-data-breach-costs-at-148-million.html?_r=0
Building a resilient Cyber Risk capability
Build a resilient cyber security organization

This means having the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents.

Cyber governance spans three capabilities:
Secure – Cyber threat mitigation: Are controls in place to guard against known and emerging threats?
Vigilant – Cyber threat intelligence: Can we detect malicious or unauthorized activity, including the unknown?
Resilient – Cyber incident response: Can we act and recover quickly to minimize impact?
Changes in threat landscape versus capability

[Figure: threat types arranged from conventional warfare to cyber warfare, plotted against detection capabilities rated Effective / Marginally effective / In-effective]

Threat types (conventional warfare to cyber warfare):
• Conventional (conventional warfare, symmetric vectors)
• Infrastructure threats (retail threats, open toolkits, general botnet, distributed denial of service)
• Guerilla (hide among civilians, i.e., hide in plain sight)
• Targeted attacks (hide within business traffic)
• Espionage (seek, analyze and exfiltrate)
• Cyber-espionage (seek, analyze and exfiltrate)

Detection capabilities shown: signature based (e.g., correlation); behavioral analysis and machine learning model; risk analytics (including BDSA)

Categories:
• Cat A ‒ SIEM (near real time analysis)
• Cat B ‒ Behavioral analysis and machine learning (mid term analysis)
• Cat C ‒ Cyber analytics (long term analysis)

Other labels on the figure: System 1 learning, System 2 learning
Options – Building your defenses

Insource | Co-source | Outsource
Benefits and challenges

Operating model options:

Insource (Capex)
• Maintain and enhance existing use cases
• Resourcing required to operate three shifts
• Industry and business alignment
• Level one monitoring and management
• Limited threat intelligence gathering
• Hardware, build, run and maintain costs

Outsource (Opex)
• Alignment of use cases to evolving threat landscape
• Round the clock monitoring, management and incident response
• Industry and risk profile alignment
• Level one, two and three monitoring and management
• Proactive cyber threat intelligence
• Cloud based service – utility based costing

Co-source (Capex and Opex)
• Alignment of use cases to evolving threat landscape
• Round the clock monitoring, management and incident response
• Business, industry and risk profile alignment
• Level one, two and three monitoring and management
• Proactive cyber threat intelligence
• Hardware, build, run and maintain costs
An internal audit approach
Cyber risk ‒ Deloitte cybersecurity framework*

An assessment of the organization’s cybersecurity should evaluate specific capabilities across multiple domains.

Secure

Cybersecurity risk and compliance management
• Compliance monitoring
• Issue and corrective action planning
• Regulatory and exam management
• Risk and compliance assessment and mgmt.
• Integrated requirements and control framework

Third-party management
• Evaluation and selection
• Contract and service initiation
• Ongoing monitoring
• Service termination

Security program and talent management
• Security direction and strategy
• Security budget and finance management
• Policy and standards management
• Exception management
• Talent strategy

Identity and access management
• Account provisioning
• Privileged user management
• Access certification
• Access management and governance

Secure development life cycle
• Secure build and testing
• Secure coding guidelines
• Application role design/access
• Security design/architecture
• Security/risk requirements

Information and asset management
• Information and asset classification and inventory
• Information records management
• Physical and environment security controls
• Physical media handling

Vigilant

Threat and vulnerability management
• Incident response and forensics
• Application security testing
• Threat modeling and intelligence
• Security event monitoring and logging
• Penetration testing
• Vulnerability management

Risk analytics
• Information gathering and analysis around:
  – User, account, entity
  – Events/incidents
  – Fraud and anti-money laundering
  – Operational loss

Data management and protection
• Data classification and inventory
• Breach notification and management
• Data loss prevention
• Data security strategy
• Data encryption and obfuscation
• Records and mobile device management

Resilient

Crisis management and resiliency
• Recover strategy, plans & procedures
• Testing & exercising
• Business impact analysis
• Business continuity planning
• Disaster recovery planning

Security awareness and training
• Security training
• Security awareness
• Third-party responsibilities

Security operations
• Change management
• Configuration management
• Network defense
• Security operations management
• Security architecture

* The Deloitte cybersecurity framework is aligned with industry standards and maps to NIST, ISO, COSO, and ITIL.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its
subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Cyber risk ‒ Deloitte cybersecurity framework* (cont’d)

Certain cybersecurity domains may be partially covered by existing IT audits; however, many capabilities have historically not been reviewed by internal audit.

Existing IT audit coverage overlaid on the framework: SOX (financially relevant systems only); BCP/DRP testing; penetration and vulnerability testing.
Cyber risk – Assessment approach

An internal audit assessment of cybersecurity should cover all domains and relevant capabilities, and involve subject matter specialists when appropriate.

Phase I: Planning and scoping
Key activities:
• Identify specific internal and external stakeholders: IT, Compliance, Legal, Risk, etc.
• Understand organization mission and objectives
• Identify industry requirements and regulatory landscape
• Perform industry and sector risk profiling (i.e., review industry reports, news, trends, risk vectors)
• Identify in-scope systems and assets
• Identify vendors and third-party involvement
Deliverables:
• Assessment objectives and scope
• Capability assessment scorecard framework

Phase II: Understand current state
Key activities:
• Conduct interviews and workshops to understand the current profile
• Perform walkthroughs of in-scope systems and processes to understand existing controls
• Understand the use of third-parties, including reviews of applicable reports
• Review relevant policies and procedures, including security environment, strategic plans, and governance for both internal and external stakeholders
• Review self assessments
• Review prior audits
Deliverable:
• Understanding of environment and current state

Phase III: Risk assessment
Key activities:
• Document list of potential risks across all in-scope capabilities
• Collaborate with subject matter specialists and management to stratify emerging risks, and document potential impact
• Evaluate likelihood and impact of risks
• Prioritize risks based upon organization’s objectives, capabilities, and risk appetite
• Review and validate the risk assessment results with management and identify criticality
Deliverables:
• Prioritized risk ranking
• Capability assessment findings

Phase IV: Gap assessment and recommendations
Key activities:
• Document capability assessment results and develop assessment scorecard
• Review assessment results with specific stakeholders
• Identify gaps and evaluate potential severity
• Map to maturity analysis
• Document recommendations
• Develop multiyear cybersecurity/IT audit plan
Deliverables:
• Maturity analysis
• Assessment scorecard
• Remediation recommendations
• Cybersecurity audit plan
Cyber risk ‒ Assessment maturity analysis

Maintaining and enhancing security capabilities can help mitigate cyber threats and help the organization to arrive at its desired level of maturity.

Maturity analysis: each cybersecurity domain is rated on its current state CMMI maturity* on the scale Initial, Managed, Defined, Predictable, Optimized.

Cybersecurity domains
Secure:
• Cybersecurity risk and compliance mgmt.
• Third-party management
• Secure development life cycle
• Information and asset management
• Security program and talent management
• Identity and access management
Vigilant:
• Threat and vulnerability management
• Data management and protection
• Risk analytics
Resilient:
• Crisis management and resiliency
• Security operations
• Security awareness and training

Maturity stages
Stage 1: Initial
• Recognized the issue
• Ad-hoc/case by case
• Partially achieved goals
• No training, communication, or standardization
Stage 2: Managed
• Process is managed
• Responsibility defined
• Defined procedures with deviations
• Process reviews
Stage 3: Defined
• Defined process
• Communicated procedures
• Performance data collected
• Integrated with other processes
• Compliance oversight
Stage 4: Predictable
• Defined quantitative performance thresholds and control limits
• Constant improvement
• Automation and tools implemented
• Managed to business objectives
Stage 5: Optimized
• Continuously improved
• Improvement objectives defined
• Integrated with IT
• Automated workflow
• Improvements from new technology

* The industry recognized Capability Maturity Model Integration (CMMI) can be used as the model for the assessment. Each domain consists of specific capabilities which are assessed and averaged to calculate an overall domain maturity.
Cyber risk ‒ Assessment scorecard

A scorecard can support the overall maturity assessment, with detailed cyber risks for people, process, and technology. Findings should be documented and recommendations identified for all gaps.

Capability assessment findings and recommendations
Threat and vulnerability management – Penetration testing

Area: People
Findings (ref. 2.6.4): The organization has some resources within the ISOC that can conduct penetration testing, but not on a routine basis due to operational constraints and multiple roles that those resources are fulfilling.
Recommendations (ref. 2.6.4): The organization may find it of more value and cost benefit to utilize current resources to conduct internal penetration testing on a routine and dedicated basis since they do have individuals with the necessary skills to perform this duty.

Area: Process
Findings (ref. 2.6.5): The organization has limited capability to conduct penetration testing in a staged environment or against new and emerging threats.
Recommendations (ref. 2.6.5): The organization should expand its penetration testing capability to include more advanced testing, more advanced social engineering, and develop greater control over the frequency of testing.

Area: Technology
Findings (ref. 2.6.6): The organization lacks standard tools to perform its own ad-hoc and on-the-spot penetration tests to confirm or support potential vulnerability assessment alerts and/or incident investigation findings.
Recommendations (ref. 2.6.6): Either through agreement with a third-party vendor, or through technology acquisition, develop the technology capability to perform out of cycle penetration testing.

Maturity scale: 1: Initial, 2: Managed, 3: Defined, 4: Predictable, 5: Optimized
Scorecard values shown: People 4, Process 2, Technology 1

Assessment scorecard
Cybersecurity domains rated (grouped as Secure / Vigilant / Resilient): Cybersecurity risk and compliance mgmt.; Third-party management; Secure development life cycle; Information and asset management; Security program and talent management; Identity and access management; Threat and vulnerability management; Data management and protection; Risk analytics; Crisis management and resiliency; Security operations; Security awareness and training
Cyber risk – Representative internal audit plan

A cybersecurity assessment can drive a risk-based IT internal audit plan. Audit frequency should correspond to the level of risk identified, and applicable regulatory requirements/expectations.

Internal Audit area | FY 2015 to FY 2017 (X = planned) | Notes (representative)
SOX IT General Computer Controls | X X X | Annual requirement but only covers financially significant systems and applications
External Penetration and Vulnerability Testing | X X X | Cover a portion of IP addresses each year
Internal Vulnerability Testing | X | Lower risk due to physical access controls
Business Continuity Plan/Disaster Recovery Plan | X X | Coordinate with annual 1st and 2nd line of defense testing
Data Protection and Information Security | X | Lower risk due to …
Third-party Management | X | Lower risk due to …
Risk Analytics | X X X | Annual testing to cycle through risk areas, and continuous monitoring
Crisis Management | X X | Cyber war gaming scenario planned
Social Media | X | Social media policy and awareness program
Data Loss Protection (DLP) | X | Shared drive scan for SSN/Credit Card #
Closing thoughts
Key considerations
1. Know your crown jewels – not just what you want to protect, but what you need to protect
2. Know your friends – contractors, vendors and suppliers can be security allies or liabilities
3. Understand the threat landscape and assess incremental threat scenarios that expose your organization to risk
4. Assess controls and identify gaps in policies, standards, processes, metrics and reporting, etc.
5. Maintain “cyber security” as an organizational priority and standing agenda item in audit committee updates
6. Apprise the Audit Committee of key risks and enterprise level risk trends related to cyber security
7. Make awareness a priority within every internal department and among external partners
8. Fortify and monitor – situational awareness, diligently gather intelligence, build, maintain and proactively monitor
9. Prepare for the inevitable – test your incident management process
For more information
If you would like more information on cyber security or how Deloitte can help your organization, please contact one of the following professionals:

Nick Galletto, Americas Cyber Risk Leader, [email protected]
Michael Juergens, Managing Principal | IT Internal Audit, [email protected]
Deloitte IT internal audit – Cyber risk

Leading cybersecurity risk management services ‒ specifically suited to collaborate with you

Number 1 provider of cyber risk management solutions
• The only organization with the breadth, depth, and insight to help complex organizations become secure, vigilant, and resilient
• 1000+ cyber risk management projects in the U.S. alone in 2014, executed cross industry
• 11,000 risk management and security professionals globally across the Deloitte Touche Tohmatsu Limited network of member firms

Contributing to the betterment of cyber risk management practices
• Assisted National Institute of Standards and Technology in developing their cybersecurity framework in response to the 2013 Executive Order for Improving Critical Infrastructure Cybersecurity
• Third-party observer of the Quantum Dawn 2 Cyber Attack Simulation, conducted by the Securities Industry and Financial Markets Association in July 2013
• Working with government agencies on advanced threat solutions
• Named as a Kennedy Vanguard Leader in cyber security consulting: “[Deloitte] continually develops, tests, and launches methodologies that reflect a deep understanding of clients’ cyber security and help the firm… set the bar.”
  Source: Kennedy Consulting Research & Advisory; Cyber Security Consulting 2013; Kennedy Consulting Research & Advisory estimates © 2013 Kennedy Information, LLC. Reproduced under license.
• “Deloitte’s ability to execute rated the highest of all the participants”
  Forrester Research, “Forrester Wave™: Information Security Consulting Services Q1 2013”, Ed Ferrara and Andrew Rose, February 1, 2013

The right resources at the right time
• Deloitte has provided IT audit services for the past 30 years and IT audit training to the profession for more than 15 years. Our professionals bring uncommon insights and a differentiated approach to IT auditing, and we are committed to remaining an industry leader.
• We have distinct advantages through:
  − Access to a global team of IA professionals, including IT subject matter specialists in a variety of technologies and risk areas
  − A responsive team of cyber risk specialists with wide-ranging capabilities virtually anywhere in the world, prepared to advise as circumstances arise or as business needs change
  − A differentiated IT IA approach that has been honed over the years in some of the most demanding environments in the world, with tools and methodologies that help accelerate IT audit
  − Access to leading practices and the latest IT thought leadership on audit trends and issues
www.deloitte.ca
Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services. Deloitte LLP, an Ontario limited liability partnership, is the Canadian member firm of Deloitte Touche Tohmatsu Limited.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
© Deloitte LLP and affiliated entities.