Beruflich Dokumente
Kultur Dokumente
Over the past decade, organizations have increasingly leveraged technology and the
digital realm in order to grow. However, as a result of this, they have also attracted an
increased number of cyberthreats.
The question facing leaders at these organizations is how to manage the elevated risk
of cyberattack so they can continue to realize the value generated by technology and
digital. To achieve this, we believe organizations need to change the game on cyber. This
report suggests a new approach that can help organizations not only remain secure, but
also become more vigilant and resilient to evolving cyberthreats.
• Vigilant: Organizations must establish capabilities for detecting cyber violations, and
to scan for and anticipate emerging threats so that they stay ahead of the game.
• Resilient: Organizations should recognize that no cyber defense can be 100 percent
effective, and so they must develop the ability to respond to inevitable cyberattacks
and return to normal operations as quickly as possible.
We believe that adopting this secure, vigilant and resilient approach to cyber is a key
step in helping leaders continue to drive performance at their organizations. Deloitte’s
Cyber Risk professionals around the world can guide you on that journey, and help you
transform your organization into a place where risk powers performance.
Regards,
Owen Ryan
Global Risk Advisory Leader
Contents
Introduction 1
Becoming secure: Fortify the organization 2
Remaining vigilant: Manage the inevitable 3
Being resilient: Prepare for the unpreventable 4
Getting governance right 5
Where to start 6
Contacts 7
Changing the game on cyber risk |
Introduction
Introduction
The cyberthreat landscape continues to evolve, with increasingly determined and
sophisticated attackers. At the same time, organizations are spending more money
and paying more attention to cyber than ever before.
Yet the problem of cyberattacks persist, As cyber incidents and their associated
amid an increasingly complex cyberthreat costs continue to rise, there’s a growing
landscape where businesses continue to realization that becoming impenetrably
At a glance: What does
trek deeper into the digital realm—adding secure is impossible in today’s environment. it means to be secure,
new layers of connectivity and interaction It is almost inevitable that safeguards will
between themselves and their customers sometimes fail. Managing cyber risk is not a
vigilant, and resilient?
and partners. one-time solution. It is an ongoing journey—
for information technology (IT) leaders and
Both the economy and our society-at-large business decision-makers alike—to take
have become connected using platforms meaningful steps to change the game on Secure
designed for sharing information, not cyber risk.
protecting it – presenting new opportunities
Establish and continually maintain
every day for would-be attackers. And the Cyber risk management is an enterprise-
foundational security capabilities
very things organizations do to innovate and wide concept that encompasses the
—by enhancing risk-prioritized
grow will actually create or magnify cyber IT-centric discipline of cybersecurity
controls to protect against known
risk. as well as a broad set of business risks
and emerging threats, while also
that have strategic, operational, and
complying with industry cyber
Risks today extend far beyond theft regulatory implications. Effective cyber risk
standards and regulations.
and fraud to include loss of competitive management focuses on assessing threats,
advantage due to stolen intellectual vulnerabilities, and their potential impact on
property, loss of customer or business the broader organization. Ultimately, cyber
partner trust, and overall damage to an risk management is inextricably linked to an
organization’s reputation and brand. organization’s ability to conduct business Vigilant
Managing cyber risk has become a effectively.
strategic imperative that has profound
Detect violations and anomalies
implications for the overall performance Toward a more secure, vigilant, and
through better situational
of the enterprise. And the complexity of resilient organization
awareness both externally and
the risk will only grow as the vision of the Because you can’t prevent all cyber
across your environment
Internet of Things continues to take shape. incidents, organizations need to be
—spanning all areas of your
More connected devices, more sources of secure, vigilant, and resilient. With many
ecosystem.
data, more process automation, and more organizations today already breached by
third-party relationships will help create new cyberattackers—and with many unaware of
layers of opportunities for cyberattackers. the breaches—realistically assessing your
organization’s changing risk profile becomes
Organizations will have to move far beyond critical, to help determine what levels and Resilient
a “secure the perimeter” mentality and types of cyber risk are acceptable. Through
begin incorporating cyber risk thinking the lens of what’s most important to your
Establish and exercise the ability to
into their product design and engineering organization, businesses today should
quickly return to normal operations
processes—taking a long-term view of what invest in cost-justified security controls to
and repair damage to the business
it means to be secure. protect their most important assets, while
following the inevitable cyberattack.
also gaining more insight into threats and
responding more effectively to reduce their
impact.
1
Changing the game on cyber risk |
Becoming secure
Becoming secure:
Fortify the organization
Being secure means focusing protection Don’t allow gaps to leave you exposed
around the risk-sensitive assets at the heart Many organizations can significantly improve
of your organization’s mission. Traditional cyber risk management by instilling fresh
security controls, preventive measures, discipline in some basic areas, such as data
and compliance initiatives probably have tracking and classification. Another common
consumed the greatest part of your and closely related area of weakness is asset
investment in cyber risk management, and management. Large organizations generate
you will most likely need to continue—or enormous change on a daily basis—new
increase—your investment levels. users, new devices, new applications, and
supporting changes to the underlying
But as you engage in these core cyber infrastructure. If security controls are
“hygiene” activities, you might need to not adjusted to keep pace, you’re likely to
rethink your decision criteria. Malicious create gaping holes that can leave your Security starts at
actors, especially those motivated by organization exposed for days, months, or
the top: Put a senior
financial gain, tend to operate on a cost/ even years.
reward basis. If your defenses are strong executive at the helm
enough to raise their risks (and level of effort Non-negotiable areas to fortify
relative to the value of what they can gain), Most cyberattacks exploit well-known
Above all, fortifying your
they are more likely to turn their attention system weaknesses—known to hackers
organization will require a strong
elsewhere. and known to the organizations they
leader to drive cohesive, decisive
target. You can address such weaknesses
action. Establishing a solid cyber
Protecting the heart of the business by administering a comprehensive patch-
foundation requires someone with
Given the reach and complexity of your management program that focuses on
broad influence who can generate
digital ecosystem, you can’t secure critical data assets using a risk-based
collaborative engagement among
everything equally so focus protection approach, rather than an ad hoc or
the diverse range of players
around the risk-sensitive assets at the heart compliance-based approach. Some other
essential to the success of the
of your organization’s mission—the ones areas to fortify: software development, IT
program—many of whom might be
that both you and your adversaries view as asset management, and physical security.
unaccustomed to thinking about
highest value. Among the most important Organizations should add protocols and
cyber risk. Who should take the
elements are critical infrastructure, a security mindset to the development
lead? You want someone who not
applications, and data, as well as specialized and asset management processes. They
only understands the business, but
control systems. Also remember that these also should work to spot physical security
who can also manage risks and
elements are part of larger services and holes and weaknesses that could allow
authoritatively drive a
transaction chains, and addressing weak an unauthorized individual, a disgruntled
transformation agenda. Someone
points along the end-to-end business worker, or an unwitting employee to leak or
who can enable innovation,
process is essential. steal critical information.
eliminate obstacles, and support
growth—all the while taking the
necessary steps to prepare for the
possible outcomes.
2
Changing the game on cyber risk |
Remaining vigilant
Remaining vigilant:
Manage the inevitable
3
Changing the game on cyber risk |
Being resilient
Being resilient:
Prepare for the unpreventable
4
Changing the game on cyber risk |
Getting governance right
5
Changing the game on cyber risk |
Where to start
Where to start
Where to begin with improving your cyber risk profile will depend on where you are
today. If you’re in the early stages of a transformation process, the following additional
steps can help you move in the right direction:
Staying a step ahead of cyberattacks requires a comprehensive, proactive, and risk-based approach to preventing, detecting, and responding
to cyberthreats. For modern enterprises operating in today’s hyperconnected business environment, the ultimate vision is to become
a secure, vigilant, and resilient organization, an organization with solid defenses, expansive threat awareness, and strong response and
recovery capabilities.
6
Changing the game on cyber risk |
Contacts
Contacts
For more information, please contact:
Nick Galletto Ed Powers
Global Cyber Risk Services Leader US Cyber Risk Services Leader
+1 416-601-6734 +1 212-436-5599
ngalletto@deloitte.ca epowers@deloitte.com
Deloitte has been widely recognized as a market leader, including these recent
independent analyst reports:
• Deloitte named a global leader in Security Operations Consulting by ALM Intelligence
Source: ALM Intelligence; Security Operations Center Consulting 2015; Kennedy Consulting Research & Advisory estimates
© 2016 ALM Media Properties, LLC. Reproduced under license
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its
network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent
entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about to
learn more about our global network of member firms.
Deloitte provides audit, consulting, financial advisory, risk advisory, tax and related services to public and private clients
spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected
network of member firms in more than 150 countries and territories bringing world-class capabilities, insights, and high-
quality service to address clients’ most complex business challenges. To learn more about how Deloitte’s approximately
245,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or
their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or
services. Before making any decision or taking any action that may affect your finances or your business, you should consult a
qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any
person who relies on this communication.