Issue 15 24 Cybersecurity 34 Beyond the BRICS 46 Interview with P&G’s Deb Henretta

Designing your fiercest competitor
Mastering change by making it real page 12

Managing risk

Cybersecurity: The new business priority

By Gary Loveland and Mark Lobel
Gary Loveland is the US Leader and Mark Lobel is Principal in PwC’s Security practice. They also oversee the annual Global State of Information Security Survey, which PwC has conducted for 14 years. For a detailed look at the survey, visit www.pwc.com/giss2012.

In today’s global, digital world, data rule. Safeguarding intellectual property, financial information, and your company’s reputation is a crucial part of business strategy. Yet with the number of threats and the sophistication of attacks increasing, it’s a formidable challenge. PwC’s US Security Leader Gary Loveland and Security Principal Mark Lobel reveal how company leaders can protect— and strengthen—the business with the right approach to information security.


Information security probably isn’t something that gets a lot of executive attention. It’s the CIO’s job or the responsibility of his lieutenants. Yet every so often when scanning the headlines, news about the latest high-profile cyberattacks elevates your blood pressure as you wonder: Could that happen to us? What would be the impact on our business? How would we respond to customers and shareholders? But then it’s often back to the more pressing issues of the day, and the state of your company’s information security recedes to the background. You won’t likely give it another thought—until there’s an incident. Then it’s damage-control mode, as the company deals with stolen customer data, disclosure of confidential financial information, a disabled Web storefront, or worse.

This reactive approach is all too common, even though the question is not if a company will suffer an incident but when. In the annual PwC, CIO, and CSO survey of more than 9,600 global executives, 41 percent of US respondents had experienced one or more security incidents during the past year.[1] And that number is rising. Respondents reported financial losses, intellectual property theft, reputational damage, fraud, and legal exposure, among other effects. (See Figure 1.) With such high stakes, most would agree that information security deserves full attention at the highest levels of the company.

Figure 1: US business impact of security incidents (percentage of US respondents reporting each effect)
  37.5%  Financial losses
  31.8%  Intellectual property theft
  31.2%  Brand/reputation compromised
  15.8%  Fraud
  12.2%  Legal exposure/lawsuit
  11.3%  Loss of shareholder value
   7.1%  Extortion

[1] PwC, CIO, and CSO 2012 Global State of Information Security Survey.

Source: PwC, CIO, and CSO 2012 Global State of Information Security Survey


Figure 2: Differing views of information security effectiveness and leadership
The majority of executives in the survey, 72%, reported being very confident or somewhat confident that their organization’s information security activities were effective. Yet just 43% described themselves as Front-runners, meaning they had a strategy in place and proactively executed it. But when we analyzed their information security practices, only 13% of companies could be considered True Leaders.
  All companies: 100%
  Confident: 72%
  Front-runners: 43%
  True Leaders: 13%

Source: PwC, CIO, and CSO 2012 Global State of Information Security Survey

Government leaders, at least, are taking notice: lawmakers, the Securities and Exchange Commission (SEC), and the Administration have been highlighting increased security risks and the need for both the private and public sectors to step up their security game. In October 2011, the SEC issued guidance on the disclosure of cybersecurity risks and incidents.[2] While the guidance didn’t propose new requirements, it reminded company leaders, and boards of directors, of their obligations under current rules. That same month, in the aftermath of disclosures by WikiLeaks, President Obama issued an Executive Order calling for measures to safeguard the government’s classified information and networks in order to reduce the risk of a similar breach in the future.[3] These developments follow ongoing efforts to move cybersecurity legislation through Congress and into law.

[2] http://sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

Perception versus reality

Back in the corporate world, is cybersecurity still considered a purely technical matter? Or do businesses understand that it is the linchpin for safeguarding their most precious assets: intellectual property, customer information, financial data, employee records, and much more? It depends upon whom you ask. The PwC, CIO, and CSO survey revealed that executives may say and believe one thing, but the data and expert analysis indicate that they do another. First, the survey asked: How confident are you that your organization’s information security activities are effective? Seventy-two percent of respondents answered that they were very confident or somewhat confident.[4] However, when executives were asked to characterize their company’s approach to information security, identifying whether they possess an information security strategy and have proactively implemented it, the positive results took a nosedive. Just 43 percent of respondents self-identified as Front-runners; that is, those who felt they have an effective information security strategy in place and are proactive

in executing the plan. Those who saw themselves as Strategists (27 percent) felt they have the big picture right but fall down on execution, while Tacticians (15 percent) said they are better at getting things done than at defining a broader strategy. Finally, the Firefighters (14 percent globally but 22 percent in the US) admitted to lacking a strategy and to being reactive regarding information security.[5] But when it came time to let the data do the talking, the companies that were “walking the walk” and not merely “talking the talk” were significantly fewer: just 13 percent of respondents. (See Figure 2.) These leading companies not only have an information security strategy in place, but they demonstrate a number of other leading practices, including having a high-level security chief, measuring and reviewing the effectiveness of their policies and procedures every year, and possessing a deep understanding of the types of security events that have occurred in their organizations.

[3] http://www.whitehouse.gov/the-press-office/2011/10/07/fact-sheet-safeguarding-us-governments-classified-information-and-networ
[4] PwC, CIO, and CSO 2012 Global State of Information Security Survey.
[5] Percentages do not total 100 due to rounding.


14% of executives surveyed admitted to lacking a strategy and being reactive when it came to information security.

Barriers to effective cybersecurity

Figure 3: Primary obstacles to information security, by senior executive (percentage of respondents citing each obstacle)

Obstacle                                                      CEO   CFO   CIO
Insufficient funding for capital expenditures                 27%   23%   29%
Leadership – CEO                                              25%   27%   25%
Absence or shortage of in-house technical expertise           23%   19%   25%
Insufficient funding for operating expenditures               23%   16%   23%
Lack of an effective information security strategy            18%   25%   25%
Lack of an actionable vision or understanding                 17%   25%   30%
Leadership – CIO                                              14%   23%   18%
Poorly integrated or overly complex information/IT systems    13%   14%   19%
Leadership – Security chief                                   12%   22%   16%

Addressing information security can be especially challenging because executives do not always agree about company issues and goals. In the survey, we asked respondents what the greatest obstacles were to improving their organization’s information security. While the number one response predictably was about resources—insufficient funding for capital expenditures—the answers often changed when we looked more specifically at who was answering. CEOs agreed that lack of capital funding was the problem, but CFOs indicated a lack of leadership from the CEO was the reason. Meanwhile, CIOs and security executives pointed to a lack of actionable vision or understanding within the organization.

Source: PwC, CIO, and CSO 2012 Global State of Information Security Survey

41% of US executives surveyed had experienced one or more security incidents in the past year.

Four growing cyberthreats

The companies in this top tier, whom we refer to as security leaders, understand that they are up against different types of cyberthreats. There essentially are four types of attacks, each of which has a different motive. It’s helpful to think of these as storm waves swirling around your business. At any given time, it is impossible to know which wave will hit and what type of damage it will wreak. The first and oldest wave is nuisance hacking, in which there is little material impact to the company. A classic example is hackers defacing your company’s website. More serious and widespread is the second wave, which is hacking for financial gain.

As business has migrated to the digital world, criminals have, too. What has emerged is a sophisticated criminal ecosystem that has matured to the point that it functions much like any business: management structure, quality control, offshoring, and so on. This type of hacking now goes beyond blindly stealing customer credit card information or employee passwords. For example, hackers might target a company’s financial function in order to obtain its earnings report before it is publicly released. With such advance knowledge, they can profit by acquiring or dumping stock. Protecting the business from cybercrime is one thing, but companies also must worry about a newer type of risk: the advanced persistent threat. If you think the term sounds like it’s out of a spy movie, you’re not far off. This type of hacking is predominantly about stealing intellectual property and typically is associated with state-sponsored espionage. The motives go beyond financial gain. Experts may quibble about the specifics of this type of attack and whether it always involves advanced techniques, but it is a serious and growing threat. It is no exaggeration to say that what’s at risk is not only your intellectual property but possibly national security. The high-profile Stuxnet worm demonstrates how specialized and sophisticated these attacks can be. The Stuxnet worm discovered in 2010 was designed to infiltrate industrial control systems of the kind that run water or power plants. But the target wasn’t a utility: the worm infiltrated and sabotaged the Iranian control systems that manage uranium enrichment. As the chilling details emerge, what’s noteworthy is that the attack was reportedly planned (and the worm developed and placed) as many as four years ahead of the incident. This foresight echoes a trend we have seen in our work with companies such as defense contractors. When they announce plans to acquire another company, perpetrators go after the potential acquisition. Their hope is to embed malicious software on the systems of the acquisition target so that when the companies ultimately are integrated, hackers will have access to the parent company’s systems, even if it means biding their time for 18 to 24 months or longer.

And it’s not only specialized industries like defense that are at risk from advanced persistent threats. We have seen considerable activity in the financial services and technology industries. In some cases, the perpetrators infiltrate a bank or service provider in order to get access to that organization’s customers’ systems. Finally, there’s one more type of threat that is on the rise: hacktivism. WikiLeaks immediately comes to mind, but, for the private sector, think of this as the digital equivalent of Occupy Wall Street. The goal of the perpetrators is to change or create a public perception of your brand. For example, hackers might obtain sensitive information and disclose it to the public.


Keeping pace with new technologies

Not only do companies face myriad threats, their exposure grows as they invest in technologies like mobile, social, and cloud. In the survey, only a minority of US companies had strategies in place to protect against the risks that these new technologies bring.[6] (See Figure 4.) Mobile, in particular, challenges the business because suddenly corporate data can be widely accessed outside of the enterprise. And employees often don’t realize the risks being introduced when sharing, sending, or receiving corporate information on a smartphone or tablet, especially if it is a personal device. Likewise, with social media, where the line between personal and professional can become blurry, employees inadvertently may be disclosing sensitive information. Called data leakage, it can happen when employees share seemingly innocuous details, such as the airport they are in or the coffee shop they are frequenting every morning. Others within their social networks can use these clues, along with profile information about their jobs (bankruptcy attorney, M&A specialist), to ferret out potentially sensitive information, such as the identity of a financially troubled company or a potential acquisition target.

[6] PwC, CIO, and CSO 2012 Global State of Information Security Survey.

Figure 4: Companies addressing security risks from new technologies (percentage of US respondents with a strategy in place)
  21.1%  Cloud security strategy
  31.5%  Social media security strategy
  33.7%  Mobile device security strategy
  37.4%  Security strategy for employee use of personal devices
Source: PwC, CIO, and CSO 2012 Global State of Information Security Survey

Strategies for strengthening the business

With so many risks, business leaders may be unsure of where to focus. In our experience, it is crucial to elevate the role of information security in the organization and emphasize the fact that it is not just a technology function. As a make-or-break business issue, it requires a leader who reports directly to a senior executive. The title of the person (chief security officer, chief information security officer, security director) isn’t what matters. Instead, it’s the ability of that individual to bring security issues to the C-suite and help the management team think and talk about how security affects every other business decision.

Effective security leaders consistently demonstrate the linkages between security and the company’s goals. They remind the rest of the management team that security is a strategic issue. In the survey, the Front-runner group emphasized this approach by citing client requirements as the driving force behind the company’s information security investments. The other respondents pointed to legal and regulatory requirements as the main justification for information security spending in their organizations.

An organization that embraces this mindset, for example, might engage the security leader and the sales leader, together, to consider how better information security can help close or speed sales. They might determine that having well-documented information security controls, processes, or certifications in place enables them to anticipate and address customer concerns immediately when, or before, the issue is first raised. Some companies we work with find it effective to have security leaders embedded within each business unit. These individuals report to line-of-business heads and work directly with them to evaluate how security can support each group’s business goals.

What concerns security experts most?

Like the very nature of business itself, information security challenges are evolving. This topic came up continually as we discussed the survey findings with companies in all fields. What are the security chiefs at leading organizations most worried about? Here are some of the top concerns:

Mobile devices. The power of employee and customer mobile devices makes companies increasingly vulnerable. Consider just a few scary possibilities: hackers mobilizing smartphone users to bring down a company network by organizing a “computational flash mob,” or banking apps available from popular online stores that are not affiliated with the banks they claim to represent and are instead designed to steal data. What is the best thing companies can do? Come to terms with the fact that mobile is here to stay and address it head-on in your strategy and policies. Begin thinking of mobile devices not as phones or adjunct devices but as the equivalent of laptop computers, with their own powerful peer-to-peer networks.

Increasing sophistication of the attacks. Whatever you call these attacks (security experts have been known to go round and round about just what constitutes an advanced persistent threat and whether the term is useful), some perpetrators are changing the rules of the game. They are locking on a specific target and formulating long-range plans to accomplish their goals. In the last year, we have seen several industry-leading companies in the technology and financial services industries victimized. If it could happen to them, it could happen to anyone.

Proposed legislation. Experts seem to agree that it’s only a matter of time before information security is mandated by law. Over the past few years, various incarnations of bills have been proposed. While security chiefs understand the scrutiny, they have concerns about security becoming a compliance burden. They worry that this will cause businesses to lose sight of what really matters: focusing on their strategy and thinking about the next threats.

where’s the data? Companies that understand the value that security brings to the business also ensure that they have a comprehensive strategy in place—and that they have the processes and procedures to back up their vision. The guiding principles for strategy are driven, in large part, by their data. Companies will want to ask a seemingly simple question: What’s our most sensitive data? Surprisingly, many companies can’t begin to answer that question. Company leaders will need to identify their most sensitive data. They’ll consider business assets like intellectual property, as well as information

that they have a fiduciary responsibility to protect, including customer, business partner, or employee data. As companies undertake this foundational exercise, they will ask: What data do we have? Where are they located? What laws and regulations apply to them? What controls do we have around them? Are we sending data to third parties? If so, is it being handled securely? There’s much work to be done here: In the survey, only 29 percent of companies have an accurate inventory of data—a decline of 10 percent from just two years ago.
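The inventory questions above (what data do we have, where is it, which rules apply) can be bootstrapped with automated discovery. The following is an added example, not code from the article or from PwC: it scans a constructed sample corpus (file contents embedded inline, using the standard test card numbers 4111 1111 1111 1111 and 5500 0000 0000 0004, no real data) for payment card numbers (validated with the Luhn checksum so random digit runs are not counted), US Social Security numbers, and e-mail addresses, then builds a per-location inventory and a roll-up that maps each data class to the rule set a practitioner would typically associate with it. The paths, patterns, and regime mapping are assumptions for illustration; a real inventory would walk file shares, databases, and third-party exports, and the class list would be extended to whatever the business deems most sensitive.

```python
"""Sensitive-data discovery over a constructed sample corpus.

Added example, not from the PwC article. It demonstrates the first step of a
data inventory: finding regulated data classes and recording where they live.
"""
import re
from collections import Counter, defaultdict

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")

# Illustrative mapping (assumption) of data class to the rule set usually cited for it.
REGIME = {
    "card": "PCI DSS",
    "ssn": "state breach-notification laws",
    "email": "privacy/marketing rules",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> Counter:
    """Count hits per data class in one document; classes with zero hits are dropped."""
    hits = Counter()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits["card"] += 1
    hits.update({"ssn": len(SSN_RE.findall(text)),
                 "email": len(EMAIL_RE.findall(text))})
    return +hits  # unary plus removes zero counts


def build_inventory(corpus: dict) -> dict:
    """Map each location to {class: count}; locations with no hits are omitted."""
    inventory = {}
    for path, text in corpus.items():
        hits = classify(text)
        if hits:
            inventory[path] = dict(hits)
    return inventory


def summarize(inventory: dict) -> dict:
    """Roll up per class: where it lives, how many hits, and the associated regime."""
    summary = defaultdict(lambda: {"locations": [], "total": 0})
    for path, hits in sorted(inventory.items()):
        for cls, n in hits.items():
            summary[cls]["locations"].append(path)
            summary[cls]["total"] += n
            summary[cls]["regime"] = REGIME[cls]
    return dict(summary)


# Constructed sample corpus (no real data). The two card numbers are standard test
# PANs; 1234567812345678 fails the Luhn check and must not be counted as a card.
SAMPLE_CORPUS = {
    "finance/exports/refunds-2012-03.csv":
        "cust,pan,amount\nacme,4111 1111 1111 1111,19.99\nbeta,5500-0000-0000-0004,120.00\n",
    "hr/onboarding/new-hires.txt":
        "Jane Roe 123-45-6789 jane.roe@example.com\nJohn Doe 000-12-3456\n",
    "shared/vendor-dropbox/readme.txt":
        "Order ref 1234567812345678, contact ops@example.net\n",
    "eng/README.md":
        "Build with make; nothing sensitive here.\n",
}

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_CORPUS)
    for path, hits in inv.items():
        print(path, hits)
    for cls, info in summarize(inv).items():
        print(f"{cls}: {info['total']} hit(s) in {len(info['locations'])} "
              f"location(s); regime: {info['regime']}")
```

The vendor-dropbox path is included deliberately: a location shared with a third party that turns up in the inventory is exactly the "are we sending data to third parties?" question made concrete, and the Luhn filter keeps a stray order reference from being misreported as cardholder data.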


100% of the companies we defined as security leaders measure and review the effectiveness of their security policies and procedures annually.

50% fewer information security incidents were experienced by the security leaders, compared with the rest of the survey respondents.

For companies that have grown through mergers and acquisitions, there’s the additional hurdle of getting a handle on disparate data sources, not to mention the different policies, processes, and systems that were inherited with each merger or acquisition. In the process of evaluating what’s currently in place and where the company’s attention needs better focus, some organizations find it helpful to conduct an outside assessment of their current operations. Often, when companies get a glimpse into what really is going on, they are surprised. They discover that the biggest problems may be caused by their employees. For example, companies may find that workers lack even a basic awareness of the information security risks to which they subject the business when they don’t follow policy: they fail to change default passwords, or they leave their computers on when they go home. Some companies bring in outside security experts to conduct an assessment, particularly if an organization wants to test the security of its networks. This so-called ethical hacking, or penetration testing, attempts to penetrate a company’s network to pinpoint vulnerabilities. In our work as security specialists, the trend we’ve observed is that companies have become much better about protecting the organization from the outside. But once a perpetrator is able to gain access to an internal network, whether by walking in the door and plugging into a network jack or via malware on a USB drive that an employee picks up in the parking lot and plugs into his networked computer, we have always been able to gain further levels of unauthorized access. A security assessment also might reveal that the company has not kept up with a changing IT environment, especially one in which business units or employees have independently added their own devices or applications to the mix. All too often, businesses maintain the status quo but don’t adequately address how these latest technologies and new ways of working put them at risk.

Testing, testing, testing

Recognizing that organizations are dynamic, and that criminals always are innovating, it’s especially important for companies to consistently monitor and test what they have in place. In the survey, all of the companies that we defined as True Leaders measure and review the effectiveness of their security policies and procedures annually (compared with just 54 percent of other respondents). These organizations also know where they are vulnerable and need to shore up their defenses. This is significant because just a few years ago, almost half of the survey’s respondents couldn’t answer the most basic questions about the nature of security-related breaches; now roughly 80 percent or more of respondents can provide specific information about the frequency, type, and source of the security breaches their organizations faced. And they are seeing results: The leaders reported half as many information security incidents per year as the rest of the survey respondents. Companies that are proactive about information security also consider the impact of breaches, especially given that these events are on the rise. Among those impacts, risks associated with customers, partners, or suppliers are a major concern, having nearly doubled in the past two years. This situation is compounded by the fact that, given recent economic uncertainty, security has not been a priority: levels of investment, awareness, and training all have declined. In thinking about potential breaches, organizations will determine to whom they need to disclose an event. This issue is gaining more attention in light of the SEC’s recent guidance on the matter, which reminds public companies to consider the following costs and consequences when assessing what to disclose: remediation costs to customers or partners, increased information security investment required to remedy the situation, lost revenues due to the breach, litigation resulting from the breach, and reputational damage affecting customer or investor confidence. Company management and boards will want to consider the balancing act required to fulfill these responsibilities to investors and customers while ensuring that leadership does not disclose information that would make the company further vulnerable to hackers.

Follow the leaders

Leading companies today are rethinking the role of information security in their organizations. They realize that in a digital world, cybersecurity is the key to safeguarding their most precious assets: intellectual property, customer information, financial data, and employee records, among others. But far more than a defensive measure, companies also know that cybersecurity can better position their organization with business partners, customers, investors, and other stakeholders. Additionally, a sustained approach to security enables companies to better take advantage of newer technologies (mobile, social media, and cloud) that are driving business growth for many organizations. Company executives are leading the charge, working across the business to assess the current environment, define their most sensitive data, assign accountability, devise a strategy, and measure their progress. With strong leadership and a comprehensive approach that continually links information security back to business strategy, top managers will better position their organizations for success.


To request additional copies of View or to comment: www.pwc.com/view. © 2012 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
