Security Culture
Ross Foley
Senior Manager, Cyber Security
27th July 2017
It’s not just about awareness training!
Blackhat 2017
Security Culture | 2
“We focus too much on complexity, not harm… the things that we see, that we come across every day, that cause people to lose control of their information are not that advanced”
Alex Stamos, Chief Security Officer, Facebook
The security culture journey
Culture is more than awareness
There has been under-investment in the people components. Understanding your culture, human motivation and cognitive bias is critical. Behaviours need to change first and then mindsets will follow.

Cyber threats are evolving
Threats are changing rapidly, with regulation (GDPR) following and the public increasing its expectations on security.
144% increase in successful cyber attacks on businesses.
£1.5m to £3.1m is the average total cost of the worst security incidents experienced by large organisations in 2015, an increase of between 143% and 173% on 2014.

People are the weak link
Cybersecurity generally fails where people meet technology. Humans are often the weak link.
50% of the worst breaches in the year were caused by inadvertent human error, up from 30% one year ago.
75% of large organisations suffered staff-related security breaches last year.
We are not rational. Our decisions are influenced by emotions. We miscalculate risk.
Why is culture so important?
“81% of hacking-related breaches leveraged either stolen and/or weak passwords”
Source: Verizon 2017 Data Breach Investigations Report
Source: HM Gov. Cyber Security Breaches Survey 2017
But it’s not just about phishing!
“The best security technology in the world cannot help you unless employees understand their roles and responsibilities in safeguarding sensitive data and protecting company resources”
US National Cyber Security Alliance
So what is culture?
“The assumptions or beliefs which are common across the organisation that allow you to predict how your people will behave and what they will achieve”
PwC

Risk culture (IRM model) comprises: organisational culture, behaviours, ethics, and personal predisposition to risk.
Common challenges to culture change
Organisation structure
Embedded behaviours
Prevailing mindset
Time to change
And there is no accounting for people…
But what does this mean for security?
Security is a reality… but it is also a feeling.
“We have zero appetite for cyber security risk”
The psychology of risk management…
People exaggerate risks that are:    People downplay risks that are:
Rare                                 Common
Spectacular                          Pedestrian
Personified                          Anonymous
Outside of their control             Under their control
Talked about                         Not discussed
Immediate / sudden                   Long term / evolving
Affect them personally               Affect others
Measuring your security culture
It’s not just about awareness training or ethical phishing! Focus on the “moments that matter”.

Do they proactively manage cyber risk?
• Ratio of leavers to users removed during attestation
• Exceptions to policy
• Average time to close risks

Would staff spot a cyber threat?
• Volume of email traffic to webmail
• Volume of (attempted) web traffic to file sharing or webmail
• % of users who receive targeted training

How would they respond to an incident?
• Number of submissions to phishing mailbox
• Repeat DLP offenders
• Average time to report physical data/asset losses
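As an added worked example (not part of the original PwC deck), the Python below computes three of the metrics listed above from constructed sample data: the leaver-to-removal check reported as a list of still-enabled accounts rather than a bare ratio, repeat DLP offenders over a reporting window, and mean time to report a physical asset loss. The record layouts (HR leaver feed, IAM snapshot, DLP event log, loss reports), the one-day disablement grace period and the two-event offender threshold are all assumptions made for illustration.

```python
"""Security-culture metrics from the slide, computed on constructed sample data.
Added worked example, not code from the original deck. Every record below is made
up, and the field layouts are assumptions about what an organisation could export."""
from collections import Counter
from datetime import date, datetime, timedelta

# Assumed reporting period and attestation date for the example.
ATTESTED_ON = date(2017, 6, 30)
WINDOW_START = datetime(2017, 6, 1)
WINDOW_END = datetime(2017, 6, 30, 23, 59)

# Constructed HR leaver feed: (user_id, last working day)
LEAVERS = [
    ("alice", date(2017, 6, 2)),
    ("bob", date(2017, 6, 9)),
    ("carol", date(2017, 6, 16)),
    ("dave", date(2017, 6, 23)),
    ("grace", date(2017, 6, 30)),   # left on the attestation date; not yet due
]

# Constructed IAM snapshot on the attestation date: user_id -> account enabled?
DIRECTORY = {"alice": False, "bob": False, "carol": True, "dave": True,
             "erin": True, "frank": True, "grace": True}

# Constructed DLP event log: (user_id, timestamp, policy that fired)
DLP_EVENTS = [
    ("erin", datetime(2017, 6, 1, 9, 0), "usb-copy"),
    ("erin", datetime(2017, 6, 12, 14, 30), "webmail-attachment"),
    ("erin", datetime(2017, 6, 20, 11, 5), "usb-copy"),
    ("frank", datetime(2017, 6, 3, 16, 45), "webmail-attachment"),
    ("carol", datetime(2017, 5, 2, 10, 0), "usb-copy"),   # before the window
]

# Constructed physical loss reports: (asset_id, lost at, reported at)
LOSS_REPORTS = [
    ("LAPTOP-0001", datetime(2017, 6, 5, 8, 0), datetime(2017, 6, 5, 10, 0)),
    ("LAPTOP-0002", datetime(2017, 6, 10, 18, 0), datetime(2017, 6, 13, 9, 0)),
]


def leaver_removal(leavers, directory, attested_on, grace_days=1):
    """Leavers whose account should have been disabled by the attestation date,
    split into removed and still-enabled ("orphaned") accounts.

    grace_days is the assumed number of days IT is allowed after the last working
    day to disable the account; a leaver inside the grace period is not yet due.
    Returns (removed_count, due_count, orphaned_user_ids).
    """
    due = [u for u, last_day in leavers
           if last_day + timedelta(days=grace_days) <= attested_on]
    orphaned = sorted(u for u in due if directory.get(u, False))
    removed = len(due) - len(orphaned)
    return removed, len(due), orphaned


def repeat_dlp_offenders(events, window_start, window_end, threshold=2):
    """Users with at least `threshold` DLP events inside the reporting window.
    Returns {user_id: event_count}, highest count first."""
    counts = Counter(u for u, ts, _ in events if window_start <= ts <= window_end)
    return dict(sorted(((u, n) for u, n in counts.items() if n >= threshold),
                       key=lambda kv: -kv[1]))


def mean_hours_to_report(reports):
    """Average hours between an asset being lost and the loss being reported."""
    if not reports:
        return 0.0
    hours = [(reported - lost).total_seconds() / 3600
             for _, lost, reported in reports]
    return sum(hours) / len(hours)


def culture_metrics():
    """One reporting-period summary in the three groups the slide uses."""
    removed, due, orphaned = leaver_removal(LEAVERS, DIRECTORY, ATTESTED_ON)
    return {
        "leavers_removed": removed,
        "leavers_due": due,
        "orphaned_accounts": orphaned,   # the finding to chase, not just the ratio
        "repeat_dlp_offenders": repeat_dlp_offenders(DLP_EVENTS, WINDOW_START, WINDOW_END),
        "mean_hours_to_report_loss": mean_hours_to_report(LOSS_REPORTS),
    }


if __name__ == "__main__":
    for name, value in culture_metrics().items():
        print(f"{name}: {value}")
```

The leaver check deliberately returns the orphaned account names alongside the counts: a ratio of 2 removed out of 4 due is a culture indicator, but the two accounts still enabled weeks after the owners left are the access-control gap someone has to close today.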
Setting the tone from the top
Awareness and Leadership: Views from the Board

Levels of effective cyber risk management at board level, lowest to highest:

Denial?

Awareness (Owner: CTO)
‘We understand cyber is a relevant topic and our executives inform us regularly’

Understanding (Owner: CEO)
‘We maintain a considered cyber risk appetite and see accurate management information which demonstrates compliance’

Good Governance (Owner: Board)
‘We actively manage cyber risk, making well-informed choices about how we run our business and placing clear requirements on executives. Risk appetite influences our strategy and vice versa’

Effective Leadership (Owner: Board + Whole Enterprise)
‘We are leading a business in the digital age. Cyber risk is an integral part of innovation and growth; it is led from the top and managed by all executives’
What can I do tomorrow?
• Remember you are not alone; utilise alternative skillsets across the business.
• Widen your metrics to include more than just completion of awareness training and ethical phishing results.
• Get more targeted! Tailor your training based on risk.
• Maximise the visual impact of your initial awareness activity.
• Create a brand for security within the organisation and promote positive behaviour.
www.pwc.co.uk/cyber
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without
obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by
law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in
reliance on the information contained in this publication or for any decision based on it.
© 2017 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please
see www.pwc.com/structure for further details.
Ross Foley
Senior Manager
ross.foley@pwc.com
+44 (0) 7843 330838
Contact
Thank You!
