A Manifesto for
Cyber Resilience
Cyber Resilience Defined
Cyber increasingly describes our online work and
play; it’s a big and growing element of our real lives.
Today, some 2.4 billion global internet users, 34% of
the world’s population, spend increasing amounts
of time online.[1] All our Cyber activity adds up to
a lot of online business making it an unstoppable
movement – the type that starts revolutions.
To some, the benefits of our Cyber lives and new
business models come with understandable and
acceptable risks. Others feel such mass movements
demand more considered responses. But there is
little time for debate. What we really need is a Call
to Action.
De-risking our Cyber lives means understanding four
opposing forces – all of which bring different Cyber
Risks and demand urgent management attention:
Democratization – ‘Power to the people’ as
organizations learn to work with customers via
the channels they dictate.
Consumerization – The impact of the many
devices, or more importantly the apps, which
span work and play in our Cyber lives.
Externalization – The economics of the cloud,
slashing Capital Expenditure and shaking up
how data moves in and out of organizations.
Digitization – The exponential connectivity
created when sensors and devices form the
‘Internet of Things’.
Solving Cyber Risk for one of these trends merely
raises the importance of the next in line. As with
most other ‘best-practices’, there are several right
answers meaning, at best, you can optimise your
organization’s environment to reduce its exposure.
Thanks to these powerful forces above, Cyber Risk
cannot be eradicated.
This Manifesto sets out a plan to reduce, not
eliminate, the real and growing risks we face as
individuals, businesses and governments. Its goal
is simple, to make us Cyber Resilient.
What We Know Today
Cyber makes the previously impossible, possible.
Without Cyber, our lives would literally resemble
the past. Consider:
• Which bank customers would give up the
freedom to move money across international
boundaries in milliseconds?
• What would force businesspeople back into
queues for airline tickets, phone booths or
to post parcels?
• Why would anyone air-freight a component
which could be printed out for less?
The situation today is complex, fast-moving and
potentially devastating for organizations. While
just 15% of the world’s internet traffic is mobile
right now, that figure is growing thanks to five
billion mobile phones, and a third of them are
internet-accessing smartphones.[1] Each day 500
million photos are shared and the average user
checks their messages 23 times a day.[1]
Cyber-attacks claim 1.5 million victims every day
and add up, conservatively, to $110bn of losses
each year.[2] Malware, or malicious software
attacks, on the web increased 30% in 2012
and on mobile devices grew 139% in the same
period.[3] Crucially, of the websites serving up
malware, 62% were from legitimate sites that
had been compromised.[3]
Worried yet?
These Cyber threats will only increase, as will
their sophistication. This is because older targets,
such as PC operating systems, are giving way to
new web-based and mobile platforms as well as
social apps. Changes to what security experts call
The Threat Landscape are hard to address. Without
levels of security, previously only seen in large
enterprises, you are exposed. As we shall see, size
is just one of our worries.
The Unknown Unknowns
Understanding the future enriches lives. By
contrast in the world of Cyber, unknowable
intentions and unexpected consequences create
chaos. It is impossible to predict all the new Cyber
Threats which your organization will face – some
are yet to be dreamt up.
Whether disgruntled ‘hacktivists’ or Cyber
criminals, Cyber terrorists, or even state-sponsored
Cyber armies, most have the advantage of surprise
over us. Their motivations are wide-ranging, from
peaceful protest to malicious intent, political
gain to personal gain, or a combination of these.
However the means to create Cyber Risks at their
disposal are increasing exponentially, stacking the
odds against the unprepared.
More and more ready-made malware kits are
made available over the Internet, paid for with
virtual currencies far from prying eyes. The ‘Black
Economy’ of Cyber is thriving and there really
is honour amongst thieves. Their Centres of
Excellence, hidden behind very secure protection,
are where they can outlearn all but the most
knowledgeable of security experts. There they
can share data, stolen without the knowledge of
their victims, the original owners. For a price, they
share their secrets with other Cyber conmen. Your
law-abiding organization is unlikely to receive a
backstage pass.
As a victim, unlike the natural world, being a small
fish in a big pond does not help. In fact it makes
it worse, with 31% of Cyber-attacks affecting
organizations with just 1 to 250 employees.[2]
While large enterprises are well used to Cyber
Threats, their smaller suppliers are much more
attractive to those with bad intentions. Infiltrating
a major company’s supply chain is best achieved
from below, rather than above.
The Human Factor
While 84% of data breaches take hours or less to
complete, discovering them takes months, in 66%
of cases, and containment takes months or years
for 22% of us.[4] Why is this?
You might think the difference between a Cyber-
Resilient organization and the ones open to
exploitation is better computers, software or
faster telecommunications. Sadly, it is almost
never the case. It may well be necessary to have
the very best technology you can get to secure
your organization. However, necessary may not
be sufficient. Newer, faster, shinier pieces of kit in
isolation seldom save the day.
The weakest link in Cyber Security is the person
reading this manifesto – You and I.
IT is the beating heart of all modern organizational
processes infiltrating every department and IT has
traditionally been responsible for Cyber Security.
However its former role, as the lead purchaser
of technology, is fast-changing to one of trusted
adviser. Recent research has shown 14% of cloud
storage, 13% of social media and 11% of office
productivity software is purchased without the IT
department’s knowledge.[5]
Gartner data shows the movement of IT budget
away from its traditional ‘owners’ to other
departments is already well under way. The
marketing department is a front-runner and due
to outspend the IT department on technology
by 2017.[6] All of this means the human element
of Cyber Risk is likely to be highest within your
organization but outside the IT department.
Today, concentrating Cyber Security knowledge
solely within the IT department is not business
as usual, but just a way to add Cyber Risk to your
organization. To err is human so why keep the
burden of Cyber Resilience solely within one (IT)
department? It’s high time to move to a security
culture which is all-inclusive.
84% – initial compromises take hours or less
66% – breaches are not discovered for months
22% – breaches take months or longer to contain
Risk 1 Businesses Are Small
Compared to the Threat
Globally, few organizations have the resources
to stay on top of all the Cyber threats a highly-
motivated team can mount. Even multinational
organizations can only employ relatively small
teams. The bad guys are also smart guys. They
learnt long ago how to collaborate by forming
virtual teams across national boundaries for
mutual benefit. They sell their tricks to each other
and trade stolen identities, to defeat security
systems mostly built for a pre-Cyber, pre-mobile
and even pre-Web, nation-based set of risks.
Cyber attacks themselves remain comparatively
unsophisticated, but scale alone is not the issue.
Most organizations already have the basics of
Cyber Security right and this limits to 10% the
number of Cyber attacks which could be carried
out by the average user. It is the next level which is
hard, because 78% use only the ‘basic’ resources
available online and no customization.[4]
One issue could be approach. The natural reaction
of a traditional security professional is to buy more
security tools, but such piecemeal approaches
fail at scale. It would be better to get fuller
visibility into where their organization is today and
react accordingly.
In the future Cyber Attackers will likely have even
more to aim at. The drive for efficiency means
linking ever more systems together: using smart
meters to manage energy use, sensors to control
production lines and RFID tags to track shipments
means the largest users of Cyber are no longer the
IT department, nor are they even human.
With threats global in their nature, only a privileged
few organizations, mostly in the defence sector, can
spend all their time fighting Cyber wars. The rest of
us still have the day job, be it sorting out insurance
claims, selling shoes or servicing cars. We have to
spend wisely to become more Cyber Resilient. What
chance then for the smaller guys? The answer for
security professionals is to ‘club together’ just as
their attackers have already done. Pooled resources
and shared knowledge about the severity of threats
could even up the fight.
Risk 2 Fighting yesterday’s
battles loses the war
As Cyber Risks have become more subtle,
personalized and distributed, detecting them has
become increasingly hard. So hard, it would be
a brave person who would claim any IT systems
connected to the Internet (virtually all commercial
systems) were impregnable.
Historically, ‘walls of steel’ have a bad history –
human intelligence bypasses them. Today’s
smarter Cyber threats are seldom full frontal
assaults but are more personalized and attack
many vulnerabilities simultaneously making them
more devastating.
Their payloads, whether arriving by web, email
or mobile, wait patiently and silently as resident
botnets on infected systems and can then awake
from their slumber on command – even after the
infection was detected and the ‘door has been
shut’. Yesterday’s thinking on Cyber Security is of
limited value.
Given this fiendish amount of cat and mouse, the
best strategy is not the isolated removal of threats,
but a slow, determined and ongoing process of
Cyber Resilience. Cyber Resilience accepts there
is no silver bullet, no cure for the common cold
and certainly no cavalry coming over the hill. It
counsels that the best offense is a considered
defense. Its objective is to create an uneven playing
field, where accessing your systems is tougher and
less profitable than others.
With better information comes better decisions.
After all, taking no risks can be just as risky a
decision in today’s business environment. Having a
clearer view of the threats your organization faces
is the best way to build up your Cyber Resilience.
Risk 3 Ignoring the role of Employees
Employees are often cited as the greatest asset an
organization has. The reality is they can also be
the greatest liability from a security point of view.
Identity theft and the physical theft of unprotected
devices, often encouraged by today’s generous
BYOD policies, greatly complicate matters.
Where once security was the sole responsibility
of IT professionals, today it cannot be left to
them alone. One person’s ‘Shadow IT’, or non-
sanctioned technology spending, is another’s fast
track to innovation. Aggressively cracking down
on what others regard as productivity tools, is a
sure way for IT professionals to remove themselves
from future discussions – we already discussed
yesterday’s battles.
Employee attitudes do need to change a little too.
Surveys show 53% of employees believe it is OK to
take corporate data because ‘It doesn’t harm the
company’.[7] But is that their call?
Surely better to empower non-technical employees
and reduce non-intentional malpractice. This
will give them the knowledge to increase the
organization’s Cyber Resilience through their
technology decisions and the processes they
enforce. Important when such behaviour accounts
for 35% of all data breaches and, unsurprisingly,
such immorality spikes up steeply as individuals
prepare to exit companies.[8]
Far from being an abdication of responsibility
by IT, here is a chance to convert IT expertise
into competitive advantage. There is a new deal
to be struck between non-IT professionals and
their more technical IT colleagues, showing
them how Cyber Resilience can increase their
organization’s potential. In Cyber, ignorance
is not bliss – it’s a communication and an
organizational challenge. In other words an
untapped commercial opportunity.
How To Become Cyber Resilient 1
Understand where your organization stands
A well-known management saying is you cannot
manage what you cannot measure. However most
Cyber attacks are unnoticed, let alone measured,
as are the risks they pose.[4] How can we then assess
how at risk we are?
The answer hated by schoolchildren, loved
by quality organizations globally, is external
assessment. More precisely for organizations at risk
of Cyber attack, a comprehensive Cyber Assessment
of people, processes and products is essential.
Honesty, boring as it may be to some, is the start of
the journey to Cyber Resilience.
Of course, an independent audit of vulnerabilities,
baselining the technology and processes in use in
your organization is a good start. But this is just
a start to the journey. How about a benchmark
to relate your score with that of your peers? How
about some practical recommendations based on a
gap analysis of where you are and where you want
to be? Now IT is becoming genuinely strategic.
Armed with such information, the path to Cyber
Resilience becomes clearer. Better still, when those
Unknown Unknowns we mentioned start to become
visible action items, not just for the IT department,
but across an entire organization. Such insights
then become your unfair advantage.
Even though Cyber Resilience does not equal
immunity from Cyber-attack, the very point of
Cyber Resilience is to make your organization’s
vulnerabilities less appealing to attack. But only
once there is a baseline and a corporate-wide goal,
can you prioritize and start work on the toughest
Cyber issues facing your organization first.
How To Become Cyber Resilient 2
Coaching your colleagues, ALL of them
Once upon a time a small number of people
were responsible for IT. This worked well when
computers were locked up in rooms by computer
scientists. Now critical confidential data is walking
around in employees’ pockets and sometimes the
pockets of your organization’s partners and their
partners and so on…
Things have changed. For one, your Unknown
Unknowns mean the genie is out of the bottle. Best
practices for on-premise Cyber Security can only
protect your organization to the extent that the
weakest, least secure member of your team, or
extended supply chain, practices them.
So while you may do a fine job writing and even
enforcing password policies or locking down
devices and complying with ISO standards, this
will not make you Cyber Resilient. Unless you can
assure similar standards are maintained from your
contract cleaners to your auditors, your external
caterers to your lawyers.
Secondly, as we have seen, analysts predict non-IT
staff will shortly spend more on technology than
those with ‘IT’ let alone those with ‘IT Security’ in
their job titles. So it’s time to think outside of the
box, outside of the IT department, outside of job
descriptions and outside of your organizational
boundaries. Thirdly, while you may have spent a
career in IT, it is unlikely your experience to date
has prepared you for the role Cyber is assuming
in our lives today.
While you are struggling to benchmark which
Cyber Risks you are exposed to and where to start
the journey to Cyber Resilience, for some an even
tougher challenge looms. Dropping the tech-speak.
Reaching out to colleagues is crucial but you will
fail without one simple skill. The ability to unlearn
decades of IT and IT Security jargon. It is not only
unnecessary, it weakens your point. Truly, jargon is
the enemy of Cyber Resilience.
How To Become Cyber Resilient 3
Make Cyber Resilience your
competitive advantage
As we have seen, working alone on Cyber Resilience
is a futile exercise. Cyber Risk comes from unseen
and clever enemies, made up of cells who can form,
dissolve and reform fluidly. Matching this ability is
neither practical, nor desirable and besides, who
would do your day job?
Philosophers tell us “Those who do not learn lessons
from the errors of the past, will repeat them”. But
you are not alone. There is strength in numbers in
Cyber. Why suffer while your organization decides
which Cyber Resilience strategy to get onboard
with? Much smarter to join up with others who
share the same beliefs as your organization, pooling
intelligence and developing strategies.
Your skillset makes you ideally placed to help
your organization become more Cyber Resilient.
Some would say this is the only strategy which can
succeed given the constant nature of the threat.
Imagine a nerve centre of Cyber Intelligence, like
a highly stimulated virtual brain, pulling together
billions of small observations from the Cyber
issues facing many thousands of organizations and
millions of users, to create a clear overview of the
Cyber threats faced by your organization.
Compare that future role, one at the heart of a
Cyber Resilient organization out-performing its
competition, with today’s view of IT as who to
blame when things go wrong. This is not to say
the basics are unimportant; the information from
existing security controls really matters.
IT’s new role is as the Centre of Excellence for
Cyber Risk assessment. To provide new signposts
for executive leaders to gauge their organization’s
Cyber Resilience. Cyber Risk transcends IT,
departmental and even national boundaries. Cyber
Resilience is a team sport played by leaders. Like
you. Catch the train now, it is ready to depart.
Conclusion
The results of the move to Cyber are already
impressive and we have only just begun. Amazingly
this progress only requires the ability to send
and receive data securely. Unfortunately this is a
complex technological feat and as Arthur C. Clarke,
a futurist and writer, said “Any sufficiently advanced
technology is indistinguishable from magic”.
Cyber is too important to be just ‘magic’. On a
personal level, Cyber Risks question our identity and
our privacy. On a global level, Cyber Risks threaten
the stability of our government and banking
systems. Cyber needs to be understandable by
business and public organisation leaders in the
same way as power, water, talent and other vital
real-world inputs. Today it is not treated this way.
No top-down edict will succeed. Cyber is too fast
moving. Only a grass roots movement, informed but
flexible, has a prayer of success. IT professionals
have a critical role here only if they can:
1. Effectively baseline where their
organization’s Cyber Resilience is today.
Faster and with more rigour than previously.
2. Make their people part of Cyber Resilience.
Educate everyone in their organization’s supply
chain to balance the innovation they want with
the Cyber Resilience they need.
3. Use Cyber Resilience for long-term strategic
competitive advantage in their organization.
Hopefully the ‘idea grenades’ lobbed in this
Manifesto will start the chain reaction your
organization needs to get to Cyber Resilience. If
it has, you might want to join up with the experts
at Symantec whose Cyber Assessment, security
products and services are helping millions of users,
to help thousands of Chief Executives to make their
organization Cyber Resilient.
Contacts
Symantec EMEA Headquarters
350 Brook Drive
Green Park
Reading
RG2 6UH
Tel: +44 (0)870 243 1080
References
1 – Mary Meeker, KPCB, 2013 Internet Trends
2 – Norton Cybercrime Report
3 – Symantec ISTR 2012
4 – Verizon DBIR 2013
5 – Economist Intelligence unit July 2013 ‘Security
Empowers Business – unlock the power of a protected
enterprise’
6 – Gartner Webinar January 2013 ‘By 2017 the CMO will
spend more than the CIO’ by Laura McLellan
7 – Symantec ‘What’s Yours is Mine: How Employees are
Putting Your IP at Risk’ paper 2013
8 – Symantec ‘Cost of a Data Breach Study 2013’
Unstoppable movements start revolutions. Symantec would like to engage with your Cyber efforts.
Our products and services are acknowledged to be at the leading edge of Cyber knowledge.
Share today, be part of the resistance. To sign up for an initial CyberV assessment please contact us.
http://www.emea.symantec.com/cyber-resilience/
Symantec is a global leader in providing security, storage and systems management solutions to help customers secure and manage their
information and identities.
Copyright © 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or
registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their
respective owners. 12/12
Manifesto_final

Más contenido relacionado

La actualidad más candente

Cyber Security small
Cyber Security smallCyber Security small
Cyber Security small
Henry Worth
 
140707_Cyber-Security
140707_Cyber-Security140707_Cyber-Security
140707_Cyber-Security
Tara Gravel
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook
Kristin Judge
 

La actualidad más candente (20)

Cyber Security small
Cyber Security smallCyber Security small
Cyber Security small
 
140707_Cyber-Security
140707_Cyber-Security140707_Cyber-Security
140707_Cyber-Security
 
Delusions of-safety-cyber-savvy-ceo
Delusions of-safety-cyber-savvy-ceoDelusions of-safety-cyber-savvy-ceo
Delusions of-safety-cyber-savvy-ceo
 
Cybersecurity report
Cybersecurity reportCybersecurity report
Cybersecurity report
 
Managed security services for financial services firms
Managed security services for financial services firmsManaged security services for financial services firms
Managed security services for financial services firms
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook
 
Security for Smartgrid
Security for SmartgridSecurity for Smartgrid
Security for Smartgrid
 
Challenging Insecurity: A Roadmap to Cyber Confidence
Challenging Insecurity: A Roadmap to Cyber ConfidenceChallenging Insecurity: A Roadmap to Cyber Confidence
Challenging Insecurity: A Roadmap to Cyber Confidence
 
2015 Global Threat Intelligence Report Executive Summary | NTT i3
2015 Global Threat Intelligence Report Executive Summary | NTT i32015 Global Threat Intelligence Report Executive Summary | NTT i3
2015 Global Threat Intelligence Report Executive Summary | NTT i3
 
Mobile Application Security
Mobile Application Security Mobile Application Security
Mobile Application Security
 
Cyber Training: Developing the Next Generation of Cyber Analysts
Cyber Training: Developing the Next Generation of Cyber AnalystsCyber Training: Developing the Next Generation of Cyber Analysts
Cyber Training: Developing the Next Generation of Cyber Analysts
 
Risky Business
Risky BusinessRisky Business
Risky Business
 
Ten Security Essentials for CIOs
Ten Security Essentials for CIOsTen Security Essentials for CIOs
Ten Security Essentials for CIOs
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and Cloud
 
The Vigilant Enterprise
The Vigilant EnterpriseThe Vigilant Enterprise
The Vigilant Enterprise
 
CIR Magazine - Cyber Readiness, key to survival
CIR Magazine - Cyber Readiness, key to survivalCIR Magazine - Cyber Readiness, key to survival
CIR Magazine - Cyber Readiness, key to survival
 
Staying ahead in the cyber security game - Sogeti + IBM
Staying ahead in the cyber security game - Sogeti + IBMStaying ahead in the cyber security game - Sogeti + IBM
Staying ahead in the cyber security game - Sogeti + IBM
 
Cyber Risk in Real Estate Sales - Workshop Presentation
Cyber Risk in Real Estate Sales - Workshop PresentationCyber Risk in Real Estate Sales - Workshop Presentation
Cyber Risk in Real Estate Sales - Workshop Presentation
 
idg_secops-solutions
idg_secops-solutionsidg_secops-solutions
idg_secops-solutions
 

Destacado

Music video production schedule
Music video production scheduleMusic video production schedule
Music video production schedule
kannkarry
 
Registro fotográfico y clasificación de las antenas de la ciudad
Registro fotográfico y clasificación de las antenas de la ciudadRegistro fotográfico y clasificación de las antenas de la ciudad
Registro fotográfico y clasificación de las antenas de la ciudad
moisesmo19
 
Assignment 1 compare contrast essay
Assignment 1 compare   contrast essayAssignment 1 compare   contrast essay
Assignment 1 compare contrast essay
G-ny Gynie
 
27 02 2014 - Conferencia “Balance y Prospectiva de la Situación Política, Eco...
27 02 2014 - Conferencia “Balance y Prospectiva de la Situación Política, Eco...27 02 2014 - Conferencia “Balance y Prospectiva de la Situación Política, Eco...
27 02 2014 - Conferencia “Balance y Prospectiva de la Situación Política, Eco...
Organización política
 
Organizational Skills And Technical Competences as LEAD PIPING MATERIAL ENG.
Organizational  Skills  And  Technical  Competences as LEAD PIPING MATERIAL ENG.Organizational  Skills  And  Technical  Competences as LEAD PIPING MATERIAL ENG.
Organizational Skills And Technical Competences as LEAD PIPING MATERIAL ENG.
Corneliu Liviu Costea
 
No more sorrow recce photos
No more sorrow recce photosNo more sorrow recce photos
No more sorrow recce photos
kannkarry
 

Destacado (16)

Panoramic photography
Panoramic photographyPanoramic photography
Panoramic photography
 
Music video production schedule
Music video production scheduleMusic video production schedule
Music video production schedule
 
Registro fotográfico y clasificación de las antenas de la ciudad
Registro fotográfico y clasificación de las antenas de la ciudadRegistro fotográfico y clasificación de las antenas de la ciudad
Registro fotográfico y clasificación de las antenas de la ciudad
 
Assignment 1 compare contrast essay
Assignment 1 compare   contrast essayAssignment 1 compare   contrast essay
Assignment 1 compare contrast essay
 
Assignment 2-research-report
Assignment 2-research-reportAssignment 2-research-report
Assignment 2-research-report
 
Smart Sexy TV Videos
Smart Sexy TV VideosSmart Sexy TV Videos
Smart Sexy TV Videos
 
27 02 2014 - Conferencia “Balance y Prospectiva de la Situación Política, Eco...
27 02 2014 - Conferencia “Balance y Prospectiva de la Situación Política, Eco...27 02 2014 - Conferencia “Balance y Prospectiva de la Situación Política, Eco...
27 02 2014 - Conferencia “Balance y Prospectiva de la Situación Política, Eco...
 
Organizational Skills And Technical Competences as LEAD PIPING MATERIAL ENG.
Organizational  Skills  And  Technical  Competences as LEAD PIPING MATERIAL ENG.Organizational  Skills  And  Technical  Competences as LEAD PIPING MATERIAL ENG.
Organizational Skills And Technical Competences as LEAD PIPING MATERIAL ENG.
 
Презентация день именинника
Презентация день именинникаПрезентация день именинника
Презентация день именинника
 
13. registro de clases (portafolio)
13. registro de clases (portafolio)13. registro de clases (portafolio)
13. registro de clases (portafolio)
 
No more sorrow recce photos
No more sorrow recce photosNo more sorrow recce photos
No more sorrow recce photos
 
Evidencias CT OCTUBRE 2015 TV 240
Evidencias CT OCTUBRE  2015 TV 240Evidencias CT OCTUBRE  2015 TV 240
Evidencias CT OCTUBRE 2015 TV 240
 
Assignment 1 compare contrast essay
Assignment 1 compare   contrast essayAssignment 1 compare   contrast essay
Assignment 1 compare contrast essay
 
Burt_MS
Burt_MSBurt_MS
Burt_MS
 
Mule management console
Mule management consoleMule management console
Mule management console
 
U1: FUNCIÓNS E CONTINUIDADE
U1: FUNCIÓNS E CONTINUIDADEU1: FUNCIÓNS E CONTINUIDADE
U1: FUNCIÓNS E CONTINUIDADE
 

Similar a Manifesto_final

A Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceA Manifesto for Cyber Resilience
A Manifesto for Cyber Resilience
Symantec
 
Darktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystemDarktrace_WhitePaper_EnterpriseImmuneSystem
Darktrace_WhitePaper_EnterpriseImmuneSystem
Austin Eppstein
 
Darktrace_WhitePaper_Needle_final
Darktrace_WhitePaper_Needle_finalDarktrace_WhitePaper_Needle_final
Darktrace_WhitePaper_Needle_final
Jerome Chapolard
 
The increased use of technology may be a threat to public administra.pdf
The increased use of technology may be a threat to public administra.pdfThe increased use of technology may be a threat to public administra.pdf
The increased use of technology may be a threat to public administra.pdf
ammancellcom
 

Similar a Manifesto_final (20)

A Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceA Manifesto for Cyber Resilience
A Manifesto for Cyber Resilience
 
Cybercrime: Radically Rethinking the Global Threat
Manifesto_final

  • 1. A Manifesto for Cyber Resilience. Cyber Defined; Unknown Unknowns; Fighting Yesterday’s Battles; Human Factor; Understand Where You Stand; BYOD; Cyber Resilience; Employee Threat; Revolutionaries
  • 2. Cyber Resilience Defined. Cyber increasingly describes our online work and play; it’s a big and growing element of our real lives. Today, some 2.4 billion global internet users, 34% of the world’s population, spend increasing amounts of time online [1]. All our Cyber activity adds up to a lot of online business, making it an unstoppable movement – the type that starts revolutions. To some, the benefits of our Cyber lives and new business models come with understandable and acceptable risks. Others feel such mass movements demand more considered responses. But there is little time for debate. What we really need is a Call to Action. De-risking our Cyber lives means understanding four opposing forces – all of which bring different Cyber Risks and demand urgent management attention: Democratization – ‘Power to the people’ as organizations learn to work with customers via the channels they dictate. Consumerization – The impact of the many devices, or more importantly the apps, which span work and play in our Cyber lives. Externalization – The economics of the cloud, slashing Capital Expenditure and shaking up how data moves in and out of organizations. Digitization – The exponential connectivity created when sensors and devices form the ‘Internet of Things’. Solving Cyber Risk for one of these trends merely raises the importance of the next in line. As with most other ‘best-practices’, there are several right answers, meaning, at best, you can optimise your organization’s environment to reduce its exposure. Thanks to these powerful forces above, Cyber Risk cannot be eradicated. This Manifesto sets out a plan to reduce, not eliminate, the real and growing risks we face as individuals, businesses and governments. Its goal is simple: to make us Cyber Resilient. [Figure: the four forces: Democratization, Externalization, Digitization, Consumerization.]
  • 3. What We Know Today. Cyber makes the previously impossible, possible. Without Cyber, our lives would literally resemble the past. Consider: • Which bank customers would give up the freedom to move money across international boundaries in milliseconds? • What would force businesspeople back into queues for airline tickets, phone booths or to post parcels? • Why would anyone air-freight a component which could be printed out for less? The situation today is complex, fast-moving and potentially devastating for organizations. While just 15% of the world’s internet traffic is mobile right now, that figure is growing thanks to five billion mobile phones, and a third of them are internet-accessing smartphones [1]. Each day 500 million photos are shared and the average user checks their messages 23 times a day [1]. Cyber-attacks claim 1.5 million victims every day and add up, conservatively, to $110bn of losses each year [2]. Malware, or malicious software attacks, on the web increased 30% in 2012 and on mobile devices grew 139% in the same period [3]. Crucially, of the websites serving up malware, 62% were from legitimate sites that had been compromised [3]. Worried yet? These Cyber threats will only increase, as will their sophistication. This is because older targets, such as PC operating systems, are giving way to new web-based and mobile platforms as well as social apps. Changes to what security experts call The Threat Landscape are hard to address. Without levels of security previously only seen in large enterprises, you are exposed. As we shall see, size is just one of our worries.
  • 4. The Unknown Unknowns. Understanding the future enriches lives. By contrast, in the world of Cyber, unknowable intentions and unexpected consequences create chaos. It is impossible to predict all the new Cyber Threats which your organization will face – some are yet to be dreamt up. Whether disgruntled ‘hacktivists’ or Cyber criminals, Cyber terrorists, or even state-sponsored Cyber armies, most have the advantage of surprise over us. Their motivations are wide-ranging, from peaceful protest to malicious intent, political gain to personal gain, or a combination of these. However, the means to create Cyber Risks at their disposal are increasing exponentially, stacking the odds against the unprepared. More and more ready-made malware kits are made available over the Internet, paid for with virtual currencies far from prying eyes. The ‘Black Economy’ of Cyber is thriving and there really is honour amongst thieves. Their Centres of Excellence, hidden behind very secure protection, are where they can outlearn all but the most knowledgeable of security experts. There they can share data, stolen without the knowledge of their victims, the original owners. For a price, they share their secrets with other Cyber conmen. Your law-abiding organization is unlikely to receive a backstage pass. As a victim, unlike the natural world, being a small fish in a big pond does not help. In fact it makes it worse, with 31% of Cyber-attacks affecting organizations with just 1 to 250 employees [2]. While large enterprises are well used to Cyber Threats, their smaller suppliers are much more attractive to those with bad intentions. Infiltrating a major company’s supply chain is best achieved from below, rather than above.
  • 5. The Human Factor. While 84% of data breaches take hours or less to complete, discovering them takes months in 66% of cases, and containment takes months or years for 22% of us [4]. Why is this? You might think the difference between a Cyber-Resilient organization and the ones open to exploitation is better computers, software or faster telecommunications. Sadly, it is almost never the case. It may well be necessary to have the very best technology you can get to secure your organization. However, necessary may not be sufficient. Newer, faster, shinier pieces of kit in isolation seldom save the day. The weakest link in Cyber Security is the person reading this manifesto – You and I. IT is the beating heart of all modern organizational processes, infiltrating every department, and IT has traditionally been responsible for Cyber Security. However, its former role, as the lead purchaser of technology, is fast-changing to one of trusted adviser. Recent research has shown 14% of cloud storage, 13% of social media and 11% of office productivity software is purchased without the IT department’s knowledge [5]. Gartner data shows the movement of IT budget away from its traditional ‘owners’ to other departments is already well under way. The marketing department is a front-runner and due to outspend the IT department on technology by 2017 [6]. All of this means the human element of Cyber Risk is likely to be highest within your organization but outside the IT department. Today, concentrating Cyber Security knowledge solely within the IT department is not business as usual, but just a way to add Cyber Risk to your organization. To err is human, so why keep the burden of Cyber Resilience solely within one (IT) department? It’s high time to move to a security culture which is all-inclusive. [Figure: 84% of initial compromises take hours or less; 66% of breaches are not discovered for months; 22% of breaches take months or longer to contain.]
  • 6. Risk 1: Businesses Are Small Compared to the Threat. Globally, few organizations have the resources to stay on top of all the Cyber threats a highly-motivated team can mount. Even multinational organizations can only employ relatively small teams. The bad guys are also smart guys. They learnt long ago how to collaborate by forming virtual teams across national boundaries for mutual benefit. They sell their tricks to each other and trade stolen identities, to defeat security systems mostly built for a pre-Cyber, pre-mobile and even pre-Web, nation-based set of risks. Cyber attacks themselves remain comparatively unsophisticated, but scale alone is not the issue. Most organizations already have the basics of Cyber Security right and this limits to 10% the number of Cyber attacks which could be carried out by the average user. It is the next level which is hard, because 78% use only the ‘basic’ resources available online and no customization [4]. One issue could be approach. The natural reaction of a traditional security professional is to buy more security tools, but such piecemeal approaches fail at scale. It would be better to get fuller visibility into where their organization is today and react accordingly. In the future Cyber Attackers will likely have even more to aim at. As the drive for efficiency links ever more systems together, using smart meters to manage energy use, sensors to control production lines and RFID tags to track shipments, the largest users of Cyber are no longer the IT department, nor are they even human. With threats global in their nature, only a privileged few organizations, mostly in the defence sector, can spend all their time fighting Cyber wars. The rest of us still have the day job, be it sorting out insurance claims, selling shoes or servicing cars. We have to spend wisely to become more Cyber Resilient. What chance then for the smaller guys?
The answer for security professionals is to ‘club together’ just as their attackers have already done. Pooled resources and shared knowledge about the severity of threats could even up the fight.
  • 7. Risk 2: Fighting yesterday’s battles loses the war. As Cyber Risks have become more subtle, personalized and distributed, detecting them has become increasingly hard. So hard, it would be a brave person who would claim any IT systems connected to the Internet (virtually all commercial systems) were impregnable. Historically, ‘walls of steel’ have a bad history – human intelligence bypasses them. Today’s smarter Cyber threats are seldom full frontal assaults but are more personalized and attack many vulnerabilities simultaneously, making them more devastating. Their payloads, whether arriving by web, email or mobile, wait patiently and silently as resident botnets on infected systems and can then awake from their slumber on command – even after the infection was detected and the ‘door has been shut’. Yesterday’s thinking on Cyber Security is of limited value. Given this fiendish amount of cat and mouse, the best strategy is not the isolated removal of threats, but a slow, determined and ongoing process of Cyber Resilience. Cyber Resilience accepts there is no silver bullet, no cure for the common cold and certainly no cavalry coming over the hill. It counsels that the best offense is a considered defense. Its objective is to create an uneven playing field, where accessing your systems is tougher and less profitable than others. With better information come better decisions. After all, taking no risks can be just as risky a decision in today’s business environment. Having a clearer view of the threats your organization faces is the best way to build up your Cyber Resilience.
  • 8. Risk 3: Ignoring the role of Employees. Employees are often cited as the greatest asset an organization has. The reality is they can also be the greatest liability from a security point of view. Identity theft and the physical theft of unprotected devices, often encouraged by today’s generous BYOD policies, greatly complicate matters. Where once security was the sole responsibility of IT professionals, today it cannot be left to them alone. One person’s ‘Shadow IT’, or non-sanctioned technology spending, is another’s fast track to innovation. Aggressively cracking down on what others regard as productivity tools is a sure way for IT professionals to remove themselves from future discussions – we already discussed yesterday’s battles. Employee attitudes do need to change a little too. Surveys show 53% of employees believe it is OK to take corporate data because ‘It doesn’t harm the company’ [7]. But is that their call? Surely better to empower non-technical employees and reduce non-intentional malpractice. This will give them the knowledge to increase the organization’s Cyber Resilience through their technology decisions and the processes they enforce. Important when such behaviour accounts for 35% of all data breaches and, unsurprisingly, such immorality spikes up steeply as individuals prepare to exit companies [8]. Far from being an abdication of responsibility by IT, here is a chance to convert IT expertise into competitive advantage. There is a new deal to be struck between non-IT professionals and their more technical IT colleagues, showing them how Cyber Resilience can increase their organization’s potential. In Cyber, ignorance is not bliss – it’s a communication and an organizational challenge. In other words, an untapped commercial opportunity.
  • 9. How To Become Cyber Resilient 1: Understand where your organization stands. A well-known management saying is you cannot manage what you cannot measure. However, most Cyber attacks are unnoticed, let alone measured, as are the risks they pose [4]. How can we then assess how at risk we are? The answer hated by schoolchildren, loved by quality organizations globally, is external assessment. More precisely, for organizations at risk of Cyber attack, a comprehensive Cyber Assessment of people, processes and products is essential. Honesty, boring as it may be to some, is the start of the journey to Cyber Resilience. Of course, an independent audit of vulnerabilities, baselining the technology and processes in use in your organization, is a good start. But this is just a start to the journey. How about a benchmark to relate your score with that of your peers? How about some practical recommendations based on a gap analysis of where you are and where you want to be? Now IT is becoming genuinely strategic. Armed with such information, the path to Cyber Resilience becomes clearer. Better still, when those Unknown Unknowns we mentioned start to become visible action items, not just for the IT department, but across an entire organization. Such insights then become your unfair advantage. Even though Cyber Resilience does not equal immunity from Cyber-attack, the very point of Cyber Resilience is to make your organization’s vulnerabilities less appealing to attack. But only once there is a baseline and a corporate-wide goal can you prioritize and start work on the toughest Cyber issues facing your organization first.
  • 10. How To Become Cyber Resilient 2: Coaching your colleagues, ALL of them. Once upon a time a small number of people were responsible for IT. This worked well when computers were locked up in rooms by computer scientists. Now critical confidential data is walking around in employees’ pockets and sometimes the pockets of your organization’s partners and their partners and so on… Things have changed. For one, your Unknown Unknowns mean the genie is out of the bottle. Best practices for on-premise Cyber Security can only protect your organization to the extent that the weakest, least secure member of your team, or extended supply chain, practices them. So while you may do a fine job writing and even enforcing password policies or locking down devices and complying with ISO standards, this will not make you Cyber Resilient. Unless you can assure similar standards are maintained from your contract cleaners to your auditors, your external caterers to your lawyers. Secondly, as we have seen, analysts predict non-IT staff will shortly spend more on technology than those with ‘IT’, let alone those with ‘IT Security’, in their job titles. So it’s time to think outside of the box, outside of the IT department, outside of job descriptions and outside of your organizational boundaries. Thirdly, while you may have spent a career in IT, it is unlikely your experience to date has prepared you for the role Cyber is assuming in our lives today. While you are struggling to benchmark which Cyber Risks you are exposed to and where to start the journey to Cyber Resilience, for some an even tougher challenge looms. Dropping the tech-speak. Reaching out to colleagues is crucial but you will fail without one simple skill. The ability to unlearn decades of IT and IT Security jargon. It is not only unnecessary, it weakens your point. Truly, jargon is the enemy of Cyber Resilience.
  • 11. How To Become Cyber Resilient 3: Make Cyber Resilience your competitive advantage. As we have seen, working alone on Cyber Resilience is a futile exercise. Cyber Risk comes from unseen and clever enemies, made up of cells who can form, dissolve and reform fluidly. Matching this ability is neither practical nor desirable and besides, who would do your day job? Philosophers tell us “Those who do not learn lessons from the errors of the past, will repeat them”. But you are not alone. There is strength in numbers in Cyber. Why suffer while your organization decides which Cyber Resilience strategy to get onboard with? Much smarter to join up with others who share the same beliefs as your organization, pooling intelligence and developing strategies. Your skillset makes you ideally placed to help your organization become more Cyber Resilient. Some would say this is the only strategy which can succeed given the constant nature of the threat. Imagine a nerve centre of Cyber Intelligence, like a highly stimulated virtual brain, pulling together billions of small observations from the Cyber issues facing many thousands of organizations and millions of users, to create a clear overview of the Cyber threats faced by your organization. Compare that future role, one at the heart of a Cyber Resilient organization out-performing its competition, with today’s view of IT as who to blame when things go wrong. This is not to say the basics are unimportant; the information from existing security controls really matters. IT’s new role is as the Centre of Excellence for Cyber Risk assessment. To provide new signposts for executive leaders to gauge their organization’s Cyber Resilience. Cyber Risk transcends IT, departmental and even national boundaries. Cyber Resilience is a team sport played by leaders. Like you. Catch the train now, it is ready to depart.
  • 12. Conclusion. The results of the move to Cyber are already impressive and we have only just begun. Amazingly, this progress only requires the ability to send and receive data securely. Unfortunately this is a complex technological feat and, as Arthur C. Clarke, a futurist and writer, said, “Any sufficiently advanced technology is indistinguishable from magic”. Cyber is too important to be just ‘magic’. On a personal level, Cyber Risks question our identity and our privacy. On a global level, Cyber Risks threaten the stability of our government and banking systems. Cyber needs to be understandable by the leaders of businesses and public organisations in the same way as power, water, talent and other vital real-world inputs. Today it is not treated this way. No top-down edict will succeed. Cyber is too fast moving. Only a grass roots movement, informed but flexible, has a prayer of success. IT professionals have a critical role here only if they can: 1. Effectively baseline where their organization’s Cyber Resilience is today. Faster and with more rigour than previously. 2. Make their people part of Cyber Resilience. Educate everyone in their organization’s supply chain to balance the innovation they want with the Cyber Resilience they need. 3. Use Cyber Resilience for long-term strategic competitive advantage in their organization. Hopefully the ‘idea grenades’ lobbed in this Manifesto will start the chain reaction your organization needs to get to Cyber Resilience. If it has, you might want to join up with the experts at Symantec whose Cyber Assessment, security products and services are helping millions of users, to help thousands of Chief Executives to make their organization Cyber Resilient. [Figure: Cyber Resilience diagram; labels include Today, Transition, Tomorrow, Legacy Approach and Strategic Resilience.]
  • 13. Contacts: Symantec EMEA Headquarters, 350 Brook Drive, Green Park, Reading RG2 6UH. Tel: +44 (0)870 243 1080
    References:
    1 – Mary Meeker, KPCB, 2013 Internet Trends
    2 – Norton Cybercrime Report
    3 – Symantec ISTR 2012
    4 – Verizon DBIR 2013
    5 – Economist Intelligence Unit, July 2013, ‘Security Empowers Business – unlock the power of a protected enterprise’
    6 – Gartner Webinar, January 2013, ‘By 2017 the CMO will spend more than the CIO’ by Laura McLellan
    7 – Symantec, ‘What’s Yours is Mine: How Employees are Putting Your IP at Risk’ paper, 2013
    8 – Symantec, ‘Cost of a Data Breach Study 2013’
    Unstoppable movements start revolutions. Symantec would like to engage with your Cyber efforts. Our products and services are acknowledged to be at the leading edge of Cyber knowledge. Share today, be part of the resistance. To sign up for an initial CyberV assessment please contact us. http://www.emea.symantec.com/cyber-resilience/
    Symantec is a global leader in providing security, storage and systems management solutions to help customers secure and manage their information and identities. Copyright © 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.