Transform to the power of digital
Information Security Benchmarking 2015
Information Security assessment of companies in Germany, Austria and
Switzerland
May 2015
Capgemini Consulting conducted a benchmarking study on Information Security to provide
a thorough and balanced view of the current state of security in DACH organizations
Management summary – study design and approach
Copyright © 2015 Capgemini Consulting. All rights reserved.
• Information Security is key for today’s organizations. The increasing number of serious security breaches announced in the press reminds us every day of the financial and non-financial consequences a successful attack exposes a business to. New business and regulatory requirements, recent trends and the increasing sophistication of cyberattackers make this topic an even greater headache, not only for security officers but also for the board.
• Understanding how peers implement Information Security to protect the confidentiality, integrity and availability of data provides valuable insight for every organization. Such insights are not only helpful in recognizing current trends but also enable the quick identification of individual strengths and areas of improvement, and allow for benchmarking across the organization’s peer group.
• In Q4 2014, Capgemini Consulting conducted an Information Security benchmarking study among companies and organizations in Germany, Austria and Switzerland. The 45 respondents from 10 different industry sectors provided their views on upcoming trends as well as information on topics such as their security budget and organization structures.
• The Information Security assessment was conducted based on a detailed maturity model. Using this model, study participants evaluated their security practice in the domains “Strategy & Governance”, “Organization & People”, “Processes” and “Technology”.
• Capgemini evaluated the respondents’ answers and presents the study results from two different points of view:
  – overall results across all participants to provide a thorough and balanced view of the current state of Cybersecurity in DACH
  – an individual assessment for each participant, where individual answers are discussed and compared against their industry peer group
Despite a high top management attention and increasing budgets, Information Security
must undergo a deep transformation to improve alignment and cooperation with business
Management summary – key insights
• High top management attention for Information Security – 75% of the respondents rated the top management’s priority on Information Security as medium or high; numerous companies even view it as one of their strengths.
• Business goals not aligned with Information Security – Protection of data and prevention of system outages are considered key drivers for Information Security, while only 31% of the respondents view support of business goals as a driver for their security practice.
• Security risks ignored by business decision makers – 75% of the participating companies stated that business is not involved in their IT risk management and does not consider security risks in its decision making.
• Lack of security KPIs and ROI consideration – 96% of the participants rely on the results of internal and external audits to measure the effectiveness of their Information Security, but only 7% use specific KPIs and merely 4% consider ROI estimates.
• Unstructured security awareness programs – Increasing employee security awareness is the number one area of improvement for many companies. Only 27% of the participants characterized their awareness program as holistic, although 80% of respondents identified employees as the key source of security incidents.
• Inconsistent information classification – 50% of the respondents rated their information classification as inconsistent, with a lack of clearly defined classification policies and owners for each information asset.
• Uncontrolled use of public clouds – 33% use public cloud services without full control of transmitted data, exposing it to potential unauthorized access. 27% of participants do not use public cloud services at all.
• Increasing security budgets – More than half of the study participants (56%) expect an increase of their security budget, while only 9% expect a budget decrease. The expected increase of the security budget is 10% (median).
Growing requirements and recent trends continue to pose new challenges to
Cybersecurity and endanger the success of Digital Transformation for today’s companies
Cybersecurity challenges
[Figure: Cybersecurity challenges]
- New requirements and trends – trends from Digital Transformation (Mobility, Cloud, Big Data, Social); business demanding higher flexibility; complex ecosystems (e.g. Industry 4.0); new regulations & laws, e.g. “IT-Sicherheitsgesetz”
- Organized cybercrime with sophisticated attacks – industrialization of hacking, professional attack software “as a service”; national intelligence agencies with unlimited resources; employees attacked by phishing, social engineering …
- Slowly growing Cybersecurity budgets – constrained security resources; low awareness level of employees due to lack of holistic programs
Transform the power of digital
Table of contents
- Participants and Overview of the Study
- Overall Study Results
- Individual Results of Security Maturity Assessment
- Capgemini Consulting Cybersecurity Offerings
- About Capgemini Consulting
Experts from medium- and large-sized companies across multiple industry sectors participated in the study, with a majority of participants from Germany and Austria
Participants information
[Figure: Participants’ industry sectors – Energy, Utilities & Chemicals; Financial Services; Manufacturing; Public Sector; Other Industries¹ (chart values in extraction order: 13%, 24%, 22%, 11%, 29%)]
[Figure: Participants’ role – CISO/IT Security Manager; CIO; IT Service Manager; IT Application Manager; Other; Not Specified (chart values in extraction order: 69%, 16%, 4%, 2%, 7%, 2%)]
[Figure: Participants’ origin* – chart values 45%, 34%, 14%, 7%; only the label “Other” survived extraction]
[Figure: Company sizes (number of employees) – 1-500; 501-1,000; 1,001-5,000; 5,001-15,000; >15,000; Not Specified (chart values in extraction order: 4%, 9%, 31%, 18%, 36%, 2%)]
¹ Other industries include Retail, Logistics, Telco/Media/Entertainment, Automotive
* Number of participants n=45
Leading DAX, ATX and SMI companies, hidden champions from various industries and
public sector organizations participated in the Capgemini Consulting benchmarking study
Participant peer groups
- Financial Services: major Austrian and Swiss banks, leading insurance companies from Germany, Austria and Switzerland, service providers for financial institutions
- Manufacturing: DAX companies, large international manufacturers and hidden champions from Germany, Austria and Switzerland
- Public Sector: major German and Austrian federal authorities and ministries, infrastructure operators and competence centers for municipalities
- Energy, Utilities & Chemicals: leading energy and chemical companies from DAX and ATX, international Swiss electric utilities
- Other Industries: leading international retail, logistics, telco, media and car supplier companies from Germany, Austria and Switzerland
Capgemini Consulting’s benchmarking study evaluates all relevant areas of an organization’s Information Security practice using proven standards and industry best practices
Information Security benchmarking
Scope of the benchmarking study: Information Security organization & budget; drivers & strengths / pain points & risks; maturity assessment of all Information Security areas
The study covers all relevant security areas and is based on common Information Security standards (ISO 2700x) and industry best practices. It is structured along four domains: Strategy & Governance, Organization & People, Processes and Technology.
Maturity model – design principles
The benchmark evaluates the participants’ security based on the Capgemini Consulting Information Security maturity model
• To achieve reliable results, the study aims at an objective and repeatable security maturity assessment of all participants
• Objectivity is achieved by assessing each Information Security component based on a clearly defined 5-level maturity model

Maturity level (low to high) | Typical characteristics
0 – NON-EXISTENT | Not performed; non-existent; not installed; necessity not understood
1 – AD HOC       | Ad hoc; as needed; informal; loosely defined; inconsistent; basic; occasional
2 – DEFINED      | Defined process, roles, responsibilities; documented; formal; communicated
3 – MEASURED     | Measured to work effectively; monitored; use of KPIs; regular review/audits; partially automated; reactive
4 – OPTIMIZED    | Continuous improvement and optimization; best practice; risk mitigation; automated workflow; business enabler; proactive
Protection of data is the key driver for Information Security – supporting business goals
and enabling Digital Transformation is of less relevance for most companies
Drivers for Information Security
Key drivers for Information Security (share of participants):
- Protection of customer data – 78%
- Prevention of system/process outage – 71%
- Protection of personal data – 69%
- Protection of assets and IP – 58%
- Safeguard for reputation – 44%
- Support for business goals – 31%
- Enabler for Digital Transformation – 16%
- Strengthening competitiveness – 11%
- Increase of efficiency/cost reduction – 7%
- Critical infrastructure protection – 2%
- Compliance – 2%
- Legal requirements – 2%
Only 31% of participants rated support of business goals as a key driver
Information Security is on the boardroom agenda – many participants see top
management attention as one of their strengths
Strengths and top management attention
Ranked top strengths:
1. Security expertise & capabilities
2. Management attention & commitment
3. Holistic Target Operating Model/ISMS¹
4. Security awareness & training
5. Data protection based on requirements
¹ ISMS: Information Security Management System
75% of participants rated top management attention as medium to high
Although the majority of the participants have already identified its importance, several companies still lack a holistic security awareness program
Improvement fields and awareness programs
Ranked top improvement fields:
1. Security awareness & training
2. Communication & collaboration
3. Policies & documentation
4. Security expertise & capabilities
5. Security operation center & monitoring
73% of participants consider their awareness program as unstructured
Data theft and disclosure of information represent the largest security risk – the resulting
incidents are frequently caused by current and former employees
Security risks and sources for security incidents
Sources for incidents (share of participants naming the source):
- Current and former employees – 80%
- Organized crime – 56%
- Hackers/Script kiddies – 56%
- Third-party partners/suppliers – 47%
- Foreign nation states/national agencies – 29%
- Visitors – 13%
- Terrorists – 13%
- Competitors – 11%
Top risks:
1. Data theft and disclosure
2. Service outage
3. Phishing & social engineering
4. Unauthorized network access
5. Internal and external fraud
80% of participants consider their employees as the main source of security incidents
Increasing security awareness and training employees are considered essential elements of Information Security to protect corporate information
High priority topics
High priority topics (share of participants):
- Security awareness & training – 44%
- Mobile device security – 28%
- Identity & access management – 23%
- Network security – 15%
- Security operations center & monitoring – 13%
- Holistic information security management system – 13%
- Policies & documentation – 10%
- Process optimization – 10%
- Risk & vulnerability management – 10%
- Business continuity/disaster recovery management – 8%
44% of respondents plan to invest in awareness campaigns in the upcoming months
Internal and external audits are by far the most applied methods to measure security
effectiveness while security KPIs and ROI estimation are almost neglected
Effectiveness measurement
Methods used to measure security effectiveness (share of participants):
- Results of audits by internal or external auditors – 96%
- Number of security incidents – 64%
- Measurement of Information Security awareness – 38%
- Industry benchmarking – 33%
- Feedback from management – 31%
- Proportion of system downtime – 27%
- Number of security policies and standards – 16%
- Special key performance indicators – 7%
- Return on investment (ROI) estimation – 4%
Only 4% of companies consider ROI as an effectiveness measure
ISO 2700x is the de-facto standard for Information Security in all sectors while COBIT is
only sparsely implemented among the study participants
Security standards and best practices
Share of participants applying each standard, by peer group (values as read from the chart):

Peer group                    | ISO 2700x | ITIL | BSI | COBIT | Other (e.g. PCI DSS)
Financial Services            | 100%      | 64%  | 55% | 27%   | 18%
Energy, Utilities & Chemicals | 100%      | 33%  | 33% | 17%   | 0%
Public Sector                 | 80%       | 60%  | 80% | 0%    | 0%
Manufacturing                 | 71%       | 71%  | 14% | 57%   | 14%
Other Industries              | 73%       | 45%  | 55% | 36%   | 0%
A lack of Information Security risk consideration during business decisions may result in insecure solutions with a high potential for security breaches
IT risk management
[Figure: Business decisions with security involvement – distribution of participants across maturity levels 0 (non-existent) to 4 (optimized); chart values in extraction order: 7%, 18%, 44%, 22%, 9%]
75% of companies do not consider security risks in their business decision making
Steering committees, where security-related decisions are made by consensus of the relevant stakeholders, are an essential part of Information Security governance
Information Security governance
56% of respondents defined a security steering committee with various stakeholders
[Figure: Involvement of relevant stakeholders – distribution of participants across maturity levels 0 (non-existent) to 4 (optimized); chart values in extraction order: 20%, 35%, 16%, 29%, 0%]
Information classification has been strongly neglected in recent years – the lack of
effective classification solutions is also a key security concern for cloud computing
Information classification and cloud computing
[Figure: Classification – distribution of participants across maturity levels 0 (non-existent) to 4 (optimized); chart values in extraction order: 4%, 9%, 27%, 33%, 27%]
50% of companies rate their data classification as inconsistent
[Figure: Cloud computing – distribution of participants across maturity levels 0 (non-existent) to 4 (optimized); chart values in extraction order: 3%, 10%, 38%, 45%, 5%]
33% of participants allow an uncontrolled use of public cloud services
With typically 4 FTEs, large companies have twice as many people working in the Information Security function as medium-sized companies
Organization – FTEs in Information Security
[Figure: FTEs in Information Security – medium-sized companies (<= 5,000 employees): min 0.5, median 2, max 62; large-sized companies (5,000+ employees): min 1, median 4, max 100]
4 FTEs is the median size of Information Security organizations in large-sized companies
56% of the participating companies expect an increase of their security budget compared to the previous year, by 10% (median)
Information Security budget
[Figure: Budget changes – budget increase 56%, budget decrease 9%, no statement 36%]
[Figure: Change of security budgets (in %) – min -25%, median +10%, max +67%]
56% of participants expect an increase of their security budget
With a typical maturity level of 2, most participants’ security areas are formally defined but lack effective measurement and automation
Overall security maturity assessment – industry peers
[Figure: Average maturity level (0-4) by industry peer group – Public Sector 2.5, Financial Services 2.2, Manufacturing 2.1, Energy, Utilities & Chemicals 2.0, Other Industries 1.7]
2.5 is the highest average maturity level, achieved by the Public Sector
Overall security maturity assessment – details
Public Sector outperformed in the domains “Strategy & Governance” and “Organization & People”, while in “Processes” and “Technology” Financial Services showed the highest maturity
Areas assessed per domain:
- Strategy & Governance: 1.1 Strategy; 1.2 Governance Structure; 1.3 Compliance Management; 1.4 Risk Management; 1.5 BCM/DRM; 1.6 Audits; 1.7 Data Privacy; 1.8 Security Incident Reporting
- Organization & People: 2.1 Organization Structures; 2.2 Roles & Responsibilities; 2.3 Employee Training and Awareness; 2.4 Security Expert Training; 2.5 Security Service Improvement; 2.6 Cooperation with Corporate Security; 2.7 Relationship with Business Units; 2.8 Social Media
- Processes: 3.1 Identity and Access Management; 3.2 Threat and Vulnerability Management; 3.3 Patch Management; 3.4 Information Classification; 3.5 Sourcing and Vendor Management; 3.6 Secure Application Development; 3.7 Backup; 3.8 Mobile Devices; 3.9 Retention and Investigation of Data; 3.10 Cloud Computing; 3.11 Physical User Access Management
- Technology: 4.1 Firewalls; 4.2 Remote User Access; 4.3 Network Intrusion Protection; 4.4 Wireless Network; 4.5 Database Security; 4.6 Server and System Security; 4.7 Endpoint Device Security; 4.8 Application Security; 4.9 Malicious Content Protection; 4.10 Physical Control Systems
Drivers, incident sources and measurement
COMPANY¹’s security function is closely aligned to business, defining the support for business goals as a key driver for its investments
¹ The following results represent an example of an anonymized individual assessment. COMPANY is only a placeholder.
EXAMPLE – COMPANY’s individual answers:
- Drivers for Information Security: prevention of system outages; support for business goals
- Sources for incidents: organized crime; visitors
- Effectiveness measurements: return on investment (ROI); results of audits by internal and external auditors; industry benchmarking; measurement of Information Security awareness; feedback from management
Drivers for Information Security
• Prevention of system outages is the key driver for most members (83%) of the peer group “Energy, Utilities & Chemicals”
• COMPANY is the only participant in the peer group defining support for business goals as a key driver for security
• In contrast to COMPANY, 50% of the other participants in the peer group consider protection of customer data and protection of assets and IP as a key driver for security
Sources for incidents
• Organized crime is seen by COMPANY and most other peer group members as a key source of incidents
• In addition, other companies from the peer group consider current/former employees (67%) and hackers (50%) as further incident sources
Effectiveness measurements
• COMPANY is the only participant in the peer group considering ROI as a measure
• 84% of the other participants consider the number of security incidents as another effectiveness measure
Strengths, improvement fields, risks and priorities
COMPANY’s improvement fields are mainly located in the domain “Processes” – access management and data classification are common improvement fields among the respondents
EXAMPLE – COMPANY’s individual answers, mapped to the domains of the Capgemini Consulting Information Security Framework (Strategy & Governance, Organization & People, Processes, Technology):
- Top 3 improvement fields: 1. Access mgmt; 2. Compliance and req. mgmt; 3. Data classification
- Top 3 priorities: 1. Access control; 2. Data classification; 3. –
- Top 3 strengths: 1. Vulnerability mgmt; 2. Certified infrastructure; 3. Integrated mgmt system
- Top 3 risks: 1. Data leakage; 2. Internal threats; 3. Complexity
Security maturity assessment – domain Strategy & Governance
With an immature IT risk management, COMPANY may miss or underestimate major risks for its organization and become a victim of internal and external threats
EXAMPLE – COMPANY lies below the peer group average in 6 out of 8 areas of the domain “Strategy & Governance”
[Figure: Maturity level (0-4) per area – 1.1 Strategy, 1.2 Governance Structure, 1.3 IT Compliance Management, 1.4 IT Risk Management, 1.5 BCM/DRM, 1.6 Audits, 1.7 Data Privacy, 1.8 Security Incident Reporting – for COMPANY, the Financial Services peer group, the top performer in the peer group and the total average (all participants)]
• “1.2 Governance Structure” is below the peer group average (COMPANY: 2 vs. peers: 2.47). Recommendation: definition of a security steering committee with relevant stakeholders, direct report to top management
• “1.4 IT Risk Management” is significantly below the peer group average (COMPANY: 1 vs. peers: 2.45). Recommendation: definition of processes, roles & responsibilities, regular assessments, management of mitigation measures, reporting, definition of KRIs
• “1.6 Audits” is below the peer group average (COMPANY: 2 vs. peers: 2.91). Recommendation: definition of data collection methods for auditor support, immediate response to findings by automated process
Capgemini’s high-level risk evaluation: No risk / Low risk / Medium risk / High risk
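The individual assessment above compares each area’s maturity level with the peer group average and the peer top performer and counts the areas below average. The following added example (not Capgemini’s own tooling) performs that comparison on the page’s 0–4 scale for the eight “Strategy & Governance” areas; the scores are constructed sample data, and the gap thresholds used for the risk rating are an assumption.

```python
"""Peer-group comparison on the 0-4 Information Security maturity scale.

Added example: the scores are constructed and are not study data, and the
risk thresholds are an assumption, not the rule used in the study.
"""
from statistics import mean

LEVELS = {0: "NON-EXISTENT", 1: "AD HOC", 2: "DEFINED", 3: "MEASURED", 4: "OPTIMIZED"}

# Areas of the domain "Strategy & Governance" as listed on the page.
AREAS = {
    "1.1": "Strategy",
    "1.2": "Governance Structure",
    "1.3": "IT Compliance Management",
    "1.4": "IT Risk Management",
    "1.5": "BCM/DRM",
    "1.6": "Audits",
    "1.7": "Data Privacy",
    "1.8": "Security Incident Reporting",
}

# Constructed questionnaire results (area id -> maturity level 0..4).
# COMPANY is a placeholder, as on the page; PEER-* are made-up peers.
SCORES = {
    "COMPANY": {"1.1": 2, "1.2": 2, "1.3": 3, "1.4": 1, "1.5": 2, "1.6": 2, "1.7": 3, "1.8": 2},
    "PEER-A":  {"1.1": 3, "1.2": 3, "1.3": 3, "1.4": 3, "1.5": 3, "1.6": 3, "1.7": 3, "1.8": 3},
    "PEER-B":  {"1.1": 2, "1.2": 2, "1.3": 2, "1.4": 2, "1.5": 2, "1.6": 3, "1.7": 2, "1.8": 2},
    "PEER-C":  {"1.1": 3, "1.2": 2, "1.3": 2, "1.4": 3, "1.5": 3, "1.6": 3, "1.7": 2, "1.8": 3},
}


def validate(scores):
    """Reject answers outside the 5-level model or missing an area."""
    for org, areas in scores.items():
        missing = set(AREAS) - set(areas)
        if missing:
            raise ValueError(f"{org}: no score for {sorted(missing)}")
        for area, level in areas.items():
            if level not in LEVELS:
                raise ValueError(f"{org}: level {level!r} for {area} not in 0..4")


def peer_average(scores, company):
    """Mean level per area over the peer group, excluding the company itself."""
    peers = [s for org, s in scores.items() if org != company]
    return {a: mean(p[a] for p in peers) for a in AREAS}


def top_performer(scores, company):
    """Best level per area reached by any peer (the 'top performer' line)."""
    peers = [s for org, s in scores.items() if org != company]
    return {a: max(p[a] for p in peers) for a in AREAS}


def domain_average(scores, org):
    """Average maturity over all areas of the domain for one organization."""
    return mean(scores[org][a] for a in AREAS)


def risk_rating(level, peer_avg):
    """High-level risk from the gap to the peer average (thresholds assumed)."""
    gap = peer_avg - level
    if gap <= 0:
        return "No risk"
    if gap < 0.5:
        return "Low risk"
    if gap < 1.0:
        return "Medium risk"
    return "High risk"


def assess(scores, company):
    """Per-area comparison plus the number of areas below the peer average."""
    validate(scores)
    avg = peer_average(scores, company)
    top = top_performer(scores, company)
    rows, below = [], 0
    for a in AREAS:
        level = scores[company][a]
        if level < avg[a]:
            below += 1
        rows.append({
            "area": f"{a} {AREAS[a]}",
            "company": level,
            "peers": round(avg[a], 2),
            "top": top[a],
            "risk": risk_rating(level, avg[a]),
        })
    return {"rows": rows, "below_average": below,
            "domain_average": domain_average(scores, company)}


if __name__ == "__main__":
    result = assess(SCORES, "COMPANY")
    for r in result["rows"]:
        print(f'{r["area"]:<32} {r["company"]} vs peers {r["peers"]:.2f} '
              f'(top {r["top"]}) -> {r["risk"]}')
    print(f'Below peer average in {result["below_average"]} out of {len(AREAS)} areas; '
          f'domain average {result["domain_average"]:.2f}')
```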
Security maturity assessment – domain Organization & People
A holistic Information Security awareness concept is the most effective solution to tackle the increasing number of attacks on employees
EXAMPLE – COMPANY lies below the peer group average in 7 out of 8 areas of the domain “Organization & People”
[Figure: Maturity level (0-4) per area – 2.1 Organization Structures, 2.2 Roles & Responsibilities, 2.3 Employee Training and Awareness, 2.4 Security Expert Training, 2.5 Security Service Improvement, 2.6 Cooperation with Corporate Security, 2.7 Relationship with Business Units, 2.8 Social Media – for COMPANY, the Manufacturing peer group, the top performer in the peer group and the total average (all participants)]
• “2.3 Employee Training & Awareness” is below the peer group average. Due to its increasing importance, the average is expected to rise. Recommendation: definition of a holistic concept, measurement of awareness and training success, use of multipliers
• “2.4 Security Expert Training” is below the peer group average (COMPANY: 1 vs. peers: 1.91). Recommendation: definition of training plans, introduction of mandatory training/certifications
• “2.6 Cooperation with Corp. Sec.” is significantly below the peer group average (COMPANY: 1 vs. peers: 2.45). Recommendation: intensification of collaboration with Corporate Security, use of joint success factors
Capgemini’s high-level risk evaluation: No risk / Low risk / Medium risk / High risk
Capgemini Consulting is happy to perform a detailed and individual assessment of your Information Security practice
If your organization would like to participate in Capgemini’s free Information Security study and gain full insights from Capgemini’s extensive benchmarking database, please contact:
Dr. Paul Lokuciejewski
Lead of Cybersecurity Consulting
Capgemini Deutschland GmbH
Berliner Str. 76
D-63065 Offenbach
Phone: +49 69 9515 1439
E-Mail: paul.lokuciejewski@capgemini.com
Trends in Cybersecurity
With the increasing complexity of organizations and the ongoing penetration of SMACT1
technologies, a “full perimeter” protection is not feasible anymore
Old paradigm vs. new paradigm:
- Control-centric → People-centric
- Prevent & protect → Predict, monitor & respond
- Perimetric defense → Data-centric defense
- Zero-risk dream & compliance → Digital risks & information life cycle
Solutions: Security Strategy; People & Awareness; Security Operations; Risk Mgmt & Information Classification
¹ Social, Mobile, Analytics, Cloud and (Internet of) Things
Our Strategic Cybersecurity Consulting guides your organization through a secure Digital
Transformation while leveraging the power of modern technologies
Capgemini Consulting Cybersecurity Portfolio (excerpt)
OUR STRATEGIC CYBERSECURITY CONSULTING ADDRESSES C-LEVEL CONCERNS TO ENABLE A SECURE DIGITAL TRANSFORMATION. IT WILL HELP YOU TO
- Benchmarking / Maturity Assessment – “gain a profound understanding of your current Cybersecurity situation.”
- Digital Risk Management – “make risk-based decisions and protect your business with optimal investment strategies.”
- Security Target Operating Model (ISMS) – “establish effective Cybersecurity capabilities for a holistic protection of your data and systems.”
- Awareness Campaign – “foster a people-centric security culture and protect against the increasing number of employee-focused attacks.”
CySIP Maturity Assessment approach
Capgemini performs its Cybersecurity & Information Protection (CySIP) Maturity
Assessment based on a proven approach and standardized tools
Phases, activities and results:
1. Scoping & Visioning
   Activities: define scope of assessment; derive strategic guidelines; determine client-specific threats; identify business-critical information and systems
   Results: aligned questionnaires; defined strategic guidelines; overview of business-critical information and systems
2. Maturity Assessment
   Activities: conduct focus interviews with business and IT to assess maturity; identify vulnerabilities and gaps; benchmark with best practices; define pain points, quick wins and long-term measures
   Results: overview of evaluated vulnerabilities and gaps; assessed CySIP maturity; measurement catalogue
3. Transformation Roadmap
   Activities: prioritize measures; define high-level business case; define transformation plan; align results with stakeholders; prepare decision documents
   Results: aligned and prioritized measures; high-level business case; transformation plan; final decision documents
4. Implementation
[Figure: Sample transformation plan (Q4 2014 – 2016) with workstreams Management & Governance, Int. Organization & Client, Applications & Operating System, Network & Hardware; activities include: analyze data privacy organization, design IS policy framework, outline governance principles for data, describe governance profiles and roles, transform to new organization; analyze business & IT requirements, develop security architecture model, design technical solutions, build and customize designed solution, test and deploy services; conduct risk and stakeholder analysis, perform survey to assess awareness level, develop awareness concept, design awareness objects, implement awareness objects, perform second survey to measure effectiveness; define business continuity strategy, develop decision structures, develop organization plan, define business impact analysis (BIA), conduct business impact analysis, formulate SLAs, define business continuity plans]
C-LEVEL AND BUSINESS-ORIENTED, STRUCTURED APPROACH FOR AN ACCELERATED INCREASE OF CLIENT’S MATURITY AND DEFINITION OF A CYBERSECURITY STRATEGY
Why Capgemini Consulting?
• C-level and business-oriented for alignment with business/IT strategy
• Toolkit of proven questionnaires for accelerated maturity assessment
• Extensive benchmark database for peer comparison
• Collaborative approach to define a clear strategy
Cybersecurity Digital Risk Management
Capgemini helps organizations to protect their critical information assets using optimal
investment strategies that minimize operational risk
Phases, activities and results:
1. Visioning & As-Is Analysis
   Activities: define scope of risk assessment; identify critical information assets; assess business impact (business impact analysis); perform gap analysis and define measures
   Results: assessment scope; realistic and worst-case inherent business impact ratings; overview of gaps/measures
2. To-Be Design
   Activities: describe procedures & interfaces; define roles & responsibilities and KRIs; develop reporting
   Results: policy and process description; role descriptions/RACI; reporting templates
3. Risk Assessment & Implementation
   Activities: profile threats and vulnerabilities; develop questionnaires; conduct risk assessments with business and IT to identify and evaluate risks; create a holistic risk register; define risk mitigation measures; implement process
   Results: risk assessment templates; validated risk assessment results; consolidated risk register; measurement catalogue; training material & reporting
BUSINESS-FOCUSED, STRUCTURED AND PRACTICAL RISK MANAGEMENT METHODOLOGY BASED ON RIGOROUS ASSESSMENT TO CREATE A HOLISTIC PROFILE OF DIGITAL RISKS
Why Capgemini Consulting?
• Proven best practices approach to create a holistic risk profile
• Focus on business perspective (“Digital Risk”)
• Practical methodology with rigorous assessment process
• Best practice templates to focus on key risks
Risk heat map (figure): probability (LOW / MEDIUM / HIGH) plotted against impact (LOW / MEDIUM / HIGH), with the identified risks 1–14 (including sub-risks 9a–9d and 14a/14b) placed in the cells

Sample risk report (figure) with the sections Current topics, Assessment, Measures, Management summary and Commentary

Topic area | Count | Green | Yellow | Orange | Red | Change vs. previous period
Topic 1    | 2     | 0     | 0      | 2      | 0   | #DIV/0!
Topic 2    | 0     | 0     | 0      | 0      | 0   | #DIV/0!
Topic 3    | 0     | 0     | 0      | 0      | 0   | #DIV/0!
Topic 4    | 1     | 0     | 0      | 1      | 0   | #DIV/0!

Report contents:
• Presentation of the implementation status of risk-treatment measures for key risks
• Overview of current group-wide topics, e.g. IT projects, changes in IT outsourcing
• Summary of the assessment of group-wide risks and of the status of the risk indicators (early warning system)
• Commentary
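The risk assessment and reporting steps above (a consolidated risk register, the probability/impact heat map, and a per-topic summary with the change against the previous period) as an added Python example; it is not code from the deck or from Capgemini. The rating cut-offs, the topic names, the risk ids and the previous-period counts are assumptions constructed for the example. The summary deliberately reports the "no previous data" case as None instead of the #DIV/0! the sample spreadsheet shows.

```python
"""Added example (not part of the Capgemini deck): a minimal risk register
with the probability x impact rating behind a heat map, the grid cells for
plotting, and the per-topic summary table from the sample report.
Topic names, risk ids and previous-period counts are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
RAG = ("green", "yellow", "orange", "red")   # status of the treating measure


@dataclass(frozen=True)
class Risk:
    risk_id: str
    topic: str           # topic area the report groups by
    probability: str     # LOW / MEDIUM / HIGH
    impact: str          # inherent business impact from the BIA
    measure_status: str  # one of RAG


def inherent_rating(risk: Risk) -> str:
    """Assumed heat-map rule: score = probability * impact on a 1..3 scale,
    6-9 -> HIGH, 3-4 -> MEDIUM, 1-2 -> LOW (the deck does not state cut-offs)."""
    score = LEVELS[risk.probability] * LEVELS[risk.impact]
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


def heat_map(risks: List[Risk]) -> Dict[Tuple[str, str], List[str]]:
    """Map each (probability, impact) cell to the risk ids plotted in it."""
    cells: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for r in risks:
        cells[(r.probability, r.impact)].append(r.risk_id)
    return dict(cells)


def period_change(current: int, previous: int) -> Optional[float]:
    """Relative change vs. the previous period. A spreadsheet shows #DIV/0!
    when the previous count is 0; here that case is reported as None so a
    newly added topic is not confused with a numeric change."""
    if previous == 0:
        return None
    return (current - previous) / previous


def summary_table(risks: List[Risk], previous_counts: Dict[str, int]) -> Dict[str, dict]:
    """One row per topic area: count, RAG breakdown of measures, period change."""
    by_topic: Dict[str, List[Risk]] = defaultdict(list)
    for r in risks:
        by_topic[r.topic].append(r)
    rows: Dict[str, dict] = {}
    for topic, topic_risks in by_topic.items():
        status_counts = Counter(r.measure_status for r in topic_risks)
        row: dict = {"count": len(topic_risks)}
        for colour in RAG:
            row[colour] = status_counts.get(colour, 0)
        row["change"] = period_change(len(topic_risks), previous_counts.get(topic, 0))
        rows[topic] = row
    return rows


def key_risks(risks: List[Risk]) -> List[str]:
    """Risks whose inherent rating is HIGH: the ones a management summary tracks."""
    return [r.risk_id for r in risks if inherent_rating(r) == "HIGH"]


# --- constructed sample register -----------------------------------------
SAMPLE_RISKS = [
    Risk("1", "Topic 1", "HIGH", "HIGH", "orange"),
    Risk("2", "Topic 1", "MEDIUM", "HIGH", "orange"),
    Risk("3", "Topic 4", "LOW", "HIGH", "orange"),
    Risk("4", "Topic 2", "MEDIUM", "MEDIUM", "green"),
    Risk("5", "Topic 3", "LOW", "LOW", "green"),
]
PREVIOUS_COUNTS = {"Topic 1": 0, "Topic 2": 2, "Topic 3": 1, "Topic 4": 1}

if __name__ == "__main__":
    print("key risks:", key_risks(SAMPLE_RISKS))
    for cell, ids in sorted(heat_map(SAMPLE_RISKS).items()):
        print(f"{cell}: {ids}")
    for topic, row in sorted(summary_table(SAMPLE_RISKS, PREVIOUS_COUNTS).items()):
        print(topic, row)
```

Running the block lists risks 1 and 2 as key (HIGH) risks, shows which heat-map cell each id falls into, and prints one summary row per topic; Topic 1 has no previous-period count and so gets a change of None rather than a spreadsheet error.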
2 Cybersecurity Target Operating Model (ISMS)
We support organizations in establishing an Information Security Management System that ensures an adequate setup and development of their Cybersecurity capabilities
Information Security Management System – Operating Model: organisational structure, governance model, roles & competencies, processes & interfaces, technology & systems, performance metric
HOLISTIC AND RISK-BASED METHODOLOGY TO INTEGRATE CYBERSECURITY INTO YOUR BUSINESS AND INCREASE RESILIENCE
Why Capgemini Consulting?
 Models tailored towards your organization context
 Experience from operating client ISMS
 Best-practices following industry standards (e.g. ISO 27001)
 Fast implementation due to ready-to-use assets (e.g. policies)
3 Cybersecurity Awareness 2.0
Awareness initiatives offered by Capgemini leverage broad communication campaigns and targeted training for roles with high risk profiles
Phase: QUICK SCAN
Objectives: Review risks and existing awareness initiatives, and analyze stakeholders and target groups
Phase: CONTENT ADAPTION
Objectives: Pragmatic adoption and creation of awareness content, outline of KPIs and multipliers
Phase: PLANNING
Objectives: Define transformation roadmap for prioritized measures
Roadmap (figure): example measures arranged by horizon (short term, mid term, long term, strategic goal), e.g. Store Front, Timesheet, Workforce Management, Mobile CRM, Mobile Worker Approvals, Interactive Dashboards, Mobile Executive Reports, Employee Tracking, Self-Service, Operations Support, Mobile Sales, Training Documentation, Collaboration Tools, Mobile Service, Customer Factsheets, Customer Interaction Tracker, Pushed Information, Automated Services, Product Information, Assistance Services
Stakeholder map (figure): internal stakeholders (= target audience) such as Leadership team (Global, Europe), Europe Leadership team (first line leaders; Unit A, Unit B, Unit C), Employees Europe (Unit A, Unit B, Unit C), Rest of Europe organisation (employees of other units), Corporate Functions (Communications, HR), Workers council, Joint project team (other projects within Company) and Change Program; external stakeholders such as Manufacturers, Retailers, Other distributors and Consumers
Example awareness flyer: The “Dark hotel” attack is targeting high-profile business travelers

Please remember: Hackers use fake update notifications to get you to install malware on your computer.

“Dark hotel” attack – step by step
1. You connect to the already infected hotel Wi-Fi with your laptop or smartphone.
2. You receive a fake software update notification on your device (“An update is ready to install!”).
3. You install the faked update, which is spy software that gives hackers access to the PC.
4. Hackers steal data, record keystrokes and infiltrate the network.

Tips for using foreign Wi-Fis
1. Always use the Company VPN connection for any transmission of confidential data.
2. Do not download or apply any updates in foreign Wi-Fis.
3. Turn off the wireless functions (Wi-Fi, Bluetooth, GPS and NFC) of your mobile devices when you don’t need them.
4. Always check if websites use the HTTPS standard in the address bar.
5. Always keep your antivirus software up-to-date (update at Company or at home).
6. If you are unsure, use the roaming package of your phone or your UMTS laptop adapter instead.

Flyer topics: possible threats while on tour; secure usage of wireless services; remote access capabilities
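One technical control behind tips 2 and 4 of the flyer, as an added Python example that is not part of the deck or of any Capgemini material: before an endpoint applies an update, verify that the package was delivered over HTTPS from the company's own update host and that its SHA-256 matches a value pinned beforehand (for instance fetched over the company VPN), so that a fake “update is ready” notice on a foreign Wi-Fi cannot deliver spyware. The host name, the package bytes and the manifest value are constructed.

```python
"""Added example (not part of the Capgemini deck): origin and integrity
checks an endpoint agent applies to an update package before installing it.
Host names, package bytes and the pinned digest are constructed."""
import hashlib
import hmac
from typing import List
from urllib.parse import urlparse

# Assumption: the company's own update channel lives on this host, and the
# expected SHA-256 of each release is obtained out-of-band (e.g. over the
# company VPN) and pinned before the package is fetched.
TRUSTED_UPDATE_HOSTS = frozenset({"updates.company.example"})


def update_rejection_reasons(url: str, payload: bytes, pinned_sha256: str) -> List[str]:
    """Return every reason to reject the package; an empty list means it may be installed.

    All checks run even after the first failure so the full result can be
    logged, which is more useful to an incident responder than fail-fast."""
    reasons: List[str] = []
    parts = urlparse(url)
    if parts.scheme != "https":
        reasons.append("package not delivered over HTTPS")
    if parts.hostname not in TRUSTED_UPDATE_HOSTS:
        reasons.append(f"untrusted update host: {parts.hostname!r}")
    digest = hashlib.sha256(payload).hexdigest()
    # compare_digest avoids a short-circuiting string compare; the digest
    # itself is public, so this is hygiene rather than secrecy
    if not hmac.compare_digest(digest, pinned_sha256.lower()):
        reasons.append("SHA-256 does not match the pinned manifest value")
    return reasons


# --- constructed sample data ---------------------------------------------
GENUINE_PACKAGE = b"company-agent-2.3.1\n" + b"\x00" * 64    # stands in for a real installer
PINNED_SHA256 = hashlib.sha256(GENUINE_PACKAGE).hexdigest()  # what the manifest carries
FAKE_PACKAGE = b"update.exe\n" + b"\x90" * 64               # what a rogue portal might push


def genuine_update_ok() -> bool:
    """The legitimate package from the trusted host passes all checks."""
    return update_rejection_reasons(
        "https://updates.company.example/agent/2.3.1.pkg", GENUINE_PACKAGE, PINNED_SHA256
    ) == []


def fake_update_reasons() -> List[str]:
    """A package pushed over plain HTTP from an unknown host fails every check."""
    return update_rejection_reasons(
        "http://hotel-portal.example/update/update.exe", FAKE_PACKAGE, PINNED_SHA256
    )


if __name__ == "__main__":
    print("genuine package accepted:", genuine_update_ok())
    for reason in fake_update_reasons():
        print("fake package rejected:", reason)
```

The digest pin is the check that matters: a package served from the right host over HTTPS but with the wrong bytes is still rejected, which is what defeats the substituted-update step of the flyer.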
Why Capgemini Consulting?
 Structured, proven approach to optimize ongoing campaigns
 Flexible and easy-to-adopt solutions
 Extensive knowledge in change and communication management
 Measurable impact based on implemented KPIs
PROACTIVELY TACKLE SECURITY THREATS BY INTRODUCING POSITIVE SECURITY BEHAVIORS THROUGH A HOLISTIC CYBERSECURITY AWARENESS CAMPAIGN
4 Cybersecurity Awareness 2.0 - communication channels
A best practice mix of different channels is used to effectively communicate key messages of the awareness campaign
Table columns: Format | Communication channels | Examples (extract)
Print
 Poster
 Article in internal newspapers
 Information Security Handbook
 Booklets
 Leaflets
 Flyers
 Newsletters
Digital
 Intranet/Web Sites/ banner/ blogs
 Flat screen content
 Online quizzes
 Web-based trainings
 Awareness movies
 Logon screen messages
 Online surveys / feedback polls
 Phishing mail tests
Events
 Clean desk audits
 Classroom trainings incl. train-the-trainer concept
 Information Security Days
 Security breakfast/ lunch events
 Live-hacks
 Onboarding training material
 Management trainings
4 Case study – Cybersecurity Awareness campaign design and implementation
Capgemini Consulting supports a leading energy company in significantly raising the awareness for Cybersecurity of 22,000 employees in 20+ countries
Issue
 Our Client – an international energy company with approx. 28,000 employees in more than 20 countries – faced an increasing number of security breaches caused by employees
 Loosely performed awareness initiatives in the past showed little to no positive effect
 Unknown level of employee awareness as a basis for focused awareness activities
 Missing local support for the global implementation of security initiatives
 No holistic approach for a group-wide, target-group-specific awareness campaign
Solution
 Execution of a group-wide, multi-lingual online survey with 22,000+ participants
 Development of a holistic awareness concept based on a detailed survey evaluation
 Design and creation of awareness objects using the right mix of communication channels
 Organization and execution of Cybersecurity Awareness events and trainings
 Establishment of a multiplier network for effective campaign implementation
 Program management based on Capgemini’s proven methods and tools
Benefits
 Increased awareness of security risks, leading to adoption of positive security behaviors
 Significantly decreased number of security breaches and human errors
 Improved acceptance and visibility of Cybersecurity as a business partner
 Enforced compliance with legal and regulatory requirements
4 Cybersecurity Awareness 2.0 - why Capgemini Consulting?
Proven, easy-to-adopt solutions and extensive project experience enable Capgemini to efficiently implement effective Information Security Awareness campaigns
1. Structured, proven approach to set up or optimize your ongoing awareness activities
2. Flexible and easy-to-adopt solutions for an accelerated increase of Information Security based on your needs
3. Benchmarking data derived from previous projects to compare with industry peers
4. Measurable impact based on implemented KPIs
5. Extensive knowledge in project, change and communication management
6. Global Capgemini network of security and communication experts
About Capgemini Consulting
CAPGEMINI GROUP from a global point of view
PEOPLE
• 140,000 employees
• Offices in 44 countries
COMPANY
• Listed on the Paris stock exchange (CAC-40)
• 10.1 bn € revenues (2013)
• Top 5 consultancy worldwide
• Two thirds of the world‘s largest companies are our clients
• Headquarter in Paris
Paul Hermelin, Group Chairman and CEO
CAPGEMINI CONSULTING: the strategy and transformation brand of the group
GLOBAL
• Strong global network
• 10,000 strategy and management consulting experts
• Present on all continents
Cyril Garcia, CEO Capgemini Consulting
CAPGEMINI CONSULTING GERMANY/AUSTRIA/SWITZERLAND
Dr. Volkmar Varnhagen, CEO CC Germany/Austria/Switzerland
CIO Advisory Services
To increase the Capgemini Consulting client focus and build trusted long-term relationships with our clients, we have designed our Service Offerings along the life-cycle of CIOs
OUR MISSION is to SUPPORT CIOs in every aspect of their work from ASSESSMENT to STRATEGY all the way through TRANSFORMATION

ASSESS – What is the current state of your IT Operation?
 IT Flash Assessment
 Cybersecurity Risk Assessment
 IT Project/ Program Audit
 Digital Day
 IT Due Diligence
 Post-Merger Integration IT and IT M&A Assessment

STRATEGIZE – How do you position your IT Organization strategically?
 IT Strategy Development
 Cybersecurity Strategy
 IT Innovation Strategies
 IT Digital Strategies
 Mobile Strategy
 Cloud Strategy

TRANSFORM – How do you improve/ transform your IT Organization long-term?
 IT Organizational Transformation
 Cybersecurity Transformation
 Digital Service Unit
 Lean IT/ IT efficiency
 IT Portfolio Management
 IT Shared Service Center
 Project Turn-around and PMO
Capgemini Group offers and capabilities
Capgemini Consulting relies on a strong and global Cybersecurity capability network within the Capgemini Group
2,500+ Capgemini resources with Cybersecurity skills, located in: Canada, United States, Mexico, Brazil, Argentina, all over Europe, Morocco, Australia, People’s Republic of China, India, Chile, Guatemala, Singapore, Philippines, Taiwan, Vietnam, United Arab Emirates, Malaysia, New Zealand, Japan, South Africa, Colombia
Capability areas (grouped under Management, Transformation and Build):
 Cybersecurity Awareness
 Security transformation program management
 Design and implementation of security solutions
 Digital security assessment & strategy and risk management
 Security technical assessment
Capgemini Surveys and Benchmarks (examples)
We constantly search for new customer solutions and provide our customers with the latest research and points of view on current and future topics
 IT Strategy & Change Management
 Digital Transformation in cooperation with MIT: the objective is to understand how the “digital winners” are managing (or have managed) their Digital Transformation, starting from “brick and mortar” and moving to a “digital company”, and to identify some guiding principles and best practices
 International Information Security studies & POVs, e.g. Information Security Benchmarking 2015 (Information Security assessment of companies in Germany, Austria and Switzerland, May 2015) and Trends in Security 2014
Dr. Guido Kamann
Head CIO Advisory Services DACH
Capgemini Suisse S.A.
Leutschenbachstrasse 95
CH-8050 Zürich
Phone: +41 44 5602 400
E-Mail: guido.kamann@capgemini.com
Dr. Paul Lokuciejewski
Lead of Cybersecurity Consulting
Capgemini Deutschland GmbH
Berliner Str. 76
D-63065 Offenbach
Phone: +49 151 4025 0855
E-Mail: paul.lokuciejewski@capgemini.com
Thank you.
 
Top Trends in Life Insurance: 2020
Top Trends in Life Insurance: 2020Top Trends in Life Insurance: 2020
Top Trends in Life Insurance: 2020
 
Top Trends in Health Insurance: 2020
Top Trends in Health Insurance: 2020Top Trends in Health Insurance: 2020
Top Trends in Health Insurance: 2020
 
Top Trends in Payments: 2020
Top Trends in Payments: 2020Top Trends in Payments: 2020
Top Trends in Payments: 2020
 

Último

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Último (20)

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Information Security Benchmarking 2015

• 1. Information Security Benchmarking 2015 – Information Security assessment of companies in Germany, Austria and Switzerland. Capgemini Consulting ("Transform to the power of digital"), May 2015.
• 2. Management summary – study design and approach
Capgemini Consulting conducted a benchmarking study on Information Security to provide a thorough and balanced view of the current state of security in DACH organizations.
Copyright © 2015 Capgemini Consulting. All rights reserved.
- Information Security is key for today's organizations. The increasing number of serious security breaches announced in the press reminds us every day of the financial and non-financial consequences a successful attack exposes a business to. New business and regulatory requirements, recent trends and the increasing sophistication of cyberattackers make this topic an even greater headache, not only for security officers but also for the board.
- Understanding how peers implement Information Security to protect the confidentiality, integrity and availability of data provides valuable insight for every organization. Such insights not only help in recognizing current trends but also enable the quick identification of individual strengths and areas of improvement, and allow benchmarking against the organization's peer group.
- In Q4 2014, Capgemini Consulting conducted an Information Security benchmarking study among companies and organizations in Germany, Austria and Switzerland. The 45 respondents from 10 different industry sectors provided their views on upcoming trends and delivered information on topics such as their security budget and organization structures.
- The Information Security assessment was based on a detailed maturity model. Using this model, study participants evaluated their security practice in the domains "Strategy & Governance", "Organization & People", "Processes" and "Technology".
- Capgemini evaluated the respondents' answers and presents the study results from two points of view:
  – overall results across all participants, to provide a thorough and balanced view of the current state of Cybersecurity in DACH
  – an individual assessment for each participant, in which individual answers are discussed and compared against the industry peer group
• 3. Management summary – key insights
Despite high top management attention and increasing budgets, Information Security must undergo a deep transformation to improve alignment and cooperation with the business.
- High top management attention for Information Security: 75% of the respondents rated top management's priority on Information Security as medium or high; numerous companies even view it as one of their strengths.
- Business goals not aligned with Information Security: protection of data and prevention of system outages are considered the key drivers for Information Security, while only 31% of the respondents view support of business goals as a driver for their security practice.
- Security risks ignored by business decision makers: 75% of the participating companies stated that the business is not involved in their IT risk management and does not consider security risks in its decision making.
- Lack of security KPIs and ROI consideration: 96% of the participants rely on the results of internal and external audits to measure the effectiveness of their Information Security, but only 7% use specific KPIs and merely 4% consider ROI estimates.
- Unstructured security awareness programs: increasing employee security awareness is the number one area of improvement for many companies. Only 27% of the participants characterized their awareness program as holistic, although 80% of respondents identified employees as the key source of security incidents.
- Inconsistent information classification: 50% of the respondents rated their information classification as inconsistent, with a lack of clearly defined classification policies and of owners for each information asset.
- Uncontrolled use of public clouds: 33% use public cloud services without full control of the transmitted data, exposing it to potential unauthorized access. 27% of participants do not use public cloud services at all.
- Increasing security budgets: more than half of the study participants (56%) expect an increase of their security budget, while only 9% expect a budget decrease. The expected increase of the security budget is 10% (median).
• 4. Cybersecurity challenges
Growing requirements and recent trends continue to pose new challenges to Cybersecurity and endanger the success of Digital Transformation for today's companies. Challenges shown in the diagram (centred on Digital Transformation):
- Organized cybercrime with sophisticated attacks: industrialization of hacking and professional attack software "as a service"; national intelligence agencies with unlimited resources; employees attacked by phishing, social engineering etc.
- New requirements and trends: trends from Digital Transformation (mobility, cloud, big data, social); business demanding higher flexibility; complex ecosystems (e.g. Industry 4.0); new regulations and laws, e.g. the German "IT-Sicherheitsgesetz"
- Slowly growing Cybersecurity budgets and constrained security resources
- Low awareness level of employees due to a lack of holistic programs
• 5. Table of contents
- Participants and Overview of the Study
- Overall Study Results
- Individual Results of Security Maturity Assessment
- Capgemini Consulting Cybersecurity Offerings
- About Capgemini Consulting
• 6. Participants information
Experts from medium- and large-sized companies across multiple industry sectors participated in the study, with a majority of participants from Germany and Austria (number of participants n = 45).
- Participants' industry sectors: Energy, Utilities & Chemicals 13%; Financial Services 24%; Manufacturing 22%; Public Sector 11%; Other Industries 29% (Retail, Logistics, Telco/Media/Entertainment, Automotive)
- Participants' role: CISO/IT Security Manager 69%; CIO 16%; IT Service Manager 4%; IT Application Manager 2%; Other 7%; Not specified 2%
- Participants' origin: 45%, 34%, 14%, 7% (the chart's country labels are not legible in the transcript; the last category is "Other"; the majority of participants are from Germany and Austria)
- Company sizes (number of employees): 1-500: 4%; 501-1,000: 9%; 1,001-5,000: 31%; 5,001-15,000: 18%; more than 15,000: 36%; Not specified: 2%
• 7. Participant peer groups
Leading DAX, ATX and SMI companies, hidden champions from various industries and public sector organizations participated in the Capgemini Consulting benchmarking study.
- Financial Services: major Austrian and Swiss banks, leading insurance companies from Germany, Austria and Switzerland, service providers for financial institutes
- Manufacturing: DAX companies, large international manufacturers and hidden champions from Germany, Austria and Switzerland
- Public Sector: major German and Austrian federal authorities and ministries, infrastructure operators and competence centers for municipalities
- Energy, Utilities & Chemicals: leading energy and chemical companies from DAX and ATX, international Swiss electric utilities
- Other Industries: leading international retail, logistics, telco, media and car supplier companies from Germany, Austria and Switzerland
• 8. Information Security benchmarking
The Capgemini Consulting benchmarking study evaluates all relevant areas of an organization's Information Security practice using proven standards and industry best practices.
- Structure of the study: Information Security organization & budget; drivers & strengths, pain points & risks; maturity assessment of all Information Security areas
- Scope of the benchmarking study: covers all relevant security areas, structured along the four domains Strategy & Governance, Organization & People, Processes and Technology
- Based on common Information Security standards (ISO 2700x) and industry best practices
• 9. Maturity model – design principles
The benchmark evaluates the participants' security based on the Capgemini Consulting Information Security maturity model.
- To achieve reliable results, the study aims at an objective and repeatable security maturity assessment of all participants
- Objectivity is achieved by assessing each Information Security component based on a clearly defined 5-level maturity model (low to high)
Maturity levels and their typical characteristics:
- 0 – Non-existent: not performed; non-existent; not installed; necessity not understood
- 1 – Ad hoc: ad hoc; as needed; informal; loosely defined; inconsistent; basic; occasional; reactive
- 2 – Defined: defined process, roles and responsibilities; documented; formal; communicated
- 3 – Measured: measured to work effectively; monitored; use of KPIs; regular reviews/audits; partially automated
- 4 – Optimized: continuous improvement and optimization; best practice; risk mitigation; automated workflow; business enabler; proactive
• 10. Overall Study Results – 1. Drivers & risks
• 11. Drivers for Information Security
Protection of data is the key driver for Information Security; supporting business goals and enabling Digital Transformation is of less relevance for most companies.
- Protection of customer data: 78%
- Prevention of system/process outage: 71%
- Protection of personal data: 69%
- Protection of assets and IP: 58%
- Safeguard for reputation: 44%
- Support for business goals: 31%
- Enabler for Digital Transformation: 16%
- Strengthening competitiveness: 11%
- Increase of efficiency/cost reduction: 7%
- Critical infrastructure protection: 2%
- Compliance: 2%
- Legal requirements: 2%
Only 31% of participants rated support of business goals as a key driver.
• 12. Strengths and top management attention
Information Security is on the boardroom agenda; many participants see top management attention as one of their strengths.
Ranked top strengths:
1. Security expertise & capabilities
2. Management attention & commitment
3. Holistic Target Operating Model/ISMS (Information Security Management System)
4. Security awareness & training
5. Data protection based on requirements
75% of participants rated top management attention as medium to high.
• 13. Improvement fields and awareness programs
Although the majority of the participants have already identified its importance, several companies still have not implemented a holistic security awareness program.
Ranked top improvement fields:
1. Security awareness & training
2. Communication & collaboration
3. Policies & documentation
4. Security expertise & capabilities
5. Security operations center & monitoring
73% of participants consider their awareness program as unstructured.
• 14. Security risks and sources for security incidents
Data theft and disclosure of information represent the largest security risk; the resulting incidents are frequently caused by current and former employees.
Top risks:
- Data theft and disclosure
- Service outage
- Phishing & social engineering
- Unauthorized network access
- Internal and external fraud
Sources for incidents:
- Current and former employees: 80%
- Organized crime: 56%
- Hackers/script kiddies: 56%
- Third-party partners/suppliers: 47%
- Foreign nation states/national agencies: 29%
- Visitors: 13%
- Terrorists: 13%
- Competitors: 11%
80% of participants consider their employees as the main source for security incidents.
• 15. High priority topics
Increasing security awareness and training employees are considered essential elements of Information Security to protect corporate information.
- Security awareness & training: 44%
- Mobile device security: 28%
- Identity & access management: 23%
- Network security: 15%
- Security operations center & monitoring: 13%
- Holistic information security management system: 13%
- Policies & documentation: 10%
- Process optimization: 10%
- Risk & vulnerability management: 10%
- Business continuity/disaster recovery management: 8%
44% of respondents plan to invest in awareness campaigns in the upcoming months.
• 16. Effectiveness measurement
Internal and external audits are by far the most applied methods to measure security effectiveness, while security KPIs and ROI estimation are almost neglected.
- Results of audits by internal or external auditors: 96%
- Number of security incidents: 64%
- Measurement of Information Security awareness: 38%
- Industry benchmarking: 33%
- Feedback from management: 31%
- Proportion of system downtime: 27%
- Number of security policies and standards: 16%
- Specific key performance indicators: 7%
- Return on investment (ROI) estimation: 4%
Only 4% of companies consider ROI as an effectiveness measure.
• 17. Security standards and best practices
ISO 2700x is the de-facto standard for Information Security in all sectors, while COBIT is only sparsely implemented among the study participants.
Share of participants per peer group applying each standard (values transcribed from the bar chart in the order of the chart legend):

Standard              Financial  Energy, Utilities  Public  Manufacturing  Other
                      Services   & Chemicals        Sector
ISO 27001               100%         100%            80%        71%        73%
ITIL                     64%          33%            60%        71%        45%
BSI                      55%          33%            80%        14%        55%
COBIT                    27%          17%             0%        57%        36%
Other (e.g. PCI DSS)     18%           0%             0%        14%         0%
• 18. IT risk management
A lack of Information Security risk consideration during business decisions may result in insecure solutions with a high potential for security breaches.
Business decisions with security involvement: distribution of participants across the maturity levels as shown in the chart (axis labelled 4 = optimized … 0 = non-existent): 7%, 18%, 44%, 22%, 9%.
75% of companies do not consider security risks in their business decision making.
• 19. Information Security governance
An essential part of Information Security governance are steering committees, where security-related decisions are reached by consensus of the relevant stakeholders.
Involvement of relevant stakeholders: distribution of participants across the maturity levels as shown in the chart (axis labelled 4 = optimized … 0 = non-existent): 20%, 35%, 16%, 29%, 0%.
56% of respondents have defined a security steering committee with various stakeholders.
• 20. Information classification and cloud computing
Information classification has been strongly neglected in recent years; the lack of effective classification solutions is also a key security concern for cloud computing.
- Classification: distribution of participants across the maturity levels as shown in the chart (axis labelled 4 = optimized … 0 = non-existent): 4%, 9%, 27%, 33%, 27%. 50% of companies rate their data classification as inconsistent.
- Cloud computing: distribution of participants across the maturity levels as shown in the chart (same axis): 3%, 10%, 38%, 45%, 5%. 33% of participants allow an uncontrolled use of public cloud services.
• 21. Overall Study Results – 2. Organization & budget
• 22. Organization – FTEs in Information Security
With a median of 4 FTEs working in the Information Security function, large companies have twice the resources of medium-sized companies (median 2 FTEs).
- Medium-sized companies (up to 5,000 employees): min 0.5, median 2, max 62 FTEs
- Large-sized companies (more than 5,000 employees): min 1, median 4, max 100 FTEs
• 23. Information Security budget
56% of the participating companies expect an increase of their security budget compared to the previous year, by 10% (median).
- Budget changes: budget increase 56%; budget decrease 9%; no statement 36%
- Change of security budgets (in %): min -25%, median +10%, max +67%
• 24. Overall Study Results – 3. Overall security maturity assessment
• 25. Overall security maturity assessment – industry peers
With a typical maturity level of 2, most participants' security areas are formally defined but lack effective measurement and automation.
Average maturity level per peer group (scale 0 = low to 4 = high):
- Public Sector: 2.5
- Financial Services: 2.2
- Manufacturing: 2.1
- Energy, Utilities & Chemicals: 2.0
- Other industries: 1.7
2.5 is the highest average maturity level, achieved by the Public Sector.
• 26. Overall security maturity assessment – details
The Public Sector outperformed in the domains "Strategy & Governance" and "Organization & People", while in "Processes" and "Technology" Financial Services showed the highest maturity. The radar chart (scale 0 to 4) compares the peer groups Public Sector, Financial Services, Manufacturing, Energy, Utilities & Chemicals and Other Industries across the following assessment areas:
- Strategy & Governance: 1.1 Strategy; 1.2 Governance Structure; 1.3 Compliance Management; 1.4 Risk Management; 1.5 BCM/DRM; 1.6 Audits; 1.7 Data Privacy; 1.8 Security Incident Reporting
- Organization & People: 2.1 Organization Structures; 2.2 Roles & Responsibilities; 2.3 Employee Training and Awareness; 2.4 Security Expert Training; 2.5 Security Service Improvement; 2.6 Cooperation with Corporate Security; 2.7 Relationship with Business Units; 2.8 Social Media
- Processes: 3.1 Identity and Access Management; 3.2 Threat and Vulnerability Management; 3.3 Patch Management; 3.4 Information Classification; 3.5 Sourcing and Vendor Management; 3.6 Secure Application Development; 3.7 Backup; 3.8 Mobile Devices; 3.9 Retention and Investigation of Data; 3.10 Cloud Computing; 3.11 Physical User Access Management
- Technology: 4.1 Firewalls; 4.2 Remote User Access; 4.3 Network Intrusion Protection; 4.4 Wireless Network; 4.5 Database Security; 4.6 Server and System Security; 4.7 Endpoint Device Security; 4.8 Application Security; 4.9 Malicious Content Protection; 4.10 Physical Control Systems
• 27. Individual Results of Security Maturity Assessment
  • 28. Drivers, incident sources and measurement. COMPANY's security function is closely aligned to the business, defining support for business goals as a key driver for its investments. (EXAMPLE 1: the following results represent an anonymized individual assessment; COMPANY is only a placeholder.)
  COMPANY's individual answers:
  A. Drivers for Information Security: prevention of system outages; support for business goals.
  B. Sources for incidents: organized crime; visitors.
  C. Effectiveness measurements: return on investment (ROI); results of audits by internal and external auditors; industry benchmarking; measurement of Information Security awareness; feedback from management.
  Comparison with the peer group:
  A. Drivers: prevention of system outages is the key driver for most members (83%) of the peer group "Energy, Utilities & Chemicals". COMPANY is the only participant in the peer group defining support for business goals as a key driver for security. In contrast to COMPANY, 50% of the other participants in the peer group consider protection of customer data and protection of assets and IP as a key driver for security.
  B. Sources: organized crime is seen by COMPANY and most other peer group members as a key source of incidents. In addition, other companies from the peer group consider current/former employees (67%) and hackers (50%) as further incident sources.
  C. Measurements: COMPANY is the only participant in the peer group considering ROI as a measure. 84% of the other participants consider the number of security incidents as a further effectiveness measure.
  • 29. Strengths, improvement fields, risks and priorities. COMPANY's improvement fields are mainly located in the domain "Processes"; access management and data classification are common improvement fields among the respondents. (EXAMPLE: COMPANY's individual answers, mapped on the slide to the domains of the Capgemini Consulting Information Security Framework: Strategy & Governance, Organization & People, Processes, Technology.)
  Top 3 strengths: 1. Vulnerability management; 2. Certified infrastructure; 3. Integrated management system.
  Top 3 improvement fields: 1. Access management; 2. Compliance and requirements management; 3. Data classification.
  Top 3 risks: 1. Data leakage; 2. Internal threats; 3. Complexity.
  Top 3 priorities: 1. Access control; 2. Data classification; 3. none stated.
  • 30. Security maturity assessment – domain Strategy & Governance. With an immature IT risk management, COMPANY may miss or underestimate major risks to its organization and fall victim to internal and external threats. (EXAMPLE)
  COMPANY lies below the peer group average in 6 out of 8 areas of the domain "Strategy & Governance". The chart (maturity scale 0 to 4) compares COMPANY with the Financial Services top performer in the peer group and the total average of all participants across the areas 1.1 Strategy, 1.2 Governance Structure, 1.3 IT Compliance Management, 1.4 IT Risk Management, 1.5 BCM/DRM, 1.6 Audits, 1.7 Data Privacy and 1.8 Security Incident Reporting; each area carries Capgemini's high-level risk evaluation (no risk, low risk, medium risk or high risk).
  A. "1.2 Governance Structure" is below the peer group average (COMPANY: 2 vs. peers: 2.47). Recommendation: definition of a security steering committee with the relevant stakeholders, reporting directly to top management.
  B. "1.4 IT Risk Management" is significantly below the peer group average (COMPANY: 1 vs. peers: 2.45). Recommendation: definition of processes, roles and responsibilities, regular assessments, management of mitigation measures, reporting, definition of key risk indicators (KRIs).
  C. "1.6 Audits" is below the peer group average (COMPANY: 2 vs. peers: 2.91). Recommendation: definition of data collection methods to support auditors, immediate response to findings through an automated process.
  • 31. Security maturity assessment – domain Organization & People. A holistic Information Security awareness concept is the most effective solution to tackle the increasing number of attacks on employees. (EXAMPLE)
  COMPANY lies below the peer group average in 7 out of 8 areas of the domain "Organization & People". The chart (maturity scale 0 to 4) compares COMPANY with the Manufacturing top performer in the peer group and the total average of all participants across the areas 2.1 Organization Structures, 2.2 Roles & Responsibilities, 2.3 Employee Training and Awareness, 2.4 Security Expert Training, 2.5 Security Service Improvement, 2.6 Cooperation with Corporate Security, 2.7 Relationship with Business Units and 2.8 Social Media; each area carries Capgemini's high-level risk evaluation (no risk, low risk, medium risk or high risk).
  A. "2.3 Employee Training & Awareness" is below the peer group average. Due to its increasing importance, the average is expected to rise. Recommendation: definition of a holistic concept, measurement of awareness and training success, use of multipliers.
  B. "2.4 Security Expert Training" is below the peer group average (COMPANY: 1 vs. peers: 1.91). Recommendation: definition of training plans, introduction of mandatory trainings and certifications.
  C. "2.6 Cooperation with Corporate Security" is significantly below the peer group average (COMPANY: 1 vs. peers: 2.45). Recommendation: intensification of the collaboration with Corporate Security, use of joint success factors.
  • 32. Capgemini Consulting is happy to perform a detailed and individual assessment of your Information Security practice. If your organization would like to participate in Capgemini's free Information Security study and gain full insight from Capgemini's extensive benchmarking database, please contact: Dr. Paul Lokuciejewski, Lead of Cybersecurity Consulting, Capgemini Deutschland GmbH, Berliner Str. 76, D-63065 Offenbach, Phone: +49 69 9515 1439, E-Mail: paul.lokuciejewski@capgemini.com
  • 33. Section: Capgemini Consulting Cybersecurity Offerings.
  • 34. Trends in Cybersecurity. With the increasing complexity of organizations and the ongoing penetration of SMACT (1) technologies, a "full perimeter" protection is no longer feasible. Old paradigm vs. new paradigm: control-centric vs. people-centric; prevent & protect vs. predict, monitor & respond; perimetric defense vs. data-centric defense; zero-risk dream & compliance vs. digital risks & information life cycle. Solution areas: Security Strategy; People & Awareness; Security Operations; Risk Management & Information Classification.
  (1) Social, Mobile, Analytics, Cloud and (Internet of) Things
  • 35. Capgemini Consulting Cybersecurity Portfolio (excerpt). Our Strategic Cybersecurity Consulting guides your organization through a secure Digital Transformation while leveraging the power of modern technologies. Our Strategic Cybersecurity Consulting addresses C-level concerns to enable a secure Digital Transformation. It will help you to:
  1. Benchmarking / Maturity Assessment: "gain a profound understanding of your current Cybersecurity situation."
  2. Digital Risk Management: "make risk-based decisions and protect your business with optimal investment strategies."
  3. Security Target Operating Model (ISMS): "establish effective Cybersecurity capabilities for a holistic protection of your data and systems."
  4. Awareness Campaign: "foster a people-centric security culture and protect against the increasing number of employee-focused attacks."
  • 36. CySIP Maturity Assessment approach (offering 1). Capgemini performs its Cybersecurity & Information Protection (CySIP) Maturity Assessment based on a proven approach and standardized tools: a C-level and business-oriented, structured approach for an accelerated increase of the client's maturity and the definition of a Cybersecurity strategy.
  Phase 1, Scoping & Visioning. Activities: define scope of assessment; derive strategic guidelines; determine client-specific threats; identify business-critical information and systems. Results: aligned questionnaires; defined strategic guidelines; overview of business-critical information and systems.
  Phase 2, Maturity Assessment. Activities: conduct focus interviews with business and IT to assess maturity; identify vulnerabilities and gaps; benchmark with best practices; define pain points, quick wins and long-term measures. Results: overview of evaluated vulnerabilities and gaps; assessed CySIP maturity; measurement catalogue.
  Phase 3, Transformation Roadmap. Activities: prioritize measures; define high-level business case; define transformation plan; align results with stakeholders; prepare decision documents. Results: aligned and prioritized measures; high-level business case; transformation plan; final decision documents.
  Illustrations on the slide: a sample transformation plan (Q4 2014 to 2016, with work streams for management & governance, internal organization & client, applications & operating system, and network & hardware), a sample to-be IT organization chart and a sample maturity radar chart for the domain Strategy & Governance.
  Why Capgemini Consulting? C-level and business-oriented for alignment with the business/IT strategy; toolkit of proven questionnaires for an accelerated maturity assessment; extensive benchmark database for peer comparison; collaborative approach to define a clear strategy.
  • 37. Cybersecurity Digital Risk Management (offering 2). Capgemini helps organizations to protect their critical information assets using optimal investment strategies that minimize operational risk: a business-focused, structured and practical risk management methodology based on rigorous assessment to create a holistic profile of digital risks.
  Phase 1, Visioning & As-Is Analysis. Activities: define scope of risk assessment; identify critical information assets; assess business impact (business impact analysis); perform gap analysis and define measures. Results: assessment scope; realistic and worst-case inherent business impact ratings; overview of gaps and measures.
  Phase 2, To-Be Design. Activities: describe procedures and interfaces; define roles and responsibilities and KRIs; develop reporting. Results: policy and process description; role descriptions / RACI; reporting templates.
  Phase 3, Risk Assessment & Implementation. Activities: profile threats and vulnerabilities; develop questionnaires; conduct risk assessments with business and IT to identify and evaluate risks; create a holistic risk register; define risk mitigation measures; implement the process. Results: risk assessment templates; validated risk assessment results; consolidated risk register; measurement catalogue; training material and reporting.
  Illustrations on the slide: a probability/impact risk matrix (low, medium, high on both axes) with numbered risks, and a sample risk report (in German) whose management summary covers the implementation status of risk-treatment measures for material risks; an overview of current group-wide topics, e.g. IT projects or changes in IT outsourcing; a summary of the assessment of group-wide risks and the status of the risk indicators (early warning system); and commentary.
  Why Capgemini Consulting? Proven best-practice approach to create a holistic risk profile; focus on the business perspective ("Digital Risk"); practical methodology with a rigorous assessment process; best-practice templates to focus on key risks.
  • 38. Cybersecurity Target Operating Model (ISMS) (offering 3). We support organizations in establishing an Information Security Management System that ensures an adequate setup and development of their Cybersecurity capabilities: a holistic and risk-based methodology to integrate Cybersecurity into your business and increase resilience. Elements of the ISMS operating model: organisational structure; governance model; roles & competencies; processes & interfaces; technology & systems; performance metrics.
  Why Capgemini Consulting? Models tailored to your organization's context; experience from operating client ISMS; best practices following industry standards (e.g. ISO 27001); fast implementation due to ready-to-use assets (e.g. policies).
  • 39. Cybersecurity Awareness 2.0 (offering 4). Awareness initiatives offered by Capgemini leverage broad communication campaigns and targeted training for roles with high risk profiles: proactively tackle security threats by introducing positive security behaviors through a holistic Cybersecurity awareness campaign.
  Phase 1, Quick Scan. Objective: review risks and existing awareness initiatives; analyze stakeholders and target groups.
  Phase 2, Content Adaptation. Objective: pragmatic adoption and creation of awareness content; outline of KPIs and multipliers.
  Phase 3, Planning. Objective: define a transformation roadmap for the prioritized measures.
  Illustrations on the slide: a prioritized roadmap (short term, mid term, long term, strategic goal); a stakeholder map distinguishing internal stakeholders (global and European leadership teams, first-line leaders, employees of the business units, corporate functions such as Communications and HR, the workers council, the joint project team and other projects within the company) from external stakeholders (retailers, other distributors, manufacturers, consumers); and a sample awareness poster on the "Dark Hotel" attack:
  The "Dark Hotel" attack targets high-profile business travelers. Step by step: 1. You connect to the already infected hotel Wi-Fi with your laptop or smartphone. 2. You receive a fake software update notification on your device ("An update is ready to install!"). 3. You install the fake update, which is spy software that gives the attackers access to your PC. 4. The attackers steal data, record keystrokes and infiltrate the company network. Please remember: attackers use fake update notifications to get you to install malware on your computer.
  Tips for using foreign Wi-Fi networks: 1. Always use the company VPN connection for any transmission of confidential data. 2. Do not download or apply any updates while on a foreign Wi-Fi network. 3. Turn off the wireless functions (Wi-Fi, Bluetooth, GPS and NFC) of your mobile devices when you do not need them. 4. Always check in the address bar that websites use HTTPS. 5. Always keep your antivirus software up to date (update at the company or at home). 6. If you are unsure, use your phone's roaming package or your UMTS laptop adapter instead. Topics covered by the poster: possible threats while traveling; secure usage of wireless services; remote access capabilities.
  Why Capgemini Consulting? Structured, proven approach to optimize ongoing campaigns; flexible and easy-to-adopt solutions; extensive knowledge in change and communication management; measurable impact based on implemented KPIs.
  • 40. Cybersecurity Awareness 2.0 – communication channels (offering 4). A best-practice mix of different channels is used to effectively communicate the key messages of the awareness campaign. Examples (extract) by format:
  Print: poster; article in internal newspapers; Information Security handbook; booklets; leaflets; flyers; newsletters.
  Digital: intranet / web sites / banners / blogs; flat screen content; online quizzes; web-based trainings; awareness movies; logon screen messages; online surveys / feedback polls; phishing mail tests.
  Events: clean desk audits; classroom trainings incl. train-the-trainer concept; Information Security Days; security breakfast/lunch events; live hacks; onboarding training material; management trainings.
  (EXAMPLE 2)
  • 41. Case study – Cybersecurity Awareness campaign design and implementation (offering 4). Capgemini Consulting supports a leading energy company in significantly raising the Cybersecurity awareness of 22,000 employees in 20+ countries.
  Issue: Our client, an international energy company with approx. 28,000 employees in more than 20 countries, faced an increasing number of security breaches caused by employees. Loosely run awareness initiatives in the past showed little to no positive effect. The level of employee awareness was unknown, so awareness activities could not be focused. Local support for the global implementation of security initiatives was missing. There was no holistic approach for a group-wide, target-group-specific awareness campaign.
  Solution: conducting a group-wide, multilingual online survey with 22,000+ participants; developing a holistic awareness concept based on a detailed evaluation of the survey; designing and creating awareness objects using the right mix of communication channels; organizing and conducting Cybersecurity awareness events and trainings; establishing a multiplier network for an effective campaign implementation; program management based on Capgemini's proven methods and tools.
  Benefits: increased awareness of security risks, leading to the adoption of positive security behaviors; significantly decreased number of security breaches and human errors; improved acceptance and visibility of Cybersecurity as a business partner; strengthened compliance with legal and regulatory requirements.
  • 42. Cybersecurity Awareness 2.0 – why Capgemini Consulting? (offering 4). Proven, easy-to-adopt solutions and extensive project experience enable Capgemini to efficiently implement effective Information Security awareness campaigns: 1. Structured, proven approach to set up or optimize your ongoing awareness activities. 2. Flexible and easy-to-adopt solutions for an accelerated increase of Information Security based on your needs. 3. Benchmarking data derived from previous projects to compare with industry peers. 4. Measurable impact based on implemented KPIs. 5. Extensive knowledge in project, change and communication management. 6. Global Capgemini network of security and communication experts.
  • 43. Section: About Capgemini Consulting.
  • 44. Capgemini Group from a global point of view. Company: listed on the Paris stock exchange (CAC-40); EUR 10.1 bn revenues (2013); top 5 consultancy worldwide; two thirds of the world's largest companies are our clients; headquartered in Paris. People: 140,000 employees; offices in 44 countries. Paul Hermelin, Group Chairman and CEO.
  • 45. Capgemini Consulting, the strategy and transformation brand of the group. Global: strong global network; 10,000 strategy and management consulting experts; present on all continents. Cyril Garcia, CEO Capgemini Consulting. Capgemini Consulting Germany/Austria/Switzerland: Dr. Volkmar Varnhagen, CEO CC Germany/Austria/Switzerland.
  • 46. CIO Advisory Services. Our mission is to support CIOs in every aspect of their work, from assessment to strategy all the way through transformation. To increase the Capgemini Consulting client focus and build trusted long-term relationships with our clients, we have designed our service offerings along the life cycle of CIOs.
  Assess (What is the current state of your IT operation?): IT Flash Assessment; Cybersecurity Risk Assessment; IT Project/Program Audit; Digital Day; IT Due Diligence; Post-Merger Integration IT and IT M&A Assessment.
  Strategize (How do you position your IT organization strategically?): IT Strategy Development; Cybersecurity Strategy; IT Innovation Strategies; IT Digital Strategies; Mobile Strategy; Cloud Strategy.
  Transform (How do you improve/transform your IT organization long-term?): IT Organizational Transformation; Cybersecurity Transformation; Digital Service Unit; Lean IT / IT efficiency; IT Portfolio Management; IT Shared Service Center; Project Turn-around and PMO.
  • 47. Capgemini Group offers and capabilities. Capgemini Consulting relies on a strong and global Cybersecurity capability network within the Capgemini Group: 2,500+ Capgemini resources with Cybersecurity skills, located in Canada, the United States, Mexico, Guatemala, Colombia, Brazil, Chile, Argentina, all over Europe, Morocco, South Africa, the United Arab Emirates, India, the People's Republic of China, Taiwan, Vietnam, Malaysia, Singapore, the Philippines, Japan, Australia and New Zealand. Capabilities: management (digital security assessment & strategy and risk management; Cybersecurity awareness); transformation (security transformation program management; security technical assessment); build (design and implementation of security solutions).
  • 48. Capgemini Surveys and Benchmarks (examples). We constantly search for new customer solutions and provide our customers with the latest research and points of view on current and future topics. Digital Transformation (in cooperation with MIT): the objective is to understand how the "digital winners" are managing (or have managed) their Digital Transformation, starting from "brick and mortar" and moving to a "digital company", and to identify guiding principles and best practices. International Information Security studies and points of view: Trends in Security 2014; Information Security Benchmarking 2015, an Information Security assessment of companies in Germany, Austria and Switzerland (May 2015). IT Strategy & Change Management.
  • 49. Thank you. Contacts: Dr. Guido Kamann, Head CIO Advisory Services DACH, Capgemini Suisse S.A., Leutschenbachstrasse 95, CH-8050 Zürich, Phone: +41 44 5602 400, E-Mail: guido.kamann@capgemini.com. Dr. Paul Lokuciejewski, Lead of Cybersecurity Consulting, Capgemini Deutschland GmbH, Berliner Str. 76, D-63065 Offenbach, Phone: +49 151 4025 0855, E-Mail: paul.lokuciejewski@capgemini.com.