
Capgemini Consulting


(1)

Transform to the power of digital

Cybersecurity @ Capgemini Consulting

Capgemini Consulting Cybersecurity Service Portfolio

July 2015

(2)

Growing requirements and recent trends continue to pose new challenges to Cybersecurity and endanger the success of Digital Transformation for today’s companies

Cybersecurity challenges

Copyright © 2015 Capgemini Consulting. All rights reserved.


Organized cybercrime with sophisticated attacks

New requirements and trends

Slowly growing Cybersecurity budgets

Trends from Digital Transformation

Mobility

Regulatory pressure and new laws

Business demanding higher flexibility

Complex ecosystem

Low awareness level of employees due to lack of holistic programs

DIGITAL TRANSFORMATION

Constrained security resources

Cloud

Big Data

Social

Industrialization of hacking, professional attack software “as a service”

National intelligence agencies with unlimited resources

Employees attacked by phishing, social engineering …

(3)

Capgemini Consulting Cybersecurity Framework

Capgemini supports a successful transformation of the Cybersecurity function into an integrated, strategic and risk-focused business partner

Organization Transformation & Professionalization

ORGANIZATION & PEOPLE

PROCESSES

TECHNOLOGY

STRATEGY & GOVERNANCE

Program Management

Change & Communication Management

Cybersecurity Ecosystem

CYBERSECURITY & INFORMATION PROTECTION MATURITY ASSESSMENT

CYBERSECURITY RISK MANAGEMENT

CYBERSECURITY TARGET OPERATING MODEL (ISMS)

AWARENESS 2.0

SECURITY EXPERT TRAINING

CRISIS MANAGEMENT

IDENTITY AND ACCESS MANAGEMENT

MOBILE SECURE

Deep Dive - Cybersecurity Offerings

END-POINT SECURITY

DATA CENTER SECURITY/SOC SERVICES

APPLICATION AND OT SECURITY

(4)

CySIP Maturity Assessment approach

Capgemini performs its Cybersecurity & Information Protection (CySIP) Maturity Assessment based on a proven approach and standardized tools


• Conduct focus interviews with business and IT to assess maturity
• Identify vulnerabilities and gaps
• Benchmark with best practices
• Define pain points, quick wins and long-term measures
• Prioritize measures
• Define high-level business case
• Define transformation plan
• Align results with stakeholders
• Prepare decision documents
• Define scope of assessment
• Derive strategic guidelines
• Determine client-specific threats
• Identify business-critical information and systems

MATURITY ASSESSMENT

TRANSFORMATION ROADMAP

SCOPING & VISIONING

Overview of evaluated vulnerabilities and gaps

Assessed CySIP maturity

Measurement catalogue

Aligned and prioritized measures

High-level business case

Transformation plan

Final decision documents

Aligned questionnaires

Defined strategic guidelines

Overview of business-critical information and systems

[Figures: implementation roadmap with activities by layer (Management & Governance, Int. Organization & Client, Applications & Operating System, Network & Hardware) over Q4 2014, 2015 and 2016; to-be IT demand organization chart; maturity benchmark chart on a 0 to 4 scale across 1.1 Strategy, 1.2 Governance Structure, 1.3 IT Compliance Management, 1.4 IT Risk Management, 1.5 BCM/DRM, 1.6 Audits, 1.7 Data Privacy and 1.8 Security Incident Reporting, compared with Top Performer in Peer Group and Total Average (All Participants)]

C-LEVEL AND BUSINESS-ORIENTED, STRUCTURED APPROACH FOR AN ACCELERATED INCREASE OF CLIENT'S MATURITY AND DEFINITION OF A CYBERSECURITY STRATEGY

Why Capgemini Consulting?

C-Level and business-oriented for alignment with business/IT strategy

Toolkit of proven questionnaires for accelerated maturity assessment

Extensive benchmark database for peer comparison

Collaborative approach to define clear strategy


(5)

Cybersecurity Risk Management

Capgemini helps organizations to protect their critical information assets using optimal investment strategies that minimize operational risk

• Describe procedures & interfaces
• Define roles & responsibilities and KRIs
• Develop reporting
• Profile threats and vulnerabilities
• Develop questionnaires
• Conduct risk assessments with business and IT to identify and evaluate risks
• Create a holistic risk register
• Define risk mitigation measures
• Implement process
• Define scope of risk assessment
• Identify critical information assets
• Assess business impact (business impact analysis)
• Perform gap analysis and define measures

TO-BE DESIGN

RISK ASSESSMENT & IMPLEMENTATION

VISIONING & AS-IS ANALYSIS

Policy and process description

Role descriptions/ RACI

Reporting templates

Risk assessment templates

Validated risk assessment results

Consolidated risk register

Measurement catalogue

Training material & reporting

Assessment scope

Realistic and worst-case inherent business impact ratings

Overview gaps/ measures

BUSINESS-FOCUSED, STRUCTURED AND PRACTICAL RISK MANAGEMENT METHODOLOGY BASED ON RIGOROUS ASSESSMENT TO CREATE A HOLISTIC PROFILE OF DIGITAL RISKS

Why Capgemini Consulting?

Proven best practices approach to create a holistic risk profile

Focus on business perspective (“Digital Risk”)

Practical methodology with rigorous assessment process

Best practice templates to focus on key risks


[Figures: risk matrix plotting numbered risks by probability (low, medium, high) against impact (low, medium, high); sample management summary report with sections for current topics, assessment and measures, showing the implementation status of risk-treatment measures for material risks, an overview of current group-wide topics (e.g. projects, changes in IT outsourcing), and a summary of the group-wide risk assessment and the status of the risk indicators (Early Warning System)]

(6)

Cybersecurity Awareness 2.0

Awareness initiatives offered by Capgemini leverage broad communication campaigns and targeted training for roles with high risk profiles


Phases: CONTENT ADAPTION, PLANNING, QUICK SCAN

Objectives:

REVIEW RISKS, EXISTING AWARENESS INITIATIVES AND ANALYZE STAKEHOLDER AND TARGET GROUPS

PRAGMATIC ADOPTION AND CREATION OF AWARENESS CONTENT, OUTLINE OF KPIs AND MULTIPLIERS

DEFINE TRANSFORMATION ROADMAP FOR PRIORITIZED MEASURES

[Figures: roadmap of mobile use cases by short term, mid term and long term toward a strategic goal; stakeholder map of internal and external stakeholders with the target audience marked]

The “Dark hotel” attack is targeting high-profile business travelers

“Dark hotel” attack – Step by step

1. You connect to the already infected hotel Wi-Fi with your laptop or Smartphone
2. You receive a fake software update notification on your device: “An update is ready to install!”
3. You install the faked update which is a spy software that gives hackers access to the PC
4. Hackers steal data, record keystrokes and infiltrate the o network

Please remember: Hackers use fake update notifications to get you to install malware on your computer.

Tips for using foreign Wi-Fis

1. Always use the Company VPN connection for any transmission of confidential data
2. Do not download or apply any updates in foreign Wi-Fis
3. Turn off the wireless functions (Wi-Fi, Bluetooth, GPS and NFC) of your mobile devices when you don’t need them
4. Always check if websites use the HTTPS standard in the address bar
5. Always keep your antivirus software up-to-date (update at Company or at home)
6. If you are unsure, use the roaming package of your phone or your UMTS laptop adapter instead

Possible threats while on tour

Secure usage of wireless services

Remote access capabilities

Why Capgemini Consulting?

Structured, proven approach to optimize ongoing campaigns

Flexible and easy-to-adopt solutions

Extensive knowledge in change and communication mgmt

Measurable impact based on implemented KPIs

PROACTIVELY TACKLE SECURITY THREATS BY INTRODUCING POSITIVE SECURITY

(7)

Capgemini Consulting relies on a strong and global Cybersecurity capability network within the Capgemini Group

Capgemini Group offers and capabilities

2,500+ Capgemini resources with Cybersecurity skills

Canada, United States, Mexico, Brazil, Argentina, All over Europe, Morocco, Australia, People’s Republic of China, India, Chile, Guatemala, Singapore, Philippines, Taiwan, Vietnam, United Arab Emirates, Malaysia, New Zealand, Japan, South Africa, Colombia

Cybersecurity Awareness

Security transformation program management

Design and implementation of security solutions

Digital security assessment & strategy and risk management

Management

Security technical assessment

Transformation

(8)

Thank you.


Dr. Guido Kamann

Head CIO Advisory Services DACH

Capgemini Suisse S.A.

Leutschenbachstrasse 95

CH-8050 Zürich

Phone: +41 44 5602 400

E-Mail: [email protected]

Dr. Paul Lokuciejewski

Lead of Cybersecurity Consulting

Capgemini Deutschland GmbH

Berliner Str. 76

D-63065 Offenbach

Phone: +49 151 4025 0855
