
Cyber Security: from threat to opportunity



From threat to opportunity / Cyber security / 1

IT ADVISORY

Cyber Security:

from threat to opportunity

www.kpmg.com/nl/cybersecurity


1

FOREWORD

OPPORTUNITY-DRIVEN CYBER SECURITY

Cyber security (also known as information security or information protection) is a key theme in today’s business reality. Now that the success of many organisations has proven to be dependent on digital assets, it would be easy to elaborate only on cyber security threats. The question is: does focusing on fear, uncertainty and doubt really help your organisation to move any further along in this area?

Let there be no misunderstanding: we believe it is of the utmost importance to be adequately protected against cyber threats. These threats create cyber risks that organisations need to manage as part of their enterprise risk management - in order to have a ‘licence to operate’. But it is time to look at cyber security from a different angle.

Organisations should start looking at cyber security as an opportunity that will add extra value to a company’s products and services.

John Hermans

Partner, KPMG Risk Consulting

COMPETITIVE ADVANTAGES

We are convinced that making the right decisions when it comes to cyber security can result in a competitive advantage. Being well prepared means that organisations can prepare for innovations and new market opportunities better than competitors can. Such organisations will also earn more trust from customers and other stakeholders.

To unlock this potential we need a holistic, intelligence-led, and partnership-based approach aimed at building a cyber-resilient organisation.

Examples of this potential for a competitive advantage:

• Organisations that can assure their customers, stakeholders and employees that their information is properly protected are more trustworthy in the eye of the public;

• Governments and large corporates demand confidence in information management and use it as a qualifier for contracts and/or partnerships;

• Better cyber security results in lower costs arising from IT failures;

• Visible compliance with privacy regulations strengthens the brand reputation.


2

CLEAR RESPONSIBILITIES

Following a wave of high-profile incidents, cyber security is no longer seen as just an IT issue. It is increasingly becoming a topic for the executive board.

In an ideal world, the following statements summarise the roles and responsibilities that each person in an organisation must assume with regard to cyber security.

The Chairman

Cyber security is a standing agenda item for the board. We have a robust cyber security strategy in place, regularly review our threat landscape and hold our executives accountable for their responsibilities.

The CISO

We effectively manage information risks within the organisation together with our delivery and supply partners.

We know where our critical data is stored and who has access to it.

The CEO

We are prepared to deal with security events.

Should hackers claim success via the media, we can demonstrate that we have not been subject to a breach.

The Head of Human Resources

Throughout our organisation, people have the awareness, skills and knowledge to minimise cyber risks.

We vet our contractors and carefully manage our induction and exit process.

The Chief Financial Officer

We have made targeted investments in cyber security, taking the value of our assets, our vulnerabilities and the changing threat landscape into account.

The CIO on IT development and IT operations

All new systems, products and services are developed using ‘secure-by-design’ principles.

Effective monitoring in the value chain helps us to identify risks and minimise the impact of compromise.

Risk & Legal

Our regulatory and international certification standards are relevant and up to date. We know about the latest fines and consequences for data breaches.

The Chief Operating Officer on operations and external suppliers

We are aware of the safeguards required when adopting new business models such as outsourcing, offshoring and cloud services. Cyber security is an integral part of our procurement process.

Audit committees and Performance functions

Monitoring and reporting our organisational status quo and areas of cyber security enables us to instil confidence.


3

INTERLINKING BUILDING BLOCKS

KPMG’s approach towards cyber security paints a picture of how cyber security is and should be embedded in the organisation, looking at all the building blocks required for a resilient organisation and how these interact.

Under what circumstances could security throw a spanner in the works when it comes to realising my business strategy? And what does it take for my organisation to prevent such risks from materialising? Effective cyber security measures help organisations to better reach their strategic goals. In short, when is my organisation sufficiently resilient?

KPMG has developed an integrated approach to help you answer these questions and develop the desired security operating model.

Legal and compliance

The relevant regulatory and international certification standards.

Monitoring and reporting

The Board of Management receiving the management information needed to effectively govern cyber security across the organisation and to effectively address the strategic security risks.

Leadership and governance

Board demonstrating due diligence, ownership and effective management of risk.

Information risk management

The approach to achieve comprehensive and effective risk management of information throughout the organisation and its delivery and supply partners.

Human factors

The level and integration of a security culture which empowers people with the right skills, knowledge and responsibility.

Business operations and technology

The level of physical and digital security measures implemented to address identified risks across the information value chain and to minimise the impact of compromise. This includes the development of new products, processes and services, IT operations and third party management.

Business continuity and crisis management

Preparations to detect and address security events and the ability to prevent or minimise their impact.

Figure: the seven building blocks (leadership and governance; information risk management; human factors; business continuity and crisis management; legal and compliance; monitoring and reporting; business operations and technology), surrounded by the changing threat landscape of technological, economic, market and legal developments.


4

FROM AD HOC RESPONSES TO INTELLIGENCE-BASED FOCUS

Rome wasn’t built in a day and neither is it possible to create a resilient organisation overnight. The challenge is to place the right focus on the different building blocks in the right order. Together we tailor an approach which will guide your organisation through the various maturity levels to reach the desired end state as efficiently as possible. In today’s rapidly changing world an intelligence-led way of working is the key to ensuring the real threats to the organisation are known and addressed.

KPMG has the expertise and experience to develop a cyber security roadmap tailored to your organisation. This roadmap shows when and how to focus on the different building blocks and which targeted investments are needed to build an intelligence-led resilient organisation.

Our four step approach to determine the security operating model needed to support your business strategy:

1. Obtain a solid understanding of the organisation’s strategy

2. Determine the security operating model & maturity level needed to achieve the strategic goals

3. Assess the current level of security maturity of each building block

4. Develop a tailored action plan for each building block

Figure: maturity levels, from ad hoc responses to intelligence-based focus:

Reactive & manual

People unquestioningly following doctrine and doing their best to ‘put out fires’

Tools-based

Applying tools and technologies piecemeal to assist people in reacting faster

Integrated picture

Loosely integrated with a focus on interoperability and standards, initial situational awareness

Dynamic defence

Predictive and agile, the enterprise instantiates policy and implements measures in its processes and procedures

Resilient enterprise

The enterprise has incorporated cyber resilience through its value chains, implemented cyber security measures based on strategic threat and vulnerability assessments


5

OUR SERVICES

KPMG can help you understand your current state of preparedness against cyber attacks and assist you in closing any gaps. Whether from a governance, people, process or technology viewpoint, our services can help you improve your state of preparedness. To achieve that, we have developed KPMG’s Cyber Security Framework consisting of four major phases:

Figure: KPMG’s Cyber Security Framework, with the four phases Prepare, Protect, Detect & respond and Integrate arranged around cyber transformation and underpinned by threat intelligence.

Phase 1: Prepare

Developing an approach tailored to your specific organisation and ambitions

Everyone can go off and buy security solutions, but wouldn’t it be much better if someone listened to your concerns, views and questions? Someone who helps you to complete the picture of threats and opportunities? The prepare phase of KPMG’s Cyber Security Framework helps our clients to develop a cyber security strategy tailored to their specific business settings and ambitions.

The secret to success is to gain deep insights into your business strategy and understand which processes and/or systems represent the greatest assets from a cyber security perspective. It is also important to get clarity on how much risk you are willing to take in relation to these processes and/or systems (risk appetite).

It is essential to focus on the right areas. To ensure we do this, we start by jointly determining the strategic security risks of your organisation. The central question: where can a lack of security throw a spanner in the works when it comes to the realisation of your business strategy? This marks the starting point of this tailored approach. KPMG has developed a complete model showing the different maturity levels and what to do to achieve them. Using this model we can quickly help you design a tailored plan to achieve the desired level of security maturity and bring risks back to an acceptable level.

KPMG can help your organisation in:

• Cyber security awareness: demonstrating to your stakeholders (e.g. via cyber gaming) what cyber security is all about;

• Security governance: developing or assessing the governance model needed for effective cyber security, and verifying its alignment with the three lines of defence model;

• Risk management methodology: developing a methodology that will facilitate security risk management within the organisation;

• Cyber maturity assessment: painting an integral picture of the cyber state of your organisation with our cyber maturity assessment and security compliance & in-control scan;

• Threat trends analysis: analysing your current cyber threat landscape;

• Business impact assessment: providing a pragmatic approach to identify the security risks in your key processes;

• Business continuity and recovery: establishing policies and practices for dealing with major operational disruption, and developing and testing the recovery plans needed to face the continuity challenges;

• Security risk assessment: assessing the dependence on processes & applications, and the threats & vulnerabilities, to determine the current risks that need to be mitigated;

• Security strategy and vision development: designing a security strategy that will position cyber security as your business enabler and will realise your ambitions in the desired timeframes.

Phase 2: Protect

Balancing threats, risks and resources against business goals

Realising effective cyber security entails ensuring a baseline level of security across the organisation and establishing tailored protection of your crown jewels and critical assets. This requires balancing preventive and detective controls in the domains of governance, people, processes and technology. The protect phase of KPMG’s Cyber Security Framework helps our clients to increase their resilience against cyber attacks in all domains.

Establishing a baseline level of security throughout the whole organisation starts with an organisation that is built on capable people and effective processes for the protection of your assets. It also means that your technology landscape of applications, internet perimeter, internal network, websites, servers and workstations is regularly assessed. You can achieve this through a combination of security tests, configuration reviews, architecture assessments and authorisation reviews.

After having established a level of ‘basic security housekeeping’, the next step is to focus on the areas that are most important to your business for fine-tuning your security: your organisation’s crown jewels and critical assets. KPMG will help you with tailor-made actions and by implementing specific security measures regarding these areas, based on risk assessments and industry best practices.

KPMG can help your organisation in:

• Cyber defence operating model: designing and implementing your defence organisation and infrastructure using the three lines of defence model;

• Secure architecture: defining or assessing the desired security architecture for processes and technology within your organisation;

• Assets, processes and resources alignment: enabling technology to link asset management, security monitoring, and threat, vulnerability and incident management processes with the cyber strategy of your organisation;

• Security testing: assessing the security of your applications, systems and networks by ethical hackers;

• Identity and access management: designing and implementing an identity and access management infrastructure that is in control, manageable and compliant;

• Red teaming: testing your preventive and detective controls by performing a simulation of a real-world attack;

• Cloud security: security assessment, control and transformation of your cloud computing environment;

• Mobile security: security testing and advisory on your mobile applications or BYOD environment;

• Technical reviews: assessment against industry standards such as PCI-DSS.

Phase 3: Detect & respond

Timely detection of incidents

With the global proliferation of cyber attacks, the question for organisations is not if they will be attacked but when. The ability to effectively manage business during a major operational disruption is now a key success factor. With reputational damage occurring in an increasingly short time-span, organisations are looking for business and technical specialists who can help them design and execute incident response plans accordingly. The detect and respond phase of KPMG’s Cyber Security Framework helps our clients respond to and investigate cyber attacks.

The foundation for timely detection and response is a Security Operations Centre (SOC) that is supported by the functions of vulnerability management (to identify weaknesses in your assets), threat management (to identify and predict new attacks), and incident management (for prompt and thorough follow-up on incidents).

KPMG has the experience to help you establish robust processes and technology. Even more important, we help you ensure that the people in these processes work as one, so that cyber threats are dealt with proactively.

KPMG can help your organisation in:

• Serious gaming: organising red and blue team cyber incident response training to help you develop your responsive capabilities;

• Incident response capability development: enhancing your incident response capabilities including internal and external communications, service prioritisation and many other aspects;

• Stakeholder management: determining which stakeholders should be part of your crisis management process, what their needs and responsibilities are;

• Cyber attack detection: helping with deployment and optimisation of monitoring and sophisticated data analytics on your networks;

• Security and threat monitoring use-cases: advising on, designing and implementing security information and event management processes and architectures;

• Rapid response teams: helping you to contain, manage and recover from cyber attacks;

• Forensic evidence recovery & investigation: providing advanced digital forensics capability to gather, preserve and interpret large data sets, deleted or ephemeral data in order to prove a chain of events;

• DDoS protection: helping your organisation in dealing with DDoS attacks.

Phase 4: Integrate

Integrating cyber security into everything you do

Cyber threats have become part of the business environment and as such, there are risks which need to be managed. This necessitates that cyber security not be seen as a topic in isolation within the business, but as an integral part of your way of working. The integrate phase of KPMG’s Cyber Security Framework helps our clients to embed cyber security in the culture and decision-making processes to help ensure their business stays one step ahead.

Firstly we assess all key business processes to jointly determine which risks could and should be addressed in those processes. Next, using industry best practices we determine how security measures can best be embedded in the existing processes to mitigate these risks. Our specialists will then help you to implement those security measures in the daily operations of your organisation. Naturally, the main focus will be on automated controls (which can be built directly into your systems) as well as soft controls (such as cyber security awareness and training).

KPMG can help your organisation in:

• Security reporting and measurements: determining security KPIs and developing cyber security dashboards;

• Security by design: assessing R&D processes for security embedding and providing support in determining security requirements for new products and services;

• Security in culture: embedding cyber security in the decision-making process of your organisation in a way that fosters a culture of the right skills and behaviours;

• Sourcing parties: managing your sourcing parties and ensuring that third parties deal with information in line with your requirements;

• Security operating model: developing a holistic security operating model in line with your business strategy and goals.

Threat intelligence

The financial and reputational costs to recover from a cyber attack can materially impact public and private organisations. The most mature organisations anticipate cyber threats to help minimise the impact rather than merely respond to the attacks.

Matching our industry experience with our technical skills, KPMG works closely with clients to design and implement cyber intelligence functions, answering questions such as how to move from reacting to anticipating cyber attacks, how to make sense of the cyber threats we face, how to establish an effective Security Operations Center, who to share threat intelligence with and how. Our experience in the intelligence and law enforcement community gives us a unique perspective on effective intelligence capabilities and processes.

Combined with our deep technical knowledge in cyber security we:

• Work with organisations to design and implement in-house and government cyber intelligence functions and security operations centers;

• Help optimise aspects of current intelligence functions and security operations centers;

• Work in partnership with private intelligence and law enforcement agencies to enhance intelligence flows.

6

OPERATING PRINCIPLES BEHIND OUR SERVICES

A joint approach. Designing a plan is one thing, designing a plan which receives full support from the organisation is something entirely different. This is why we always work closely together with your team to ensure success.

Cyber security is not an IT issue. KPMG brings together specialists in information protection and business continuity, forensic technology, risk management, privacy, organisational design, behavioural change and threat intelligence to help you manage cyber security across people, processes and technology.

Confident cyber security choices are the key to ensuring trust among customers, shareholders and employees. Our global cyber security framework provides a holistic view of the cyber security lifecycle – pre- and post-attack. It will help you develop a strategy on ‘how to balance your efforts’ and ‘where to invest’.

An intelligence-led approach. KPMG has gained a deep understanding and experience of intelligence best practices through working extensively with law enforcement and leaders in this field.

Boundaries, national or organisational, are irrelevant to cyber security. Which is why we offer you a global network of 2000 cyber security professionals from across our 156 member firms and all industry sectors who seamlessly cooperate in multinational, cross-functional teams.

7

OUR INDUSTRY SECTORS

With more than 25 years of information security experience, we have been helping organisations of all sizes from a variety of sectors:

• Offshore

• Industrial manufacturing

• Chemicals

• Banking

• Healthcare

• Retail

• Pharmaceuticals

• Oil & gas

• Insurance

• Communications

• Engineering & construction

• Government & public services

WE HELP YOU TO BUILD YOUR RESILIENT ORGANISATION

Our Cyber Security Framework is what distinguishes KPMG from other cyber security advisors. We view cyber security from an integrated perspective and provide solutions and recommendations suited to your business environment. For us, cyber security is an enabler for success, rather than a necessity for dealing with threats.

Our specialists know what steps need to be taken to make cyber security an integral part of the way you do business. Once this has been achieved we can subsequently help you to investigate and identify where security can be positioned to add value to your products and services.

We know how to report from a non-technical perspective.

The technical heart of cyber security may result in observations and recommendations that are only understandable to technical experts. Working with KPMG, you can expect to receive crisp and clear recommendations that address the challenges from a business perspective instead of pages of technical buzzwords.

Our ultimate aim in everything we do is to help you build a cyber-resilient organisation. It may take some time to get to this level and may involve an iterative process. We are more than happy to guide you through all the steps along the way. You can expect our cyber security professionals to go the extra mile in order to get you there.

Contact

John Hermans, Partner

Tel: +31 20 656 8394

Email: hermans.john@kpmg.nl

Dennis de Geus, Director

Tel: +31 20 656 8093

Email: degeus.dennis@kpmg.nl

Koos Wolters, Director

Tel: +31 20 656 4048

Email: wolters.koos@kpmg.nl

kpmg.com/nl/cybersecurity

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2014 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. The name KPMG, logo and ‘cutting through complexity’ are registered trademarks of KPMG International. 102014
