Information Security Benchmarking 2015 - Capgemini · Information Security Benchmarking 2015 ... Information Security assessment was conducted based on a detailed maturity model.

May 25, 2018

Page 1

Transform to the power of digital

Information Security Benchmarking 2015

Information Security assessment of companies in Germany, Austria and Switzerland

May 2015

Page 2

Management summary – study design and approach

Capgemini Consulting conducted a benchmarking study on Information Security to provide a thorough and balanced view of the current state of security in DACH organizations

Copyright © 2015 Capgemini Consulting. All rights reserved.

Information Security is key for today's organizations. The increasing number of serious security breaches announced in the press reminds us every day of the financial and non-financial consequences a successful attack exposes a business to. New business and regulatory requirements, recent trends and the increasing sophistication of cyberattackers make this topic an even greater headache, not only for security officers but also for the board.

Understanding how peers implement Information Security to protect the confidentiality, integrity and availability of data provides valuable insight for every organization. Such insights are not only helpful in recognizing current trends but also enable the quick identification of individual strengths and areas of improvement, and allow for benchmarking across the organization's peer group.

In Q4 2014, Capgemini Consulting conducted an Information Security benchmarking study among companies and organizations in Germany, Austria and Switzerland. The 45 respondents from 10 different industry sectors provided their views on upcoming trends and delivered information on topics such as their security budget and organization structures.

The Information Security assessment was conducted based on a detailed maturity model. Using this model, study participants evaluated their security practice in the domains “Strategy & Governance”, “Organization & People”, “Processes” and “Technology”.

Capgemini evaluated the respondents’ answers and presents the study results from two different points of view:

– overall results across all participants to provide a thorough and balanced view of the current state of Cybersecurity in DACH

– an individual assessment for each participant where individual answers are discussed and compared against their industry peer group

Page 3

Management summary – key insights

Despite high top management attention and increasing budgets, Information Security must undergo a deep transformation to improve alignment and cooperation with the business

High top management attention for Information Security – 75% of the respondents rated the top management’s priority on Information Security as medium or high, numerous companies even view it as one of their strengths.

Business goals not aligned with Information Security – Protection of data and prevention of system outages are considered key drivers for Information Security, while only 31% of the respondents view support of business goals as a driver for their security practice.

Security risks ignored by business decision makers – 75% of the participating companies stated that business is not involved in their IT risk management and does not consider security risks in their decision making.

Lack of security KPIs and ROI consideration – 96% of the participants rely on the results of internal and external audits to measure effectiveness of their Information Security, but only 7% use specific KPIs and merely 4% consider ROI estimates.

Unstructured security awareness programs – Increasing employee security awareness is the number one area of improvement for many companies. Only 27% of the participants characterized their awareness program as holistic, although 80% of respondents identified employees as the key source of security incidents.

Inconsistent information classification – 50% of the respondents rated their information classification as inconsistent with a lack of clearly defined classification policies and owners for each information asset.

Uncontrolled use of public clouds – 33% use public cloud services without full control of transmitted data, exposing it to potential unauthorized access. 27% of participants do not use public cloud services at all.

Increasing security budgets – More than half of the study participants (56%) expect an increase of their security budget while only 9% expect a budget decrease. The expected increase of the security budget is 10% (median).

Page 4

Cybersecurity challenges

Growing requirements and recent trends continue to pose new challenges to Cybersecurity and endanger the success of Digital Transformation for today's companies

Three pressures on Cybersecurity: organized cybercrime with sophisticated attacks; new requirements and trends; slowly growing Cybersecurity budgets

– Trends from Digital Transformation: Mobility, Cloud, Big Data, Social

– Business demanding higher flexibility

– Complex ecosystems (e.g. Industry 4.0)

– New regulations & laws, e.g. "IT-Sicherheitsgesetz"

– Low awareness level of employees due to lack of holistic programs

– Constrained security resources

– Industrialization of hacking, professional attack software "as a service"

– National intelligence agencies with unlimited resources

– Employees attacked by phishing, social engineering …

Page 5

Table of contents

Transform the power of digital

– Participants and Overview of the Study

– Overall Study Results

– Individual Results of Security Maturity Assessment

– Capgemini Consulting Cybersecurity Offerings

– About Capgemini Consulting

Page 6

Participants information

Experts from medium- and large-sized companies across multiple industry sectors participated in the study – with a majority of participants from Germany and Austria

Chart: Participants' industry sectors – Energy, Utilities & Chemicals; Financial Services; Manufacturing; Public Sector; Other Industries¹

Chart: Participants' role – CISO/IT Security Manager; CIO; IT Service Manager; IT Application Manager; Other; Not Specified

Chart: Participants' origin* – by country (Germany, Austria, Switzerland) and Other

Chart: Company sizes (number of employees) – 1-500; 501-1,000; 1,001-5,000; 5,001-15,000; >15,000; Not Specified

¹ Other industries include Retail, Logistics, Telco/Media/Entertainment, Automotive

* Number of participants n=45

Page 7

Participant peer groups

Leading DAX, ATX and SMI companies, hidden champions from various industries and public sector organizations participated in the Capgemini Consulting benchmarking study

– Financial Services: Major Austrian and Swiss banks, leading insurance companies from Germany, Austria and Switzerland, service providers for financial institutes

– Manufacturing: DAX companies, large international manufacturers and hidden champions from Germany, Austria and Switzerland

– Public Sector: Major German and Austrian federal authorities and ministries, infrastructure operators and competence centers for municipalities

– Energy, Utilities & Chemicals: Leading energy and chemical companies from DAX and ATX, international Swiss electric utilities

– Other Industries: Leading international retail, logistics, telco, media and car supplier companies from Germany, Austria and Switzerland

Page 8

Information Security benchmarking

Capgemini Consulting benchmarking study evaluates all relevant areas of an organization's Information Security practice using proven standards and industry best practices

Scope of Benchmarking Study

– Information Security organization & budget

– Drivers & strengths / pain points & risks

– Maturity assessment of all Information Security areas

Structure of the study

– Covers all relevant security areas: the INFORMATION SECURITY framework is structured into the domains Strategy & Governance, Organization & People, Processes and Technology

– Based on common Information Security standards (ISO 2700x) and industry best practices

Page 9

Maturity model – design principles

The benchmark evaluates the participants' security based on the Capgemini Consulting Information Security maturity model

To achieve reliable results, the study aims at an objective and repeatable security maturity assessment of all participants

Objectivity is achieved by assessing each Information Security component based on a clearly defined 5-level maturity model

Maturity level (low to high) and typical characteristics:

– 0 – NON-EXISTENT: Non-existent; Not performed; Not installed; Necessity not understood

– 1 – AD HOC: Ad hoc; As needed; Informal; Loosely defined; Inconsistent; Basic; Occasional; Reactive

– 2 – DEFINED: Defined process, roles, responsibilities; Documented; Formal; Communicated

– 3 – MEASURED: Measured to work effectively; Monitored; Use of KPIs; Regular review/audits; Partially automated

– 4 – OPTIMIZED: Continuous improvement and optimization; Best practice; Risk mitigation; Automated workflow; Business enabler; Proactive

Page 10

Table of contents

Transform the power of digital

– Participants and Overview of the Study

– Overall Study Results

– 1. Drivers & risks

– 2. Organization & budget

– 3. Overall security maturity assessment

– Individual Results of Security Maturity Assessment

– Capgemini Consulting Cybersecurity Offerings

– About Capgemini Consulting

Page 11

Drivers for Information Security

Protection of data is the key driver for Information Security – supporting business goals and enabling Digital Transformation is of less relevance for most companies

Share of participants naming each driver:

– Protection of customer data: 78%

– Prevention of system/process outage: 71%

– Protection of personal data: 69%

– Protection of assets and IP: 58%

– Safeguard for reputation: 44%

– Support for business goals: 31%

– Enabler for Digital Transformation: 16%

– Strengthening competitiveness: 11%

– Increase of efficiency/cost reduction: 7%

– Critical infrastructure protection: 2%

– Compliance: 2%

– Legal requirements: 2%

Only 31% of participants rated support of business goals as a key driver

Page 12

Strengths and top management attention

Information Security is on the boardroom agenda – many participants see top management attention as one of their strengths

Ranked top strengths:

– Security expertise & capabilities

– Management attention & commitment

– Holistic Target Operating Model/ISMS¹

– Security awareness & training

– Data protection based on requirements

¹ ISMS: Information Security Management System

75% of participants rated top management attention as medium to high

Page 13

Improvement fields and awareness programs

Although the majority of the participants have already recognized its importance, several companies still have not implemented a holistic security awareness program

Ranked top improvement fields:

– Security awareness & training

– Communication & collaboration

– Policies & documentation

– Security expertise & capabilities

– Security operation center & monitoring

73% of participants consider their awareness program as unstructured

Page 14

Security risks and sources for security incidents

Data theft and disclosure of information represent the largest security risk – the resulting incidents are frequently caused by current and former employees

Top risks (ranked):

– Data theft and disclosure

– Service outage

– Phishing & social engineering

– Unauthorized network access

– Internal and external fraud

Sources for incidents (share of participants):

– Current and former employees: 80%

– Organized crime: 56%

– Hackers/Script kiddies: 56%

– Third-party partners/suppliers: 47%

– Foreign nation states/national agencies: 29%

– Visitors: 13%

– Terrorists: 13%

– Competitors: 11%

80% of participants consider their employees as the main source for security incidents

Page 15

High priority topics

Increasing security awareness and training employees are considered essential elements of Information Security to protect corporate information

Planned investment topics (share of respondents):

– Security awareness & training: 44%

– Mobile device security: 28%

– Identity & access management: 23%

– Network security: 15%

– Security operations center & monitoring: 13%

– Holistic information security management system: 13%

– Policies & documentation: 10%

– Process optimization: 10%

– Risk & vulnerability management: 10%

– Business continuity/disaster recovery management: 8%

44% of respondents plan to invest in awareness campaigns in the upcoming months

Page 16

Effectiveness measurement

Internal and external audits are by far the most applied methods to measure security effectiveness while security KPIs and ROI estimation are almost neglected

Methods used to measure security effectiveness (share of participants):

– Results of audits by internal or external auditors: 96%

– Number of security incidents: 64%

– Measurement of Information Security Awareness: 38%

– Industry benchmarking: 33%

– Feedback from management: 31%

– Proportion of system downtime: 27%

– Number of security policies and standards: 16%

– Special key performance indicators: 7%

– Return on investment (ROI) estimation: 4%

4% of companies consider ROI as an effectiveness measure

Page 17

Security standards and best practices

ISO 2700x is the de-facto standard for Information Security in all sectors while COBIT is only sparsely implemented among the study participants

Share of participants applying each standard, by peer group:

– Financial Sector: ISO 27001 100%, ITIL 64%, BSI 55%, COBIT 27%, Other (e.g. PCI DSS) 18%

– Energy, Utilities, Chemicals: ISO 27001 100%, ITIL 33%, BSI 33%, COBIT 17%, Other (e.g. PCI DSS) 0%

– Public Sector: ISO 27001 80%, ITIL 60%, BSI 80%, COBIT 0%, Other (e.g. PCI DSS) 0%

– Manufacturing: ISO 27001 71%, ITIL 71%, BSI 14%, COBIT 57%, Other (e.g. PCI DSS) 14%

– Other: ISO 27001 73%, ITIL 45%, BSI 55%, COBIT 36%, Other (e.g. PCI DSS) 0%

Page 18

IT risk management

A lack of Information Security risk consideration during business decisions may result in insecure solutions with a high potential for security breaches

Chart: Business decisions with security involvement – distribution of participants across the maturity levels 0 to 4 (NON-EXISTENT, AD-HOC, DEFINED, MEASURED, OPTIMIZED)

75% of companies do not consider security risks in their business decision making

Page 19

Information Security governance

An essential part of Information Security governance is a security steering committee in which security-related decisions are reached by consensus of the relevant stakeholders

56% of respondents defined a security steering committee with various stakeholders

Chart: Involvement of relevant stakeholders – distribution of participants across the maturity levels 0 to 4 (NON-EXISTENT, AD-HOC, DEFINED, MEASURED, OPTIMIZED)

Page 20

Information classification and cloud computing

Information classification has been strongly neglected in recent years – the lack of effective classification solutions is also a key security concern for cloud computing

Chart: Classification – distribution of participants across the maturity levels 0 to 4 (NON-EXISTENT, AD-HOC, DEFINED, MEASURED, OPTIMIZED)

50% of companies rate their data classification as inconsistent

Chart: Cloud computing – distribution of participants across the maturity levels 0 to 4 (NON-EXISTENT, AD-HOC, DEFINED, MEASURED, OPTIMIZED)

33% of participants allow an uncontrolled use of public cloud services


Page 22

Organization – FTEs in Information Security

With typically 4 FTEs working in the Information Security function, large companies have twice the resources of medium-sized companies

Medium-sized companies (<= 5,000 employees): Max: 62, Min: 0.5, Median: 2 FTEs

Large-sized companies (5,000+ employees): Max: 100, Min: 1, Median: 4 FTEs

4 FTEs is the median size of Information Security organizations in large-sized companies

Page 23

Information Security budget

56% of the participating companies expect an increase of their security budget compared to the previous year, by 10% (median)

Budget changes: Budget increase 56%; Budget decrease 9%; No statement 36%

Change of security budgets (in %): Median: +10%, Max: +67%, Min: -25%

56% of participants expect an increase of their security budget


Page 25

Overall security maturity assessment – industry peers

With a typical maturity level of 2, most participants' security areas are formally defined but lack effective measurement and automation

Average maturity level by industry peer group (scale low to high):

– Public Sector: 2.5

– Financial Services: 2.2

– Manufacturing: 2.1

– Energy, Utilities & Chemicals: 2.0

– Other industries: 1.7

2.5 is the highest average maturity level, achieved by the Public Sector

Page 26

Overall security maturity assessment – details

The Public Sector outperformed in the domains "Strategy & Governance" and "Organization & People", while Financial Services showed the highest maturity in "Processes" and "Technology"

Chart: average maturity level (0.00 to 4.00) per area for Public Sector, Financial Services, Manufacturing, Energy, Utilities & Chemicals and Other Industries. Assessed areas by domain:

– Strategy & Governance: 1.1 Strategy; 1.2 Governance Structure; 1.3 Compliance Management; 1.4 Risk Management; 1.5 BCM/DRM; 1.6 Audits; 1.7 Data Privacy; 1.8 Security Incident Reporting

– Organization & People: 2.1 Organization Structures; 2.2 Roles & Responsibilities; 2.3 Employee Training and Awareness; 2.4 Security Expert Training; 2.5 Security Service Improvement; 2.6 Cooperation with Corporate Security; 2.7 Relationship with Business Units; 2.8 Social Media

– Processes: 3.1 Identity and Access Management; 3.2 Threat and Vulnerability Management; 3.3 Patch Management; 3.4 Information Classification; 3.5 Sourcing and Vendor Management; 3.6 Secure Application Development; 3.7 Backup; 3.8 Mobile Devices; 3.9 Retention and Investigation of Data; 3.10 Cloud Computing; 3.11 Physical User Access Management

– Technology: 4.1 Firewalls; 4.2 Remote User Access; 4.3 Network Intrusion Protection; 4.4 Wireless Network; 4.5 Database Security; 4.6 Server and System Security; 4.7 Endpoint Device Security; 4.8 Application Security; 4.9 Malicious Content Protection; 4.10 Physical Control Systems


Page 28

Drivers, incident sources and measurement

COMPANY¹'s security function is closely aligned to the business, defining the support for business goals as a key driver for its investments

EXAMPLE – COMPANY's individual answers:

– Drivers for Information Security: Prevention of system outages; Support for business goals

– Sources for incidents: Organized crime; Visitors

– Effectiveness measurements: Return on investment (ROI); Results of audits by internal and external auditors; Industry benchmarking; Measurement of Information Security awareness; Feedback from management

A – DRIVERS FOR INFORMATION SECURITY

– Prevention of system outages is the key driver for most members (83%) of peer group "Energy, Utilities & Chemicals"

– COMPANY is the only participant in the peer group defining support for business goals as a key driver for security

– In contrast to COMPANY, 50% of other participants in the peer group consider protection of customer data and protection of assets and IP as a key driver for security

B – SOURCES FOR INCIDENTS

– Organized crime is seen by COMPANY and most other peer group members as a key source for incidents

– In addition, other companies from the peer group consider current/former employees (67%) and hackers (50%) as a further incident source

C – EFFECTIVENESS MEASUREMENTS

– COMPANY is the only participant in the peer group that considers ROI as a measure

– 84% of other participants consider the number of security incidents as another effectiveness measure

¹ The following results represent an example of an anonymized individual assessment. COMPANY is only a placeholder.

Page 29

Strengths, improvement fields, risks and priorities

COMPANY's improvement fields are mainly located in the domain "Processes" – access management and data classification are common improvement fields among the respondents

EXAMPLE – COMPANY's individual answers:

– Top 3 improvement fields: 1 Access mgmt; 2 Compliance and req. mgmt; 3 Data classification

– Top 3 priorities: 1 Access control; 2 Data classification; 3 -

– Top 3 strengths: 1 Vulnerability mgmt; 2 Certified infrastructure; 3 Integrated mgmt system

– Top 3 risks: 1 Data leakage; 2 Internal threats; 3 Complexity

Domain Mapping: the answers are mapped onto the four domains of the Capgemini Consulting Information Security Framework (INFORMATION SECURITY: Strategy & Governance, Organization & People, Processes, Technology)

Page 30

Security maturity assessment – domain Strategy & Governance

With an immature IT risk management COMPANY may miss or underestimate major risks for its organization and become a victim of internal and external threats

EXAMPLE – COMPANY lies in 6 out of 8 areas below the peer group average in the domain "Strategy & Governance"

Chart: maturity level (0 to 4) per area – 1.1 Strategy; 1.2 Governance Structure; 1.3 IT Compliance Management; 1.4 IT Risk Management; 1.5 BCM/DRM; 1.6 Audits; 1.7 Data Privacy; 1.8 Security Incident Reporting – for COMPANY, Financial Services (peer group), Top Performer in Peer Group and Total Average (All Participants)

Capgemini's high-level risk evaluation (No risk / Low risk / Medium risk / High risk) across the domains Strategy & Governance, Organization & People, Processes and Technology

Findings and recommendations:

– "1.2 Governance Structure" is below peer group average (COMPANY: 2 vs. peers: 2.47). Recommendation: Definition of a security steering committee with relevant stakeholders, direct report to top management

– "1.4 IT Risk Management" is significantly below peer group average (COMPANY: 1 vs. peers: 2.45). Recommendation: Definition of processes, roles & responsibilities, regular assessments, management of mitigation measures, reporting, definition of KRIs

– "1.6 Audits" is below peer group average (COMPANY: 2 vs. peers: 2.91). Recommendation: Definition of data collection methods for auditor support, immediate response to findings by automated process

Page 31

Security maturity assessment – domain Organization & People

A holistic Information Security awareness concept is the most effective solution to tackle the increasing number of attacks on employees

EXAMPLE – COMPANY lies in 7 out of 8 areas below the peer group average in the domain "Organization & People"

Chart: maturity level (0 to 4) per area – 2.1 Organization Structures; 2.2 Roles & Responsibilities; 2.3 Employee Training and Awareness; 2.4 Security Expert Training; 2.5 Security Service Improvement; 2.6 Cooperation with Corporate Security; 2.7 Relationship with Business Units; 2.8 Social Media – for COMPANY, Manufacturing (peer group), Top Performer in Peer Group and Total Average (All Participants)

Capgemini's high-level risk evaluation (No risk / Low risk / Medium risk / High risk) across the domains Strategy & Governance, Organization & People, Processes and Technology

Findings and recommendations:

– "2.3 Employee Training & Awareness" is below peer group average. Due to its increasing importance, the average is expected to rise. Recommendation: Definition of a holistic concept, measurement of awareness and training success, use of multipliers

– "2.4 Security Expert Training" is below peer group average (COMPANY: 1 vs. peers: 1.91). Recommendation: Definition of training plans, introduction of mandatory training/certifications

– "2.6 Cooperation with Corp. Sec." is significantly below peer group average (COMPANY: 1 vs. peers: 2.45). Recommendation: Intensification of collaboration with Corporate Security, use of joint success factors

Page 32

Capgemini Consulting is happy to perform a detailed and individual assessment of your Information Security practice

If your organization would like to participate in Capgemini's free Information Security study and gain full insights from Capgemini's extensive benchmarking database, please contact

Dr. Paul Lokuciejewski, Lead of Cybersecurity Consulting

Capgemini Deutschland GmbH, Berliner Str. 76, D-63065 Offenbach

Phone: +49 69 9515 1439 E-Mail: [email protected]

Page 33

Table of contents

Participants and Overview of the Study
Overall Study Results
Individual Results of Security Maturity Assessment
Capgemini Consulting Cybersecurity Offerings
About Capgemini Consulting

Page 34

Trends in Cybersecurity

With the increasing complexity of organizations and the ongoing penetration of SMACT¹ technologies, a “full perimeter” protection is not feasible anymore

Old Paradigm                   | New Paradigm
Control-centric                | People-centric
Prevent & protect              | Predict, monitor & respond
Perimetric defense             | Data-centric defense
Zero-risk dream & compliance   | Digital risks & info. life cycle

SOLUTIONS: Security Strategy; People & Awareness; Security Operations; Risk Mgmt & Information Classification

¹ Social, Mobile, Analytics, Cloud and (Internet of) Things

Page 35

Capgemini Consulting Cybersecurity Portfolio (excerpt)

Our Strategic Cybersecurity Consulting guides your organization through a secure Digital Transformation while leveraging the power of modern technologies

OUR STRATEGIC CYBERSECURITY CONSULTING ADDRESSES C-LEVEL CONCERNS TO ENABLE A SECURE DIGITAL TRANSFORMATION. IT WILL HELP YOU TO

1. Benchmarking / Maturity Assessment: “gain a profound understanding of your current Cybersecurity situation.”
2. Digital Risk Management: “make risk-based decisions and protect your business with optimal investment strategies.”
3. Security Target Operating Model (ISMS): “establish effective Cybersecurity capabilities for a holistic protection of your data and systems.”
4. Awareness Campaign: “foster a people-centric security culture and protect against the increasing number of employee-focused attacks.”

Page 36

CySIP Maturity Assessment approach

Capgemini performs its Cybersecurity & Information Protection (CySIP) Maturity Assessment based on a proven approach and standardized tools

Phase 1: SCOPING & VISIONING
Activities: Define scope of assessment; Derive strategic guidelines; Determine client-specific threats; Identify business-critical information and systems
Results: Aligned questionnaires; Defined strategic guidelines; Overview of business-critical information and systems

Phase 2: MATURITY ASSESSMENT
Activities: Conduct focus interviews with business and IT to assess maturity; Identify vulnerabilities and gaps; Benchmark with best practices; Define pain points, quick wins and long-term measures
Results: Overview of evaluated vulnerabilities and gaps; Assessed CySIP maturity; Measurement catalogue

Phase 3: TRANSFORMATION ROADMAP
Activities: Prioritize measures; Define high-level business case; Define transformation plan; Align results with stakeholders; Prepare decision documents
Results: Aligned and prioritized measures; High-level business case; Transformation plan; Final decision documents

[Sample deliverable thumbnails shown on the slide:
• Transformation roadmap (Q4 2014 to 2016) across the workstreams Management & Governance, Int. Organization & Client, Applications & Operating System and Network & Hardware, with activities such as: analyze data privacy organization; design IS policy framework; outline governance principles for data; describe governance profiles and roles; transform to new organization; analyze business & IT requirements; develop security architecture model; design technical solutions; build and customize designed solution; test and deploy services; conduct risk and stakeholder analysis; perform survey to assess awareness level; develop awareness concept; design awareness objects; implement awareness objects; perform 2nd survey to measure effectiveness; define business continuity strategy; develop decision structures; develop organization plan; define business impact analysis (BIA); conduct business impact analysis; formulate SLAs; define business continuity plans.
• To-be IT demand organization chart (taken from an earlier Capgemini deck, “IT organization as-is and to-be”): the to-be organization features an org-line for functional business interaction as well as for supply management to enhance the capabilities. Labels include Global Supply Management with External Supply (EDM) and Internal Supply (SAP, IM); Global Functional Information Management with Business Information Managers (BIM) and Business Consulting (SAP, EDM); Global IT Management (IT Strategy, Architect, Project Portfolio Mgmt, Technology Innovation, Quality Mgmt, Service Mgmt, Contract Management, HR, Controlling); Local IT Mgmt (Germany, France, Netherlands, R.o.W); and communication lines to business key users in R&D, RES-QS, Manufacturing and S&M. Notes on the chart: vacant positions in Global Functional Information Management (GFIMs) are re-staffed and enhanced by business consulting capabilities for SAP and EDM; a new organizational line manages Pharma-specific supply as well as internal and external providers.
• Maturity benchmark chart (scale 0 to 4) for domain 1, Strategy & Governance: 1.1 Strategy, 1.2 Governance Structure, 1.3 IT Compliance Management, 1.4 IT Risk Management, 1.5 BCM/DRM, 1.6 Audits, 1.7 Data Privacy, 1.8 Security Incident Reporting; series: Bundesministerium für Finanzen, Public Sector, Top Performer in Peer Group, Total Average (All Participants).]

C-LEVEL AND BUSINESS-ORIENTED, STRUCTURED APPROACH FOR AN ACCELERATED INCREASE OF CLIENT’S MATURITY AND DEFINITION OF A CYBERSECURITY STRATEGY

Why Capgemini Consulting?
• C-Level and business-oriented for alignment with business/IT strategy
• Toolkit of proven questionnaires for accelerated maturity assessment
• Extensive benchmark database for peer comparison
• Collaborative approach to define clear strategy

(Offering 1)

Page 37

Cybersecurity Digital Risk Management

Capgemini helps organizations to protect their critical information assets using optimal investment strategies that minimize operational risk

Phase 1: VISIONING & AS-IS ANALYSIS
Activities: Define scope of risk assessment; Identify critical information assets; Assess business impact (business impact analysis); Perform gap analysis and define measures
Results: Assessment scope; Realistic and worst-case inherent business impact ratings; Overview gaps/measures

Phase 2: TO-BE DESIGN
Activities: Describe procedures & interfaces; Define roles & responsibilities and KRIs; Develop reporting; Profile threats and vulnerabilities; Develop questionnaires
Results: Policy and process description; Role descriptions/RACI; Reporting templates; Risk assessment templates

Phase 3: RISK ASSESSMENT & IMPLEMENTATION
Activities: Conduct risk assessments with business and IT to identify and evaluate risks; Create a holistic risk register; Define risk mitigation measures; Implement process
Results: Validated risk assessment results; Consolidated risk register; Measurement catalogue; Training material & reporting

[Sample deliverable thumbnails shown on the slide:
• Risk heat map plotting probability (low/medium/high) against impact (low/medium/high) for numbered risks 1 to 14, some split into sub-items (9a to 9d, 14a/14b).
• Risk reporting template (original in German) with the sections current topics, assessment and measures. Its management summary covers: presentation of the implementation status of risk-treatment measures for key risks; overview of current group-wide topics, e.g. IT projects or changes in IT outsourcing; summary of the assessment of group-wide risks and the status of the risk indicators (early warning system); commentary. Its status table has the columns Topic area | No. | Green | Yellow | Orange | Red | Change from previous period, with sample rows:
Topic 1 | 2 | 0 | 0 | 2 | 0 | #DIV/0!
Topic 2 | 0 | 0 | 0 | 0 | 0 | #DIV/0!
Topic 3 | 0 | 0 | 0 | 0 | 0 | #DIV/0!
Topic 4 | 1 | 0 | 0 | 1 | 0 | #DIV/0!]

BUSINESS-FOCUSED, STRUCTURED AND PRACTICAL RISK MANAGEMENT METHODOLOGY BASED ON RIGOROUS ASSESSMENT TO CREATE A HOLISTIC PROFILE OF DIGITAL RISKS

Why Capgemini Consulting?
• Proven best practices approach to create a holistic risk profile
• Focus on business perspective (“Digital Risk”)
• Practical methodology with rigorous assessment process
• Best practice templates to focus on key risks

(Offering 2)

Page 38

Cybersecurity Target Operating Model (ISMS)

We support organizations in establishing an Information Security Management System that ensures an adequate setup and development of their Cybersecurity capabilities

Information Security Management System – Operating Model: Organisational Structure; Governance Model; Roles & Competencies; Processes & Interfaces; Technology & Systems; Performance Metric

HOLISTIC AND RISK-BASED METHODOLOGY TO INTEGRATE CYBERSECURITY INTO YOUR BUSINESS AND INCREASE RESILIENCE

Why Capgemini Consulting?
• Models tailored towards your organization context
• Experience from operating client ISMS
• Best-practices following industry standards (e.g. ISO 27001)
• Fast implementation due to ready-to-use assets (e.g. policies)

(Offering 3)

Page 39

Cybersecurity Awareness 2.0

Awareness initiatives offered by Capgemini leverage broad communication campaigns and targeted training for roles with high risk profiles

Phase: QUICK SCAN
Objectives: REVIEW RISKS, EXISTING AWARENESS INITIATIVES AND ANALYZE STAKEHOLDER AND TARGET GROUPS

Phase: PLANNING
Objectives: DEFINE TRANSFORMATION ROADMAP FOR PRIORITIZED MEASURES

Phase: CONTENT ADAPTION
Objectives: PRAGMATIC ADOPTION AND CREATION OF AWARENESS CONTENT, OUTLINE OF KPIs AND MULTIPLIERS

[Sample deliverable thumbnails shown on the slide:
• Initiative roadmap (short term / mid term / long term / strategic goal) listing items such as store front, timesheet, workforce management, mobile CRM, mobile worker, approvals, interactive dashboards, mobile executive reports, employee tracking, self-service operations, support, mobile sales, training, documentation, collaboration tools, mobile service, customer factsheets, customer interaction tracker, pushed information, automated services, product information and assistance services.
• Stakeholder map distinguishing internal stakeholders (= target audience: leadership team (global, Europe), Europe leadership team (first line leaders) of units A/B/C, joint project team and other projects within the company, employees Europe of units A/B/C, employees of other units in the rest of the European organisation, corporate functions such as Communications and HR, workers council, change program) from external stakeholders (retailers, other distributors, consumers, manufacturers).
• Awareness poster on the “Dark hotel” attack, reproduced below.]

The “Dark hotel” attack is targeting high-profile business travelers

Please remember: Hackers use fake update notifications to get you to install malware on your computer.

“Dark hotel” attack – Step by step (possible threats while on tour)
1. You connect to the already infected hotel Wi-Fi with your laptop or smartphone
2. You receive a fake software update notification on your device (“An update is ready to install!”)
3. You install the faked update, which is a spy software that gives hackers access to the PC
4. Hackers steal data, record keystrokes and infiltrate the network

Tips for using foreign Wi-Fis (secure usage of wireless services, remote access capabilities)
1. Always use the Company VPN connection for any transmission of confidential data
2. Do not download or apply any updates in foreign Wi-Fis
3. Turn off the wireless functions (Wi-Fi, Bluetooth, GPS and NFC) of your mobile devices when you don’t need them
4. Always check if websites use the HTTPS standard in the address bar
5. Always keep your antivirus software up-to-date (update at Company or at home)
6. If you are unsure, use the roaming package of your phone or your UMTS laptop adapter instead

PROACTIVELY TACKLE SECURITY THREATS BY INTRODUCING POSITIVE SECURITY BEHAVIORS THROUGH A HOLISTIC CYBERSECURITY AWARENESS CAMPAIGN

Why Capgemini Consulting?
• Structured, proven approach to optimize ongoing campaigns
• Flexible and easy-to-adopt solutions
• Extensive knowledge in change and communication mgmt
• Measurable impact based on implemented KPIs

(Offering 4)

Page 40

Cybersecurity Awareness 2.0 - communication channels

A best practice mix of different channels is used to effectively communicate key messages of the awareness campaign

EXAMPLE: communication channels (extract) by format

Print: Poster; Article in internal newspapers; Information Security Handbook; Booklets; Leaflets; Flyers

Digital: Newsletters; Intranet/Web sites/banner/blogs; Flat screen content; Online quizzes; Web-based trainings; Awareness movies; Logon screen messages; Online surveys/feedback polls

Events: Phishing mail tests; Clean desk audits; Classroom trainings incl. train-the-trainer concept; Information Security Days; Security breakfast/lunch events; Live-hacks; Onboarding training material; Management trainings

(Offering 4)

Page 41

Case study – Cybersecurity Awareness campaign design and implementation

Capgemini Consulting supports a leading energy company in significantly raising the awareness for Cybersecurity of 22,000 employees in 20+ countries

Issue
• Our Client, an international energy company with approx. 28,000 employees in more than 20 countries, faced an increasing number of security breaches caused by employees
• Loosely performed awareness initiatives in the past showed little to no positive effects
• Unknown level of employee awareness for focused awareness activities
• Missing local support for global implementation of security initiatives
• No holistic approach for a group-wide, target-group-specific awareness campaign

Solution
• Conduct of a group-wide, multi-lingual online survey with 22,000+ participants
• Development of a holistic awareness concept based on detailed survey evaluation
• Design and creation of awareness objects using the right mix of communication channels
• Organization and conduct of Cybersecurity Awareness events and trainings
• Establishment of a multiplier network for an effective campaign implementation
• Program management based on Capgemini’s proven methods and tools

Benefits
• Increased awareness for security risks leading to adoption of positive security behaviors
• Significantly decreased number of security breaches and human errors
• Improved acceptance and visibility of Cybersecurity as business partner
• Enforced compliance with legal and regulatory requirements

(Offering 4)

Page 42

Cybersecurity Awareness 2.0 - why Capgemini Consulting?

Proven, easy-to-adopt solutions and an extensive project experience enable Capgemini to efficiently implement effective Information Security Awareness campaigns

1. Structured, proven approach to set up or optimize your ongoing awareness activities
2. Flexible and easy-to-adopt solutions for an accelerated increase of Information Security based on your needs
3. Benchmarking data derived from previous projects to compare with industry peers
4. Measurable impact based on implemented KPIs
5. Extensive knowledge in project, change and communication management
6. Global Capgemini network of security and communication experts

(Offering 4)

Page 43

Table of contents

Participants and Overview of the Study
Overall Study Results
Individual Results of Security Maturity Assessment
Capgemini Consulting Cybersecurity Offerings
About Capgemini Consulting

Page 44

CAPGEMINI GROUP from a global point of view

PEOPLE
• 140,000 employees
• Offices in 44 countries

COMPANY
• Listed on the Paris stock exchange (CAC-40)
• 10.1 bn € revenues (2013)
• Top 5 consultancy worldwide
• Two thirds of the world‘s largest companies are our clients
• Headquarter in Paris

Paul Hermelin, Group Chairman and CEO

Page 45

CAPGEMINI CONSULTING: the strategy and transformation brand of the group

GLOBAL
• Strong global network
• 10.000 strategy and management consulting experts
• Present on all continents

Cyril Garcia, CEO Capgemini Consulting

CAPGEMINI CONSULTING GERMANY/AUSTRIA/SWITZERLAND
Dr. Volkmar Varnhagen, CEO CC Germany/Austria/Switzerland

Page 46

CIO Advisory Services

To increase the Capgemini Consulting client focus and build trusted long-term relationships with our clients, we have designed our Service Offerings along the life-cycle of CIOs

OUR MISSION is to SUPPORT CIOs in every aspect of their work from ASSESSMENT to STRATEGY all the way through TRANSFORMATION

ASSESS: What is the current state of your IT Operation?
• IT Flash Assessment
• Cybersecurity Risk Assessment
• IT Project/ Program Audit
• Digital Day
• IT Due Diligence
• Post-Merger Integration IT and IT M&A Assessment

STRATEGIZE: How do you position your IT Organization strategically?
• IT Strategy Development
• Cybersecurity Strategy
• IT Innovation Strategies
• IT Digital Strategies
• Mobile Strategy
• Cloud Strategy

TRANSFORM: How do you improve/ transform your IT Organization long-term?
• IT Organizational Transformation
• Cybersecurity Transformation
• Digital Service Unit
• Lean IT/ IT efficiency
• IT Portfolio Management
• IT Shared Service Center
• Project Turn-around and PMO

Page 47

Capgemini Group offers and capabilities

Capgemini Consulting relies on a strong and global Cybersecurity capability network within the Capgemini Group

2,500+ Capgemini resources with Cybersecurity skills, located in: Canada, United States, Mexico, Brazil, Argentina, all over Europe, Morocco, Australia, People’s Republic of China, India, Chile, Guatemala, Singapore, Philippines, Taiwan, Vietnam, United Arab Emirates, Malaysia, New Zealand, Japan, South Africa, Colombia

Capability areas: Management; Transformation; Build

Capabilities:
• Digital security assessment & strategy and risk management
• Security transformation program management
• Design and implementation of security solutions
• Security technical assessment
• Cybersecurity Awareness

Page 48

Capgemini Surveys and Benchmarks (examples)

We constantly search for new customer solutions and provide our customers with the latest research and points of view on current and future topics

IT Strategy & Change Management: Digital Transformation in cooperation with MIT. The objective is to understand how the “digital winners” are managing (or have managed) their Digital Transformation, starting from “brick and mortar” and moving to a “digital company”, and to identify some guiding principles and best practices

International Information Security studies & POVs: Information Security Benchmarking 2015 (Information Security assessment of companies in Germany, Austria and Switzerland, May 2015); Trends in Security 2014

Page 49

Dr. Guido Kamann, Head CIO Advisory Services DACH
Capgemini Suisse S.A., Leutschenbachstrasse 95, CH-8050 Zürich
Phone: +41 44 5602 400, E-Mail: [email protected]

Dr. Paul Lokuciejewski, Lead of Cybersecurity Consulting
Capgemini Deutschland GmbH, Berliner Str. 76, D-63065 Offenbach
Phone: +49 151 4025 0855, E-Mail: [email protected]

Thank you.