© 2018 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Overview of the i-4 programme
www.i4online.com
July 2018
Contents
1 What is i-4? 3
2 Overview of i-4 Member services 4
3 i-4 differentiators 5
Appendices
i Eighteen months of i-4 activities 7
ii The i-4 team 12
1 – What is i-4?
Keeping Members at the forefront of information security
— Founded in 1986 by Donn Parker of SRI International (the Stanford Research Institute), the International Information Integrity Institute (i-4) was the first knowledge- and experience-sharing forum for senior information security leaders. i-4 remains the leading forum for senior information security leaders responsible for sophisticated risk management and security operations, many of whom hold the highest-ranking security positions in some of the most influential global organisations.
— i-4 brings together some of the leading minds in information security and risk to help its Members stay one step ahead of the big issues. It is at the forefront of the industry, pushing the boundaries of thought leadership, collaboration and innovation.
— The fundamental ethos of i-4 is trust, collaboration, participation, contribution and the willingness to share not only the extensive experience of its membership community but also their valuable intellectual property. For example, a Member that is a leading global provider of open source intelligence produces a weekly cross-industry threat intelligence report for i-4 Members.
— i-4 is a global forum with a difference, enabling Members to tap into the latest thinking and anticipate emerging trends before they can impact their organisations. Members are able to separate the facts from the scare stories and get more from their investment in security.
— Today’s security leaders face an ever-widening range of challenges that are very much part of the top-table agenda. i-4 membership helps Members give the Board and senior management greater assurance that valuable data is protected in a cost-effective way.
“Good value from open and honest discussion, ‘safe environment’ to share experiences.”
i-4 Member, Forum 87, March 2016

“Great content and insight. Another great Forum, thank you.”
i-4 Member, Forum 89, October 2016
2 – Overview of i-4 Member services
Forums
These three-day conferences take place three times a year, one
each on the west and east coasts of the US, and a third in Europe.
The emphasis is very much upon learning, sharing knowledge and
solving real problems by interacting with other Members, relevant
guests and external specialist contributors.
Regional meetings and Roundtables
Held several times a year, one-day Regional meetings and half-day Roundtables allow Members to focus on one or two specific issues in considerably greater detail, in some cases following up queries and discussions raised at Forums.
Webinars
Members may not always have the time to attend events in person,
so i-4’s monthly webinars offer an ideal way to keep abreast of
important and emerging security issues.
Member queries
If a Member organisation is struggling to overcome a particular challenge, it can readily tap into the collective power of the i-4 membership. Responses to a query are analysed, collated and then published to the Member raising the query and to the broader membership, so all Members quickly benefit from the collective knowledge and experience of the group. See Appendix i for a summary of recent queries, which let Members quickly answer the question, “what is everyone else doing?”
Threat and Intelligence Exchange
This monthly, facilitated, interactive teleconference gives Members the opportunity to openly discuss the threats, incidents and other intelligence currently on their agenda and to explore what other Members are seeing. It underlines that i-4 is about sharing real experience and knowledge and getting on to the front foot with the ever-changing challenges facing information security: a monthly opportunity for all Members to air a challenge, share it and collectively address it, underpinned by the ethos of openness and sharing that runs through all i-4 activities.
i-4 website – www.i4online.com
All i-4 content, including Forum presentations, recorded webinars, results of Member queries and monthly Newsletters, is made available to i-4 Members in the private section of the website. It is a large repository of many years of valuable intellectual property, covering all aspects of information security from strategic to tactical and from technical to people, linked together to provide Members with the information and knowledge they need to stay one step ahead.
A former i-4 Member, now CISO at a new organisation, explains why he has joined…
“Having been a Member of i-4 for over 10 years I truly appreciate the value membership brings to an organisation; the ability to gain insights and share experiences, even if it is simply to confirm that we’re all in the same boat, is invaluable.”
Steve Collins, i-4 Member, October 2017
3 – i-4 differentiators
A highly experienced team
Three of the i-4 team members have backgrounds as CIOs, CISOs and CSOs of complex global organisations and many years’ experience in senior security roles. Each of them brings a different perspective to i-4. This is a much greater depth than the competing programmes offer, which means that i-4 provides a close match to the needs of senior security leaders in the following ways:
— Programme content and deliverables are of a high standard and focused on meeting the needs of senior executives
— We are able to attract membership and participation from higher-calibre individuals, giving attendance at i-4 events greater value
— The experienced perspective means that our horizon scanning is conducted through the lens of pragmatic experience, keeping it grounded in implementable improvements in the short and medium term while identifying future issues in advance and equipping Members with front-foot knowledge
Trust and intimacy
One of the firm foundations of the i-4 Programme is an operating model and culture that encourages trust between the Members. While this is backed by an NDA, the degree of trust that i-4 operates under is unprecedented compared to its competitors, which means that participants are much more willing and able to ‘tell it like it is’. During i-4 meetings the relationship building is as important as the content itself; we strive to create an environment where business friendships are made and built. Most Members should leave a meeting having made at least two good connections with peers that will help to solve common problems in the short and long term.
Focus on larger, more complex organisations
Many other providers’ services are targeted at a wide range of customers, meaning that the content delivered tends towards the lowest common denominator. Because i-4 focuses on the needs of senior executives at large and complex organisations, its output covers the issues that challenge these organisations; we see the ‘basics’ as being covered by other knowledge-sharing organisations and so do not cover them regularly or in great depth. The current membership includes some of the world’s largest financial services, oil and gas, pharmaceuticals, engineering, telecommunications, healthcare, technology and services companies. While a small number of these also participate in other organisations, the biggest players are increasingly choosing i-4 as their sole choice.
Backing by KPMG
In addition to establishing a highly experienced team, KPMG is investing heavily in i-4:
— Taking the quality of content and deliverables to a higher level than provided by our competitors
— Driving growth in the number and quality of Members
— Using KPMG specialists to contribute content and experience and do the ‘heavy lifting’ on behalf of Members
“I often find when I attend i-4 events that the processes and issues I am dealing with have already been resolved by my peers, which means I can go back to the office with a new perspective.”
i-4 Member, March 2015
Appendices
i – Eighteen months of i-4 activities
Forums
Forum 94, Budapest 25-27 June 2018
– The opening keynote speaker presented ‘A day in the life of a
CISO’ from their experience within a global telecoms organisation.
Their role covered many bases: enhancing diversity, inclusion,
incident response, interactions with the Board and ExCo, digital
transformation and hygiene.
– The Head of Cyber Oversight & Assurance for an organisation providing insurance and financial products presented a case study on security metrics, outlining how they measure performance (KPIs) and capabilities to provide security assurance to the Board.
– A Global CISO for a professional services company presented on ‘driving risk-based decision making in heterogeneous environments’, explaining how protection driven by leadership allows organisations to make decisions based on risk rather than compliance.
– A senior policing lead shared their perspective on cybercrime from both a European and a global viewpoint, identifying that collaboration with industry partners is essential to ensure a shared understanding of the threat picture that leads to enforcement activity.
– A Head of Cyber Security Behavioural Change, presented their
approach to ‘sustaining resilient behaviours’. Their case study
outlined how the organisation is helping staff to continue to be
the first and last line of defence against cyber-attack.
– A Chief Security Officer presented on ‘their emotional journey
to cloud agility’, explaining their research to validate how
security leaders are handling the journey, focused on maturity,
perceptions, realities of trust and accountability in what is a
shared model.
– A Senior Lecturer in Psychology at a highly reputed university explained how hardware and software solutions can only go so far in mitigating cyber threats. At the heart of a robust cyber security strategy is an acknowledgement that employees are simultaneously both key assets and threats.
– A senior leader of a major telecoms provider spoke of their personal experience of building assurance programmes into complex supply chains, describing the difficulty of uniformly gaining full assurance.
– During our highly interactive Birds of a Feather sessions
knowledge and experience was shared in communicating the business
value of your cyber security budget to the Board. The second
workshop helped organisations to identify and communicate the
benefits of cyber insurance, and how to identify an approach to
ensure this best complements the wider security programme.
– A Chief Scientist spoke of how ever-greater levels of automation, underpinned by sophisticated predictive algorithms, are transforming cyber defence and offence. New solutions promise real-time detection and mitigation of threats, but experience tells us that along with such benefits come both costs and risks.
– On the final day there was a case study on GPS security. This
increased awareness of the threat evolution from hackers, organised
crime, terrorists, nation states, and insiders. It offered
approaches that can be applied to mitigate such threats.
– A series of presenters spoke about ‘Security Architecture as a
Business Tool’. Architecture as a discipline is all about clarity
and communication. We tend to see architectures in the form of
network diagrams and software stacks which help us optimise
security capabilities and explain coverage. But architecture can be
much more, explaining the goals and value of an information
security programme.
– Our ‘Closing Think Piece’ looked at how technologies and
methodologies can have a positive impact in combatting challenging
issues such as child abuse.
Forum 93, Las Vegas 5-7 March 2018
‒ The CISO of a global hospitality and entertainment company operating destination resorts in Las Vegas gave the keynote address. He made the point that ‘it all starts with the architecture’: retro-fitting security is difficult and takes too long. He also raised the issue of the increased use of IoT, such as smart bulbs, outside the usual security controls.
‒ A newly appointed CISO spoke of their first 100 days and how their initial plan was derailed by the constant and ever-changing nature of the threat. They suggested that you should never waste the opportunity of a good incident: capitalise on the learning and fix it.
‒ The Director of an oil and gas cyber threat team shared their experience of next-generation detection and response, as well as how to recover your SOC in a disaster. They described the use of a unifying data lake to ingest every aspect of internal and external threat, asset and user activity, and the creation of a tool to provide a single, consolidated view of the issue at hand and a continual dashboard of activity.
‒ A Cloud Security session comprised presentations and a panel with two major providers and an end user who had implemented cloud services. Conversations covered how to onboard SaaS, the use of cloud as an application as opposed to treating it as infrastructure, the value of close working between client and vendor, and reporting capabilities.
‒ Day 2 began with the question ‘is it even possible to measure cyber risk?’ Expert knowledge was shared on the purpose of measurement, calibration and the value of collaboration. There followed presentations from a financial services CRO on setting risk appetite and from a director at a pharmaceutical organisation demonstrating the return on investment of delivering risk-reduction metrics to senior business leaders.
‒ The Birds of a Feather sessions were led by industry experts on 1. the implementation of SWIFT’s Customer Security Programme, 2. artificial intelligence and machine learning in cyber security, and 3. visualising cyber security maturity.
‒ An interactive session led by senior security practitioners looked at the evolving state of incident and crisis management. They described how, despite extensive experience, even the best-prepared teams can still seem vulnerable to the unforeseen and oblique challenges that manifest themselves during data breach incidents and reporting.
‒ The third day saw a cross-sector tabletop exercise sharing an understanding of how to respond to a cyber incident collaboratively, a session on what the regulator wants from companies under GDPR and, finally, a thought piece on the challenges of the move to automated vehicles, the networking of such systems and the issues that may arise.
Forum 92, Baltimore 16-18 October 2017
– A former NSA Deputy Director opened the 92nd Forum at a fantastic location on the Baltimore waterfront, likening the creep of cyber security to global warming and describing five formative conditions that currently feed the cyber security risk environment. The speaker warned that fear of regulatory penalties or enforcement actions hampers collaboration between government and business, but that initiatives like the UK NCSC are beginning to show a new way to create a safer internet umbrella.
– A Chief Operational Risk Officer from a major financial services company shared the experience of integrating cyber security into Enterprise Risk Management (ERM), identifying a growing systemic risk driven by complete dependence on digitisation, and how their alignment with the three lines of defence (3LOD) model has allowed the second line to pull security improvements rather than being driven by technology push. The speaker wisely acknowledged that cyber security risk is difficult to quantify – but they are working on it!
– Day 2 started with a presentation from a medical device security practitioner, describing the company’s journey and personal experience in taking a global organisation with no focus on security through a maturity programme.
– A later session posed the question: are CISOs forced to manage by assumption? It contended that most security tools are not fully and effectively utilised when mapped against the security stack, and that it is hard to know which ones are actually working against the threats they face.
– A research institute discussed how the kill chain defence
aligns to waterfall development techniques while attackers use a
DevOps mentality. The presenter went on to offer a number of
security predictions that were centred on realistic implementations
of AI and introduced the concept of distributed defence to overcome
todays challenges.
– And finally, the Forum closed on a reflective note, “Cyber
Fatigue” can be a destructive element while trying to constantly
improve security. But if you feel this way, it’s worth taking a
step back and looking at the ‘big mission’ and why we do this.
Every artefact is a person, and if we get it wrong that person can
be harmed.
Forum 91, Lisbon 26 – 28 June 2017
– A senior researcher opened the Forum and took us on an AI
fictional journey from Fritz Lang’s Metropolis in 1927 via HAL to
Ghost in the Shell. The history of AI has not all been successful,
with false start after false start, until finally the combination
of big data, graphical processing units (GPUs) and deep learning
algorithms have started to show success. Areas discussed included,
anthropomorphism, AI manipulation and hybrid human defences.
Several Members used the term, “thought provoking” and commented
about how they enjoyed it. Another Member said, “Really good and
insightful view of where we might be going”
– An incredibly insightful ‘warts and all’ review of a programme to achieve compliance with GDPR, PCI-DSS, NISD, e-Privacy and other initiatives, describing the amount of disruption to BAU and calling out the successes, the failures and what's still on the to-do list. One Member commented, “Excellent content rich presentation. Great to have the truth about what worked and what didn't.”
– Another popular presentation described a practical application of blockchain technology in an Insider Threat Programme to verify integrity, curate changes and enhance privacy. Members described this as “a great next step” and an “extremely helpful approach.”
Regional Meetings and Roundtables
Zero Trust Networks Roundtable, 16 July 2018
In cooperation with a Financial Sector Member, i-4 hosted a Roundtable on the challenges presented by Zero Trust Networks (ZTNs). The zero trust model abolishes the idea of a trusted network inside the corporate perimeter: it creates micro-perimeters of control around an enterprise's sensitive data assets and provides visibility into how data is used across the entire digital business ecosystem. During this highly interactive session participants:
– Shared experience of the potential business pros and cons of ZTNs
– Discussed deployment, use cases and the future direction of ZTNs
– Identified existing products and vendors
– Discussed how to protect and defend such networks
– Identified the potential role of commercial-grade PKI providers in Zero Trust
– Examined potential architectural patterns
– Examined detection and reporting of issues, threats, metrics and risk mitigation
The output and findings of all of our discussions are hosted on the i-4 website for Members to access.
Incident and Recovery Management Roundtable, 23 May 2018
i-4 and a Financial Sector Member hosted a roundtable on
Incident and Recovery Management. The key focus of the session was
on the response to a range of incidents, including system failure,
process failure, terrorism, physical security, natural disasters
and political disruption. In particular, those incidents that
result in media and regulatory scrutiny. We examined how recent
changes in regulation had altered organisations’ perspectives and
operating models. Attendees shared experiences on:
‒ The biggest challenges in the field of Incident and Recovery
Management
‒ How to manage your media response and the regulators
‒ Ensuring the correct people in the organisation are
informed
‒ Building capability – planning and training
‒ The impact of increasing adoption of DevOps/Agile ways of working
‒ Increased dependency on digitalisation and Cloud, and how to manage third parties who become critical vendors
Network Security Roundtable, 25 April 2018
In conjunction with a Financial Sector Member, i-4 hosted a
roundtable on Network Security looking at the challenges of
implementing new security technologies and models. During this
highly interactive session, participants shared their experience
of:
‒ Current and future cloud adoption, integration and interaction
with legacy systems.
‒ Network segmentation
‒ Toolsets for cloud network security both public and
private
‒ Network Security as an ecosystem
We explored how attendees organise and integrate their people and teams, balance in-house versus outsourced staffing and manage the overall journey, and the challenges faced, by sharing experiences gained through the implementation of new technologies and cloud integration. i-4 Members were able to better understand where real value is derived, identify common pitfalls and sense-check their current security operations and architecture strategy.
Vulnerability Management, Patching and Testing, 21 November 2017
In conjunction with a Financial Sector (FS) Member, i-4 hosted a roundtable event on Vulnerability Management, Patching and Testing. The event opened with a presentation on the Member’s current vulnerability management programme, describing processes around scanning, testing, patching and improvement. The Member explained that they wanted to share experiences within the FS community and obtain answers to some benchmark questions and challenges that are common to organisations with similar regulatory and security challenges. The subjects discussed included:
— Coverage and asset management challenges
— Experience of tools and their effectiveness
— Managing the volume of data
— Patching compliance and Service Level Agreements (SLAs)
The event was useful for attendees to gain an understanding of each other's capabilities and challenges in this critical area of information security and, although attendees have somewhat unique systems, they identified several areas for further collaboration, including their experience in the use of common industry tools such as the Qualys network scanning tools and Splunk.
The Board, Risk Management and GDPR, 5 June 2017
In conjunction with a Member, i-4 hosted a one-day regional event on The Board, Risk Management and GDPR. The event had multiple sessions:
– A fascinating panel discussion on the role of the Non-Executive Director (NED), looking from both the NEDs’ and the board’s perspectives at the evolving role of the NED in information security
– A Risk Management subject matter expert provided a detailed explanation of the three lines of defence implementation and how it is used across sectors
– A Member shared their GDPR readiness programme, alongside an industry expert’s view on some of the myths surrounding this potentially problematic legislation
The event closed with a thought-provoking presentation on the ‘No More Ransom’ initiative. The event received fabulous feedback and requests to repeat sessions at future events.
Webinars
Buying Cyber Risk Insurance To Support Your Information Protection Program
The webinar discussed the significant increase in global attacks and cyber events, which requires us to take a balanced approach (Prevent, Detect, Respond and Predict). Risk transfer is a key element of the ‘respond’ area of information protection. Cyber cover has become one of the fastest-growing areas of the insurance industry today; however, it is evolving very quickly due to limited actuarial data and changing threats.
Cyber Insurance – An overview
The presentation provided an overview of how cyber insurance has evolved over the last few decades and the types of risk transfer solution now available. There was a discussion of how cyber risk quantification, and the challenges it represents, sits in contrast to more traditional risk areas. The presentation concluded with a summary of what you may consider purchasing cyber insurance for and the mechanics of the purchase process.
Blockchain and Cryptocurrencies: The Risk and the Regulator
The number of individuals and companies utilising and investing
in distributed ledger technology (blockchain) and cryptocurrencies
is proliferating. The technology is varied and often highly
innovative, however, the risks are high and rapidly evolving, as
illustrated by the increase in mining attacks, malware and
regulation within the sector. In this webinar we explored the risks
and potential safeguards associated with aspects of fraud,
cybercrime, money laundering and terrorism financing.
UBA: Our journey behind the jargon
The presenter shared a very informative 12-month proof of concept on the application of a User Behaviour Analytics (UBA) tool at a global organisation to address insider threat. This well-attended and interactive session identified legal and technical implementation challenges and offered predictions for the future.
Updating cryptographic protocols in critical financial systems
The presenter described the process of updating and strengthening cryptography in the face of technological advances, discussing PKI, RSA and SHA algorithms and their selection, and the organisation's work with academia to gain assurance on current and future implementations.
One insecure IoT device is a nuisance, an army of them could be
our doom.
This webinar discussed the growing threat of unmanaged
operational technology, common application security flaws in IoT,
and hardware security issues, together with mitigation advice and
controls.
Threat Update Webinar
Following outreach from an external specialist threat
intelligence company, i-4 were able to connect them directly with a
UK hosting provider to identify and mitigate an ongoing data
breach. At the request of Members i-4 then provided a threat update
webinar to share indicators relating to a new and ongoing attack
pattern.
Insider Threat Assessment
A Member presentation on insider threats from an expert threat intelligence provider, describing the risk posed to organisations and real-world encounters with physical, reputational, privacy and financial risk. The presenter described recommendations to ensure ‘red flag’ employees are identified and monitored correctly.
Risk assessment: internal and external processes
A Member case study highlighting the evolution of the organisation’s risk management strategy, looking at methods and approaches together with the application of frameworks to manage external and internal risk. Although these have a common goal, they often require different approaches and lifecycles that borrow from the same underlying principles.
GDPR and NIS Update
A session exploring the possible impact of the General Data
Protection Regulation (GDPR) and the Network and Information
Security Directive (NISD), identifying what needs to be done now
and in the coming year.
Member Queries
Getting market best practices for Supplier Assurance
‘Supplier Assurance’, sometimes also known as ‘Third Party Risk Management’ or ‘Vendor Risk Management’, provides assurance (from a cyber or information risk perspective) for applications or services that are delivered via a third-party supplier. A Member asked how to ensure that the controls that apply in the ‘in-house’ situation are still being met when the service is moved outside.
Vulnerability Management
A Member reviewing options to manage vulnerabilities more effectively on a risk basis asked about current challenges and options for addressing:
– Automated patching
– Integration between vulnerability management solutions and the service ticketing system or the system software management solution
– Prioritisation on the CVSS base score alone, without environmental factors or system criticality
– Remediation of workstation vulnerabilities within the required timeline
Bring Your Own Devices
An organisation was reviewing its Bring Your Own Device (BYOD) strategy and sought an understanding of how other companies approach BYOD.
Low Code Applications, Robotic Process Automation and Mobile
Solutions
An i-4 member was interested in views on Low Code Applications,
Robotic Process Automation and Mobile Solutions.
Privileged Access Management
A member reviewing its overall identity strategy asked questions
around how others set their strategy and managed authentication,
seeking to understand best practices adopted by other companies for
privileged access management.
Information Security Spend
A Member reviewing their own organisation's information security spend requested a peer comparison to understand how much IT spend is allocated to security, where i-4 Members are focusing their information security budgets and how those budgets are allocated to particular functions.
Data Classification and Handling
An i-4 Member asked what formal data classification schemes others had adopted: is data categorised according to the impact of its disclosure or modification, and handled differently depending on the classification?
Operating Models
While reviewing their Global Cyber Security Operating Model, a
Member sought to gather high level information on how a number of
functional areas are currently delivered by other organisations,
particularly, Active Monitoring and Detection, Incident Management,
CERT & E-discovery, Infrastructure Operations, Security Testing
(Vulnerability Management and Penetration Testing) and Threat
Intelligence.
Information Security Vendor Risk Management
A Member wanted to enhance its Vendor Risk Management programme and was interested in how other i-4 Members have implemented effective methods to assess and manage that risk. This looked at management software, programmes, processes, shared assessments, triaging and scoping.
SOC and Device Management
Insourcing or outsourcing: this query sought to understand
Members' current situation and future plans in the evolving world
of cloud-based services. Are Members using hybrid solutions, are
they feeding data into and consuming data from their SOC systems,
and what benefits and challenges have they met?
Remote access
This Member organisation was interested in learning more about
the approaches being adopted for provisioning remote access to the
corporate network for staff, particularly those using corporate or
staff-supplied computing devices such as laptops or tablets.
Public Cloud services
Although one Member organisation has a documented policy and has
deployed technology that limits the exposure of confidential data
in public clouds, this approach severely limits their use of such
services. Therefore this organisation initiated a query to find out
how other Member organisations were addressing the issue.
Use of guest networks
One organisation was re-evaluating its strategy for providing a
guest network and wanted to understand how other Members provide
such services, including availability to guests, access for
employees who choose to bring their own devices, and access to
external resources that may not be reachable from the core
corporate network.
Use of identity cards
The effectiveness of photo identity cards as a security control
was being assessed. The Member was keen to understand how other
organisations apply and use them.
ii – The i-4 Team
Since December 2009 i-4 has been owned and operated by KPMG, who
continue to invest in and develop the programme to meet the
changing needs of its Members. Individuals from KPMG serve upon the
i-4 leadership team, which can also call on highly experienced
specialists from KPMG Member firms around the world, as well as
external security analysts and seasoned industry practitioners and
leaders.
Kevin Williams Head of the i-4 Programme
Kevin became Head of i-4 in July 2017 and brought with him more
than 25 years of experience in UK cyber law enforcement and cyber
security. He started his career with the Metropolitan Police
Service, later joining the National Crime Agency, before working in
the cyber security commercial and not-for-profit sectors with Team
Cymru. In 2008 Kevin was instrumental in the development of
national cybercrime capability. He was the lead law enforcement
advisor to UK Government for the creation of the cyber response to
the London 2012 Olympic Games, for which he received an Assistant
Commissioner's commendation. Most recently, Kevin has been
assisting the Mayor of London’s effort to help small and medium
businesses develop their digital defences and growth through the
work of the London Digital Security Centre.
Paul Taylor i-4 Sponsoring Partner
Joining KPMG in the UK as a partner in 2014, Paul is currently
working at board level with a number of global retail and
investment banks to address their cyber and information protection
challenges. Before joining KPMG, Paul led the delivery of some of
the most demanding national security programmes in the UK,
operating at the very highest levels of government. He is uniquely
qualified to understand the evolving threat environment and has an
exceptional track record of driving and delivering change in
complex organisations. Paul's contribution to science and
technology was recognised by his election as a Fellow of the Royal
Academy of Engineering in 2013.
Being able to compare your instincts and feelings about
particular areas of information security is something you wouldn’t
get elsewhere to the same level of intellect and honest appraisal
as you do at i-4 Forums.
i-4 Member, Forum 85, June 2015
Darren Brind Events Assistant
Darren Brind joined the KPMG Cyber Security Team in 2016 to
support the Head of Sectors together with his direct reports.
Experienced in event and project management he has supported the
i-4 Team with projects including rebranding and co-chairing Threat
Intel Exchange calls and webinars, coordinating member queries and
organising Forums, Regional and Roundtable events. Darren continues
to enjoy working in Cyber Security and contributing to the success
of the i-4 team.
Montana Narrsingh i-4 Events and Projects Assistant
Montana has been with KPMG since 2013 and has been with i-4 just
over two years. Prior to this she was in the Cyber Security Bid and
Knowledge Management team. Montana is currently assisting on all
aspects of i-4 including risk management, event logistics, and
supporting current and potential Members. Montana is a first port
of call for any Member support queries.
Marissa Goulding i-4 Events Manager
Marissa is the i-4 Events Manager and has been with the
programme since 1998. Regardless of the question or help needed,
for participants in i-4 events she is the point of contact and
coordination for speakers, session chairs and – of course – i-4
Members. Marissa’s knowledge of i-4 and how to make an event run
effectively are central to i-4 Forums and other meetings delivering
real value to the i-4 Membership.
Matthew Roach i-4 Content Manager
Matthew began his career with the Metropolitan Police Service,
later joining the Serious and Organised Crime Agency and latterly
the National Crime Agency. He led the National Cyber Crime Unit's
Tactical Industry Partnerships Team to many operational successes.
Additionally, he managed several high profile, sensitive and
time-critical cybercrime and data breach incidents. During his 18
years' service, he received commendations from both Crown Court
Judges and the Agency's Director-General. More recently, Matthew
has managed cybercrime and fraud teams within the telecoms sector
and created cyber threat intelligence managed services within the
private sector. Operationally, Matthew led investigations into a
global ransomware distribution organised crime group, leading to
the first seizure of virtual currency by the National Crime Agency.
He also led the NCA’s operational response to several high profile
data breaches within the telecommunications sector.
David Morgan Senior i-4 Advisor
David is a recognised and respected thought leader in the
security and risk management industry with over 25 years'
experience focusing on information security, fraud prevention,
business continuity and physical/personal security. Before moving
into consultancy and training and development, David held a number
of Board-level executive roles, including Chief Security Officer at
Lloyds TSB, Global Head of Information Risk Management and CISO at
ING Group, and Group IT Risk and Security Director at Barclays.
He has a proven track record in delivering strategic and
organizational change within large complex organizations. David has
provided strategic consulting services and interim management to a
variety of blue chip organizations in Financial Services, Energy,
Pharma, Telecoms and High Tech sectors. In addition, he has run
numerous leadership development groups and security master classes
for large multinational companies. He was an active i-4 Member for
many years, having attended his first meeting in 1995. David is
also a Director and co-founder of Security Faculty.
Paul Dorey Senior i-4 Advisor
An acknowledged thought leader in security, Paul has over 25
years of experience as a security and risk executive at Morgan
Grenfell/Deutsche Bank, Barclays Bank, and BP. He has received
several awards including Chief Security Officer of the Year, IT
Security Executive of the Year, and IT Security Hall of Fame. His
involvement with i-4 goes back to the late 1980s including a period
on the Membership Advisory Committee (MAC). He is a Visiting
Professor in Information Security at Royal Holloway, University of
London and is a director of CSO Confidential. In addition to his
speaking and lecturing activities he helps companies and government
departments in building their information security strategies, risk
governance and metrics including acting in interim CISO roles and
supporting CISOs in developing their functions. He is Chairman of
the Internet of Things Security Foundation.
Kevin Williams Head of i-4
T: +44 (0)7342 067430 E: [email protected]
Marissa Goulding i-4 Events Manager
T: +44 (0)7768 262727 E: [email protected]
Matthew Roach i-4 Content Manager
T: +44 (0)7464 900 773 E: [email protected]
The information contained herein is of a general nature and is
not intended to address the circumstances of any particular
individual or entity. Although we endeavour to provide accurate and
timely information, there can be no guarantee that such information
is accurate as of the date it is received or that it will continue
to be accurate in the future. No one should act on such information
without appropriate professional advice after a thorough
examination of the particular situation.
The KPMG name and logo are registered trademarks or trademarks
of KPMG International.