Transform to the power of digital
Information Security Benchmarking 2015
Information Security assessment of companies in Germany, Austria and Switzerland
May 2015
Management summary – study design and approach
Capgemini Consulting conducted a benchmarking study on Information Security to provide a thorough and balanced view of the current state of security in DACH organizations
Copyright © 2015 Capgemini Consulting. All rights reserved.
Information Security is key for today's organizations. The increasing number of serious security breaches announced in the press reminds us every day of the financial and non-financial consequences to which a successful attack exposes a business. New business and regulatory requirements, recent trends and the increasing sophistication of cyberattackers make this topic an even greater headache - not only for security officers but also for the board.
Understanding how peers implement Information Security to protect the confidentiality, integrity and availability of data provides valuable insight for every organization. Such insights not only help in recognizing current trends but also enable the quick identification of individual strengths and areas for improvement, and allow benchmarking across the organization's peer group.
In Q4 2014, Capgemini Consulting conducted an Information Security benchmarking study among companies and organizations in Germany, Austria and Switzerland. The 45 respondents from 10 different industry sectors provided their views on upcoming trends and delivered information on topics such as their security budget and organization structures.
The Information Security assessment was conducted based on a detailed maturity model. Using this model, study participants evaluated their security practice in the domains “Strategy & Governance”, “Organization & People”, “Processes” and “Technology”.
Capgemini evaluated the respondents’ answers and presents the study results from two different points of view:
– overall results across all participants to provide a thorough and balanced view of the current state of Cybersecurity in DACH
– an individual assessment for each participant where individual answers are discussed and compared against their industry peer group
Management summary – key insights
Despite high top management attention and increasing budgets, Information Security must undergo a deep transformation to improve alignment and cooperation with the business
High top management attention for Information Security – 75% of the respondents rated the top management’s priority on Information Security as medium or high, numerous companies even view it as one of their strengths.
Business goals not aligned with Information Security – Protection of data and prevention of system outages are considered key drivers for Information Security, while only 31% of the respondents view support of business goals as a driver for their security practice.
Security risks ignored by business decision makers – 75% of the participating companies stated that business is not involved in their IT risk management and does not consider security risks in their decision making.
Lack of security KPIs and ROI consideration – 96% of the participants rely on the results of internal and external audits to measure effectiveness of their Information Security, but only 7% use specific KPIs and merely 4% consider ROI estimates.
Unstructured security awareness programs – Increasing employee security awareness is the number one area of improvement for many companies. Only 27% of the participants characterized their awareness program as holistic, although 80% of respondents identified employees as the key source of security incidents.
Inconsistent information classification – 50% of the respondents rated their information classification as inconsistent with a lack of clearly defined classification policies and owners for each information asset.
Uncontrolled use of public clouds – 33% use public cloud services without full control of transmitted data, exposing it to potential unauthorized access. 27% of participants do not use public cloud services at all.
Increasing security budgets – More than half of the study participants (56%) expect an increase of their security budget while only 9% expect a budget decrease. The expected increase of the security budget is 10% (median).
Cybersecurity challenges
Growing requirements and recent trends continue to pose new challenges to Cybersecurity and endanger the success of Digital Transformation for today's companies
Figure: Digital Transformation (trends: Cloud, Big Data, Social, Mobility) surrounded by three groups of challenges
– Organized cybercrime with sophisticated attacks
– New requirements and trends
– Slowly growing Cybersecurity budgets
Challenges named in the figure:
– Industrialization of hacking, professional attack software "as a service"
– National intelligence agencies with unlimited resources
– Employees attacked by phishing, social engineering …
– Business demanding higher flexibility
– Complex ecosystems (e.g. Industry 4.0)
– New regulations & laws, e.g. "IT-Sicherheitsgesetz"
– Low awareness level of employees due to lack of holistic programs
– Constrained security resources
Table of contents
– Participants and Overview of the Study
– Overall Study Results: 1. Drivers & risks; 2. Organization & budget; 3. Overall security maturity assessment
– Individual Results of Security Maturity Assessment
– Capgemini Consulting Cybersecurity Offerings
– About Capgemini Consulting
Participants information
Experts from medium- and large-sized companies across multiple industry sectors participated in the study – with a majority of participants from Germany and Austria
Participants' industry sectors (pie chart; values as extracted: 13%, 24%, 22%, 11%, 29%): Energy, Utilities & Chemicals; Financial Services; Manufacturing; Public Sector; Other Industries (1)
Participants' role (pie chart; values as extracted: 69%, 16%, 4%, 2%, 7%, 2%): CISO/IT Security Manager; CIO; IT Service Manager; IT Application Manager; Other; Not Specified
Participants' origin* (pie chart; values as extracted: 45%, 34%, 14%, 7%; of the labels only "Other" survived extraction)
Company sizes (number of employees; values as extracted: 4%, 9%, 31%, 18%, 36%, 2%): 1-500; 501-1,000; 1,001-5,000; 5,001-15,000; >15,000; Not Specified
*Number of participants n=45
1 Other industries include Retail, Logistics, Telco/Media/Entertainment, Automotive
Participant peer groups
Leading DAX, ATX and SMI companies, hidden champions from various industries and public sector organizations participated in the Capgemini Consulting benchmarking study
Financial Services – Major Austrian and Swiss banks, leading insurance companies from Germany, Austria and Switzerland, service providers for financial institutions
Manufacturing – DAX companies, large international manufacturers and hidden champions from Germany, Austria and Switzerland
Public Sector – Major German and Austrian federal authorities and ministries, infrastructure operators and competence centers for municipalities
Energy, Utilities & Chemicals – Leading energy and chemical companies from DAX and ATX, international Swiss electric utilities
Other Industries – Leading international retail, logistics, telco, media and car supplier companies from Germany, Austria and Switzerland
Information Security benchmarking
Capgemini Consulting benchmarking study evaluates all relevant areas of an organization's Information Security practice using proven standards and industry best practices
Scope of Benchmarking Study
– Information Security organization & budget
– Drivers & strengths / pain points & risks
– Maturity assessment of all Information Security areas
Structure of the study
– Covers all relevant security areas of INFORMATION SECURITY: Strategy & Governance, Organization & People, Processes, Technology
– Based on common Information Security standards and industry best practices (ISO 2700x)
Maturity model – design principles
The benchmark evaluates the participants' security based on the Capgemini Consulting Information Security maturity model
To achieve reliable results, the study aims at an objective and repeatable security maturity assessment of all participants
Objectivity is achieved by assessing each Information Security component based on a clearly defined 5-level maturity model
Maturity levels (low to high) and their typical characteristics:
0 – NON-EXISTENT: not performed, non-existent, not installed, necessity not understood
1 – AD HOC: ad hoc, as needed, informal, loosely defined, inconsistent, basic, occasional, reactive
2 – DEFINED: defined process, roles, responsibilities; documented, formal, communicated
3 – MEASURED: measured to work effectively; monitored, use of KPIs, regular review/audits, partially automated
4 – OPTIMIZED: continuous improvement and optimization; best practice, risk mitigation, automated workflow, business enabler, proactive
Drivers for Information Security
Protection of data is the key driver for Information Security – supporting business goals and enabling Digital Transformation is of less relevance for most companies
Share of participants naming each driver:
78% Protection of customer data
71% Prevention of system/process outage
69% Protection of personal data
58% Protection of assets and IP
44% Safeguard for reputation
31% Support for business goals
16% Enabler for Digital Transformation
11% Strengthening competitiveness
7% Increase of efficiency/cost reduction
2% Critical infrastructure protection
2% Compliance
2% Legal requirements
Only 31% of participants rated support of business goals as a key driver
Strengths and top management attention
Information Security is on the boardroom agenda – many participants see top management attention as one of their strengths
Ranked top strengths:
1. Security expertise & capabilities
2. Management attention & commitment
3. Holistic Target Operating Model/ISMS (1)
4. Security awareness & training
5. Data protection based on requirements
1 ISMS: Information Security Management System
75% of participants rated top management attention as medium to high
Improvement fields and awareness programs
Although the majority of participants have already recognized its importance, several companies still lack a holistic security awareness program
Ranked top improvement fields:
1. Security awareness & training
2. Communication & collaboration
3. Policies & documentation
4. Security expertise & capabilities
5. Security operation center & monitoring
73% of participants consider their awareness program as unstructured
Security risks and sources for security incidents
Data theft and disclosure of information represent the largest security risk – the resulting incidents are frequently caused by current and former employees
Top risks (ranked):
1. Data theft and disclosure
2. Service outage
3. Phishing & social engineering
4. Unauthorized network access
5. Internal and external fraud
Sources for incidents (share of participants naming each source):
80% Current and former employees
56% Organized crime
56% Hackers/Script kiddies
47% Third-party partners/suppliers
29% Foreign nation states/national agencies
13% Visitors
13% Terrorists
11% Competitors
80% of participants consider their employees as the main source of security incidents
High priority topics
Increasing security awareness and training employees are considered essential elements of Information Security to protect corporate information
Share of participants planning to invest in each topic:
44% Security awareness & training
28% Mobile device security
23% Identity & access management
15% Network security
13% Security operations center & monitoring
13% Holistic information security management system
10% Policies & documentation
10% Process optimization
10% Risk & vulnerability management
8% Business continuity/disaster recovery management
44% of respondents plan to invest in awareness campaigns in the upcoming months
Effectiveness measurement
Internal and external audits are by far the most applied methods to measure security effectiveness, while security KPIs and ROI estimation are almost neglected
Share of participants using each measure:
96% Results of audits by internal or external auditors
64% Number of security incidents
38% Measurement of Information Security awareness
33% Industry benchmarking
31% Feedback from management
27% Proportion of system downtime
16% Number of security policies and standards
7% Special key performance indicators
4% Return on investment (ROI) estimation
Only 4% of companies consider ROI as an effectiveness measure
Security standards and best practices
ISO 2700x is the de-facto standard for Information Security in all sectors, while COBIT is only sparsely implemented among the study participants
Chart: share of participants applying each standard (legend: ISO 27001, ITIL, BSI, COBIT, Other (e.g. PCI DSS)) per peer group, scale 0% to 100%. Values as extracted, five per group in group order; the first value of each group (ISO 2700x) matches the headline, the remaining four follow the legend order as extracted:
Financial Sector: 100%, 64%, 55%, 27%, 18%
Energy, Utilities, Chemicals: 100%, 33%, 33%, 17%, 0%
Public Sector: 80%, 60%, 80%, 0%, 0%
Manufacturing: 71%, 71%, 14%, 57%, 14%
Other: 73%, 45%, 55%, 36%, 0%
IT risk management
A lack of Information Security risk consideration during business decisions may result in insecure solutions with a high potential for security breaches
Business decisions with security involvement – distribution of participants across the maturity levels NON-EXISTENT (0), AD-HOC (1), DEFINED (2), MEASURED (3) and OPTIMIZED (4); values as extracted: 7%, 18%, 44%, 22%, 9%
75% of companies do not consider security risks in their business decision making
Information Security governance
An essential part of Information Security governance is the steering committee, in which security-related decisions are reached by consensus of the relevant stakeholders
Involvement of relevant stakeholders – distribution of participants across the maturity levels NON-EXISTENT (0), AD-HOC (1), DEFINED (2), MEASURED (3) and OPTIMIZED (4); values as extracted: 20%, 35%, 16%, 29%, 0%
56% of respondents have defined a security steering committee with various stakeholders
Information classification and cloud computing
Information classification has been strongly neglected in recent years – the lack of effective classification solutions is also a key security concern for cloud computing
Classification – distribution of participants across the maturity levels NON-EXISTENT (0), AD-HOC (1), DEFINED (2), MEASURED (3) and OPTIMIZED (4); values as extracted: 4%, 9%, 27%, 33%, 27%
50% of companies rate their data classification as inconsistent
Cloud computing – distribution of participants across the maturity levels NON-EXISTENT (0), AD-HOC (1), DEFINED (2), MEASURED (3) and OPTIMIZED (4); values as extracted: 3%, 10%, 38%, 45%, 5%
33% of participants allow an uncontrolled use of public cloud services
Organization – FTEs in Information Security
With typically 4 FTEs, large companies have twice as many resources working in the Information Security function as medium-sized companies
Medium-sized companies (<= 5,000 employees) – FTEs in Information Security (chart scale 0 to 120): Max: 62, Min: 0.5, Median: 2
Large-sized companies (5,000+ employees) – FTEs in Information Security (chart scale 0 to 120): Max: 100, Min: 1, Median: 4
4 FTEs is the median size of Information Security organizations in large-sized companies
Information Security budget
56% of the participating companies expect an increase of their security budget compared to the previous year, by 10% (median)
Budget changes: 56% budget increase, 9% budget decrease, 36% no statement
Change of security budgets (in %; chart scale -40 to 80): Median: +10%, Max: +67%, Min: -25%
56% of participants expect an increase of their security budget
Overall security maturity assessment – industry peers
With a typical maturity level of 2, most participants' security areas are formally defined but lack effective measurement and automation
Average maturity level (scale 0.00 to 4.00, low to high) per peer group; values as extracted in legend order (Public Sector, Financial Services, Manufacturing, Energy, Utilities & Chemicals, Other Industries): 2.5, 2.2, 2.1, 2.0, 1.7
2.5 is the highest average maturity level, achieved by Public Sector
Overall security maturity assessment – details
Public Sector outperformed in the domains "Strategy & Governance" and "Organization & People", while in "Processes" and "Technology" Financial Services showed the highest maturity
Assessed areas per domain:
1 Strategy & Governance: 1.1 Strategy, 1.2 Governance Structure, 1.3 Compliance Management, 1.4 Risk Management, 1.5 BCM/DRM, 1.6 Audits, 1.7 Data Privacy, 1.8 Security Incident Reporting
2 Organization & People: 2.1 Organization Structures, 2.2 Roles & Responsibilities, 2.3 Employee Training and Awareness, 2.4 Security Expert Training, 2.5 Security Service Improvement, 2.6 Cooperation with Corporate Security, 2.7 Relationship with Business Units, 2.8 Social Media
3 Processes: 3.1 Identity and Access Management, 3.2 Threat and Vulnerability Management, 3.3 Patch Management, 3.4 Information Classification, 3.5 Sourcing and Vendor Management, 3.6 Secure Application Development, 3.7 Backup, 3.8 Mobile Devices, 3.9 Retention and Investigation of Data, 3.10 Cloud Computing, 3.11 Physical User Access Management
4 Technology: 4.1 Firewalls, 4.2 Remote User Access, 4.3 Network Intrusion Protection, 4.4 Wireless Network, 4.5 Database Security, 4.6 Server and System Security, 4.7 Endpoint Device Security, 4.8 Application Security, 4.9 Malicious Content Protection, 4.10 Physical Control Systems
(The per-area maturity values by peer group shown in the chart did not survive extraction.)
Drivers, incident sources and measurement – EXAMPLE (1)
COMPANY's security function is closely aligned to business, defining the support for business goals as a key driver for its investments
1 The following results represent an example of an anonymized individual assessment. COMPANY is only a placeholder.
A – Drivers for Information Security. COMPANY's answers: Prevention of system outages; Support for business goals.
– Prevention of system outages is the key driver for most members (83%) of peer group "Energy, Utilities & Chemicals"
– COMPANY is the only participant in the peer group defining support for business goals as a key driver for security
– In contrast to COMPANY, 50% of the other participants in the peer group consider protection of customer data and protection of assets and IP as key drivers for security
B – Sources for incidents. COMPANY's answers: Organized crime; Visitors.
– Organized crime is seen by COMPANY and most other peer group members as a key source of incidents
– In addition, other companies from the peer group consider current/former employees (67%) and hackers (50%) as further incident sources
C – Effectiveness measurements. COMPANY's answers: Return on investment (ROI); Results of audits by internal and external auditors; Industry benchmarking; Measurement of Information Security awareness; Feedback from management.
– COMPANY is the only participant in the peer group considering ROI as a measure
– 84% of the other participants consider the number of security incidents as another effectiveness measure
Strengths, improvement fields, risks and priorities – EXAMPLE
COMPANY's improvement fields are mainly located in the domain "Processes" - access management and data classification are common improvement fields among the respondents
COMPANY's individual answers:
Top 3 improvement fields: 1. Access mgmt, 2. Compliance and req. mgmt, 3. Data classification
Top 3 priorities: 1. Access control, 2. Data classification, 3. -
Top 3 strengths: 1. Vulnerability mgmt, 2. Certified infrastructure, 3. Integrated mgmt system
Top 3 risks: 1. Data leakage, 2. Internal threats, 3. Complexity
Domain mapping: the answers are mapped onto the domains of the Capgemini Consulting Information Security Framework (INFORMATION SECURITY: Strategy & Governance, Organization & People, Processes, Technology); the numbered markers of the figure did not survive extraction.
Security maturity assessment – domain Strategy & Governance – EXAMPLE
With an immature IT risk management, COMPANY may miss or underestimate major risks for its organization and become a victim of internal and external threats
– "1.2 Governance Structure" is below peer group average (COMPANY: 2 vs. peers: 2.47). Recommendation: Definition of a security steering committee with relevant stakeholders, direct report to top management
– "1.4 IT Risk Management" is significantly below peer group average (COMPANY: 1 vs. peers: 2.45). Recommendation: Definition of processes, roles & responsibilities, regular assessments, mgmt of mitigation measures, reporting, definition of KRIs
– "1.6 Audits" is below peer group average (COMPANY: 2 vs. peers: 2.91). Recommendation: Definition of data collection methods for auditor support, immediate response to findings by automated process
COMPANY lies in 6 out of 8 areas below the peer group average in the domain "Strategy & Governance"
Chart: maturity level (0-4) per area (1.1 Strategy, 1.2 Governance Structure, 1.3 IT Compliance Management, 1.4 IT Risk Management, 1.5 BCM/DRM, 1.6 Audits, 1.7 Data Privacy, 1.8 Security Incident Reporting) for COMPANY, peer group Financial Services, Top Performer in Peer Group and Total Average (All Participants); the markers A, B, C in the chart refer to the three findings above
Legend – Capgemini's high-level risk evaluation: No risk, Low risk, Medium risk, High risk
Domain overview: Strategy & Governance, Organization & People, Processes, Technology
Security maturity assessment – domain Organization & People – EXAMPLE
A holistic Information Security awareness concept is the most effective solution to tackle the increasing number of attacks on employees
– "2.3 Employee Training & Awareness" is below peer group average. Due to its increasing importance, the average is expected to rise. Recommendation: Definition of a holistic concept, measurement of awareness and training success, use of multipliers
– "2.4 Security Expert Training" is below peer group average (COMPANY: 1 vs. peers: 1.91). Recommendation: Definition of training plans, introduction of mandatory trainings/certifications
– "2.6 Cooperation with Corp. Sec." is significantly below peer group average (COMPANY: 1 vs. peers: 2.45). Recommendation: Intensification of collaboration with Corporate Security, use of joint success factors
COMPANY lies in 7 out of 8 areas below the peer group average in the domain "Organization & People"
Chart: maturity level (0-4) per area (2.1 Organization Structures, 2.2 Roles & Responsibilities, 2.3 Employee Training and Awareness, 2.4 Security Expert Training, 2.5 Security Service Improvement, 2.6 Cooperation with Corporate Security, 2.7 Relationship with Business Units, 2.8 Social Media) for COMPANY, peer group Manufacturing, Top Performer in Peer Group and Total Average (All Participants); the markers A, B, C in the chart refer to the three findings above
Legend – Capgemini's high-level risk evaluation: No risk, Low risk, Medium risk, High risk
Domain overview: Strategy & Governance, Organization & People, Processes, Technology
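The peer-group comparison behind the two individual assessment pages above (each area's maturity level against the peer group average, the top performer in the peer group, the count of areas below the peer average, and a high-level risk rating per area) can be reproduced with a short scoring routine. The Python below is an added example and not the study's own tooling: the scores for the placeholder COMPANY and for three hypothetical peers are constructed for illustration (only COMPANY's values for 1.2, 1.4 and 1.6 echo the page's example), and the gap thresholds that map onto the report's "No / Low / Medium / High risk" labels are an assumption, since the study does not publish its colour rule.

```python
"""Peer-group maturity gap assessment (added example, not the study's own tooling)."""
from statistics import mean

# The study's 5-level maturity scale: 0 = non-existent ... 4 = optimized.
LEVELS = {0: "NON-EXISTENT", 1: "AD HOC", 2: "DEFINED", 3: "MEASURED", 4: "OPTIMIZED"}

# Areas of the domain "Strategy & Governance", as named in the assessment.
AREAS = [
    "1.1 Strategy", "1.2 Governance Structure", "1.3 IT Compliance Management",
    "1.4 IT Risk Management", "1.5 BCM/DRM", "1.6 Audits", "1.7 Data Privacy",
    "1.8 Security Incident Reporting",
]

# Constructed sample scores: the placeholder COMPANY plus three hypothetical peers.
# Only COMPANY's 1.2 = 2, 1.4 = 1 and 1.6 = 2 echo the page's example; the rest is invented.
COMPANY = dict(zip(AREAS, [3, 2, 2, 1, 2, 2, 3, 2]))
PEERS = {
    "Peer A": dict(zip(AREAS, [2, 3, 2, 3, 2, 3, 3, 3])),
    "Peer B": dict(zip(AREAS, [3, 2, 3, 2, 3, 3, 2, 2])),
    "Peer C": dict(zip(AREAS, [2, 3, 3, 3, 2, 3, 3, 3])),
}


def validate(scores):
    """Reject anything that is not an integer level 0-4 (a survey entry error, not a finding)."""
    for area in AREAS:
        level = scores.get(area)
        if not isinstance(level, int) or level not in LEVELS:
            raise ValueError(f"{area}: {level!r} is not a maturity level 0-4")


def domain_average(scores):
    """Unweighted mean over the domain's areas (the study's 'average maturity level')."""
    return mean(scores[area] for area in AREAS)


def peer_average(peers):
    """Per-area mean across the peer group (the chart's 'peer group average')."""
    return {area: mean(p[area] for p in peers.values()) for area in AREAS}


def top_performer(peers):
    """Peer with the highest domain average (the chart's 'Top Performer in Peer Group')."""
    return max(peers, key=lambda name: domain_average(peers[name]))


def risk_rating(gap):
    """Translate the gap (peer average minus own level) into the report's four risk labels.
    ASSUMPTION: these thresholds are ours; the study does not state its colour rule."""
    if gap <= 0.0:
        return "No risk"
    if gap < 0.5:
        return "Low risk"
    if gap < 1.0:
        return "Medium risk"
    return "High risk"


def assess_domain(company, peers):
    """Compare one participant with its peer group area by area."""
    validate(company)
    for scores in peers.values():
        validate(scores)
    avg = peer_average(peers)
    rows = []
    for area in AREAS:
        gap = avg[area] - company[area]
        rows.append({"area": area, "company": company[area], "peer_average": avg[area],
                     "gap": gap, "risk": risk_rating(gap)})
    return {
        "rows": rows,
        "below_peer_average": sum(1 for r in rows if r["gap"] > 0),
        "company_average": domain_average(company),
        "top_performer": top_performer(peers),
    }


def format_report(result, domain="Strategy & Governance"):
    """Render the findings in the wording the assessment pages use."""
    head = (f"COMPANY lies in {result['below_peer_average']} out of {len(AREAS)} areas below "
            f"the peer group average in the domain '{domain}' "
            f"(top performer: {result['top_performer']})")
    lines = [head]
    for r in result["rows"]:
        lines.append(f"{r['area']}: COMPANY {r['company']} ({LEVELS[r['company']]}) "
                     f"vs. peers {r['peer_average']:.2f} -> {r['risk']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(assess_domain(COMPANY, PEERS)))
```

With the constructed data the routine reports 6 of 8 areas below the peer average, as in the page's example; 1.4 IT Risk Management and 1.6 Audits come out as "High risk" under the assumed thresholds, while the areas where COMPANY already exceeds its peers (1.1, 1.7) are rated "No risk". The validation step matters in practice: a single out-of-range survey answer would otherwise silently shift every peer average.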
Capgemini Consulting is happy to perform a detailed and individual assessment of your Information Security practice
If your organization would like to participate in Capgemini's free Information Security study and gain full insights from Capgemini's extensive benchmarking database, please contact:
Dr. Paul Lokuciejewski, Lead of Cybersecurity Consulting
Capgemini Deutschland GmbH, Berliner Str. 76, D-63065 Offenbach
Phone: +49 69 9515 1439, E-Mail: [email protected]
Trends in Cybersecurity
With the increasing complexity of organizations and the ongoing penetration of SMACT (1) technologies, a "full perimeter" protection is not feasible anymore
Old Paradigm → New Paradigm:
– Control-centric → People-centric
– Prevent & protect → Predict, monitor & respond
– Perimetric defense → Data-centric defense
– Zero-risk dream & compliance → Digital risks & information life cycle
SOLUTIONS: Security Strategy; People & Awareness; Security Operations; Risk Mgmt & Information Classification
1 Social, Mobile, Analytics, Cloud and (Internet of) Things
Capgemini Consulting Cybersecurity Portfolio (excerpt)
Our Strategic Cybersecurity Consulting guides your organization through a secure Digital Transformation while leveraging the power of modern technologies
OUR STRATEGIC CYBERSECURITY CONSULTING ADDRESSES C-LEVEL CONCERNS TO ENABLE A SECURE DIGITAL TRANSFORMATION. IT WILL HELP YOU TO
1 Benchmarking / Maturity Assessment – "gain a profound understanding of your current Cybersecurity situation."
2 Digital Risk Management – "make risk-based decisions and protect your business with optimal investment strategies."
3 Security Target Operating Model (ISMS) – "establish effective Cybersecurity capabilities for a holistic protection of your data and systems."
4 Awareness Campaign – "foster a people-centric security culture and protect against the increasing number of employee-focused attacks."
CySIP Maturity Assessment approach
Capgemini performs its Cybersecurity & Information Protection (CySIP) Maturity Assessment based on a proven approach and standardized tools
Phase – SCOPING & VISIONING
Activities: Define scope of assessment; Derive strategic guidelines; Determine client-specific threats; Identify business-critical information and systems
Results: Aligned questionnaires; Defined strategic guidelines; Overview of business-critical information and systems
Phase – MATURITY ASSESSMENT
Activities: Conduct focus interviews with business and IT to assess maturity; Identify vulnerabilities and gaps; Benchmark with best practices; Define pain points, quick wins and long-term measures
Results: Overview of evaluated vulnerabilities and gaps; Assessed CySIP maturity; Measurement catalogue
Phase – TRANSFORMATION ROADMAP
Activities: Prioritize measures; Define high-level business case; Define transformation plan; Align results with stakeholders; Prepare decision documents
Results: Aligned and prioritized measures; High-level business case; Transformation plan; Final decision documents
Sample deliverables shown as thumbnails: an implementation plan (Q4 2014 to 2016) with the workstreams Management & Governance, Int. Organization & Client, Applications & Operating System and Network & Hardware (activities: Analyze data privacy organization; Design IS policy framework; Outline governance principles for data; Describe governance profiles and roles; Transform to new organization; Analyze business & IT requirements; Develop security architecture model; Design technical solutions; Build and customize designed solution; Test and deploy services; Conduct risk and stakeholder analysis; Perform survey to assess awareness level; Develop awareness concept; Design awareness objects; Implement awareness objects; Perform second survey to measure effectiveness; Define business continuity strategy; Develop decision structures; Develop organization plan; Define business impact analysis (BIA); Conduct business impact analysis; Formulate SLAs; Define business continuity plans); an IT organization chart ("Org structure – To-be IT demand organization"); and a maturity chart for the domain Strategy & Governance (areas 1.1 to 1.8; Bundesministerium für Finanzen vs. the Public Sector peer group, Top Performer in Peer Group, Total Average (All Participants))
C-LEVEL AND BUSINESS-ORIENTED, STRUCTURED APPROACH FOR AN ACCELERATED INCREASE OF CLIENT'S MATURITY AND DEFINITION OF A CYBERSECURITY STRATEGY
Why Capgemini Consulting?
– C-Level and business-oriented for alignment with business/IT strategy
– Toolkit of proven questionnaires for accelerated maturity assessment
– Extensive benchmark database for peer comparison
– Collaborative approach to define clear strategy
Cybersecurity Digital Risk Management
Capgemini helps organizations to protect their critical information assets using optimal investment strategies that minimize operational risk
Copyright © 2015 Capgemini Consulting. All rights reserved.
37
Describe procedures & interfaces Define roles & responsibilities and
KRIs Develop reporting Profile threats and vulnerabilities Develop questionnaires
Conduct risk assessments with business and IT to identify and evaluate risks
Create a holistic risk register Define risk mitigation measures Implement process
Define scope of risk assessment Identify critical information assets Assess business impact (business
impact analysis) Perform gap analysis and define
measures
TO-BE DESIGN RISK ASSESSMENT &
IMPLEMENTATION VISIONING &
AS-IS ANALYSIS
Policy and process description Role descriptions/ RACI Reporting templates Risk assessment templates
Validated risk assessment results Consolidated risk register Measurement catalogue Training material & reporting
Assessment scope Realistic and worst-case inherent
business impact ratings Overview gaps/ measures
BUSINESS-FOCUSED, STRUCTURED AND PRACTICAL RISK MANAGEMENT METHODOLOGY BASED ON RIGOROUS ASSESSMENT TO CREATE A HOLISTIC PROFILE OF DIGITAL RISKS
Why Capgemini Consulting?
• Proven best practices approach to create a holistic risk profile
• Focus on business perspective (“Digital Risk”)
• Practical methodology with rigorous assessment process
• Best practice templates to focus on key risks
Figure: Risk heat map plotting numbered risks (1 to 14, with sub-items 9a–9d and 14a/14b) by Probability (LOW / MEDIUM / HIGH) against Impact (LOW / MEDIUM / HIGH).
Current topics
Assessment
Measures
Topic area | No. | Green | Yellow | Orange | Red | Change from previous period
Topic 1 | 2 | 0 | 0 | 2 | 0 | #DIV/0!
Topic 2 | 0 | 0 | 0 | 0 | 0 | #DIV/0!
Topic 3 | 0 | 0 | 0 | 0 | 0 | #DIV/0!
Topic 4 | 1 | 0 | 0 | 1 | 0 | #DIV/0!
Management Summary
• Presentation of the implementation status of risk-treating measures for key risks
• Overview of current group-wide topics, e.g. IT projects, changes in IT outsourcing
• Summary of the assessment of group-wide risks and the status of the risk indicators (early warning system)
Commentary
Cybersecurity Target Operating Model (ISMS)
We support organizations in establishing an Information Security Management System that ensures an adequate setup and development of their Cybersecurity capabilities
Why Capgemini Consulting?
• Models tailored towards your organization context
• Experience from operating client ISMS
• Best practices following industry standards (e.g. ISO 27001)
• Fast implementation due to ready-to-use assets (e.g. policies)
HOLISTIC AND RISK-BASED METHODOLOGY TO INTEGRATE CYBERSECURITY INTO YOUR BUSINESS AND INCREASE RESILIENCE
Information Security Management System – Operating Model
• ORGANISATIONAL STRUCTURE
• GOVERNANCE MODEL
• ROLES & COMPETENCIES
• PROCESSES & INTERFACES
• TECHNOLOGY & SYSTEMS
• PERFORMANCE METRIC
Cybersecurity Awareness 2.0
Awareness initiatives offered by Capgemini leverage broad communication campaigns and targeted training for roles with high risk profiles
Phase: QUICK SCAN – Objectives: REVIEW RISKS, EXISTING AWARENESS INITIATIVES AND ANALYZE STAKEHOLDER AND TARGET GROUPS
Phase: PLANNING – Objectives: DEFINE TRANSFORMATION ROADMAP FOR PRIORITIZED MEASURES
Phase: CONTENT ADAPTION – Objectives: PRAGMATIC ADOPTION AND CREATION OF AWARENESS CONTENT, OUTLINE OF KPIs AND MULTIPLIERS
Figure (example roadmap): items placed on a Short Term / Mid Term / Long Term / Strategic Goal timeline: Store Front, Timesheet, Workforce Management, Mobile CRM, Mobile Worker, Approvals, Interactive Dashboards, Mobile Executive Reports, Employee Tracking, Self-Service Operations, Support, Mobile Sales, Training, Documentation, Collaboration Tools, Mobile Service, Customer Factsheets, Customer Interaction Tracker, Pushed Information, Automated Services, Product Information, Assistance Services.
Figure: Stakeholder map for the awareness campaign (External Stakeholders vs. Internal Stakeholders = target audience)
External Stakeholders: Retailers; Other distributors; Consumers; Manufacturers
Internal Stakeholders (= target audience):
• Leadership team* (Global, Europe)
• Europe Leadership team (first line leaders): Unit A, Unit B, Unit C
• Employees Europe: Unit A, Unit B, Unit C
• Rest of Europe Organisation: Employees other units
• Corporate Functions: Communications, HR
• Joint project team: Other projects within Company
• Workers council
• Change Program
The “Dark hotel” attack is targeting high-profile business travelers
Please remember: Hackers use fake update notifications to get you to install malware on your computer.
“Dark hotel” attack – Step by step
1. You connect to the already infected hotel Wi-Fi with your laptop or smartphone
2. You receive a fake software update notification on your device (“An update is ready to install!”)
3. You install the faked update, which is spy software that gives hackers access to the PC
4. Hackers steal data, record keystrokes and infiltrate the network
Tips for using foreign Wi-Fis
1. Always use the Company VPN connection for any transmission of confidential data
2. Do not download or apply any updates in foreign Wi-Fis
3. Turn off the wireless functions (Wi-Fi, Bluetooth, GPS and NFC) of your mobile devices when you don’t need them
4. Always check if websites use the HTTPS standard in the address bar
5. Always keep your antivirus software up-to-date (update at Company or at home)
6. If you are unsure, use the roaming package of your phone or your UMTS laptop adapter instead
Poster sections: Possible threats while on tour; Secure usage of wireless services; Remote access capabilities
Why Capgemini Consulting?
• Structured, proven approach to optimize ongoing campaigns
• Flexible and easy-to-adopt solutions
• Extensive knowledge in change and communication mgmt
• Measurable impact based on implemented KPIs
PROACTIVELY TACKLE SECURITY THREATS BY INTRODUCING POSITIVE SECURITY BEHAVIORS THROUGH A HOLISTIC CYBERSECURITY AWARENESS CAMPAIGN
Cybersecurity Awareness 2.0 - communication channels
A best practice mix of different channels is used to effectively communicate key messages of the awareness campaign
Format / Communication channels / Examples (extract):
• Poster; Article in internal newspapers; Information Security Handbook; Booklets; Leaflets; Flyers
• Digital: Newsletters; Intranet/Web Sites/banner/blogs; Flat screen content; Online quizzes; Web-based trainings; Awareness movies; Logon screen messages; Online surveys/feedback polls
• Events: Phishing mail tests; Clean desk audits; Classroom trainings incl. train-the-trainer concept; Information Security Days; Security breakfast/lunch events; Live-hacks; Onboarding training material; Management trainings
EXAMPLE
Case study – Cybersecurity Awareness campaign design and implementation
Capgemini Consulting supports a leading energy company in significantly raising the awareness for Cybersecurity of 22,000 employees in 20+ countries
Issue
• Our Client – an international energy company with approx. 28,000 employees in more than 20 countries – faced an increasing number of security breaches caused by employees
• Loosely performed awareness initiatives in the past showed little to no positive effects
• Unknown level of employee awareness for focused awareness activities
• Missing local support for global implementation of security initiatives
• No holistic approach for a group-wide, target-group-specific awareness campaign
Solution
• Conducting a group-wide, multi-lingual online survey with 22,000+ participants
• Development of a holistic awareness concept based on detailed survey evaluation
• Design and creation of awareness objects using the right mix of communication channels
• Organization and conduct of Cybersecurity Awareness events and trainings
• Establishment of a multiplier network for an effective campaign implementation
• Program management based on Capgemini’s proven methods and tools
Benefits
• Increased awareness for security risks leading to adoption of positive security behaviors
• Significantly decreased number of security breaches and human errors
• Improved acceptance and visibility of Cybersecurity as business partner
• Enforced compliance with legal and regulatory requirements
Cybersecurity Awareness 2.0 - why Capgemini Consulting?
Proven, easy-to-adopt solutions and extensive project experience enable Capgemini to efficiently implement effective Information Security Awareness campaigns
1. Structured, proven approach to set up or optimize your ongoing awareness activities
2. Flexible and easy-to-adopt solutions for an accelerated increase of Information Security based on your needs
3. Benchmarking data derived from previous projects to compare with industry peers
4. Measurable impact based on implemented KPIs
5. Extensive knowledge in project, change and communication management
6. Global Capgemini network of security and communication experts
Transform to the power of digital
Table of contents
• Participants and Overview of the Study
• Overall Study Results
• Individual Results of Security Maturity Assessment
• Capgemini Consulting Cybersecurity Offerings
• About Capgemini Consulting
CAPGEMINI GROUP from a global point of view
Paul Hermelin, Group Chairman and CEO
PEOPLE
• 140,000 employees
• Offices in 44 countries
COMPANY
• Listed on the Paris stock exchange (CAC-40)
• 10.1 bn € revenues (2013)
• Top 5 consultancy worldwide
• Two thirds of the world’s largest companies are our clients
• Headquarter in Paris
CAPGEMINI CONSULTING GERMANY/AUSTRIA/SWITZERLAND
Dr. Volkmar Varnhagen, CEO CC Germany/Austria/Switzerland
CAPGEMINI CONSULTING – The strategy and transformation brand of the group
Cyril Garcia, CEO Capgemini Consulting
GLOBAL
• Strong global network
• 10,000 strategy and management consulting experts
• Present on all continents
CIO Advisory Services
To increase the Capgemini Consulting client focus and build trusted long-term relationships with our clients, we have designed our Service Offerings along the life-cycle of CIOs
OUR MISSION is to SUPPORT CIOs in every aspect of their work from ASSESSMENT to STRATEGY all the way through TRANSFORMATION
ASSESS – What is the current state of your IT Operation?
• IT Flash Assessment
• Cybersecurity Risk Assessment
• IT Project/Program Audit
• Digital Day
• IT Due Diligence
• Post-Merger Integration IT and IT M&A Assessment
STRATEGIZE – How do you position your IT Organization strategically?
• IT Strategy Development
• Cybersecurity Strategy
• IT Innovation Strategies
• IT Digital Strategies
• Mobile Strategy
• Cloud Strategy
TRANSFORM – How do you improve/transform your IT Organization long-term?
• IT Organizational Transformation
• Cybersecurity Transformation
• Digital Service Unit
• Lean IT/IT efficiency
• IT Portfolio Management
• IT Shared Service Center
• Project Turn-around and PMO
Capgemini Group offers and capabilities
Capgemini Consulting relies on a strong and global Cybersecurity capability network within the Capgemini Group
2,500+ Capgemini resources with Cybersecurity skills
Locations: Canada, United States, Mexico, Brazil, Argentina, all over Europe, Morocco, Australia, People’s Republic of China, India, Chile, Guatemala, Singapore, Philippines, Taiwan, Vietnam, United Arab Emirates, Malaysia, New Zealand, Japan, South Africa, Colombia
Capability areas: Management, Transformation, Build
Offerings:
• Cybersecurity Awareness
• Security transformation program management
• Design and implementation of security solutions
• Digital security assessment & strategy and risk management
• Security technical assessment
Capgemini Surveys and Benchmarks (examples)
We constantly search for new customer solutions and provide our customers with the latest research and points of view on current and future topics
• International Information Security studies & POVs: Information Security Benchmarking 2015 (Information Security assessment of companies in Germany, Austria and Switzerland, May 2015); Trends in Security 2014
• IT Strategy & Change Management
• Digital Transformation in cooperation with MIT: The objective is to understand how the “digital winners” are managing (or have managed) their Digital Transformation, starting from “brick and mortar” and moving to a “digital company”, and to identify some guiding principles and best practices
Dr. Guido Kamann, Head CIO Advisory Services DACH
Capgemini Suisse S.A., Leutschenbachstrasse 95, CH-8050 Zürich
Phone: +41 44 5602 400, E-Mail: [email protected]
Dr. Paul Lokuciejewski, Lead of Cybersecurity Consulting
Capgemini Deutschland GmbH, Berliner Str. 76, D-63065 Offenbach
Phone: +49 151 4025 0855, E-Mail: [email protected]
Thank you.