Documente Academic
Documente Profesional
Documente Cultură
the dots:
A proactive approach to
cyber security oversight
in the boardroom
kpmg.com.au
Connecting the dots: A proactive approach to cyber security oversight in the boardroom 2
Given this environment, it is not surprising that cyber risk is now near the top of board and audit committee
agendas.
According to KPMG’s 2015 Global CEO Outlook2 study 37 percent of Australian executives are kept awake at
night by emerging technology risk and 29 percent by information security risk (cyber). Eighty eight percent
have appointed a cyber security executive or created a cyber team. Yet only 35 percent stated they were fully
prepared for a cyber event.
So a critical question for every audit committee is: What information do they require – or is most critical – in
assessing whether management is appropriately addressing cyber risk? Certainly, directors need to hear from
a chief information security officer (CISO) or chief information officer (CIO) who is knowledgeable and can help
them see the big picture. But what should be the key areas of focus?
In our experience, board members are wondering: am I asking the right questions?
How do I get comfortable? Are we doing enough? How do I know we are doing the right things?
Are we making the right decisions?
1
“The Morning Risk Report: Cyber security Responsibility Falling to Boards,” Risk & 2
“KPMG 2015 Global CEO Outlook Survey: The growth imperative in a more competitive
Compliance Journal, The Wall Street Journal, 4 March 2015, http://blogs.wsj.com/ environment” https://www.kpmg.com/Global/en/IssuesAndInsights/ArticlesPublications/ceo-
riskandcompliance/2015/03/04/ the-morning-risk-report-cybersecurity-responsibility-falling-to- outlook/Documents/global-ceo-outlook-2015-v2.pdf
boards/.
© 2016 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.
All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.Liability limited by a scheme approved under Professional Standards Legislation.
Connecting the dots: A proactive approach to cyber security oversight in the boardroom 3
3
“ACSC Australian Cyber Security Centre 2015 Threat Report”, p 7-8 5
“Telstra’s ‘five knows of cyber security’.” Byron Connolly in CIO magazine:
4
“Spies warn, we’re under cyber attack as hacking costs $1bn.” The Australian, http://www.cio.com.au/article/583438/telstra-five-knows-cyber-security/
Information Technology News, July 29, 2015 12.00AM.
© 2016 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.
All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.Liability limited by a scheme approved under Professional Standards Legislation.
Connecting the dots: A proactive approach to cyber security oversight in the boardroom 4
6
“2015 Global Megatrends in Cyber security”, p. 3, sponsored by Raytheon, Ponemon institute, 8
“Board members unhappy with information on IT, cyber security,” National Association
February 2015, http://www.raytheon.com/news/rtnwcm/groups/gallery/documents/content/ of Corporate Directors (NACD), December 3, 2014, http://www.nacdonline.org/AboutUs/
rtn_233811.pdf. NACDInTheNews. cfm?ItemNumber=12551.
7
Ibid., p. 4. 9
Ibid.
© 2016 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.
All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.Liability limited by a scheme approved under Professional Standards Legislation.
Connecting the dots: A proactive approach to cyber security oversight in the boardroom 5
From a governance standpoint, how can the board be more effective, and close the loop in its information flow? The board must
always be proactive, informed, and involved without getting overwhelmed or paralysed. Based on our board outreach and education
programs, we have found these are the three most common, high-level board oversight questions asked by the executive
management and the board today:
1
The first question addresses strategic issues from the
What are the new cyber security business process and corporate objectives standpoint.
threats and risks, and how do they It is about getting an up-to-date, detailed snapshot of
affect our organisation? the current cyber threat landscape that is understood
by all. It looks at getting comfortable with cyber
security aspects of core business decisions, cutting
through the technical jargon.
2
The second question addresses tactical issues,
Is our organisation’s cyber security from a program, (technical) capability, and process
program ready to meet the perspective, and how they are cascaded throughout
challenges of today’s and tomorrow’s the organisation. It looks at whether the organisation
cyber threat landscape? is doing enough due diligence to mitigate risks,
depending on its risk profile.
3
The third question addresses the many operational
What key risk indicators should issues, clarifying, prioritising, and ultimately translating
I be reviewing at the executive them to what it really means from a risk posture point
management and board levels to of view and ultimately, closing the loop. This is “where
perform effective risk management the rubber meets the road,” and indicates how you
in this area? will know whether you are doing the right thing – so
you can sleep at night more easily.
These three questions are interrelated and allow for continuous synchronisation and integration as the board wants to remain agile
and responsive to the evolving and changing cyber threat landscape.
© 2016 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.
All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.Liability limited by a scheme approved under Professional Standards Legislation.
Connecting the dots: A proactive approach to cyber security oversight in the boardroom 6
KPMG’s Global Cyber Maturity Framework Cyber security The application of a holistic model incorporating these
is more than a technology problem – it is a holistic one. In six domains can bring the following benefits:10
response, KPMG designed a global Cyber Maturity Framework
specifically to assist organisations in addressing these critical ■■ The reduction of the risk that the organisation will be hit
questions by combining the most relevant aspects of existing by a cyber attack from outside and the reduction of any
international cyber security standards and governance consequences of a successful attack.
frameworks.
■■ Better decisions in the field of cyber security – the provision
While we recognise the “alphabet soup” of existing framework of information on measures, patterns of attack, and incidents
options available (which are primarily IT or controls driven) are is thus enhanced.
valuable, we believe KPMG’s Cyber Maturity Framework is
■■ Clear lines of communication on the theme of cyber
a broader, more thorough, and more holistic way to address
security. Everyone knows his or her responsibilities and
board engagement and how boards can exercise their oversight
what must be done if incidents (or suspected incidents)
responsibilities.
occur.
For example, while the National Institute of Standards and
■■ A contribution to a better reputation. An organisation that
Technology (NIST) Cyber security Framework is beneficial for
is well prepared and has seriously considered the theme of
defining and assessing the control maturity of the operational
cyber security is able to communicate on this theme in a
aspects of a cyber program within the current environment,
way that inspires confidence.
KPMG’s Cyber Maturity Framework is specifically designed to
provide strategic alignment for coordinating board and non-IT ■■ The enhancement of knowledge and competences
oversight and governance. Together, both frameworks provide regarding cyber security.
mutual compatibility.
■■ The benchmarking of the organisation in the field of cyber
We regularly provide multidisciplinary assessments for boards security in relation to its peers.
that are focused on their business globally against these six
domains: In addition, we offer framework mapping that is compatible with
your other existing framework.
1. Leadership and Governance,
2. Human Factors,
10
Cyber security, a theme for the boardroom, p. 17, KPMG Advisory N.V. (the Netherlands), 2014,
authored by KPMG partner John Hermans, http://www.kpmg.com/NL/nl/IssuesAndInsights/
ArticlesPublications/Pages/Cybersecurity-a-theme-for-the-boardroom.aspx
© 2016 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.
All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.Liability limited by a scheme approved under Professional Standards Legislation.
Connecting the dots: A proactive approach to cyber security oversight in the boardroom 7
Communication and direction flow through The objective is to allow for all communication – whether
six domains technical, legal, strategic, or operational – to be mutually
beneficial for all stakeholders. The right questions need to
Within this Cyber Maturity Framework, a strong be asked, and the details matter and need to be meaningful
communications plan is focused on the details and complexity for everyone involved. Our transformative framework, with a
of ongoing communication and direction between the board proactive approach, helps shape the proper dialogue and overall,
and management. This helps achieve a reliable flow of improves the information flow to become more transparent and
information among a broad mix of stakeholders. It is not only sustainable – thus, closing the loop.
the frequency of communication that needs to be reassessed,
but also, improving the appropriate and efficient quality of
communication when addressing risks.
LEADERSHIP AND
GOVERNANCE
Management demonstrating
due diligence, ownership,
and effective management
of risk
BOARD
ENGAGEMENT &
OVERSIGHT
OPERATIONS AND INFORMATION RISK
TECHNOLOGY MANAGEMENT
The level of control measures The approach to achieve
implemented to address thorough and effective risk
identified risks and reduce management of information
the impact of compromise throughout the organisation
and its delivery and
BUSINESS CONTINUITY supply partners
AND CRISIS MANAGEMENT
Preparations for a security
event and ability to prevent
or reduce the impact
through successful crisis and
stakeholder management
© 2016 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.
All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.Liability limited by a scheme approved under Professional Standards Legislation.
Connecting the dots: A proactive approach to cyber security oversight in the boardroom 8
■■ Understand governance structure and have ongoing ■■ Set the tone for the culture
dialogue with executive leadership team
■■ Review patterns/trends of personnel issues
■■ Review output of capability assessment
■■ Understand training and awareness protocols
■■ Review and approve strategy and funding requests
Communication Communication
Direction Direction
■■ Define program ownership and governance structure ■■ Define culture and expectations
■■ Identify sensitive data assets and critical infrastructure ■■ Implement general training and awareness programs
■■ Perform assessment of current capabilities ■■ Define talent management and career architecture
■■ Define a strategy and approach ■■ Develop specific learning paths for key personnel
© 2016 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.
All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.Liability limited by a scheme approved under Professional Standards Legislation.
Connecting the dots: A proactive approach to cyber security oversight in the boardroom 9
■■ Understand risk management approach and linkage to ■■ Understand current response capability
enterprise risk
■■ Review status of overall plan maturity
■■ Review and approve risk tolerance
■■ Meet with communications personnel
■■ Understand third-party supplier program
■■ Participate in table-top exercises
■■ Review and question program metrics
Communication Communication
Direction Direction
■■ Develop risk management approach and policies ■■ Assess current ability to manage cyber events
■■ Identify risk tolerance and communicate ■■ Perform analysis of risks and financial requirements
■■ Perform risk assessment and measures ■■ Assign resources and develop training
© 2016 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.
All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.Liability limited by a scheme approved under Professional Standards Legislation.
Connecting the dots: A proactive approach to cyber security oversight in the boardroom 10
■■ Review relevancy of selected control framework ■■ Review status of overall plan maturity
Communication Communication
Direction Direction
■■ Understand current maturity of control structure ■■ Assess current ability to manage cyber events
■■ Review relevancy of selected control framework ■■ Perform analysis of risks and financial requirements
■■ Meet with CIO or equivalent to understand integration ■■ Assign resources and develop training
of cyber and information technology trends
■■ Integrate with corporate communications
© 2016 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.
All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.Liability limited by a scheme approved under Professional Standards Legislation.
Connecting the dots: A proactive approach to cyber security oversight in the boardroom 11
Case study
A well-defined process for board oversight of cyber security
Prior to the incident, the board had only been briefed on cyber ■■ Close the loop in information flow by leveraging the three
security on an annual basis, as part of a broader IT update from most often asked questions to address strategic, technical,
the CIO. Now the board became understandably very active in and operational issues.
trying to understand the current state of cyber security risk at
■■ KPMG’s Global Cyber Maturity Framework addresses how
the company and how it can be better managed in
to exercise board oversight responsibility in six enterprise-
the future.
wide domains with a broader holistic approach.
The company hired KPMG Cyber to perform board education
■■ An organisation’s framework should efficiently and
and a cyber maturity assessment of the organisation’s people,
appropriately address ongoing communication and direction
process, and technology controls to mitigate cyber threats and
throughout the organisation.
risks. After the initial report was complete, it was presented
to the board with a full road map of prioritised remediation ■■ Understand the enhanced value of benchmarking framework
activities designed to close short-term gaps in the security metrics and mapping the organisation’s framework against
program and execute longer-term strategies to navigate the industry standards to stay proactive and to continue to close
evolving threat landscape. the loop.
After allocating funding to the initiatives on the road map,
the board requested quarterly updates from management on
the progress of the program in addition to an ongoing look at
current operations. Management leveraged KPMG’s assistance
in developing dashboards of KPIs for board reporting; however,
given the sensitivity around the breach and the heightened
awareness of director responsibility, the board did not stop at
reviewing management’s materials.
© 2016 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.
All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.Liability limited by a scheme approved under Professional Standards Legislation.
ABOUT KPMG
Contact us
Mark Tims
Partner
T: +61 2 9335 7619
E: mtims@kpmg.com.au
Gary Gill
Partner
T: +61 2 9335 7312
E: ggill@kpmg.com.au
Gordon Archibald
Partner
T: +61 2 9346 5530
E: garchibald@kpmg.com.au
kpmg.com/au/cybersecurity
This document is a revision of Connecting the dots: A proactive approach to cyber security oversight in the boardroom. Authored by Greg Bell, and
Tony Buffomante, KPMG US.
The information contained in this document is of a general nature and is not intended to address the objectives, financial situation or needs of
any particular individual or entity. It is provided for information purposes only and does not constitute, nor should it be regarded in any manner
whatsoever, as advice and is not intended to influence a person in making a decision, including, if applicable, in relation to any financial product
or an interest in a financial product. Although we endeavour to provide accurate and timely information, there can be no guarantee that such
information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information
without appropriate professional advice after a thorough examination of the particular situation. To the extent permissible by law, KPMG and its
associated entities shall not be liable for any errors, omissions, defects or misrepresentations in the information or for any loss or damage suffered
by persons who use or rely on such information (including for reasons of negligence, negligent misstatement or otherwise).
© 2016 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International
Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Liability limited by a scheme approved under Professional Standards Legislation.
January 2016. CRT052204A. NSW N13555ADV.