CISO at the Heart of the IS Revolution

CISO AT THE HEART OF THE IS REVOLUTION: 2019 TRENDS AND THE CISO RADAR

What are the key points to draw from today’s welter of cyber issues? Cybersecurity is in constant flux: experiencing ever-evolving threats and regulations, but also a profound renewal of the way information systems (ISs) function. Faced with this raft of changes, distinguishing the substantive trends, and setting an appropriate cybersecurity strategy, can be challenging. With this in mind, experts from Wavestone’s cybersecurity teams meet regularly to discuss market trends, and identify core issues, new topics, and emerging technologies to be explored. This year, these reflections have resulted in an in-depth analysis of the major threads in the coming revolution, the stakes for cybersecurity functions, and an updated CISO radar. This tool is widely used by Wavestone and its clients to support strategic thinking, for example, when developing master plans, holding collaborative seminars with employees to construct a specific radar for a company or business area, or to identify innovative solutions to be tested through demonstrations.

This publication presents the CISO radar and offers an overview of the areas we have identified as being key for 2019, from the 120+ topics the radar covers.

METHODOLOGY

The CISO radar is a tool that Wavestone has been developing and publishing each year since 2011. Three times a year, more than 40 experts meet to discuss the latest developments and key issues based on observations and experiences gained through working with Wavestone’s clients. The CISO radar covers over 120 subjects explored and analyzed by our experts. The radar contains a broad selection of the topics that CISOs must handle as part of their roles. It’s presented as a series of dials covering key themes (identity, protection, detection, risk management, compliance, and continuity) on three levels. The Mature level covers topics that every CISO can - and must - master. The Trending level covers topics currently being addressed; these are new areas where initial feedback can be shared. And the Emerging level covers topics on the horizon that are still little known or have no obvious solutions. These are included to better predict future developments and prepare for their emergence in companies.

AUTHORS

GÉRÔME BILLOIS gerome.billois@wavestone.com

DAVID RENTY david.renty@wavestone.com

This publication was produced with contributions from Anaïs Etienne and all of Wavestone’s Cybersecurity and Digital Trust experts.

NEWS TOPICS

Agility: faster, simpler, and more responsive

Large companies have begun their journey, or sometimes “forced march”, toward large-scale agile operation. Faced with this transformation, CISOs must take ownership of these methodologies and work closely with development teams to grasp the challenges of cybersecurity. First, this coupling will enable security to be integrated into agile projects by means of Evil User Stories, security training for teams, the putting in place of continuous integration tools, and integrating intrusion tests into the development cycle. This journey is already well underway, with initial support projects proving successful. Beyond integrating cybersecurity into agile projects, cybersecurity will need to turn the corner that agility represents by integrating itself into a new operating model. Not only will cybersecurity teams be involved in this agile structure by joining Feature Teams, giving visibility to CISOs on the risks identified in projects, but they’ll also be able to provide security services in agile mode. Product Owners offering security services will appear—delivering “cybersecurity as a service” within organizations.

Cloud: multiple, automated, and secure by default

In 2019, the arrival of the first major deployments will trigger a chain reaction toward Cloud-First, or, for our most advanced clients, even Cloud-Only. Beyond applications, a nascent trend of infrastructure migration has begun, including for key components like Active Directories. All these advances will involve a change in the role played by ISDs. Against this backdrop, CISOs will have to adapt to the new operating model to ensure the security of configurations over time and open dialogue with its new participants. They’ll be able to encourage the use of new auto-remediation and system rebuilding capabilities in the event of a security incident. This will require adaptations that provide a high level of control over rights-management administration and IS monitoring. In a context where the infrastructures are managed by the supplier, efforts need to be focused on these three key areas. Security will need to be integrated from the point of conception of new architectures and draw on the suppliers’ bricks. Rights may need to be assigned in a more granular way to limit the risk of unauthorized access to resources. They will also have to be reviewed in automatic fashion to be adapted to frequent changes. The cloud also represents a corner to be turned for security players, and CISOs will be on the front line in adopting—and making the most of—the market’s offerings: vulnerability assessment, access control, MFA, Identity Governance, content filtering, etc. Many of these services are already available as credible cloud-based offerings. In the medium term, multi-cloud, based on two providers, will need to be considered to assure the continuity of services.

API-fication: multiple new entry points to the IS

Driven by the PSD2 regulation in the financial sector, API-fication affects all sectors and enables services to interact by standardizing the means of data exchange. We observe that all our clients’ security functions are finding it difficult to master this new challenge. While API-fication can be a lever to facilitate the security of machine-to-machine exchanges through standardization, encryption and authentication, it presents a number of risks linked to the multiplication of APIs and the larger areas they expose. In fact, even major players like Google and Facebook are having difficulties in mastering this area, as incidents in 2018 have shown. If CISOs want to take back control of the API-fication of services, they will, from now on, need to invest in this theater of operation using all existing means, including the most innovative ones. It won’t be enough to simply define a governance approach or attempt, in the first instance, to inventory the exposed APIs; they must anticipate, and have the capability, to monitor and control large numbers of APIs.

A revision of the fundamentals

With a profound IS revolution taking place, ever increasing regulation in force, and penalties growing exponentially, how can security functions escape from the pressure cooker they find themselves in? To enable them to do this, we’ve identified two major projects that relate to the fundamentals:

/ Overhaul the ISSP and governance. These will need to be reviewed on the basis of the existing security strategy. To accelerate and provide a framework for the process, CISOs can draw on the NIST Cybersecurity Framework, a voluntary US framework that is becoming essential to large groups in all sectors;

/ Conduct an in-depth review of the processes for integrating security into projects. After being modified in 2018 to meet the needs of the GDPR, these will have to be reconsidered to increase agility and flexibility. The authorities are playing their part in this trend, with ANSSI (the French National Cybersecurity Agency) modernizing the EBIOS risk analysis methodology, recently named EBIOS Risk Manager, through an approach that combines compliance and attack scenarios.


[Figure: 2019 CISO radar by Wavestone. The topic labels recovered from the radar diagram are listed below; their position on the dials (identity, protection, detection, risk management, compliance, continuity) and their level (Mature, Trending, Emerging) cannot be recovered from the extracted text.]

Machine learning; Fusion centers; RASP; SOC/CERT automation (SIRP/SOAR); CASB & Cloud security store/functions; Automated & employee-driven classification; APT hunting; Security in agile projects; Deception; Nextgen risk analysis; Business cybersecurity team; Threat intelligence; Software providers trust; Bug bounty; Software Defined Perimeter; AD monitoring; Serverless application; International standards-based maturity framework; Anonymization; Tokenization; Business security differentiators; Endpoint Detection & Response; CI-CD DevOps & DevSecOps; Immune systems; AI & Robot; Immersive awareness; Firewall rules management automation; VRM; Data lake; Digital compliance governance; Client-oriented strategy; Security by design; DRM; C-level engagement; Micro segmentation; Secure agile TOM; IoT / Industry 4.0; SWIFT CSP; M&A & cybersecurity due diligence; KRI & efficiency; Containers, Microservices & API; Blockchain based trust; Patch management; ePrivacy; Security Program Management; DLP; Up-to-date & Secure Desktop; Active Directory Security; Partners & Suppliers compliance; Smart Contracts; SOC/Security Outsourcing; ICS; ISMS; Cyber range purple team; Mainframe; Cyberinsurance; Governance reshaping; Secure administration; Audit 360; NIS; Awareness; Red team; Post Quantum Crypto; Compliance by design (PbD & PIA); Security in projects; Extended Enterprise; DDoS; LPM; UMA; Secure Mobility; Centralized consent management; PAM & PwdVault; Self-sovereign identity; Cyberattack crisis management & notification; IAM for RPA; GDPR and privacy management; eIDAS; BYOiD Employee; Unified customer privacy rights management; IAG & SoD; Agile IAM; IDaaS & Azure AD; OAuth2; Cloud first IAM; Business resilience; Crisis cyber range; Any device SSO; Customer IAM; KYC; Social Login; Cyber resilience; Serverless continuity; Software-defined infrastructure; Fast IS rebuilding; User experience; Critical service providers; DRP; Predictive anti-fraud; Identity federation; PKI; PSD2; Contextual & behavior-based authentication; Beyond Password (WebAuthn, Biometrics/FIDO/Mobile); BIA; Active Directory rebuild; ISO 22301; Identity & Fraud Analytics; ITSM disruption; Extreme scenarios (black swan); Supply chain resilience; Risk quantification; HR Crisis plan; IAMoT; Multi-cloud continuity; Nextgen access control (attributes/analytics/relationships); KMS; Hybrid IAM; Cloud Recovery Services; Token Binding; X-channel SSO; Multi organization tests; Cybersecurity as a service; Crypto Cloud & BYOK.

BEYOND OVERHAULING THE FUNDAMENTALS, HERE ARE OUR FIVE PRIORITIES FOR ISS FUNCTIONS

/ AI and machine learning: these technologies represent opportunities in the medium term. The priority for 2019, however, will be to ensure that specific risks and vulnerabilities (inference, poisoning, etc.) are taken into account in business projects that make use of AI.

/ Third parties and suppliers under the microscope: many of the attacks taking place today are being observed by suppliers. However, this doesn’t make them any less damaging to the client company’s reputation. There’s a need then, in 2019, to better map interactions with providers in order to assess their levels of security. This is a complex task, given their number, diversity, and interconnected nature.

/ Cloud-based cyber-resilience: the evolution of offerings enables the consideration of the cloud as a continuity solution against cyber-attacks, as is already the case for emails.

/ Fusion Centers, the future SOCs: these will bring together both technical and business know-how, enabling an end-to-end understanding of possible fraud or intrusions into the IS, and to respond in the best possible way.

/ The end of passwords: initiatives such as the 0-password, the deployment of FIDO2, the use of biometrics within a 2FA framework, or the broader roll out of safes, can be considered here.


EMERGING AREAS

Making security a differentiator for the company’s customers

Security has often been considered a constraint. In 2019, it will no longer be enough to view security as an essential line of defense deployed across all companies: instead, it must be seen as a value generator for the core business. This change affects almost all business sectors. The banking sector is moving down this road with the implementation of dual authentication systems, dynamic cryptograms, notifications in the event of suspicious transactions etc. and other sectors will have to quickly follow suit:

/ The automotive sector, with ‘visible’ security for connected vehicles, before it can move on to the autonomous vehicles of tomorrow;

/ Telecom operators, some of which are promoting new ‘hubs’ that incorporate cybersecurity services such as vulnerability detection;

/ Service providers to the general public (transport, energy, water, etc.) where cybersecurity is required as part of the sales process and can be a differentiator.

So, with CISOs leading, security functions must seize these opportunities to get closer to the business and demonstrate what they can offer at the heart of the organization’s activities. Leading players like Apple have adopted this approach by putting security and privacy at the center of their value propositions.

Anticipating and adapting to the ongoing shortage of talent

There’s no magic solution here, rather a range of options to be tested in order to cope with the skills shortage. From a technical standpoint: automation, cloud migration, and establishing a strong framework that puts in place security-by-design principles, will help to limit the effort required. Similarly, the creation of security-services offerings, both nearshore and offshore, for standardized services can provide solutions. To meet tomorrow’s challenges, CISOs will need to foster a new dynamic in the security function by creating a stimulating, ambitious, and educative environment that empowers teams. Their objectives will need to be the creation of new vocations and a desire for internal mobility.

We hope that this example will be developed further.

www.wavestone.com

In a world where knowing how to drive transformation is the key to success, Wavestone’s mission is to guide large companies and organizations in shedding new light on their most critical transformation projects, with the ambition of creating a positive impact for all stakeholders. That’s what we call “The Positive Way”. Wavestone brings together 2800 employees across 8 countries. It is amongst the leading independent firms in consulting in Europe, and the n°1 independent consulting firm in France. Wavestone is listed on Euronext, Paris, and is recognized as a Great Place To Work®.

2019 | © WAVESTONE


www.wavestone.us
