Experience the Power of Digital Transformation in Sales for Security

How to create outlook signature

good afternoon my name's Phillip Lucas from the business and client services team here at informed solutions and I'm delighted to welcome you all and my colleague Tom wheat to this webinar as part of the digital leaders cyber resilience week just before I hand over to Tom I'd like to offer a couple of comments firstly you're here for the session with Tom so I will hand over in just a moment we have no intention of wasting time sitting out credentials in great detail Tom will say brief word about informed solutions but we respect the fact that you're not here to listen to a sales pitch secondly I just like to set out that you will not be receiving unsolicited emails and phone calls from us following the session today if you'd like to get in touch at any stage we'll respond and be happy to have a conversation but that's only if you initiate it thirdly please feel free to submit any questions during the session by the chat function please or subsequently by email and that in a very short order is the preamble dealt with I'll now hand over to Tom to take you through this afternoon's presentation thanks Phillip and thanks to everyone for making some time on a Friday to join the webinar just as a very brief introduction to myself my name is Tom weeks I'm a technical director with informed solutions I'll say very bit a very small bit about informal solutions in a second but essentially we are a digital transformation practice working across the public and private sectors and through our work in digital transformation we come into contact with a lot of cyber resilience of transformation requirements and we wanted to share some of our experiences with you just on the logistics of the presentation I've got a short set of slides that I'd like to take everybody through today should take about 20 minutes once we get through the slides we'll take a short break of about a minute or two just to give people a chance to write some questions using the chapter so that you'll go to meeting if we have some questions at the end presentation man fantastic I will do my best to answer those but if we don't we will draw the webinar to a close there so that's going to let's get stuck into this then so the main the main premise of the presentation that I wanted to talk to you about is that digital transformation and cyber resilience are two strategic themes through organizations that go hand in hand and I wanted to basically explain why we have that viewpoint based on our experience Consulting two different organizations and then once we walked you through our thoughts on why that is actually take me through a worked example of how as part of the digital transformation we address cyber resilience requirements so I think that really this presentation all being well it will be interesting to everyone who's on the webinar but I think it's particularly relevant to those people who are either planning a digital transformation or in the midst of a transformation and want to understand what role cyber resilience should play in that so a very brief bit of bit of background to inform solutions this is the only the only slide that I have about us and by way of background we were formed in 1992 we're a medium-sized organization of 60 consultants with offices in in Altrincham in Manchester London Edinburgh Sydney and Melbourne we do an awful lot of work across both the public and private sectors so examples of our clients include foreign Commonwealth office the home office the Cabinet Office in public sector and then a number of organizations in private sectors such as most coiled BHP Billiton and souther field and so we we've experienced digital transformation and we've experienced cyber resilience as part of transformation in a range of industries and sectors and we have seen some common themes along the way that it's worth worth describing to you today and sharing with you so just for the purposes of this presentation just to get going and I thought I would give you a couple of definitions that that really are you know that context for the conversation and when I talk about digital transformation cyber resilience you know we may we may have slightly different viewpoints about what the definitions are but it but this is that the perspective for the presentations builds around so when I talk about digital transformation what I'm really talking about is some kind of profound change or transformation of an organization from a perspective of its products its services that it provides and its people and its processes and that profound change is underpinned by opportunities presented by biotechnology when we talk about cyber resilience this is a relatively new perspective in the security and resilience industry and really cyber resilience brings together this idea that you know cyber security and cyber threats are something that we've all got to live with and although you can do your very best to prevent cyber events from happening and a cyber event like the cyber attack you know at some point you are inevitably going to be be harmed by that attack something is going to get through your defenses and when something does get through your defenses how well can you continue to work under business as usual how resilient are you so building on from there it's probably worth saying a bit about how digital transformation actually changes an organization and then based on those changes what does that mean for cyber resilience so digital transformation is pretty it's characterized by some or all of the things that shown on this slide here and again it really it really involves quite a profound change across a number of different parts of the organization or you know across people process and technology and often it changes not just how the organization goes about its business but also what that business is so just picking out a selection of the things on this slide I mean you you'll be able to see and read those of yourself that some of these are worth picking out more than others new and changed products and services that is a very popular reason behind people's digital transformation often people see that new technologies present the opportunity to provide new services and they want to take advantage of that opportunity and whenever you provide a new service or a new product inherently that product or service might introduce opportunities to deal with cyber resilience better or it may introduce new threats that you need to think about use of cloud services isn't also an interesting theme as part of digital transformation historically people are very used to having a lot of control over their IT estate because the IT Estate is located in their premises with the cloud as we all know what we're doing is taking advantage of of computing power that's somewhere elsewhere in the world that introduces lots of interesting problems with respect to data sovereignty you know who owns the data but also how confident and assured you can be that that data is going to be protected from cyber events the change around agile ways of working is an interesting one often people use digital transformations of vehicle for not only changing what services and products they provide but also how they build those those products and services internally and a common theme is that people people want to be able to deliver new services or change their services more frequently and more often so feasibly when you're working in an agile way you can often be introducing new risks new cyber risks more rapidly into your business and if you don't have a governance to deal with that change in that way of working then you potentially open yourself up to more and new types of risk that's all I will say on that so building out from there then if that's how digital transformation impacts an organization and changes an organization what opportunities to that change present the side resilience and I think from our experience the number one opportunity is that the digital transformation presents is that it gives you a chance to take a much more strategic approach to how you deal with cyber resilience than if you were just doing cyber resilience and outside of the transformation what we've noticed is that when people are looking at cyber resumes and it isn't part of the program of transformation it tends to be introducing ways of dealing with cyber security in a very piecemeal way so you might have a piece to one process or a piece to one technology that that improves your ability to deal with cyber threats but actually end-to-end as a business you're still quite vulnerable and more importantly the way that cyber resilience is dealt with isn't particularly elegant you know you can end up making what were quite smooth processes a little bit clunky when you just bolt little bits on here or there and what digital transformation office is the opportunity to really engineering cyber resilience and to end into your processes and technology and also your people's roles and responsibilities the second point there and the second opportunity that transformation presents for cyber is are the entities that cyber resilience is although we all probably agree it's an incredibly important topic it's not a topic that will win hearts and minds in its own right and it could be difficult to generate energy behind the organization to take the topic seriously often people still think that it cyber cyber security tax are something that happens to someone else and actually we as we all know cyber cyber security is something that can affect anybody at any time we've seen a lot of events in the news recently whereby you've got you've got ransomware events like the the wanna cry virus that are impacted more and more organizations so it's fair to assume that at some point your organization might be targets and you don't want to be complacent about how critical cybersecurity is so when you are going through a transformation you're generating a lot of a lot of platic a lot of energy in your organization to excite people about the change that's an ideal and ideal opportunity to make people aware of cyber resilience and actually what their roles and responsibilities are in managing cyber resilience related to that is the third point that while you're going through a transformation that is also an opportunity for you to make a good business case for vesting in cyber resilience so people although people acknowledge that cyber resilience is important by itself it isn't always something that people can build a super strong business case around people might award a little bit of funding for you to do something to protect the organization but they wouldn't as what award as much funding as they would if they were going about it a significant transformation of our organization so if you can build cyber resilience capabilities into your business case of transformation then ultimately you can end up with a much stronger capability for dealing with cyber threats than you would if you were just trying to do there is managed resilience outside of transformation and finally that last point there about is more of a technical point about if you're delivering your transformation in an agile way then the agile delivery method that people tend to follow actually presents a really great opportunity to force people to think about cyber resilience quite carefully as part of their day-to-day roles so if anybody's familiar with agile working and a way of working called scrum they'll be aware that scrum has the concept of the definition of done which is where if somebody is delivering a change into the business before that change goes live people have to evidence that it's satisfying for business requirements and business need that it was supposed to and that evidence is supplied by showing that they have complied with what's called a definition of and if you can build cyber resilience and cybersecurity controls into your definition if done then you're taking very good and strong steps to making sure that your your governing cyber resilience carefully and strongly as part of your transformation so those are the opportunities as we see them and have seen in the dark lines there are also a number of imperatives around cyber resilience when you're going about transformation there are a number of reasons why it's incredibly important to think about think about cyber resilience as I mentioned early cyber resilience is rarely an organization's core reason why they want to go about changing themselves often the main reason an organization wants to transform themselves is to take advantage of new products and services and the better customer engagement and the better revenue opportunities for that transformation offers but if when you go through that transformation you're not thinking about cyber resilience then you're opening yourself up to a number of risks the first risk that we see is that you don't see how your overall organizational risk profile is changing if you're not paying attention to cyber resilience when you're going through a digital transformation often your focus will be on the projects that part of your transformation and the risks that affect delivery of those projects you're very rarely thinking or people very rarely consciously think about how does all this change impact the risks that my organization as a whole is facing so the organization at the end of the transformation could be very very different from the organization at the start and it could be facing very different risks if for example you're introducing a number of new products and services into your into your portfolio each one of those products and services might prevent new avenues for somebody to exploit for example new new services that involve taking money in written in exchange for products they possibly presents an opportunity for fraud and if you're not an organization that's used to working in a digital way then those can be quite new risk that you you may not explicitly recognize unless you're thinking about cyber zillions the second imperative is resi it is that if you're if you're not careful as you go about your transformation your attack service as an organization can grow rather than shrink and when we talk about tap surface we really mean the the sum of all the all the channels that somebody could exploit using cyber technology all the things that they could use to impact your your business now digital transformation done well might introduce a lot of a lot of new technology but that technology should be ideally hardened to protect against cyber threats but unless you're really conscious of how your technology is changing your attack surface there's a risk that you introduce lots of lots of new points of vulnerability and don't harden them enough so you make it easy for the attacker to take advantage of you related to that is the third point on in the middle which is around increasing your cost to defend against the cyber event rather than someone else's cost to attack it's all be it's all very well to introduce lots of new technology and lots of business process change but if you're not thinking about the risks that that change introduces and you're not consciously thinking about how you're going to protect those changes from cyber threats then really your your your going to introduce lots more cost into your operations as opposed to reducing those costs the fourth point we've already mentioned which is if you don't think about cyber resilience explicitly you risk getting partway through your transformation or quite later on in your transformation and then you suddenly realize there's a job to do around cyber security and by then you've missed the opportunity to think about it in a strategic way and we return to this this issue about potentially bolting on cyber resilience controls as opposed to building them in and all those processes and all those services and all those products that you were hoping to make nice and slick through your channels Meishan actually end up being clunkier than he wanted and not a streamlined and finally the other imperative is that I'm sure a lot of people will be aware that there's major new legal and regulatory compliance requirements coming into the UK in the near future an example of which would be the general data protection regulation that comes into effect in in May next year and digital transformation is an ideal opportunity to manage and manage compliance with those regulations and build it into your systems right from the ground up as opposed to again bolting it on into separate systems and separate processes you can really make compliance a core part of everything you do rather than something that sits around the edges of your operations and if you're bearing that in mind as you go through your transformation and you can comply with those sorts of regulations quite cost-effectively and if anybody's actually had a look at for example the general data protection regulation you'll see that there's some actually very significant requirements that that imposes on you and it's in everybody's interest to think about how they can be dealt with as efficiently as possible so that that's the kind of summary of what we mean by digital transformation and cyber resilience and some of the opportunities and imperatives that transformation presents to cyber resilience the sort of logical next question is so if you're faced with a situation where you're trying to transform your organization and you've also been charged with thinking about cyber resilience or it's a concern that's on your mind that you want to that you want to build awareness that on top internally where do you actually start in dealing with that and cyber resilience is a very broad topic and it can be very difficult to know know where to start because it's such a maze of of standards and opinion and although it shouldn't be a topic that's just the technologists inevitably is a it is a technical discipline that takes take some work to understand and get to the bottom of so what we wanted to present here was our method for how we as part of the transformation get to grips with cyber resilience and help our clients through the journey of making themselves more resilient and what we typically do is start with a framework called the cybersecurity framework provided by the National Institute of Standards and technology's which is an American organization and the reason we choose that as our overarching framework for dealing with cyber as it is is just its its simplicity really you can see by looking at the diagram on the right that it's made up of five stages which form a life cycle and essentially it describes how an organization can go about identifying the cyber threats that it faces and the cyber risks that it faces what measures it can take to protect against that and prevent those risks from materializing then in the worst case if those risks do materialize how can they be detected how do you respond to them and how do you recover from them and that's a framework that you don't have to be a technologist to understand you don't necessarily need ten years experience and digital transformational cyber resilience to get head around that and so this makes an ideal framework for having covered if you're if you're part of the transformation having useful conversations with all the stakeholders were past that transformation as well and helping them to really understand what cyber resilience means and what it takes to deal with it another reason we like this framework is that it suits organizations of all sizes and missions so it's equally applicable to public sector it's equally applicable to private sector it it works the small organizations it works of charities it works for big blue chips it's it's a sensible framework regardless of what sort of business you're in and critically as well it's very systematic and standards-based so you can take you can take standard other cybersecurity standards such as cyber essentials which is a standard developed by the Cabinet Office or ISO 27001 which is the international standard for information security and you can take some of the controls from those standards and easily plug them into this framework as you as your understanding of cyber resilience develops so what I wanted to do now was walk you through a worked example of how we would take that framework and use it to map out the cyber resilience risks that might affect an organization as part of the transformation and then once you've got a view of those risks how do you then map out the controls that you're going to put in place to to mitigate those risks and then once you've done that how do you simulate how effective those controls are likely to be in a in a cyber resilience situation so this next slide takes that framework and it Maps out some of the typical risks that we see with respect to cyber resilience when we're we're working with clients as part of digital transformation now this isn't supposed to be an exhaustive exhaustive list of risks it's just supposed to be indicative but also give you an idea of how you could go about mapping out your cyber resilience risks at a strategic level so that when you're having commerce she's about transformation at a senior level you can have those conversations in an easily explainable way and we find that frameworks and illustrations like this are a great way to build awareness with we've very senior stakeholders often at a board level because it really helps them to understand in a top-down way what are some of the risks and threats that they need to be aware of and critically it helps them to understand that side routines isn't just a technical issue I mean actually we've got the majority of the the risks that we highly up lighted there sit at our people in process level and although we could we could certainly think of loss to sit at their technology level actually it this demonstrates that we should be paying as much if not more attention of the people and process to use so again I won't go blow blind blow through the risks that I've listed here I'll just pick out some which I think are are of interest based on our experience the person that point out is a very top one under people which is often that we see a lot you know a lack of real board level understanding about what cyber resilience is it's very often a case that the board will will feel the cyber resilience is is an IT concern but as long as they've got basic infrastructure measures in place like firewalls and secure networks then then they're good to go and although board level awareness is definitely improving we still see and we still see a lot of organizations and work with a lot of wars where they don't fully appreciate just how high up and their agenda cyber resilience should be what we were typically the things that we typically see that need most attention is that boards often think and talk about in general terms about the cyber is in is risks they face and that's good that they have a risk awareness but often what they don't have the audience just how defined is their appetite for accepting or mitigating those risks which then sets the tone for how the rest of all the organization deals with them moving on from there and another another useful risk to point out is under the processed here on the left-hand side which is often an organization to have there siloed and insular view of what their risks are often their risks are are based on people's own internal experience of how their organization works it's not based on looking outwards towards the industry and taking advantage of some of the intelligence that's out there for example provided by the National cybersecurity Center really to stay on because it's such a fast-moving area people do need to look outwards to understand what the kind of threats that they're facing and also the best and most efficient way to mitigate those threats and the last thing I'll pick out there is under technology the first the first item on the left began people talk often talk in very general terms about the attack surface and avenues of vulnerability that they have as an organization but if you ask they're a member of an IT team to walk you through in very specific terms what those what those vulnerabilities were across the organization often you wouldn't be able to get a very crisp and concise answer because they they're just not cataloged so we what we would typically recommend to people is you know as a minimum you you know the real focus is understanding of what your risks are and then you can do something about them and that sounds like a very obvious statement but from what we've seen that kind of outlook is only occurs in pockets in the organization and it doesn't really appear end-to-end so moving on from there once you have a view of your risks you can start to think about the controls that you almost put in place again there are people a process and a technology level to mitigate them and once again this isn't intended to be an exhaustive list of the controls that you should have in place or could have in place the key point to say here is that once you have a view of your risks that will really tell you where your biggest vulnerabilities are and clearly you want them you want to direct your investment into the place where you're where your vulnerabilities are highest and where your investment will have the biggest impact and so some of the controls that I've listed here they give a flavor of where from our experience people can have the biggest impact on their organization picking out some of the things that are worth talking about here in terms of how you can protect protect yourself against cyber cyber events if you look under the processed here the second item from the left at the top a cyber resilience Authority often one of the one of the constraints and risks that we in have seen the organization is that there's people think about cyber resilience in their own little areas but they don't joy not to think about the NSA and the end-to-end way that those risks impact the organization and they don't have an end-to-end way to to mitigate them having a cyber resilience Authority which brings together people from operations from technology potentially from a board level and also from the business is a great is a great vehicle for making sure that you're thinking holistically about how you deal with cyber resilience so if you were going to do and one thing from an operational level our recommendation would be to bring together a group of people who as a as a as a forum have a have a mission to think about cyber resilience and manage that through in the event that issues occur some of the other things that are worth worth picking out in here the whole idea behind cyber resilience is that you can do you can do everything you want to identify and protect against cyber threats but ultimately at some point something is going to get through your lines of defense and you're going to be in a position where you need to detect detect that issue respond to it and recover from it so a lot of the things that we see is people investing all their all their time and money up front in the identity identifying protective stages for very sensible reasons in that people think prevention is better than cure but you really do want to make sure that you balance your investment across the other later parts of the lifecycle so that you're not caught cold when it comes to recovering from an event and finally once we've got our view of risks and we've got our view of controls an exercise that we've found really useful in working of organizations just to understand how effective their capability is is to think of a think of a scenario for example a new a new severe ransomware threat like the wanna cry barrister crops up a couple of months ago and then going from left to right through life cycle simulate how your different lines of defense would hold up and deal with that situation and the critical thing to making this work and be useful exercises it's not just about saying for example okay we've got industry engagement so we'd have heard about have heard about this ransomware threat it's actually drilling down into specifics so what are the specific forums that you're engaging with that would have given you early visibility of this threat who are the people that are engaging with that with that industry forum how frequently what might be the lead time between a threat emerging and you're hearing about it you've really got to be specific in order to make this exercise effective and a lot of things that one of the things that we really learned through this exercise is that there might be individual capabilities that work well on their own so we might have for example the ability to monitor certain systems in our IT estate and learn if there are threats but actually those individual capabilities don't don't hook together well and end across the organisation to provide an effective capability for detecting responding and recovering from event so it's not just about how well do individual capabilities work it's also about how effectively they hang together and this is where you can really protect against that point I made earlier about cyber cyber resilience being something that's bolted on to transformations or as opposed to being built in it should really be a very seamless flow through these capabilities in terms of how you deal with in advance you want to think about you know what would be the timescales for working through each capability how long might it take or to go all the way from identifying something and detecting it to recovering from it and then you can play that back to the the people who have defined the organisation's risk appetite to see if that's an acceptable way of dealing with different threats so that is that that is all the slides that I have to present the preciate that I've covered a lot of ground there but very happy to take a pause now we will put ourselves on mute for a couple of minutes and give people some time to just reflect on what's being gone through and potentially ask some questions and then we will unmute ourselves after a couple of minutes and if there are questions great I'm happy to respond to those otherwise we will end the webinar there so I'll just put myself on heat now and feel free to send the questions features on the Chaves ility you