Cyber security financial X-ray
Benchmarking your cyber security protection
Paul Clayton, financial X-ray lead accountant, Jisc

An independent assessment of your activity and spend across the many areas of cyber security risk
Agenda
1. Introduction and background
2. Key challenges to institutions
3. Cyber Security Financial x-ray as a solution
4. What we do and how the service works
5. Deliverables
6. Questions?
Key challenges to institutions
• Lack of transparency about what is going on: is there joined-up, assured security protection?
• No insight into what peer institutions are doing or the effort they deploy across the cyber security taxonomy, and therefore whether you have shortfalls or gaps
• The full breadth of security risk may not be appreciated
• A possible need to demonstrate the full scope of security spend to senior managers and funding committees, and to show what you are doing in each area
• Knowing whether adequate (or inadequate) controls are in place to protect against breaches matters, especially given the heavy fines for data loss under GDPR
• The need to satisfy audit and assessment criteria
Cyber Security Financial x-ray as a solution
• Independent assessment of levels of activity and spend across all areas of cyber security risk
• Identifies gaps and vulnerabilities in cyber security defences
• Benchmarking acts as an external 'health check' and can validate where more investment is needed, or where resource may need to be re-focussed (a lot of time on task x, very little on task y)
• Via the tailored Jisc taxonomy and our consultancy we deliver significant transparency and the levers to shift resource, or perhaps to leverage extra funds or budget
What we do and how the service works
(Once we have both signed the data processing and confidentiality agreement…)
• Plan: establish the scope and who needs to be involved, in a one-hour meeting
• Harvest the data we need: staff time and certain non-staff costs (for assets we take 20% of the original cost)
• Cost up staff time using activity-based costing
• Compile the data, calculate the values, add the benchmark comparators and prepare the report
• Present back the assessment, with discussion of observations, variances and (anonymised) experiences from other institutions
Summary of findings – viewed against peers

Rates are £ per beneficiary. "Min/Max" flags where the institution's rate is the lowest or highest in the peer pool; "% vs ave" is the variance to the peer average. Columns 1 to 6 are the band each activity falls in (one mark per row). The slide's own header reads "Total number of activities in each band: 1 1 15 0 0 19", which does not match the column counts in the rows below (9 in band 3, 10 in band 6).

Category/area of activity                         Rate   Min    Ave    Max    Min/Max  % vs ave  1 2 3 4 5 6
Endpoint Protection                               £1.26  £0.12  £0.60  £1.26  Max       111%     0 0 0 0 0 1
Phishing protection solutions                     £0.21  £0.05  £0.83  £1.63            -75%     0 0 1 0 0 0
Intrusion prevention/detection systems            £0.03  £0.03  £1.27  £2.71  Min       -98%     0 0 1 0 0 0
Network security                                  £0.96  £0.73  £4.06  £9.36            -76%     0 0 1 0 0 0
Bring Your Own Device (BYOD) Security             £0.25  £0.00  £0.74  £1.62            -66%     0 0 1 0 0 0
Embedded device security                          £0.12  £0.00  £0.07  £0.15             85%     0 0 0 0 0 1
Wireless Security                                 £0.12  £0.00  £0.33  £0.79            -64%     0 0 1 0 0 0
Access/Authentication (e.g. VPN, Citrix)          £2.59  £1.27  £1.65  £2.59  Max        57%     0 0 0 0 0 1
Data Loss Prevention                              £0.86  £0.00  £0.40  £0.86  Max       118%     0 0 0 0 0 1
Regular Vulnerability Testing                     £0.93  £0.09  £1.70  £3.66            -45%     0 0 1 0 0 0
Secure System Configuration                       £4.63  £0.79  £2.95  £4.63  Max        57%     0 0 0 0 0 1
Incident response                                 £1.26  £0.11  £0.69  £1.26             41%     0 0 0 0 0 1
SIEM (Security Information and Event Management)  £0.96  £0.28  £0.70  £1.17             38%     0 0 0 0 0 1
Other Monitoring                                  £0.15  £0.00  £0.80  £2.87            -82%     0 0 1 0 0 0
Fines and Losses                                  £0.17  £0.00  £0.04  £0.17             30%     0 0 0 0 0 1
Penetration testing (not s/ware dev)              £0.07  £0.00  £0.43  £1.65            -84%     0 0 1 0 0 0
ISO 27001                                         £0.08  £0.00  £0.44  £1.23            -81%     0 0 1 0 0 0
HSCIC IG Toolkit                                  £3.19  £0.00  £0.80  £3.19  Max        28%     0 0 0 0 0 1
PCI/DSS                                           £1.54  £0.00  £0.59  £1.54             64%     0 0 0 0 0 1

Note: the figures are reproduced as printed on the slide. Several "% vs ave" values cannot be recomputed from the rounded Rate and Ave shown (Incident response at £1.26 against an average of £0.69 is +83%, not 41%; Fines and Losses, HSCIC IG Toolkit and PCI/DSS likewise), and Incident response, Fines and Losses and PCI/DSS each equal the pool Max without carrying a Max flag. Read the table as a rounded extract rather than as a recomputable dataset.
Summary of findings – viewed against peers
• Highlights the total spend variance to the peer average by risk area
• Indicates where staff and non-staff costs diverge most significantly from peers
• Offers the opportunity to shift staff effort or budget, and provides the levers to change
• May indicate where key risk exists
[Chart: above/below peer average costs, staff and non-staff bars per category. Category labels as extracted, truncated: SecureSys, SecurityA, PCI/DSS, EndpointP, SecureDev, SIEM(Secu, HSCICIGT]
Variance commentary: Endpoint protection
Total beneficiaries: 20,000. Costs in £'000s; rates are £ per beneficiary.

Direct costs   IT    % total   Devolved   % total   Total   % total   Rate    Av pool   +/- £'000s
Staff          £12   26.5%     £33        73.5%     £45     100.0%    £2.25   £0.50     £35
Non-staff      £0    0.0%      £0         0.0%      £0      0.0%      £0.00   £0.68     -£14
Total          £12   26.5%     £33        73.5%     £45     100.0%                      Above £21

Total staff cost of £45k relates to 5 staff in central IT (£12k) and £33k of devolved IT staff time, mainly from Engineering, Maths and Computer Science: the equivalent of 0.5 FTE borne by 5 locally-based IT staff, mainly doing xx. Overall the cost per beneficiary is over twice the peer average, around £20k above peers. Note that there is some non-staff cost in place for at least one of the peers, and this is xxxx.
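The arithmetic behind the service steps above (slide 6), the benchmark table (slide 7) and the variance commentary (slide 9) carried through in code: activity-based staff costing, the 20% asset charge, the rate per beneficiary, the Min/Max flag and % variance to the peer average, and the £'000s above or below the pool. This is an added illustration, not Jisc's own tooling or data. The costing model (FTE share × loaded annual cost), the StaffLine, Category and PeerPool names, the treatment of the peer pool statistics as given inputs, and the staffing lines for the endpoint-protection sample are assumptions, constructed so that the staff totals reproduce the £12k, £33k and £45k and the £35k, -£14k and £21k variances on slide 9. The slide 7 and slide 9 figures are treated as separate datasets. Recomputing slide 7's Endpoint Protection row from its rounded figures gives 110% rather than the printed 111%.

```python
"""Financial X-ray style benchmark arithmetic (added illustration, not Jisc's tooling)."""
from __future__ import annotations
from dataclasses import dataclass, field

ASSET_CHARGE = 0.20  # slide 6: for assets, 20% of the original cost is taken as non-staff cost


@dataclass
class StaffLine:
    """One person's time on a category, costed on an activity basis (assumed model: FTE share x loaded cost)."""
    unit: str            # "IT" (central IT) or "Devolved" (locally based IT staff in faculties)
    fte: float           # share of a full-time equivalent spent on the activity
    annual_cost: float   # loaded annual cost of the post, £


@dataclass
class PeerPool:
    """Benchmark comparators from the peer pool, £ per beneficiary (treated as given inputs, not computed here)."""
    min: float = 0.0
    ave: float = 0.0
    max: float = 0.0
    ave_staff: float = 0.0       # pool average staff rate, used on the variance commentary slide
    ave_non_staff: float = 0.0   # pool average non-staff rate


@dataclass
class Category:
    """Harvested data for one taxonomy category (slide 6)."""
    name: str
    beneficiaries: int
    staff: list[StaffLine] = field(default_factory=list)
    asset_original_cost: float = 0.0   # original purchase cost of assets attributed to the category, £
    other_non_staff: float = 0.0       # licences, subscriptions, external services, £

    def staff_cost(self, unit: str | None = None) -> float:
        """Activity-based staff cost, optionally for one unit ("IT" or "Devolved") only."""
        return sum(s.fte * s.annual_cost for s in self.staff if unit is None or s.unit == unit)

    def non_staff_cost(self) -> float:
        return ASSET_CHARGE * self.asset_original_cost + self.other_non_staff

    def rate(self, cost: float | None = None) -> float:
        """£ per beneficiary; with no argument, the total (staff + non-staff) rate benchmarked on slide 7."""
        if cost is None:
            cost = self.staff_cost() + self.non_staff_cost()
        return cost / self.beneficiaries


def benchmark_row(rate: float, pool: PeerPool) -> dict:
    """One slide 7 row: Min/Max flag and % variance to the peer average (None if the pool average is zero)."""
    flag = "Max" if rate >= pool.max else "Min" if rate <= pool.min else ""
    pct = None if pool.ave == 0 else round((rate / pool.ave - 1.0) * 100)
    return {"rate": round(rate, 2), "flag": flag, "pct_vs_ave": pct}


def variance_k(cat: Category, pool: PeerPool) -> dict:
    """Slide 9 figures: central vs devolved staff cost, staff and non-staff rates against the pool
    averages, and the £'000s above (+) or below (-) peers for each line and in total."""
    staff_rate = cat.rate(cat.staff_cost())
    non_staff_rate = cat.rate(cat.non_staff_cost())
    staff_k = (staff_rate - pool.ave_staff) * cat.beneficiaries / 1000
    non_staff_k = (non_staff_rate - pool.ave_non_staff) * cat.beneficiaries / 1000
    return {
        "it_k": round(cat.staff_cost("IT") / 1000),
        "devolved_k": round(cat.staff_cost("Devolved") / 1000),
        "staff_rate": round(staff_rate, 2),
        "non_staff_rate": round(non_staff_rate, 2),
        "staff_k": round(staff_k),
        "non_staff_k": round(non_staff_k),
        "total_k": round(staff_k + non_staff_k),
    }


# Constructed sample: endpoint protection at an institution with 20,000 beneficiaries.
# Five central IT staff at 0.05 FTE each (£12k) plus five locally based IT staff at 0.1 FTE each
# (0.5 FTE, £33k) reproduce the slide 9 staff totals; the FTE shares and salaries are assumptions.
ENDPOINT = Category(
    name="Endpoint protection",
    beneficiaries=20_000,
    staff=[StaffLine("IT", 0.05, 48_000) for _ in range(5)]
    + [StaffLine("Devolved", 0.1, 66_000) for _ in range(5)],
)
ENDPOINT_POOL = PeerPool(ave_staff=0.50, ave_non_staff=0.68)   # slide 9 pool averages

if __name__ == "__main__":
    print(variance_k(ENDPOINT, ENDPOINT_POOL))
    print(benchmark_row(1.26, PeerPool(min=0.12, ave=0.60, max=1.26)))   # slide 7 Endpoint row
    print(benchmark_row(0.03, PeerPool(min=0.03, ave=1.27, max=2.71)))   # slide 7 IPS row: Min, -98%
```

Because every staff line carries its unit, the same data gives the central-versus-devolved split that the commentary relies on, and the non-staff line shows the other half of the picture: a category can be well above peers on staff effort while sitting below them on tooling spend, which is what the £35k and -£14k on slide 9 express.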
Summary of deliverables
• Benchmarking acts as a health check on activity levels and on the level of IT service and protection
• Highlights areas of low and high risk relative to peers
• Transparency about activity levels across the many categories of security protection (per the Jisc taxonomy) enables better management and 'balance' of resources across the many areas of security risk going forward
• Prevention is a known quantity and can be managed; a security incident is a very different matter
Get in touch…
Except where otherwise noted, this work is licensed under CC-BY
