3. Agenda
1. Introduction and background
2. Key challenges to institutions
3. Cyber Security Financial x-ray as a solution
4. What we do and how the service works
5. Deliverables
6. Questions?
4. Key challenges to institutions
• Lack of transparency about what is going on: is there a joined-up and assured set of security protections?
• No insight into what peer institutions are doing, or the effort they deploy across the cyber security taxonomy, and so no way to tell whether you have shortfalls or gaps
• The full breadth of security risk may not be appreciated
• A possible need to demonstrate the full scope of security spend to senior managers and funding committees, and to show what that spend is doing
• Knowing whether adequate (or inadequate) controls are in place to protect against breaches is important, especially given the heavy fines for data loss under GDPR
• A need to satisfy audit and assessment criteria
Cyber Security Financial x-ray
5. Cyber Security Financial x-ray as a solution
• Independent assessment of levels of activity and spend across all areas of cyber security risk
• Identifies gaps and vulnerabilities in cyber security defences
• Benchmarking acts as an external health check and can validate where more investment is needed, or where resource may need to be re-focused (a lot of time on task x, very little on task y)
• Via the tailored Jisc taxonomy and our consultancy we deliver significant transparency and the levers to enable a shift in resource, or perhaps to leverage extra funds or budget
6. What we do and how the service works
(Once we’ve both signed the data processing & confidentiality agreement…)
• Plan: establish the scope and who needs to be involved, in a one-hour meeting
• Harvest the data we need: staff time and certain non-staff costs (for assets we take 20% of the original cost)
• Cost up staff time using activity-based costing
• Compile the data, calculate the values, add the benchmark comparators and prepare the report
• Present the assessment back, with discussion of observations, variances and (anonymised) experiences from other institutions
8. Summary of findings – viewed against peers
• Highlights the total spend variance from the peer average by risk area
• Indicates where staff and non-staff costs vary more significantly from peers
• Offers the opportunity to shift staff effort or budget, and provides the levers to change
• May indicate where key risk exists
[Chart: above/below peer average costs, staff and non-staff, by risk area. Category labels as extracted (truncated): SecureSys, SecurityA, PCI/DSS, EndpointP, SecureDev, SIEM(Secu, HSCICIGT]
9. Variance commentary
Endpoint protection
Total beneficiaries: 20,000

| Direct costs | IT (£'000s) | % Total | Devolved (£'000s) | % Total | Total (£'000s) | % Total | Rate (£/beneficiary) | Peer av. pool (£/beneficiary) | +/- vs peers (£'000s) |
|---|---|---|---|---|---|---|---|---|---|
| Staff | £12 | 26.5% | £33 | 73.5% | £45 | 100.0% | £2.25 | £0.50 | +£35 |
| Non-staff | £0 | 0.0% | £0 | 0.0% | £0 | 0.0% | £0.00 | £0.68 | -£14 |
| Total | £12 | 26.5% | £33 | 73.5% | £45 | 100.0% | £2.25 | £1.18 | Above, +£21 |
The total staff cost of £45k relates to 5 staff in central IT (£12k) plus £33k of devolved IT staff time, mainly from Engineering, Maths and Computer Science: the equivalent of 0.5 FTE borne by 5 locally based IT staff, mainly doing xx. Overall, the cost per beneficiary (£2.25) is almost twice the peer average (£1.18), around £21k above peers. Note that there is some non-staff cost in place for at least one of the peers, and this is xxxx.
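The arithmetic behind the variance table above, written out as an added example rather than Jisc's own tooling. It assumes that the peer "Av Pool" figures are average cost per beneficiary for the same risk area, that the "+/- £'000s" column is (institution rate minus peer rate) multiplied by beneficiaries and rounded to £'000s, and that capital assets enter non-staff cost at 20% of original cost as stated on the "What we do" slide. The endpoint protection figures are those on the slide; the SIEM row is constructed to show the asset rule and is not data from the page.

```python
"""Benchmark one risk area's direct costs against a peer-average pool.

Added example (not Jisc's own code). Assumptions: peer "Av Pool" values are
£ per beneficiary; the variance column is (rate - peer rate) x beneficiaries
in £'000s; assets are charged at 20% of original cost. SIEM figures below
are constructed, not taken from the deck.
"""
from dataclasses import dataclass

ASSET_CHARGE_SHARE = 0.20  # "for assets we take 20% of the original cost"


@dataclass(frozen=True)
class RiskArea:
    """Direct costs gathered for one area of the taxonomy (£ per year)."""
    name: str
    beneficiaries: int           # staff and students covered by the control
    staff_central_it: float      # central IT staff time, activity-based costed
    staff_devolved: float        # devolved/local IT staff time, same basis
    nonstaff_recurring: float    # licences, subscriptions, managed services
    asset_original_cost: float   # capital items; charged at ASSET_CHARGE_SHARE


@dataclass(frozen=True)
class PeerPool:
    """Peer-average cost per beneficiary for the same risk area (assumed meaning of 'Av Pool')."""
    staff_rate: float
    nonstaff_rate: float


def nonstaff_cost(area: RiskArea) -> float:
    """Recurring non-staff spend plus the 20% asset charge."""
    return area.nonstaff_recurring + ASSET_CHARGE_SHARE * area.asset_original_cost


def variance_k(rate: float, peer_rate: float, beneficiaries: int) -> int:
    """£'000s above (+) or below (-) the peer pool at this institution's scale."""
    return round((rate - peer_rate) * beneficiaries / 1000)


def benchmark(area: RiskArea, peer: PeerPool) -> dict:
    """Build the staff / non-staff / total rows of the variance table."""
    staff = area.staff_central_it + area.staff_devolved
    nonstaff = nonstaff_cost(area)
    total = staff + nonstaff
    n = area.beneficiaries

    def flag(v: int) -> str:
        return "above" if v > 0 else "below" if v < 0 else "at"

    rows = {}
    for label, cost, peer_rate in (
        ("staff", staff, peer.staff_rate),
        ("non-staff", nonstaff, peer.nonstaff_rate),
        ("total", total, peer.staff_rate + peer.nonstaff_rate),
    ):
        v = variance_k(cost / n, peer_rate, n)
        rows[label] = {
            "cost_k": round(cost / 1000),
            "share_pct": round(100 * cost / total, 1) if total else 0.0,
            "rate": round(cost / n, 2),
            "peer_rate": round(peer_rate, 2),
            "variance_k": v,
            "flag": flag(v),
        }
    # Where the staff time sits: central IT versus devolved, as % of staff cost.
    rows["staff"]["central_it_pct"] = round(100 * area.staff_central_it / staff, 1) if staff else 0.0
    rows["staff"]["devolved_pct"] = round(100 * area.staff_devolved / staff, 1) if staff else 0.0
    return rows


def render(area: RiskArea, rows: dict) -> str:
    """Plain-text version of the variance table for the report."""
    lines = [f"{area.name}  (beneficiaries: {area.beneficiaries:,})"]
    for label, r in rows.items():
        lines.append(
            f"  {label:<10} £{r['cost_k']:>4}k  rate £{r['rate']:.2f}/head  "
            f"peer £{r['peer_rate']:.2f}  {r['variance_k']:+d}k ({r['flag']} peers)"
        )
    return "\n".join(lines)


# Figures from the variance commentary slide.
ENDPOINT = RiskArea("Endpoint protection", 20_000, 12_000, 33_000, 0, 0)
ENDPOINT_PEERS = PeerPool(staff_rate=0.50, nonstaff_rate=0.68)

# Constructed illustration of the asset rule: a £50k SIEM appliance enters at £10k.
SIEM = RiskArea("SIEM (constructed)", 20_000, 30_000, 0, 15_000, 50_000)
SIEM_PEERS = PeerPool(staff_rate=1.20, nonstaff_rate=1.40)

if __name__ == "__main__":
    for area, peers in ((ENDPOINT, ENDPOINT_PEERS), (SIEM, SIEM_PEERS)):
        print(render(area, benchmark(area, peers)))
```

Running it reproduces the slide's +£35k staff, -£14k non-staff and +£21k total for endpoint protection; the £'000s on the slide are themselves rounded, which is why its 26.5% IT share differs slightly from the 26.7% that £12k/£45k gives.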
10. Summary of deliverables
• Benchmarking acts as a health check on activity levels and on the level of IT service and protection
• Highlights areas of low and high risk relative to peers
• Transparency about activity levels across the many categories of security protection (per the Jisc taxonomy) enables better management and balancing of resources across the many areas of security risk going forward
• Prevention is a known quantity and can be managed; an incident is anything but