Published on March 10, 2016
1. Architecting the As-a-Service Economy
Delivering Cyber Security… and Trust-as-a-Service
Fred McClimans, EVP Strategy, MD Digital Trust & Cyber Security, HfS Research
An HfS Webinar Production, 18 February 2016
Fred McClimans (HfS Research), Chris Moret (Atos), Philippe Trouchaud (PwC)
2. © 2016 HfS Research Ltd.
Fred McClimans: EVP Strategy, Managing Director of Digital Trust & Security (@fredmcclimans)
My Research Practice Areas for 2016:
• Cyber Security
• Digital Trust & Privacy
• Customer Experience
• Cloud & Emerging Technologies
The 4 HfS Ideals of the As-a-Service Economy Impacting My Practice:
• Holistic Security and Trust
• Design Thinking and CX
• Accessible and Actionable Data
• Plug and Play Digital Services
Key Themes Impacting My Research Practice in 2016:
• The Emergence of Mass Risk Cyber Threats
• The Rise of Data-driven Consumer Experience and Personalization
• The Impact of IoT, Extended Ecosystems & Emerging Tech on Digital Trust
• The Confluence of Risk and Trust Management
• The Widening Technology/Policy Gap
• The Evolving Behavior of Business and Social Ecosystems
3. © 2016 HfS Research Ltd. Proprietary
Christophe Moret, VP CyberSecurity, Atos
Overview
• Christophe manages the CyberSecurity Global Services Line within Atos Big Data & Security, where he oversees the development of all Security Services (consulting, integration, managed security) and Security Products (IAM, Secure e-Transactions, Hardware Security Modules, Secure Communications, and Secure Distribution). This includes the security lines inherited from the Bull acquisition.
Career Experience
• Christophe joined the Atos Group in 2013, after 17 years in Hewlett-Packard, where he led the security outsourcing business for EMEA. After leading the security efforts for Atos Global Managed Services, Christophe joined the newly created Atos Big Data & Security service line, as leader for the CyberSecurity Global Business Line.
• Prior to joining HP, Christophe started his career with Bull, kick starting the Unix Business, then joined GIPSI and finally Chorus Systems.
• He teaches at Ecole Polytechnique and holds an Engineering degree from Ecole Polytechnique and Engineering, Computer Science from Supélec.
4. Philippe Trouchaud, Partner, Cyber Security Leader, PwC
Overview
• Philippe is the Technology, Media and Telecommunication leader for PwC France. He is responsible for all Cyber Security for both France and the EMEA region. He has also held operational IT roles within PwC.
Career Experience
• Philippe holds an engineering diploma from the 'Ecole des Hautes Etudes en Informatique' and graduated from Paris VI University (Master Degree in IT).
• He holds an Executive MBA.
5. Industry-leading Analysis & Insights www.hfsresearch.com
7. Meet the HfS Research Practice Leaders
• Reetika Joshi: Research Director, Analytics, Insurance and Utilities
• Charles Sutherland: Chief Research Officer
• Barbra McGann: EVP Business Ops & Healthcare Research
• Jamie Snowdon: EVP Market Analysis and Forecasting
• Thomas Reuner: MD, ITO SaaS, Automation, Cognitive Computing, Cloud
• Hema Santosh: Principal Analyst, Finance Strategies, BPO, IT Services
• Khalda de Souza: Principal Analyst, SaaS Services
• Fred McClimans: MD Digital Trust & Cyber Security
• John Haworth: Chairman, HfS Sourcing Executive Council
• Pareekh Jain: Research Director, Engineering Services, Telecom Operations
• Phil Fersht: CEO & Industry Analyst
• Melissa O’Brien: Research Director, Contact Ctr. and Omni-Channel BPO
• Derk Erbé: MD Digital Business, Energy, Utilities & Resources
• Mike Cook: Research Director, HR-as-a-Service, HR Outsourcing
8. HfS Blueprint As-a-Service Publication Schedule, 2016 (subject to change)
Q1: Analytics in Financial Services; Design Thinking; F&A-as-a-Service; Pharma BPO; SAP SuccessFactors Services; Supply Chain Management Services
Q2: Banking Operations; Consumer Health Integration; Contact Center Operations; Energy Operations; HR As a Service; Mortgage-as-a-Service; Security-as-a-Cloud; ServiceNow Services; Telecom Operations
Q3: App Testing-as-a-Service; Digital Trust-as-a-Service; Intelligent Automation Services; PLM Services; RPO as-a-Service; Workday Services
Q4: As-a-Service Masters; Healthcare Payer Operations; Health Providers; IoT Transformation Services; Manufacturing-as-a-Service; Omni-Channel Marketing-as-a-Service; P&C Insurance-as-a-Service; Procurement-as-a-Service; Salesforce Services
9. Why Trust?
Digital Security is not an achievable end state. Digital Trust is.
Security has traditionally been a “tech” issue employed in a reactive mode with layers of technology that “lock down” the enterprise. However, as we advance through the transition from an analog to digital society, we are seeing a fundamentally different opportunity for security to be about more than protecting assets.
Security’s new role isn’t to secure assets, it’s to allow assets to be leveraged and utilized!
Economies are fundamentally based on trust: Buyers and sellers must have an expectation of a trusted transaction and confidence in the value of the product or service being procured.
Recent waves of increasingly sophisticated, mass-impact hacks destroy not just assets, but user/consumer trust.
Trust is increasingly shaped by experience and online social interactions – both of which require a strong level of information security.
The way we measure trust and use security has changed: Our priorities have shifted from “protect the perimeter” to “manage the attack” – no network is 100% safe.
By evaluating how a provider leverages security to enable “trust” we have the opportunity to gain clarity into the security, business, and maturity models that will drive this industry forward.
10. Enabling Trust in the As-a-Service Economy
Moving into the As-a-Service Economy means changing the nature and focus of engagement between Enterprise Buyers, Service Providers, and Advisors.
“As-a-Service” unleashes people talent to drive new value through smarter technology and automation.
[Diagram labels: Legacy Economy, As-a-Service Economy, Fixed Assets, Leveraged Assets, Change Mgmt Ideals, Solution Ideals. Numbered ideals:]
  1 Write Off Legacy
  2 Design Thinking
  3 Brokers of Capability
  4 Collaborative Engagement
  5 Intelligent Automation
  6 Accessible & Actionable Data
  7 Holistic Security
  8 Plug & Play Digital Services
11. Leveraging the Digital Trust Framework
Our research has identified 8 different Digital Trust enablers within the security domain that provide the underlying “trust” structure within Managed Security Services. Security Providers must eventually support all 8.
[Diagram: Digital Trust & Security, surrounded by the eight enablers listed below]
  1. Data Integrity: End-to-end data integrity and security across all platforms (data in motion, data at rest).
  2. Device Security: Monitoring and countering intrusions at the device level, including firewalls, virus detection, management, etc.
  3. Application Security: Providing traditional security (e.g., encryption, VPN support, web filtering, user authentication, etc.).
  4. Platform/Performance: Measured from both the ability to secure the underlying infrastructure (PaaS, SaaS, etc.) and the ability to ensure ongoing operations (resiliency, continuity of operations, processing/network performance, data recovery, etc.).
  5. Identity/Privacy: Identity/Access with user-driven privacy policies and blended physical & digital identity systems.
  6. Governance/Compliance: Incident management and reporting tools to measure performance and guarantee compliance.
  7. Business Alignment: Fluid alignment with business unit goals and integration with ecosystem/partner security systems.
  8. User Engagement: Monitoring omni-channel user/consumer activity, identification of usage/adoption inhibitors, and means to shape and reinforce positive user/consumer behavior & CX (including user ownership of security).
12. Mapping to the “New” Security Maturity Model
CAPABILITIES and FOCUS
  0 LOW: No comprehensive security or digital trust strategy
  1 LOW-MODERATE: Coordinated security “essentials” (Data Integrity, Device & App security, Platform/Performance, IAM, Governance)
  2 MODERATE: Alignment of security with enterprise business goals and outcomes (e.g. BU-specific efforts, vetting of security & threat/risk within ecosystem)
  3 MODERATE-HIGH: Alignment of security with user behavior (e.g. personalization, notification, education, and behavior modification/reinforcement, basic user privacy policies)
  4 HIGH: Advanced security and trust enablers (e.g. physical/digital integration for identity, ecosystem / partner collaboration & integration for advanced threat detection, advanced privacy policies)
  5 VERY HIGH: Trust & Security Framework fully integrated with (an enabler of) transformational agendas (e.g. digital transformation, customer experience, corporate trust/risk management)
MANAGEMENT TRANSITIONS (from highest to lowest)
  • Chief Trust/Risk Officer (Reports to CEO / BoD)
  • Chief InfoSecurity Officer (Reports to CEO)
  • Chief InfoSecurity Officer (Reports to CIO)
  • VP / Director of Security (Reports to CIO)
  • Anarchy Rules
Assessing Alignment with the Digital Trust & Security Framework
Enterprise security maturity can be measured against three scales: Capabilities & Focus, Management Structure, and Security Responses. Implementation of basic security “essentials” (Level 1: the ability to monitor and counter the typical online/digital threat) is used as a baseline – the new “table stakes.” More advanced capabilities and focus to address comprehensive digital trust and increased mass-risk attacks are important metrics in gauging security maturity levels, as is the management reporting structure, which reveals a level of executive maturity and responsibility.
13. Balancing Capabilities & Focus Against Execution
THE DIMENSION OF TIME IMPACTS THE TRANSITIONAL RATE OF SECURITY MATURITY
The ability to identify threats (awareness) and the ability to remediate (respond). Security Service Providers must help their clients migrate to higher levels of maturity.
[Chart: Capabilities and Focus (levels 0 to 5) against Awareness and Response. Stages, in the order given:]
  • No Awareness / No Response
  • Delayed Awareness / Delayed Response
  • Delayed Awareness / Prompt Response
  • Prompt Awareness / Rapid Response
  • Real-time Awareness / Real-time Response
  • Predictive Awareness / Proactive Initiatives
[Other chart labels: Ability to Respond; Nirvana; 3-5+ yrs; 1-3 yrs; Process-driven Enterprises; Tech-driven Enterprises; Progressive Enterprises; Most Enterprises AND Most Providers]
14. Placing Cyber Security & Digital Trust in Context…
How much impact are the following digital components having on your F&A processes?
  • Trust and Security: Major Impact 35%, Some Impact 43%, Low Impact 14%, No Impact 8%
  • Analytics & Big Data Tools & Apps: Major Impact 18%, Some Impact 54%, Low Impact 21%, No Impact 7%
  • Interactive / Collaborative Tools, Apps & Social Media: Major Impact 21%, Some Impact 48%, Low Impact 21%, No Impact 10%
  • Cloud-based / SaaS Platforms upon which to build Shareable Digital Capabilities: Major Impact 20%, Some Impact 47%, Low Impact 23%, No Impact 10%
  • Mobility Tools & Applications: Major Impact 12%, Some Impact 52%, Low Impact 26%, No Impact 10%
  • Cognitive Computing Platforms & Machine Learning: Major Impact 13%, Some Impact 31%, Low Impact 31%, No Impact 25%
  • Robotic Process Automation (RPA) Tools & Apps: Major Impact 7%, Some Impact 27%, Low Impact 32%, No Impact 34%
Source: “Re-architecting Finance” Study, HfS Research 2016. Sample: 160 Enterprise Buyers
15. Six Key “Trust-as-a-Service” Observations
I. Managed Security is Generally 1.x
• Both service providers and enterprise buyers are still coping with (and asking for) traditional security systems.
• While emerging threats are dominating the headlines, there is still a strong urge among many to compartmentalize security issues and focus on traditional solutions that have worked (adequately) in the past. This focus may safeguard basic digital infrastructure, but it is inadequate to protect against emerging “mass risk” threats and the changing motivations of 2.0 cyber criminals. A rethinking of security maturity models is required.
II. Security Needs a New Champion
• The issues presented by 2.0 cyber criminals, coupled with an increasingly digital enterprise ecosystem, have moved beyond the traditional CISO (chief information security officer) and CRO (chief risk officer).
• Securing the enterprise, and managing corporate risk, requires a reworking of how businesses, and threats, are managed – a more transformational role that spans both the horizontal enterprise ecosystem and the vertical management chain. This role, the CTRO (chief trust/risk officer) is needed to drive transformation at both the employee and board level.
III. Innovation is “nice”
• While enterprises look for security solutions, and providers, that are innovative, execution is what most organizations are looking for today.
• The ability to stop threats and properly manage digital risk is still grounded in the ability of a managed security services provider to properly secure the core of an enterprise – consider this the “buy in” to the game, as traditional threats are not disappearing and theft of data/information is still the primary concern. Innovation, while nice to have, remains the nice to have aspect of cyber security. This is a mistake.
16. Six Key “Trust-as-a-Service” Observations
IV. Satisfaction with Security is an Illusion
• Cyber threats continue to confound the market, as the majority of businesses are in reactionary mode despite initiatives to secure the enterprise.
• Merely maintaining (or upgrading with) the status quo places an organization at risk for innovative threats that value long-term impact (economic advantage, loss of brand trust, corporate disruption), and employ strategies that are often beyond the immediate value of data that is stolen. Enterprises must adapt to, and address, these types of threats from a holistic business and behavioral perspective.
V. Digital Trust Requires a Commitment that Spans the Ecosystem
• Addressing cyber security is only one part of the digital trust equation.
• Digital trust touches on a number of different initiatives within an organization, including the close coordination of agendas such as digital transformation, improving customer experience, and appropriate management of digital and business risk. Service providers are increasingly recognizing the need for this type of embedded, holistic approach, but enterprises are still adapting to this model.
VI. IoT and Physical Security are Disruptors that Traditional Security does not Adequately Address
• Managed security services are primarily focused on the monitoring of established digital channels to secure corporate information assets.
• IoT (Internet of Things) devices and physical security systems (biometric scanners, access control systems) present both a security threat and an opportunity to expand legacy security systems to provide additional threat monitoring and context to digital cyber activities. IoT and physical security systems must be part of the future “security” solution.
17. Six Key Challenges Facing Enterprises in 2016
I. The Era of “Mass Risk” Attacks has Begun
• Targeted attacks that inflict high damage on a large number of people.
• The past year has continued the prior year’s trend of “bigger, better, badder” when it comes to high profile attacks, with major coordinated attacks in healthcare, education, banking, military/gov, and retail/CPG, with perhaps the most daring being the theft of over 20M OPM “background checks” and over 5M sets of handprints of US Federal workers. Technology can help mitigate risk but solutions must involve improved enterprise/corporate behavior.
II. Spear Phishing 2.0
• Spear-phishing, a highly targeted version of mass phishing attacks, has refined its look, feel, and potential risk.
• Much in the same way marketing firms benefit from the high level of personalized information available on the web, hackers are increasingly adding to their target “profiles” and scripting attacks that blur the lines between the digital and analog environments. We expect this to continue in 2016.
III. State-Sponsored Cyberattacks get Real
• State-sponsored attacks have become commonplace.
• Recent suspected “state-sponsored” hacks in 2015 have netted confidential information including individual health records, financial records, biometric/ID information, and user behavior (travel/mobility), all of which appear to be used to paint a more complete personal profile for use at a later time. This highlights the risk of “aggregated” data over time.
18. Six Key Challenges Facing Enterprises in 2016
IV. Extended Ecosystem Risks
• Lack of coordination between “partners” increases potential risk.
• While consolidated threat information is fairly well-shared, few organizations have aggressively brought members of their extended digital ecosystem to a maturity level that includes the coordinated implementation and/or monitoring of security tools and services. This is a growing risk as “less secure” partners are targeted as an alternative to direct attacks and as enterprises continue to distribute information to partners without adequate risk/need assessments.
V. Board-level Visibility without Board-level Power
• Cyberthreats are increasingly viewed as “business risk” by boards and investors.
• Boards, investors, and even financial credit rating firms have all turned their eyes to cybersecurity, recognizing it now needs to be viewed, and managed, as a corporate level risk (and opportunity). But while the interest is there, few security teams have the reporting structure or direct authority to be transformational at that level, or to engage directly with the key team members on policy and direction. We expect more “C-level” security moves in 2016.
VI. BYO-Risk
• The proliferation of user devices, hardware, and #IoT equipment is problematic.
• From USB sticks, wearables, and rogue printers to Bluetooth accessories and #IoT-enabled hardware, the threat from compromised devices continues to grow as few devices in this class adhere to levels of security required to combat an aggressive hack. Discovering, let alone securing, these devices will be a challenge as consumer adoption and usage continues to accelerate.
19. Building on Cyber Security to position Atos as the trusted digital partner
20. Atos + Bull + Xerox ITO: A new Global Security leader
• 4500+ Security professionals
• 5 Bn transactions secured/year (Worldline)
• 100M identities managed / day (IAM)
• 2M events managed each hour in our SOCs
• Tens of millions of lives protected in permanence by our critical systems
[Map regions: North America; Latin America; UK&I; Iberia; France; Germany; Benelux & the Nordics; Central & Eastern Europe; India, Middle East and Africa; Asia Pacific]
[Map legend: Key sites R&D Expert Networks; Atos Global SOCs; Atos Local SOCs]
21. Atos Strategy: Turning risk into value
Cyber Security
• Trust & Compliance: 24x7 HA, Fraud Management, Regulation & compliance
• Business Reinvention: IP protection, Big Data Security, Secure innovation platforms
• Customer Experience: Customer Privacy, Mobile Security, IoT Security
• Operational Excellence: Trusted workforce, Trusted BPM, Trusted cloud
22. Atos Cyber Security Portfolio: Catalogue of Services
Column headings: Consulting; Integration; Managed Security Services/SOC
Services, in the order they appear on the slide: SOC Advisory services; Security Architecture; Cyber threat Management; Platform Protection; Security Governance; Infrastructure Security Integration; Atos High Performance Security SIEM Services; Endpoint Protection Services; Security Risk Management; Identity & Access Management integration; CSIRT Services; Server Malware Protection services; Atos-Gras Savoye Cyber Risk Management services; Dedicated SOC; APT detection & Remediation; Vulnerability Management Services; IAM Consulting services; Perimeter Protection; Identity & Access Management; Security Audits ISO 2700X; Anti-DDoS Services; Secure Authentication Services; Security Technical audits; Intrusion Prevention Services; Identity Federation Hub; Penetration Testing; Proxy services; Password Reset; Data Protection & Compliance; Malware Scanning Services; Trustcenter; ISMS Strategy & Design; Information Protection; Data Loss prevention aaS; Encryption services
23. Discussion Point: The Big Picture
• What are the key enablers / trends for digital trust and security within the enterprise?
• How have cyber security challenges changed over the past 12 months, and how will they change during the current 12 months?
24. Discussion Point: Global vs Local
• How do cyber security requirements and digital trust enablers differ by region (e.g., Americas, EU, AsiaPAC)?
• What is the role of vertical industry specialization in cyber security frameworks (e.g., F&A, Manufacturing, Healthcare, Energy, Public Sector, etc.)?
25. Discussion Point: Emerging Technologies and Models
• What is the potential impact of the Cloud and #BigData on cyber security?
• How can analytics be leveraged to improve cyber security?
• Does mobile-first (or mobile-only) require a rethinking of enterprise trust and cyber security?
26. Discussion Point: #IoT – the Internet of Things
• How are both industrial and consumer IoT impacting digital trust and cyber security?
• Are there regulatory or policy issues that need to be addressed with IoT data?
27. Discussion Point: The Trusted Ecosystem
• What type of partner ecosystem is required between enterprises and security services providers to protect, and leverage, business assets in the digital economy?
• What are the critical capabilities and value propositions that define outstanding security services?
28. Questions?