Cybersecurity: Strategies for Successful Business Engagement

Transcription

1 Cybersecurity: Strategies for Successful Business Engagement Allan Boardman Cyberadvisor.London Information Security Summit Hong Kong 4-5 September 2018

2 Agenda Setting the scene Cybersecurity challenges facing business Business engagement Practical approach Conclusion Q&A

3 About the Presenter Allan Boardman CISA, CISM, CGEIT, CRISC, CA(SA), ACA, CISSP Independent Business Advisor CyberAdvisor.London Background in Audit, Risk, Security and Governance roles Chair ISACA International Audit and Risk Committee, 2014/15, member 2014/18 Chair ISACA International Credentialing Board & Career Management Board, 2011/14 Member ISACA International Board of Directors, 2011/14 Member ISACA International Strategy Advisory Council, 2011/14 ISACA International Vice President, 2012/14 Member ITGI Board of Trustees, 2012/14 Chair CISM Certification Committee 2009/11, member since 2006 Member ISACA CGEIT Certification Committee 2016/current Member ISACA Leadership Development Committee 2010/11 London Chapter President 2004/06. Chapter Board member 1999/08 Paralympics and Olympics Volunteer London 2012, Sochi 2014, Rio 2016, PyeongChang

4 OBJECTIVES Understand key challenges business face managing cybersecurity threats Adopt structured approach to help business identify cyber threats and risk scenarios Follow risk based approach to managing cyber security from business perspective Be armed with more effective tools and best practices to engage with business What I hope you ll leave with today New ideas for engaging differently with your business in your quest to help them do better with their Cybersecurity initiatives

5 SETTING THE SCENE (what is the problem?)

6

7 Most Devastating Cyberattack in History NotPetya struck on 27 th June Two powerful hacker tools working in tandem. EternalBlue penetration tool that exploits a vulnerability in a particular Windows protocol. Mimikatz proof of concept tool that demonstrated that Windows left users passwords lingering in memory. To date, it was the fastest propagating malware we ve seen. Devastating business impacts across the globe. Over $10 Billion in damages, estimates of $870M Merck, $400M FedEx, $300M Maersk, to name a few.

8 The reality is

9 We know that this is an area of concern for most directors. I don t think there are any directors that don t think cyber security is a major risk for their companies. Where they struggle is that they re not quite sure what to do about it.

10 Board members in general look at this as a technical problem that is to be solved by the propeller heads. And the propeller heads look at this as, this is a technical problem, just give me enough money, and leave me alone, and let me do my job. That s not communicating. That s not engagement.

11 Cyber is a strategic business risk, and the idea that boards somehow relinquish their oversight responsibilities because it s IT and that s too hard. Imagine if they had the same perspective with their CFO. That finance stuff, that s a little tough, we re not going to ask finance questions. I mean, that s crazy.

12 It s an interesting and exciting time. Cool new functionality got ahead of security; we need to build tech with security embedded and with holistic governance. Boards and the C-suite need to understand how tech impacts the entire enterprise.

13 CYBERSECURITY CHALLENGES FACING BUSINESS

14

15 Rapid pace of digital transformation

16 Longer and complex supply chains and business alliances

17

18 The rapid convergence of cyber crime and geopolitics

19

20

21 Innovative, well-resourced and motivated threat actors

22

23 Reliance on legacy technologies and processes

24 Aggregation of critical workloads in the cloud

25 De perimeterization of Networks

26 Have not even mentioned AI, Blockchain, IoT and other new technologies

27 Complex global data protection laws

28 Overwhelming sense of security weariness or fatigue

29

30 The endemic global shortage of skilled cyber security workforce

31 So just how do you approach this.

32 Effective and sustained cyber transformation requires strong support from the top

33 BUSINESS ENGAGEMENT

34 TYPICAL BUSINESS ENGAGEMENT. LOOK FAMILIAR?

35 IN A TYPICAL MAJOR INCIDENT, WHO WORRIES ABOUT WHAT? Business leaders: Business Risk Security team: Security Detail How bad is it? Who was it? How did they get in? What information was taken? What are the legal implications? Is it under control? What are the damages? What do we tell people? Account lockouts Failed user access attempts Web shell deletions Buffer overflows SQL injections Cross-site scripting Denial-of-service IDS/IPS events

36 WHAT THE BUSINESS WANTS Full visibility Rapid insight Business context Efficient and comprehensive response Aligned to business priorities Risk managed from business perspective Business driven security linkage

37

38 TONE AT THE TOP IS KEY If executives demonstrate eagerness and deep commitment to protecting highvalue digital assets and upholding customer digital trust, making the cyber-risk appetite an entrenched part of the enterprise s life, middle and lower ranking employees will also naturally be inclined to uphold the same virtues.

39 KEY ACTIONS THAT ENTERPRISES CAN TAKE TO SET THE TONE AT THE TOP The CEO should emphasize the significance of cyber security to the enterprise mission. CEO and Executive team should express senior leadership s unwavering commitment to maintaining a cyber-resilient enterprise. Business unit leaders should cascade the CEO s core messages to their wider teams. Senior leaders should actively participate in major cybersecurity drills. Senior executives should also send a strong message to others by rejecting requests that violate policy.

40

41 BUSINESS ENGAGEMENT APPROACH Have a clear understanding of where your business is in terms of cybersecurity transformation. Help the business find out what their most important digital assets are, where they are and who has access. Have a clear understanding of who their adversaries are that would have an interest in the organisation s data.

42

43

44 PRACTICAL APROACH

45 SO HOW DO WE ENGAGE?

46 DOES THIS ENGAGE THE BUSINESS?

47 DATA IS THE NEW FRONTIER

48 FOUR STAGE MODEL FOR ENGAGING THE BUSINESS

49 THREAT AND RISK WORKSHOP APPROACH TO PROACTIVELY IDENTIFY, TRACK AND ADDRESS THREATS Identify most critical information assets Identify threats and attack scenarios that target these assets Determine protection required Identify current controls Identify current risk exposure Agee action plan for addressing gaps

50 BUSINESS DRIVEN SECURITY STRATEGY Prioritize assets and understand their vulnerabilities. Quantify business risk and impact if those assets were compromised. Build a strategy to defend those assets with clear cost/benefit. Ensure strategy is holistic (people, process, technology). Determine gaps between what you have in place and your ideal state. Take a phased approach to addressing the gaps. Prioritize according to impact on risk posture. Constantly re-evaluate threats and vulnerabilities to tune your strategy. Have a response plan in place.

51 TOOLS AND TECHNIQUES With reference to their specific critical information asset category, ensure that the Business is well briefed on the types of threats, threat actors and their motivations Threat Categories Malware Hacking Social Misuse Error Physical Environmental Description Malicious or harmful software Deliberate attempts to access or harm Social engineering designed to deceive Unauthorised use of systems Mistakes or omissions Loss or theft of hardware Natural or human made disasters Threat Agents and Motivations Organised Crime IP, extortion, difficult to trace and prosecute Nation States corporate espionage, rogue states attacking national infrastructure to cause damage Hacktivists disruption, inspired by ideology and often case driven Insider accidental, disgruntled, driven by money or moral compass Competitor - commercial espionage and sabotage Third Parties commercial espionage and sabotage

52 TOOLS AND TECHNIQUES Brainstorm threat and attack scenarios with the Business No. Threat Scenario Likelihood Impact Risk Rating 1 Hacker exploits weakness in network and steals customer database 2 Disgruntled insider steals key intellectual property details to provide to a competitor 3 Targeted ransomware attack renders operational system inoperable 4 Employee uploads business expansion plans and strategies to public cloud platform 5 Pre release financial results are sent to journalist by a malicious insider 4 3 High 3 4 High 3 5 Very high 3 3 Medium 4 5 Very High

53 TOOLS AND TECHNIQUES Risk Heat Map and Scenarios Risk Rating Business Impact x Threat Likelihood Almost certain (5) 5 Likely (4) 1 Threat Likelihood Possible (3) Unlikely (2) Rare (1) Insignificant (1) Minor (2) Moderate (3) Major (4) Catastrophic (5) Business Impact

54 Talking to the Board

55 TOP TIPS WHEN SPEAKING TO THE BOARD ABOUT CYBERSECURITY Give a summary of good and bad news up front. Be clear and concise, both in your discussion and in the advance materials. Be transparent and honest. Don t give unfounded assurances. If you don t know something, say so and promise to get back. Avoid tech speak and acronyms. Use analogies to aid understanding for non-cyber experts. Articulate business impact, risk, mitigations and plans. Clearly identify anything that requires board action or consideration. Do not surprise your CEO brief her or him in advance.

56 CONCLUSION

57

58 KEY POINTS TO REMEMBER Competitive risk may be bigger than cyber risk, so explore new technologies and their potential impact. Avoid becoming a roadblock that slows growth and progress. Enable the safe adoption of new technologies and processes.

59 The cyber attach wasn t a board issue because the company lost 10 million. It was a board issue because the attack made headlines and undermined our customers trust on our online systems, threatening the brand and the direction we wanted to go as a company.

60 IN SUMMARY The Executive do not require a cyber security strategy! They want a business strategy that incorporates cyber. It s not what you tell them, It s the way you tell them! Determine how to position cybersecurity as a business and commercial issue rather than just an IT issue. Finally, don t forget about Dave. Some say he is 90% of the risk. But the solution often is technology driven focusing on the 10%.

61

62 Final Final Reminder

63 QUESTIONS?

64