Ten Tenets of Security Success
Ten Tenets of Security Success
2016 Frank Kim. All Rights Reserved.

About: Frank Kim
- CISO, SANS Institute
- Curriculum Lead, Management and Application Security
- Author, MGT514: Security Strategic Planning, Policy, and Leadership
- Author, DEV541: Secure Coding in Java

#1 Create Credibility
Stakeholder Management Strategy
As you become more successful in your career, the initiatives you run will affect more people. It's likely your work will impact people who have power and influence over your projects. These people can support or block you.
Meet with stakeholders to:
- Build trust
- Form alliances
- Understand what motivates them
- Identify what you can provide to them

Understanding Stakeholders Example (Power/Interest Grid, from mindtools.com)
- High power, low interest: Keep Satisfied (HR, Legal)
- High power, high interest: Manage Closely (CIO, CFO, CISO)
- Low power quadrants: Monitor and Keep Informed (Ops Team, End Users)
#2 Catch the Culture

Organizational Culture
"Culture eats strategy for breakfast." - Peter Drucker

#3 Relate to Risk

Precision Farming
- Use sensors and drones
- Simulate water, fertilizer, and pesticide adjustments
- Goal: Increase yields and profit
- Impact: Crop & pricing manipulation

Industrial Control Systems: Ukrainian Power Grid
- Power distribution hacked
- 225,000 citizens w/o power
- Goal: Supply power reliably
- Impact: Power outage, political destabilization, decreased confidence in government

Risk Exposure (timeline chart)
- Technology risk: increasing complexity of the technology environment results in operational risks (first web site, global network, wireless network, introduction of mobile devices, first mobile app, mobile payments, partners, cloud computing, big data, Internet of Things)
- Threat risk: increasing complexity of threats results in additional exposure due to security risks (basic threats, insider threats, activists, organized crime, Advanced Persistent Threats, Stuxnet, nation states, Edward Snowden, "year of the breach")
- Net effect: increasing risk due to evolving threat landscape and business requirements
#4 Shape the Strategy

Identify a Security Framework
Security frameworks provide a blueprint for:
- Building security programs
- Managing risk
- Communicating about security
Many frameworks share common security concepts. Examples include:
- ISO series (ISMS requirements, code of practice, implementation guidance, measurement, risk management)
- COBIT
- ENISA Evaluation Framework
- NIST Cybersecurity Framework

NIST Cybersecurity Framework
Functions: Identify, Protect, Detect, Respond, Recover
- Composed of three parts: Core, Implementation Tiers, Profiles
- Defines a common language for managing security risk
- Core has five Functions that provide a high-level, strategic view of the security life cycle
- Helps organizations ask: What are we doing today? How are we doing? Where do we want to go? When do we want to get there?

Maturity Comparison Example (chart)
Current state versus target state for each Function (Identify, Protect, Detect, Respond, Recover), rated on a scale from Lagging through Industry to Leading.
#5 Don't Show Me the Money

Establish a Vision
- Stakeholders don't value expertise; they value results
- By understanding what they value, we can learn to innovate with the business
"The best way to predict the future is to invent it." - Alan Kay

Mapping to Strategic Objectives
- Financial/Stewardship: Lower costs; Increased profitability; Increased revenue
- Customer/Stakeholder: Improved compliance & regulatory; Lower wait times; Improved satisfaction
- Internal Business Process: Improved availability & resiliency; Increased process efficiency; Lower cycle times; Business innovation/new product support
- Organizational Capacity or Security Capability: Improved knowledge & skills; Improved tools & technology

Translating Security Vision & Strategy
Financial/Stewardship
- How much does security cost to operate? Security budget as a % of IT budget, including CAPEX and OPEX
- Lower costs, increased revenue, increased profitability
- How incidents financially impact your company: direct loss (e.g. IP, customer lists, trade secrets, loss or destruction of assets); cost of downtime (e.g. refunds or failed transactions); cost of containment, recovery, and restitution
Customer/Stakeholder
- Improved compliance & regulatory (e.g. security controls of impacted systems and reporting capability)
- Lower wait times (e.g. meeting SLAs on evidence to HR/Legal, and on-time, on-budget delivery of projects)
- Improved satisfaction (e.g. responsiveness in time to remediate incidents on customer-facing sites)
Internal Business Process
- Improved availability & resiliency (e.g. time to detect, respond, and remediate outages caused by incidents)
- Increased process efficiency (e.g. time to remove unauthorized devices from the network)
- Lower cycle times (e.g. response time for customer-facing security activities)
- Business innovation/new product support (e.g. response time for security assessments)
Security Capability
- Improved knowledge & skills (e.g. security awareness training completion rate and/or phishing results)
- Improved tools & technology (e.g. false positive trends on customer-visible security controls such as encryption)
#6 Deliver the Deal

Build Your Business Case
As a manager and leader you are expected to:
- Understand the vision and mission of the company
- Make security understandable to business leaders
Don't just ask for the money:
- Sell the vision and how you will solve business problems
Let the case speak for itself:
- Allow decision makers to come to their own conclusion
- Outline three options with various pros and cons
- Let them pick one

Provide Options
Highlight trade-offs with business value, risk reduction, and cost. Options A, B, and C are compared on business value, risk reduction, and cost ($, $$, $$$ respectively); the business value and risk reduction ratings are shown graphically on the slide.

#7 Invest in Individuals
Putting Leadership Into Perspective
Boss                        | Manager                  | Leader
Drives people               | Manages things           | Coaches, mentors and grows people
Thinks short term           | Thinks mid term          | Thinks long term
Focused on self             | Focused on process       | Focused on people
Instills fear               | Earns respect            | Generates enthusiasm
Says "I"                    | Says "Our"               | Says "We"
Micromanages                | Delegates                | Motivates
Places blame on roadblocks  | Navigates roadblocks     | Removes roadblocks
Dictates how it's done      | Shows how it's done      | Influences how it's done
Takes credit                | Shares credit            | Gives credit
Commands                    | Asks                     | Influences
Says "Go"                   | Says "Let's go"          | Says "Way to go"

The Three Es of Learning
- Education (10%): Training course, Leadership programs, Professional conferences, Online resources, Online learning, Career education, Reading, Peer learning, Formal education
- Exposure (20%): Increase your perspective, Showcase your skills, Peer networking, Career counseling, Networking workshops, Informal interviews, Shadowing, Use a buddy, Mentor
- Experience (70%): Cross-functional project, Stretch task, Special assignment, Leadership challenge, Deliver a presentation, Expanding skills, Teach/Coach, Best practice, Special initiative, Special project
Career Management: P.I.E.
Everyone should have a piece of the P.I.E.
- Performance: Perform exceptionally well
- Image: Cultivate the proper image
- Exposure: Manage their exposure so the right people will know them

Marissa Mayer on Sponsorship
"Work for someone who believes in you, because when they believe in you, they'll invest in you." - Marissa Mayer

#8 Make Metrics Matter

Metrics Hierarchy
Focus & actions increase as you move up the pyramid; volume of information increases as you move down the pyramid.
- Strategic: Focus = Strategic Objectives; Type = KPIs; Implementation = Balanced Scorecard
- Operational: Focus = Analysis & Trends; Type = Metrics; Implementation = Security Dashboard
- Technical: Focus = Data; Type = Measures; Implementation = Charts & Graphs
Security Dashboard Example (dashboard image; each panel plotted by quarter Q1-Q4)
- # Authorized/unauthorized devices on the network (authorized, unauthorized, total)
- Avg. time to remove unauthorized devices from the network (avg. time to remediate in hours, with upper and lower control limits)
- Application Scanning Coverage (scanned, not scanned, total)
- Security Budget Allocation (training, services, products versus budget, in $ millions)
- % of Products Delivered On Time and On Budget (actuals with upper and lower limits)
- Developers Trained in Secure Coding (% developers trained and not trained, with upper and lower limits)
Balanced Scorecard Example
Financial/Stewardship
- Q4 % Product Development Budget Allocated to Security. Target: 5%. Trend: Increased support for Legal as they piloted their case management system.
- Q4 & YTD Security Budget Allocation:
            Q1          Q2          Q3          Q4
  Products  $575,000    $597,000    $425,000    $732,000
  Services  $1,590,000  $1,320,000  $1,190,000  $1,090,000
  Training  $326,000    $315,000    $427,000    $301,000
  Actuals   $2,491,000  $2,232,000  $2,042,000  $2,123,000
  Budget    $2,190,000  $2,211,900  $2,234,019  $2,256,359
  Variance  -$301,000   -$20,100    $192,019    $133,359
Customer/Stakeholder
- Q4 % of Products Delivered On Time and On Budget. Target: 95%. Trend: 18% increase over Q3 in on-time and on-budget delivery; Security staffed a temporary PMO team to meet the goal.
- YTD Customer Satisfaction. Target: 90%. Trend: 8% increase over Q3 in customer satisfaction rating of 4 or higher out of 5 possible.
Internal Business Process
- Q4 % of Developers Trained in Secure Coding Principles. Target: 95%. Trend: 5%, 95%, 97%; 100% of flagship application developers completed training, reducing overall risk to the organization.
- Q4 % of Developers Attaining Certification. Target: 95%. Trend: 85%, 42%. Mitigation plan: Follow up with developers after training is complete for certification.

Balanced Scorecard Example: Security Capability
- Identify (Manage risk to systems, assets, data, and capabilities). Status: Yellow. Highlights: 32% increase in unauthorized devices (29% IT, 3% HR); 27% increase in unauthorized software; attributed to Q4 BYOD pilot.
- Protect (Ensure delivery of critical infrastructure services). Status: Green. Highlights: 12% of users failed sponsored phishing tests; 15% of employees have not passed security awareness assessments.
- Detect (Identify occurrence of a cybersecurity event). Status: Green. Highlights: 27% decrease in elevated access accounts; 275 total elevated access accounts.
- Respond (Take action regarding a detected cybersecurity event). Status: Green. Highlights: 5% of database systems with sensitive information have not been scanned by vulnerability scanners.
- Recover (Maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event). Status: Red. Highlights: 34% of systems not enabled with up-to-date antimalware; attributed to Q4 BYOD pilot.
#9 Master Your Message

Filters to Communication
Physical and psychological barriers can stop the flow of communication.
- Culture, background, and bias: Allowing past experience to change the meaning of the message
- Ourselves: Focusing on self rather than the other person can lead to confusion and/or conflict (defensiveness, superiority, and ego)
- Perception: Barriers such as poor language skills, a person's status, etc.
- Stress: Psychological frame of reference at the given moment
Example #1: Bad Exec Communication (DMARC)
DMARC is an email validation system designed to detect spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators and that the email (including attachments) has not been modified during transport. It expands on two existing mechanisms, the well-known Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), coordinating their results on the alignment of the domain in the From: header field, which is often visible to end users. It allows specification of policies (the procedures for handling incoming mail based on the combined results) and provides for reporting of actions performed under those policies.
Source:

Example #1: Better Exec Communication (DMARC)
The solution prevents scammers from sending fraudulent email to our customers. These fraudulent emails result in stolen usernames, passwords, and fraudulent transactions. The solution reduces the number of stolen accounts by 20%, account fraud by 10%, and the total amount of fraudulent transactions by $1 million per year.

Example #2: Bad Exec Communication (DDoS)
DDoS is an attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system, causing a Distributed Denial of Service (DDoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack. The DDoS attack uses multiple computers and Internet connections to flood the targeted resource. DDoS attacks are often global attacks, distributed via botnets.
Source:

Example #2: Better Exec Communication (DDoS)
All web sites are up and operational after a traffic flood attack on Friday night. Our primary web site was unavailable for two minutes because it was flooded with traffic from the Internet by cyber attackers. We immediately instituted our incident response and recovery procedures and the web site was made available with zero customer impact.
Simplify Your Message

#10 Solve Business Problems

Evolution of Security Leadership
- Old School: IT Security; Technology focus
- New School: IT Security; Risk Management; Regulatory, Compliance, Legal, Privacy; Business savvy; Business focus
Graphic credit:

Ten Tenets of Security Success
#1 Create Credibility
#2 Catch the Culture
#3 Relate to Risk
#4 Shape the Strategy
#5 Don't Show Me the Money
#6 Deliver the Deal
#7 Invest in Individuals
#8 Make Metrics Matter
#9 Master Your Message
#10 Solve Business Problems

Thank You! Frank
Presentation based on: MGT514: IT Security Strategic Planning, Policy, and Leadership
More information2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report
Nationwide Cyber Security Review: Summary Report Nationwide Cyber Security Review: Summary Report ii Nationwide Cyber Security Review: Summary Report Acknowledgments The Multi-State Information Sharing
More informationCYBER RESILIENCE & INCIDENT RESPONSE
CYBER RESILIENCE & INCIDENT RESPONSE www.nccgroup.trust Introduction The threat landscape has changed dramatically over the last decade. Once the biggest threats came from opportunist attacks and preventable
More informationThe NIST Cybersecurity Framework
The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce
More informationGujarat Forensic Sciences University
Gujarat Forensic Sciences University Knowledge Wisdom Fulfilment Cyber Security Consulting Services Secure Software Engineering Infrastructure Security Digital Forensics SDLC Assurance Review & Threat
More informationState of Cloud Survey GERMANY FINDINGS
2011 State of Cloud Survey GERMANY FINDINGS CONTENTS Executive Summary... 4 Methodology... 6 Finding 1: Cloud security is top goal and top concern.................................. 8 Finding 2: IT staff
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More informationTurning Risk into Advantage
Turning Risk into Advantage How Enterprise Wide Risk Management is helping customers succeed in turbulent times and increase their competitiveness Glenn Tjon Partner KPMG Advisory Presentation Overview
More informationSecuring Digital Transformation
September 4, 2017 Securing Digital Transformation DXC Security Andreas Wuchner, CTO Security Innovation Risk surface is evolving and increasingly complex The adversary is highly innovative and sophisticated
More informationCybersecurity and Nonprofit
Cybersecurity and Nonprofit 2 2 Agenda Cybersecurity and Non Profits Scenario #1 Scenario #2 What Makes a Difference Cyber Insurance and How it Helps Question and Answer 3 3 Cybersecurity and Nonprofit
More informationRole of BC / DR in CISRP. Ramesh Warrier Director ebrp Solutions
Role of BC / DR in CISRP Ramesh Warrier Director ebrp Solutions You have been HACKED Now what? Incident Response Incident HANDLING Incident RESPONSE Incident HANDLING Assessment Containment Eradication
More informationlocuz.com SOC Services
locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security
More informationBringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016
Bringing cyber to the Board of Directors & C-level and keeping it there Dirk Lybaert, Proximus September 9 th 2016 Dirk Lybaert Chief Group Corporate Affairs We constantly keep people connected to the
More informationThink Oslo 2018 Where Technology Meets Humanity. Oslo. Felicity March Cyber Resilience - Europe
Think Oslo 2018 Where Technology Meets Humanity Oslo Felicity March Cyber Resilience - Europe Cyber Resilience Cyber Resilience is the ability of an organisation to maintain its core purpose and integrity
More informationSupply Chain Integrity and Security Assurance for ICT. Mats Nilsson
Supply Chain Integrity and Security Assurance for ICT Mats Nilsson The starting point 2 B Internet users 85% Population coverage 5+ B Mobile subscriptions 10 years of Daily upload E-Books surpassing Print
More informationMission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS
Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS Stephanie Poe, DNP, RN-BC CNIO, The Johns Hopkins Hospital and Health System Discussion Topics The Age of Acceleration Cyber
More informationREPORT. proofpoint.com
REPORT proofpoint.com Email fraud, also known as business email compromise (BEC), is one of today s greatest cyber threats. These socially engineered attacks seek to exploit people rather than technology.
More informationKey Findings from the Global State of Information Security Survey 2017 Indonesian Insights
www.pwc.com/id Key Findings from the State of Information Security Survey 2017 n Insights Key Findings from the State of Information Security Survey 2017 n Insights By now, the numbers have become numbing.
More informationThe Cyber Threat. Bob Gourley, Partner, Cognitio June 22, How we think. 1
The Cyber Threat Bob Gourley, Partner, Cognitio June 22, 2016 How we think. 1 About This Presentation Based on decades of experience in cyber conflict Including cyber defense, cyber intelligence, cyber
More informationCybersecurity Session IIA Conference 2018
www.pwc.com/me Cybersecurity Session IIA Conference 2018 Wael Fattouh Partner PwC Cybersecurity and Technology Risk PwC 2 There are only two types of companies: Those that have been hacked, and those that
More informationMOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner
MOBILE SECURITY 2017 SPOTLIGHT REPORT Group Partner Information Security PRESENTED BY OVERVIEW Security and privacy risks are on the rise with the proliferation of mobile devices and their increasing use
More informationSecuring the User: Winning Hearts & Minds to Drive Secure Behavior
Securing the User: Winning Hearts & Minds to Drive Secure Behavior Thomas Skill, CIO University of Dayto Spencer Mott, CIO-CISO Amg Dawn Sherizad, product manager of security, Macy Eleanor Dallaway, Editor
More informationInternet of Things Toolkit for Small and Medium Businesses
Your Guide #IoTatWork to IoT Security #IoTatWork Internet of Things Toolkit for Small and Medium Businesses Table of Contents Introduction 1 The Internet of Things (IoT) 2 Presence of IoT in Business Sectors
More informationAZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments
AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES To Secure Azure and Hybrid Cloud Environments Introduction Cloud is at the core of every successful digital transformation initiative. With cloud comes new
More informationAccelerate Your Enterprise Private Cloud Initiative
Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service
More informationIT risks and controls
Università degli Studi di Roma "Tor Vergata" Master of Science in Business Administration Business Auditing Course IT risks and controls October 2018 Agenda I IT GOVERNANCE IT evolution, objectives, roles
More informationModerator: Presenters: Ross Albert Damon D Levine
SOA Antitrust Disclaimer SOA Presentation Disclaimer Session 7: Cyber Risk Management: From the Inside and the Outside Moderator: Presenters: Ross Albert Damon D Levine A Holistic Approach to Cyber Risk
More informationJune 2 nd, 2016 Security Awareness
June 2 nd, 2016 Security Awareness Security is the degree of resistance to, or protection from, harm. if security breaks down, technology breaks down Protecting People, Property and Business Assets Goal
More informationCertified Information Security Manager (CISM) Course Overview
Certified Information Security Manager (CISM) Course Overview This course teaches students about information security governance, information risk management, information security program development,
More information