How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

Transcription

1 How to Optimize Cyber Defenses through Risk-Based Governance Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

2 The Goal: Risk-Based Operationalization Incident Management IT/IS Management Vendor Management Policy Management Enterprise Risk Management Compliance Management Audit Management Financial Reporting Business Continuity

3 By the Numbers Total data protection may be an impossible objective. 1,093 data breaches occurred in ,601,939 records exposed 2 63% of confirmed data breaches involved weak, default, or stolen passwords 3 (i.e. governance) Too often, companies react to external threats by spending billions on technology solutions, without addressing the root-cause governance issue. 1 Identity Theft Resource Center, Data Breach Reports 2016 Year End 2 Ponemon Institute, The Cost of Malware Containment 3 Verizon, 2016 Data Breach Investigations Report

4 What is the Governance Challenge? IT is separated from entitlement management. Individual departments and process owners know who has access to which platforms and services, and who the key administrators are. 1 Verizon, 2016 Data Breach Investigations Report

5 Training Isn t Enough It goes beyond security policies and training. Within two months of password security training: Only 20% of employees will adequately strengthen their passwords. 26% of employees will improve their passwords, not following best practices. The remaining 54% will maintain inadequate password quality, leaving themselves and the company vulnerable.

6 Neither is Insurance You can outsource the process, but you can t outsource the risk. Insurance policies alone aren t safety nets. 32,500 records breached Had cyber insurance Insurance provider attained a judicial ruling to waive $4.1M claim for failure to meet minimum required practices.

7 How to Operationalize a Risk-Based Approach

8 The Challenge: Complexity Many groups hold pieces of the puzzle, but most organizations can t put the fill picture together. Finance Vendor Management IT Security HR Audit Knows assets and process owner allocation but no method or system to share information Has no system to manage authorized assets or share information Does not have a complete list of company assets with logins so they cannot control or monitor password quality Has no method or system to notify application administrators of user entitlement changes Has entitlement policy but no user access list mapped to company assets with login

9 Policies Must Be Operationalized Organizations must operationalize their policies in order for them to be effective, by taking a holistic approach and involving the right roles in the organization. Role IT Security IT & Finance Vendor Management / Procurement Human Resources Process Owner User Insight & Accountability Security Policy + Incident Monitoring Asset Management Asset Authorization Hiring, Termination + Role Changes Entitlement Management + Access Rights Password Usage

10 Traditional, Silo d Approach

11 Apply a Risk-Based Approach

12 Applying this Process to Cyber Identify Assess Mitigate Monitor Departmental Security Risks at the Front-Lines Readiness Frameworks & Standards i.e. NIST, SANS, ISO, COBIT What is the impact and likelihood to our business? How prepared are we to meet these guidelines? Which controls, policies and procedures mitigate risks and manage guidelines? What are our gaps? How effectively are these control activities managing our risks? i.e. Testing (Pen, Intrusion), Incident Management, Metrics

13 The Solution Risk Manager provides the Board evidence of the ERM program s effectiveness in cyber. To do this, involve the IT group. 1 2) Identify IT-related assets & services with finance. 2 1) Security and password policies are maintained by IT. 3 3) Engage with process owners about assets, access rights & administration. 4) Collaborate with process owners to identify related IT vendors ) Meet with legal/compliance to adjust vendor contracts. 6) Operationalization is achieved with ERM & process owner engagement! 6

14 Manage Cybersecurity Operationalization

15 Questions?

16 About Steven Minsky Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model Steven is the CEO of LogicManager, author of the RIMS Risk Maturity Model, and a speaker on many ERM and GRC topics. You can reach Steven on Twitter, or him at steven.minsky@logicmanager.com.