CYBERSECURITY SAVE YOUR BOTTOM LINE IBC Annual Convention Anne Benigsen, Bankers Bank of the West

Transcription

1 CYBERSECURITY SAVE YOUR BOTTOM LINE I t s n o t a l l a b o u t m o n e y - r e a l l y 1

2 WHO AM I? 24 years in IT. 10 years in IS. 7 years in banking. Small business. Large business. Government. Entertainment industry. Retail. Liberal artsy college. And a partridge in a pear tree. 2

3 3

4 UNDERSTANDING PEOPLE COMMUNICATING 4

5 WE GET IT! Cybersecurity is a top 3 concern among CEO's PWC 2017 CEO Survey 5

6 OR DO WE? MONEY ISN T EVERYTHING The human factor is for controls and vulnerabilities is 6

7 UNDERSTANDING IT SECURITY THREAT TO ORGANIZATION Do non-security professionals in your organization understand the IT security threats that your organization faces today? 13% 3% 33% 17% 3% 25% % % 9% 45% Yes, and they are supportive of IT security initiatives Yes, but they have to be dragged into the security discussion It's a mixed bag, some of them are, some of them aren't There are a few who get it, but most of them are clueless What threats? Data UBM survey of security professionals, June

8 UNDERSTANDING PEOPLE COMMUNICATING 8

9 DEFINING: CYBERSECURITY 9

10 FFIEC NIST ISACA 10

11 IS THIS WHAT WE THINK OF? 11

12 JUNE 2014 NOV 2014 FEB 2015 FFIEC makes Cybersecurity a separate part of its website Cybersecurity assessment information released Business Continuity Booklet updated APRIL 2016 NOV 2015 JUNE 2015 Retail Payments Booklet revised Management Booklet Redone Cybersecurity Assessment Tool JULY 2016 SEPT 2016 OCT 2016 MAY 2017 InTREx released Information Security Booklet Redone CAT FAQ released CAT 1.1 released 12

13 Where are we? Cybersecurity is part of: Board Reports Risk Management Senior Management Responsibility 13

14 WE MOVED TOO FAST NEED TO WALK BEFORE WE RUN $120 Billion Cybersecurity market was $3.5 Billion $3.5 Billion Cybersecurity market is projected $120 Billion Cybersecurity Ventures 14

15 8 to 10 Financial industry is likely more Peak Resources

16 AVOID ONE-USE TOOLS CONTROLS CAN HAVE MULTIPLE USES 16

17 WE NEED GREATER UNDERSTANDING: USE ANALOGIES 17

18 COMMON UNDERSTANDING 18

19 UNDERSTANDING PEOPLE COMMUNICATING 19

20 COMMUNICATION BUSINESS OR CYBERSECURITY? 2007 Cybersecurity did not rank in top 10 in C-suite concerns 2017 Cybersecurity was #1 (or top 3) in C-suite concerns 20

21 SECURITY PROFESSIONALS GREATEST CONCERNS Social engineering Phishing, vishing, social network exploits Targeted threats Attacks that are targeted directly at the organization Malware Malware that evades signature-based defenses like anti-virus Ransomware Extortion like ransomware that is perpetuated by outsiders 03 Accidental data leaks People who fail to follow policy and leak data 06 Data theft / sabotage Data leaks that were done by insiders maliciously 21 UBM survey of security professionals, June 2017

22 01 Compliance with regulation 04 Vulnerabilities of Applications SECURITY GREATEST AMOUNT OF MONEY SPENT Social Engineering Accurately measure organization s security posture or risk Internal mistakes that cause loss of compliance to industry/regulators Malware that evades signaturebased defenses 22 UBM survey of security professionals, June 2017

23 MONEY SPENT RANKED BY I.S. STAFF Compliance with regulation Social Engineering Accurately measure organization s security posture or risk Vulnerabilities of Applications Internal mistakes that cause loss of compliance to industry/regulators Malware that evades signature-based defenses 23

24 BRIDGING THAT GAP THE NEED FOR EDUCATION Blackhat 2 / 70 FS-ISAC 9 /

25 OUR DIFFERENCES WHY DON T THE IS/IT FOLK UNDERSTAND OUR INDUSTRY? Most colleges only require 2 classes concerning business or communication for a BS in technology 25

26 DO THEY KNOW AS MUCH ABOUT BANKING AS YOU DO ABOUT TECH? 26

27 INVESTING IN YOUR TEAM IS/IT ARE BANKERS, TOO! (BUT THEY MAY NEED A LITTLE HELP) 27

28 INVESTING IN YOUR TEAM Understanding business = understanding budget 17% 4% 42% 14% 8% 36% % Sufficient Security Budget Does your organization have enough security budget to defend itself against current threats? 42% Yes No, we are little under budget No, we are severely hampered by a lack of funding Can you do spare some change? UBM survey of security professionals, June

29 TRAINING How comfortable are your staff? 5% 1% 8% 2% 33% 33% % 57% Sufficient Training Do you personally have enough training and skills to handle current threats and perform all of the security job functions that are required of you? Yes, I have all the skills I need to do my job No, I can manage most tasks but I could still use some training No, I feel ill-prepared for many of the threats or tasks I face each day What training? UBM survey of security professionals, June

30 UNDERSTANDING YOUR MSSP = BETTER FOR BUSINESS Keeping them up to date on regulation and security Measurables Watching the watchmen 30

31 TIME, NOT MONEY The business of community banking. Common understanding. On the page with priorities. Strategic planning. 31

32 KNOWING WHEN To say stop 32

33 CONCERNS Let s try it. 33

34 CONTACT ME ANNE BENIGSEN F V P I S & I T, B A N K E R S B A N K O F T H E W E S T abenigsen@bbwest.com 34