BOARD DIRECTOR CONCERNS ABOUT CYBER AND TECHNOLOGY RISK

Transcription

1 BOARD DIRECTOR CONCERNS ABOUT CYBER AND TECHNOLOGY RISK 5 September 2017 Rob Clyde, CISM, NACD Board Leadership Fellow Managing Director, Clyde Consulting LLC Vice-Chair, ISACA Executive Chair White Cloud Security Executive Advisor to BullGuard and HyTrust

2 Board of Director s View Source: NACD Board of Directors Survey 2

3 3

4 NACD Cyber Risk Oversight Handbook for Board Directors Five key principles for Board Directors: 1. Directors need to understand and approach cybersecurity as an enterprisewide risk management issue, not just an IT issue. 2. Directors should understand the legal implications of cyber risks as they relate to their company s specific circumstances. 3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular and adequate time on the board meeting agenda. 4. Directors should set the expectation that management will establish an enterprise wide cyber risk management framework with adequate staffing and budget. 5. Board management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach. 4

5 Where Has the Board Allocated Most Tasks Related to Cyber Risk? Source: NACD Public Company Governance Survey 5

6 Cyber Risk Oversights Board Practices Performed In Last 12 Months Source: NACD Public Company Governance Survey 6

7 Which Members of Management Report to The Board About State of Cybersecurity Source: NACD Public Company Governance Survey 7

8 Guidelines for Talking to the Board Give summary of good and bad news right up front (don t hold the punchline) Be clear and concise both in your discussion and the advance materials for board packet Be transparent and honest. Don t give unfounded assurances If you don t know something, say so and promise to get back to them Avoid low level tech speak and acronyms Use analogies to aid understanding for non cyber experts Articulate business impact, risk, mitigations and plans Clearly identify anything that requires board action or consideration Do not surprise your CEO brief CEO in advance 8

9 Advice in Preparing for Presenting to the Board Understand what the board wants to hear from you and what defines success? What is the big goal of your presentation? What is the takeaway you want board members to have (feel, say, do afterwards) When preparing metrics, you should answer key questions: Are we getting better or worse? Trends Are we in good or bad shape compared to our goals and/or industry benchmarks? Describe regulatory or IT audit concerns, risks, and mitigations Less is more: what should you leave out? Know your subject and recent big industry and cyber related news Practice with CEO or other executive and ask them for likely board questions If possible, get to know board members at social events or dinner before board meeting 9

10 Cyber Risk Heat Map Example (Retail Industry) Source: NACD Cyber Risk Oversight Director s Handbook 10

11 Example: Executive Risk Summary Dashboard (Financial Services Industry) Source: NACD Cyber Risk Oversight Director s Handbook 11

12 Example: Executive Risk Dashboard Business Unit Summary Source: NACD Cyber Risk Oversight Director s Handbook 12

13 Other Possible Board Level Metrics Mean time to detect an incident Mean time to respond to an incident Key 3 to 5 vulnerability metrics summarized over monthly or quarterly time periods Training and certification metrics (also show goals and trends) % security staff trained, % certified (CISM, CSX, CISSP, etc.) % IT security staff trained, % certified (CSX Fundamentals, etc.) % IT Audit staff trained, % certified (CISA) 13

14 Ransomware Exploding 14

15 Should The Board Authorize Paying Ransoms? What is your policy for paying a Ransom if your data or systems are held hostage by Ransomware? Who should authorize such a policy? Board? Board delegates this to management? Policy could indicate if and under what conditions a ransom might be paid and who should authorize it What are the ethical, reputational, and regulatory issues? 15

16 NACD Handbook on Basic Cybersecurity Controls Four basic cybersecurity controls effective in preventing 85% of cyber intrusions 1. Restricting user installation of applications ( whitelisting ) 2. Ensuring that operating system is pushed current updates 3. Ensuring software apps are regularly updated 4. Restricting administrative privileges App Control recommended as #1 Mitigation strategy Source: NACD Cyber Risk Oversight Director s Handbook 16

17 Next Generation Whitelisting trusted app technology Run only trusted apps or scripts Experts you trust Pull rather than push trust lists to ensure updates Handles application updates automatically Apps you trust Allow trust of applications, application families (e.g., Microsoft Office), or software publishers Crowdsourcing allow individuals and organizations to publish their own trusted app lists Software you trust Allow organization to control which lists to use Source: White Cloud Security 17

18 Impact of Technologies Board may not be aware of opportunity and risk for new technologies Don t just focus on security risk Opportunity and competitive risk of not adopting new technology may be even more significant Discuss how to mitigate security risks and safely adopt new technologies 18

19 Internet of Things Artificial Intelligence Quantum Computing Let s explore some technologies and how we might discuss the opportunities and risks at the board level. 19

20 Internet of Things (or sensors or everything) 8 Billion IoT Devices Today Source: BullGuard 2016 IoT Survey internet ofthings consummer security and privacyconcerns.html Gartner predicts 26 Billion IoT Devices by

21 Smart TVs as Spies? Keep track of what is watched? Listen to conversations in room? WikiLeaks claims CIA Weeping Angel covertly does this Video the room? Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition. Samsung Visio to pay $2.2M for collecting and selling customer data 21

22 Connected Cars Are at Risk Fiat Chrysler has issued a safety recall affecting 1.4m vehicles in the US, after security researchers showed that one of its cars could be hacked. On Tuesday, tech magazine Wired reported that hackers had taken control of a Jeep Cherokee via its internet connected entertainment system 22

23 Connected Cars Are at Risk As the researchers stated, the remote hacks likely work on all Tesla models, but on the parked Model S P85, the researchers remotely opened the sunroof, turned on the turn signal, and changed the position of the driver s seat. 23

24 24

25 FTC Charges D Link Put Consumers Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras Device-maker s alleged failures to reasonably secure software created malware risks and other vulnerabilities FOR RELEASE January 5, 2017 The Federal Trade Commission filed a complaint against Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary, alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers privacy at risk. 25

26 DEF CON: IoT Village Total of 113 vulnerabilities found in two DEF CON events 50 different devices 39 brand name manufacturers 75% of tested smart locks easily compromised (attacker can open) Source: breaches/iot village at def con 24 uncovers extensive security flaws inconnected devices/d/d id/

27 IoT data as evidence? Fitness devices indicate you are asleep and level of activity Smart thermostat detects when you leave home Smart home security detects when doors are unlocked and relocked Automotive telemetry used to detect when, where and how fast you drove Smart autos may record conversations in car Alexa and similar devices hear conversations 27

28 How Might You Discuss The Internet of Things with The Board? 28

29 29

30 What are AI and Machine learning? Source: Symantec, RSA 2017, Combatting Advanced Cybersecurity Threats with AI and Machine Learning 30

31 Example Machine Learning: Pedestrian Detection 62% of IT and Cybersecurity professionals think AI will increase security risk AI: A self driving car 31 Source: Symantec, RSA 2017, Combatting Advanced Cybersecurity Threats with AI and Machine Learning, ISACA 2016 State of Cybersecurity Survey 31

32 DARPA Cyber Grand Challenge at DEFCON teams competing with individual supercomputers with Machine Learning programs Attacking other systems and defending your own Mayhem took the top prize of $2M Is the future of hacking AI? Is the future of cyber defense AI? 32

33 33

34 How Might You Discuss AI and Machine Learning with The Board? 34

35 Quantum Computing May Break Today s Encryption Source: D Wave Systems Source: IBM 35

36 36

37 U.S. NIST Post Quantum Crypto project At risk from Quantum attack: Public key Block chain Digital signature creation and validation Project to develop quantumresistant cryptography Also see: quantum crypto/ 37

38 How Might You Discuss Quantum Computing with The Board? 38

39 Conclusion Realize that most boards: are very concerned about cybersecurity are not very confident about their organization s cyber risk Make sure you understand the business Learn how to talk about cyber risks and security at board level Understand that opportunity of competitive risk may be bigger than cyber risk Learn about new technologies and their potential impact Avoid just saying no or becoming a roadblock that slows growth and progress Enable safely adopting new technologies and processes 39

40 Questions? 40

41 Rob Clyde, CISM, NACD Board Leadership Fellow Board of Directors, ISACA International Executive Chair, Board of Directors, White Cloud Security Managing Director, Clyde Consulting LLC Executive Advisor to BullGuard and HyTrust Web Site: 41