The new cybersecurity operating model
Help your organization become more resilient and reach its business goals.
slalom.com

Struggling to meet security goals

While the digital economy is providing major opportunities to lower costs, increase revenue, and improve customer satisfaction, it's also drastically exposing businesses to more inventive and advanced cyber attacks. This is why many companies are investing large amounts of money and resources to develop comprehensive cybersecurity roadmaps. In fact, Gartner predicts that the global spend on security will increase to $93 billion in [year omitted]. Yet many companies are failing to meet their security goals. Why? In many cases, security organizations fail to evolve their structure and how they operate to support corporate goals. In these cases, information security (infosec) isn't a part of corporate strategy or a business enabler; it's just a supporting function and shared service.

So how do you create a security operating model that makes your company more resilient and supports your business goals? By strategically building and managing infosec's relationship to the business. Here are the five key principles of a security operating model that will enable your organization to do just that.

1. Extend shared ownership of cyber risks across the business

Business stakeholders and asset owners often share the same view: that the infosec team is responsible for managing security risks and protecting digital assets across the entire enterprise. However, this belief instills the wrong behaviors and culture, leaving employees with a limited understanding of cyber risks and how they're managed. And if employees don't understand risk management, the broader organization can't effectively manage cyber risks. In addition to leading by example, infosec leaders have the opportunity to define leadership, education, and communication strategies that promote shared responsibility and high performance around specific behaviors.

Create a function dedicated to security awareness and training

It should become a daily habit for every employee to help protect their organization against cybersecurity threats. To create this habit, they need education and training delivered in a way that sticks with them. Create a dedicated function to educate employees, contractors, and leaders across your entire enterprise on their security responsibility. These education campaigns should be a combination of communication and training tailored to different audiences.

Security awareness trainings are often taken online, very quickly, and immediately forgotten. Instead, organizations should incorporate gamification, like rewards and competition, into trainings and tailor the training to change specific behaviors. It's also important to develop processes to deliver cohesive and regular communication, to avoid information overload and to confirm that the new trainings work. As this function matures and the level of risk awareness increases, test campaigns must become more and more sophisticated to continually improve security and risk awareness.

Incorporate risk awareness trainings

Going a step further, infosec leaders should conduct risk awareness trainings for the most eager employees. These prompt employees to identify which activities have the highest likelihood of risks resulting in adverse events, and how to prioritize by impact. By tailoring awareness trainings to incorporate risk, security leaders can help employees think in terms of problem-solving and identifying risk, not just memorizing what actions not to take. Employees can't own risks if they don't understand how risk management works. Once they start thinking about risks, however, they begin enforcing the right security behaviors and culture.

2. Promote the role of infosec within the enterprise

Typically, infosec is seen as a technology topic. The infosec program is embedded within IT, performing tactical and operational activities often centered around compliance management. But this type of structure limits the organizational reach of infosec leaders and hinders their capacity to directly engage and collaborate with the business. The absence of business engagement has a direct impact on the ability to develop an infosec program and strategy that's tailored to support business requirements. It also creates a lack of executive awareness and support, which makes it harder for infosec leaders to elevate cybersecurity issues to the C-suite.

It's important to develop a stand-alone infosec program that promotes the role of the infosec organization across the C-suite and the broader enterprise, ensuring that cybersecurity risks are fully assessed, understood, and considered as top strategic issues directly reported to the board. Infosec capabilities can therefore be aligned to the strategic priorities, which in return increases leadership understanding and sponsorship of the investments required to manage security risks. Organizations should treat cybersecurity risks the same way they do other critical business risks: by frequently briefing the C-suite on cybersecurity issues so they can make informed risk decisions. In addition, executive oversight and sponsorship should focus enterprise attention and effort on cybersecurity issues by providing adequate resources (e.g., budget) to implement and monitor a comprehensive infosec strategy.

In the last few years, a proliferation of materials and guidance has surfaced to engage boards on cybersecurity topics. For example, the National Association of Corporate Directors (NACD) releases guidance on board cybersecurity leadership. One of its guiding principles explains that organizations should approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. Sharing these resources and tips with executives will help infosec teams get executive sponsorship for their efforts.

3. Move from a compliance management to a strategic advisory role

Security, compliance, and risk are three discrete efforts, but they are often conflated under the same program. When not communicated correctly to the rest of the organization, they can all feel like compliance. If organizations drive their security and risk initiatives from a compliance perspective, the program takes on a requirements-heavy approach, which won't necessarily increase security resilience. When a risk-based approach drives security initiatives, resource alignment is more likely to be well balanced, because it focuses on the high-priority risks. It's also easier for employees across the rest of the business to understand why some security activities are more important than others. Moving to a risk-based approach isn't a new concept, but organizations still struggle with realigning traditional security efforts within this context.

Organizations that strike the balance well frame their infosec organizations as consultative practices that support the rest of the business. Like any consultant, however, infosec has to resist the temptation to give guidance or instructions without taking the time to understand the complexity of the business drivers. The ideal result of a consultative practice is an organization that is able to strategically manage security risk. It can also identify and communicate clear justifications for accepting certain risks in its environment, and organize teams and resources to address its most critical risks first. Security is included as a requirement alongside other functional requirements for application builds and design sprints. And the business starts to internalize that products are brittle and may incur technical debt unless security becomes part of the design.

So how does infosec become a strategic advisor to the rest of the business? First, infosec must accept that its role is to help the business build and run. Infosec must understand where security goals differ from the goals of development teams or infrastructure teams. Infosec should work with business units to map enterprise security risks to the organizations and specific roles that will become partners in owning those risks. This change is an outgrowth of executive and often board-level involvement to set the tone and priorities around cyber risk as part of an organization's larger business risk management programs.

4. Empower external engagement

Infosec needs to be able to clearly articulate its narrative (i.e., mission, direction, and strategic objectives) to elicit action from its stakeholders. The cybersecurity and technology landscape is changing so quickly that an organization should have a strategy for how it wants its security approach to be seen and perceived, and for driving industry relations among other external business partners and stakeholders. One of the most powerful ways an organization can share its security priorities and influence others is through engaging external partners, like universities, research labs, and industry groups.

Organizations in highly regulated spaces can find themselves in victim mode, struggling to understand new policies and regulatory requirements, and pushing back against regulators. Organizations that provide critical infrastructure services may also be the target of orchestrated attack campaigns occurring across entire industries. This can create a reactive security culture, where infosec gets in the habit of scrambling to respond to new requirements and therefore struggles to keep up with competitors and peers.

Also, organizations may have some resources set aside to buy memberships in information sharing and analysis centers (ISACs) and participate in conferences, but may not always have a strategy behind the spend. The result is minimal understanding of the effect these investments have on the rest of the organization. To combat this, create a specific security engagement function for addressing this reactive versus proactive struggle.

Establish a dedicated function, whether it's part of one person's job description or a small team within infosec, to create a strategy for driving external priorities and influencing sector-wide policies and regulations. Being able to show a return on investment is key to the success of the external engagement function. To make engagement successful, infosec must define its desired engagement outcomes for each stakeholder, and how those goals support the vision of the broader organization and the infosec function. By conducting rigorous stakeholder analysis to identify barriers and mutual opportunities, infosec can then prioritize which stakeholders it needs to spend the most time influencing, partnering with, or educating.

For example, we worked with a leading utility company to perform a detailed external stakeholder assessment. We reviewed over 30 stakeholders, ranging from government and regulatory agencies to research institutes, based on defined assessment criteria and scoring metrics. The results of the assessment were used to define the overall engagement strategy, enabling the infosec team to lead and influence security discussions and activities across the industry in the U.S.

5. Enable business integration and cross-functional collaboration

Risk and security management capabilities should be distributed and embedded within the enterprise. Specifically, infosec professionals should be dedicated to one or multiple business units while remaining part of a central infosec team. This creates greater cross-functional integration and enables the entire enterprise to be aligned on top security risks. Infosec can then take an active role in strategic planning activities, strengthening organizational alignment by understanding and supporting the broader business roadmap and helping align it to the company's risk tolerance.

When infosec and the business are aligned, it benefits both. Business units get dedicated security resources that understand their strategic objectives and business needs, and security can deepen its business integration, providing security solutions that fulfil both risk management and business strategies. For example, assigning a security engineer to support web development or security devices in distributed retail stores helps that individual develop trusted relationships and learn critical requirements at a detailed level. This level of knowledge then enables him or her to provide more targeted support and advocate for that group within infosec. It also enables security requirements to be included in product design meetings, sprint plans, or strategic roadmaps.

However, many organizations don't have the capacity within the security team to focus on several lines of business. When this is the case, organizations can still create assignments for security team members to focus on specific parts of the business and develop deeper specialties in those areas. They can also look into supplementing security teams with volunteers, security champions from parts of the business who want to maintain an open channel of communication with the infosec team and start to spread best practices within their own teams as their level of security knowledge grows. Because different parts of the business move forward at different speeds, distributing risk and security responsibility across the organization and equipping teams to feel that they own their own risks becomes crucial to meeting the challenge of under-resourced security teams.

Success: How do you know if it's working?

The ultimate goal of this new security operating model is to achieve a greater level of integration between infosec and the business. As organizations pursue this goal, they have to reach a greater level of transparency and performance reporting to prove that the new model is effectively managing risk. Organizations starting out with traditionally siloed infosec groups can begin with simple engagement metrics as infosec seeks to partner better with the business. These metrics can track the degree of proactive outreach from the business to infosec for questions and consultation, and where in the project (or product) lifecycle these forms of outreach occur.

Ultimately, effective metrics depend on data quality and meaningful reduction in risk. But unfortunately, the most compelling metrics around risk reduction often can't be tracked because the data is too difficult to collect. Organizations can start with an exercise of identifying what data is available, how reliable it is, and the level of effort required to remediate data availability and quality issues. This exercise is valuable for infosec to understand the overall health of the data landscape it relies on to perform its duties. It can also be used as a catalyst to drive accountability from asset owners to increase overall data quality. As your infosec team matures and adopts the new operating model, it has to continually review and assess metrics to ensure their relevance in decision-making and to track business outcomes, such as risk mitigation and security awareness.

A win for security and the business

Too many industries are vulnerable to cyber attacks for employees to not think about protecting company assets, and too many businesses see their time-to-market delayed by security reviews for infosec to avoid partnering with the business. Infosec teams should invest in better internal and external partnerships: internally, to ensure the longevity and success of the company, and externally, to glean important cybersecurity information and influence the broader security landscape to drive changes in regulations, policies, research, standards, and frameworks development. The result: organizations that will be able to reach their business goals faster and more securely than ever before.

About the author

Raph Casadel is a solution principal within Slalom's business advisory services practice in San Francisco. Raph has over eight years of international management consulting experience translating broad organizational vision into how businesses should be structured and operate to meet their strategic objectives. He's passionate about building effective organizational change through operating model design and implementation. Adrienne Allen, who is no longer with Slalom, co-wrote this piece.

About Slalom

Slalom is a purpose-driven consulting firm that helps companies solve business problems and build for the future, with solutions spanning business advisory, customer experience, technology, and analytics. We partner with companies to push the boundaries of what's possible together. Founded in 2001 and headquartered in Seattle, WA, Slalom has grown organically to over 5,000 employees. We were named one of Fortune's 100 Best Companies to Work For in 2018 and are regularly recognized by our employees as a best place to work. You can find us in 27 cities across the U.S., U.K., and Canada. Learn more at slalom.com

Slalom, LLC. All rights reserved.
More informationDemystifying GRC. Abstract
White Paper Demystifying GRC Abstract Executives globally are highly focused on initiatives around Governance, Risk and Compliance (GRC), to improve upon risk management and regulatory compliances. Over
More informationDATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI
DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI EXECUTIVE SUMMARY The shortage of cybersecurity skills Organizations continue to face a shortage of IT skill
More informationASHRAE. Strategic Plan STARTING APPROVED BY ASHRAE BOARD OF DIRECTORS JUNE 24, 2014
ASHRAE Strategic Plan STARTING 2014 APPROVED BY ASHRAE BOARD OF DIRECTORS JUNE 24, 2014 2 ASHRAE Strategic Plan STARTING 2014 INTRODUCTION ASHRAE has committed to a strategic planning process designed
More informationPanelists. Moderator: Dr. John H. Saunders, MITRE Corporation
SCADA/IOT Panel This panel will focus on innovative & emerging solutions and remaining challenges in the cybersecurity of industrial control systems ICS/SCADA. Representatives from government and infrastructure
More informationDATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE
DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE EXECUTIVE SUMMARY ALIGNING CYBERSECURITY WITH RISK The agility and cost efficiencies
More informationIncident Response Services to Help You Prepare for and Quickly Respond to Security Incidents
Services to Help You Prepare for and Quickly Respond to Security Incidents The Challenge The threat landscape is always evolving and adversaries are getting harder to detect; and with that, cyber risk
More informationSecuring the Internet of Things (IoT) at the U.S. Department of Veterans Affairs
Securing the Internet of Things (IoT) at the U.S. Department of Veterans Affairs Dominic Cussatt Acting Deputy Assistant Secretary / Chief Information Security Officer (CISO) February 20, 2017 The Cyber
More informationSupporting the Cloud Transformation of Agencies across the Public Sector
SOLUTION SERVICES Supporting the Cloud Transformation of Agencies across the Public Sector BRIEF Digital transformation, aging IT infrastructure, the Modernizing Government Technology (MGT) Act, the Datacenter
More informationPAIN AND PROGRESS THE RSA CYBERSECURITY AND BUSINESS RISK STUDY
WHITEPAPER PAIN AND PROGRESS THE RSA CYBERSECURITY AND BUSINESS RISK STUDY CONTENTS Executive Summary........................................ 3 The Cybersecurity and Business Risk Survey..........................
More informationInformation Security Continuous Monitoring (ISCM) Program Evaluation
Information Security Continuous Monitoring (ISCM) Program Evaluation Cybersecurity Assurance Branch Federal Network Resilience Division Chad J. Baer FNR Program Manager Chief Operational Assurance Agenda
More informationImproving Data Governance in Your Organization. Faire Co Regional Manger, Information Management Software, ASEAN
Improving Data Governance in Your Organization Faire Co Regional Manger, Information Management Software, ASEAN Topics The Innovation Imperative and Innovating with Information What Is Data Governance?
More informationISAO SO Product Outline
Draft Document Request For Comment ISAO SO 2016 v0.2 ISAO Standards Organization Dr. Greg White, Executive Director Rick Lipsey, Deputy Director May 2, 2016 Copyright 2016, ISAO SO (Information Sharing
More informationContinuous protection to reduce risk and maintain production availability
Industry Services Continuous protection to reduce risk and maintain production availability Managed Security Service Answers for industry. Managing your industrial cyber security risk requires world-leading
More informationCyber Risks in the Boardroom Conference
Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks
More informationHow to Underpin Security Transformation With Complete Visibility of Your Attack Surface
How to Underpin Security Transformation With Complete Visibility of Your Attack Surface YOU CAN T SECURE WHAT YOU CAN T SEE There are many reasons why you may be considering or engaged in a security transformation
More informationEnterprise GRC Implementation
Enterprise GRC Implementation Our journey so far implementation observations and learning points Derek Walker Corporate Risk Manager National Grid 1 Introduction to National Grid One of the world s largest
More informationCredit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank
Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank Introduction The 6,331 credit unions in the United States face a unique challenge when it comes to cybersecurity.
More informationGoverning cyber security risk: It s time to take it seriously Seven principles for Boards and Investors
www.pwc.co.uk Governing cyber security risk: It s time to take it seriously Seven principles for Boards and Investors Dr. Richard Horne Cyber Security Partner PwC January 2017 Board governance is often
More informationTurning Risk into Advantage
Turning Risk into Advantage How Enterprise Wide Risk Management is helping customers succeed in turbulent times and increase their competitiveness Glenn Tjon Partner KPMG Advisory Presentation Overview
More informationProfessional Services for Cloud Management Solutions
Professional Services for Cloud Management Solutions Accelerating Your Cloud Management Capabilities CEOs need people both internal staff and thirdparty providers who can help them think through their
More informationState Governments at Risk: State CIOs and Cybersecurity. CSG Cybersecurity and Privacy Policy Academy November 2, 2017
State Governments at Risk: State CIOs and Cybersecurity CSG Cybersecurity and Privacy Policy Academy November 2, 2017 About NASCIO National association representing state chief information officers and
More informationState of South Carolina Interim Security Assessment
State of South Carolina Interim Security Assessment Deloitte & Touche LLP Date: October 28, 2013 Our services were performed in accordance with the Statement on Standards for Consulting Services that is
More informationThe challenges of the NIS directive from the viewpoint of the Vienna Hospital Association
The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association page 1 Cybersecurity Strategy Essential Points The norms, principles and values that the City of Vienna and the
More informationThe value of visibility. Cybersecurity risk management examination
The value of visibility Cybersecurity risk management examination Welcome to the "new normal" Cyberattacks are inevitable. In fact, it s no longer a question of if a breach will occur but when. Cybercriminals
More informationSecuring the User: Winning Hearts & Minds to Drive Secure Behavior
Securing the User: Winning Hearts & Minds to Drive Secure Behavior Thomas Skill, CIO University of Dayto Spencer Mott, CIO-CISO Amg Dawn Sherizad, product manager of security, Macy Eleanor Dallaway, Editor
More informationIT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18
Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are
More information2014 Sector-Specific Plan Guidance. Guide for Developing a Sector-Specific Plan under NIPP 2013 August 2014
2014 -Specific Plan Guidance Guide for Developing a -Specific Plan under NIPP 2013 August 2014 How to Use this Guidance This page provides a roadmap to assist critical infrastructure partners in navigating
More informationMoving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification
A CLOSER LOOK Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification A major cybersecurity event can dissolve millions of dollars in assets and tarnish even the strongest company
More informationSOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)
SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP) Adaptive Cybersecurity at the Speed of Your Business Attackers Evolve. Risk is in Constant Fluctuation. Security is a Never-ending Cycle.
More informationFOR FINANCIAL SERVICES ORGANIZATIONS
RSA BUSINESS-DRIVEN SECURITYTM FOR FINANCIAL SERVICES ORGANIZATIONS MANAGING THE NEXUS OF RISK & SECURITY A CHANGING LANDSCAPE AND A NEW APPROACH Today s financial services technology landscape is increasingly
More informationSTRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government
ATIONAL STRATEGY National Strategy for Critical Infrastructure Government Her Majesty the Queen in Right of Canada, 2009 Cat. No.: PS4-65/2009E-PDF ISBN: 978-1-100-11248-0 Printed in Canada Table of contents
More informationCYBERSECURITY RESILIENCE
CLOSING THE IN CYBERSECURITY RESILIENCE AT U.S. GOVERNMENT AGENCIES Two-thirds of federal IT executives in a new survey say their agency s ability to withstand a cyber event, and continue to function,
More informationBest Practices in Securing a Multicloud World
Best Practices in Securing a Multicloud World Actions to take now to protect data, applications, and workloads We live in a multicloud world. A world where a multitude of offerings from Cloud Service Providers
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationMedical Device Cybersecurity: FDA Perspective
Medical Device Cybersecurity: FDA Perspective Suzanne B. Schwartz MD, MBA Associate Director for Science and Strategic Partnerships Office of the Center Director (OCD) Center for Devices and Radiological
More information13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b)
AGENDA ADDENDU TE REGULAR EETING OF TE AUDIT COITTEE COITTEE PUBLIC SESSION Tuesday, June 6, 2017 6:30 P.. Pages 13. Staff Reports 13.f Toronto Catholic District School Board's IT Strategic Review - Draft
More information2 The IBM Data Governance Unified Process
2 The IBM Data Governance Unified Process The benefits of a commitment to a comprehensive enterprise Data Governance initiative are many and varied, and so are the challenges to achieving strong Data Governance.
More information2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT
2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT THYCOTIC 2018 GLOBAL CHANNEL PARTNER SURVEY Channel Partner survey highlights client cybersecurity concerns and opportunities for
More informationToday s cyber threat landscape is evolving at a rate that is extremely aggressive,
Preparing for a Bad Day The importance of public-private partnerships in keeping our institutions safe and secure Thomas J. Harrington Today s cyber threat landscape is evolving at a rate that is extremely
More informationRe: McAfee s comments in response to NIST s Solicitation for Comments on Draft 2 of Cybersecurity Framework Version 1.1
January 19, 2018 VIA EMAIL: cyberframework@nist.gov Edwin Games National Institute of Standards and Technology 100 Bureau Drive, Mail Stop 8930 Gaithersburg, MD 20899 Re: McAfee s comments in response
More informationSales Presentation Case 2018 Dell EMC
Sales Presentation Case 2018 Dell EMC Introduction: As a member of the Dell Technologies unique family of businesses, Dell EMC serves a key role in providing the essential infrastructure for organizations
More informationNational Policy and Guiding Principles
National Policy and Guiding Principles National Policy, Principles, and Organization This section describes the national policy that shapes the National Strategy to Secure Cyberspace and the basic framework
More informationNavigating the Clouds Fortifying ITIL for Cloud Governance
Navigating the Clouds Fortifying ITIL for Cloud Governance DECEMBER 2011 Cloud adoption promises to be an interesting journey for an enterprise with its luring benefits of on-demand models enabling faster
More information