The Business Value of including Cybersecurity and Vendor Risk in ERM
1 The Business Value of including Cybersecurity and Vendor Risk in ERM
Yo Delmar, Vice President, Customer Engagement, MetricStream
RMA GCOR XI, April 4-5, 2017, Hyatt Regency, Cambridge, MA. Tuesday, 2:30 pm
2 Challenge
Risk leaders must bring visibility and encourage meaningful dialogue around the size, scale and scope of the most urgent risks facing their organizations.
3 Need
Programs that align directly with strategic objectives and address not only risks, but also opportunities for competitive advantage, add tremendous value to the business.
4 Let's Look
At how emerging risks from vendors and cybersecurity in the 'extended enterprise' hit business value at its center and demand inclusion in ERM programs.
5 Vendor and Cyber Risk Directly Impact Business Performance
Diagram: vendor risks and cyber risks mapped onto business risks across the risk domains contractual risk, financial stability, disruption, transaction/operational, reputation, IT security, geo-political and compliance.
6 Losses Due to Vendors
Has your organization experienced a significant risk exposure due to a third party in the last 18 months? Pie chart of Yes/No responses (21% and 79%). Loss incidents of 5 respondents were greater than $10 million.
Source: MetricStream Research
7 What was the loss impact in U.S. dollars? / Please rate the impact of the risk exposure
Two pie charts. Loss impact categories: Less than $1 million; $1 million to $10 million; Greater than $10 million; Don't know. Impact rating categories: High; Medium; Low; Don't know. Values shown: 8.3%, 25.0%, 25.0%, 41.7% and 8.3%, 8.3%, 25.0%, 58.3%.
Source: MetricStream Research
8 Cyber Risk
Source: MetricStream Research
9 Number of Cyberattacks
Number of cybersecurity attacks faced by your organization within the past 12 months? Unknown 33.8%; other bins shown: 14.7%, 16.2%.
Are these attacks increasing or decreasing compared to previous years? Increasing 55.9%; Decreasing 2.9%; About the same 14.7%; Unknown 22.1%; Others 4.4%.
66.2% of the organizations have faced at least one cybersecurity attack within the last year. 33.8% are unaware of the number of attacks faced. Attacks have increased in the past year for 56% of the organizations.
Source: MetricStream Research
10 Recent Attacks Which Concern the Most
With respect to your cybersecurity readiness, which of the following major cyber attacks that occurred within the past year concern you the most? Options: SWIFT system attacks; Morgan Stanley; Dow Jones; Wells Fargo; Scottrade; Carbanak; Others. Values shown: 7.4%, 10.3%, 10.3%, 13.2%, 13.2%, 19.1%, 26.5%. Recent SWIFT system attacks concern most of the organizations.
Source: MetricStream Research
11 1st of 3 Key Questions: Let's Dive a Little Deeper
Where Do Vendor and Cyber Risk Sit in the Risk Program? Where does vendor and cyber risk sit in the overall program? Who is responsible for it? Where is key information?
How Do We Measure and Respond to Risk? What parameters are important? How often to measure? How do we respond to and learn from incidents?
What Is the Business Value and How Can We Improve? How may vendor or cyber risk derail our business strategy? How can we measure value? How can we rapidly mature to improve business performance?
12 Does your enterprise have a dedicated third party risk management (TPRM) function?
Overall: Yes/No split of 44.3% and 55.7%. Bar chart by company size: 251-5,000 employees; 5,001 and greater.
Source: MetricStream Research
13 Is third-party risk management in your enterprise currently included within other risk management or compliance programs?
Bar charts, overall and by company size (251-5,000 employees; 5,001 and greater), for: Enterprise risk management; IT risk management; Compliance management; Business continuity management; Anti-bribery.
Source: MetricStream Research
14 Cybersecurity Managed as a Component of ERM
Is cybersecurity a formal part of the enterprise risk management program for your organization? Yes 91.2%; No 7.4%. Cybersecurity is a part of the ERM program for more than 90% of the organizations.
Source: MetricStream Research
15 Scope of the Cybersecurity Program
Is the scope of your cybersecurity program internal or does it cover third parties as well? Includes third parties 70.6%; Internal to the organization and Unsure/Don't know account for the remaining 20.6% and 8.8%. For 71% of the organizations, the scope of their cybersecurity program covers third parties as well.
Source: MetricStream Research
16 Reporting for Cybersecurity Function
To which organization does the cybersecurity function report directly? Office of the CSO or CISO 55.9%; Office of the Chief Risk Officer 20.6%; Senior leadership (CEO or CFO) 11.8%; Board of Directors 5.9%. For the majority of organizations (56%), the cybersecurity function reports to the CSO/CISO.
Source: MetricStream Research
17 Board/CEO Involvement
What level of involvement do the board of directors and CEO have in your cybersecurity program? (7 = highly involved, 1 = not involved) Bar chart of Board Involvement and CEO Involvement by rating level.
Source: MetricStream Research
18 Who within your organization is ultimately responsible for third party risk management?
Chief Risk Officer 32%; Other 18%; Chief Compliance Officer 16%; Chief Information Security Officer 12%; Chief Procurement Officer 10%; Chief Information Officer 5%; Chief Legal Officer 4%; Corporate Audit Executive 3%.
Source: MetricStream Research
19 Which of the following best describes your third party repository?
Bar chart by company size (251-5,000 employees; 5,001 and greater) with the options: Comprehensively covers all third parties for all regions and business functions in the enterprise; Inconsistently covers some third parties, but not others; Is tailored to a specific set of third parties or a specific business function, but does not cover all third parties of the enterprise; Other.
Source: MetricStream Research
20 2nd of 3 Key Questions: Let's Dive a Little Deeper
How Do We Measure and Respond to Risk? What parameters are important? How often to measure? How do we respond to and learn from incidents?
21 What are the most significant criteria for determining whether to place a third party in the highest risk tier?
Critical component or service 71%; Potential for disruption to operations 55%; Regulatory requirement 41%; Spend and Limited availability of alternative sources 31% and 28%; Country risks 12%; Size of company, Other, and We do not risk tier third parties 5%, 5% and 3%.
Source: MetricStream Research
22 Which risk parameters are most important when evaluating third parties?
Parameters in the order charted: Data protection/privacy; Financial viability; Ability to maintain service levels; Regulatory compliance requirements; IT security; Business continuity risks; Vendor's management (experience, turnover); Vendor's regulatory and legal environment; Additional vendors in the vendor's supply chain; Business model compatibility; Vendor's employees; Geopolitical environment; Trustworthiness of public disclosures; Architectural compatibility; Currency fluctuations. Values shown: 67%, 59%, 59%, 57%, 57%, 45%, 33%, 19%, 16%, 12%, 9%, 5%, 3%, 3%, 2%.
Source: MetricStream Research
23 How often do you assess third parties in various risk tiers?
Overall chart by tier (highest, second highest, third and lower) with the response options At least monthly, At least quarterly, At least yearly, Never, Other. Breakdown by company size:

Highest risk tier            251-5,000 employees   5,001 and greater
At least monthly             4%                    24%
At least quarterly           33%                   16%
At least yearly              50%                   52%
Never                        0%                    0%
Other                        13%                   8%

Second highest risk tier     251-5,000 employees   5,001 and greater
At least monthly             0%                    12%
At least quarterly           8%                    24%
At least yearly              54%                   48%
Never                        4%                    0%
Other                        33%                   16%

Third highest risk tier      251-5,000 employees   5,001 and greater
At least monthly             0%                    12%
At least quarterly           4%                    4%
At least yearly              42%                   48%
Never                        4%                    12%
Other                        50%                   24%

Source: MetricStream Research
24 Does your organization perform continuous monitoring of third parties? (Overall)
Yes, all parties, all the time 34.5%; Some (only highest risk third parties) 27.6%; Occasionally (inconsistently applied) 25.9%; No 8.6%; Don't know 3.4%.
Source: MetricStream Research
25 Actors Compromised in an Attack
Which of the following actors were compromised in your organization during an attack? Employees (current & former) 48.5%; Customers 22.1%; Other third parties (consultants, vendors, etc.), Partners, IT service providers and Suppliers 13.2%, 11.8%, 10.3% and 8.8%. Primary sources for cyber attacks: employees, customers, partners, suppliers and other third parties.
Source: MetricStream Research
26 After an incident, what measures have been taken to prevent future risk incidents?
Bar chart of: Collaborate with the third party; Re-assess the risk of the third party; Modify contract terms; Increase the frequency of assessments; Reduce business volume; Temporarily suspend business relationship; Terminate the business relationship.
Source: MetricStream Research
27 Readiness to Share Cybersecurity Information
How prepared is your enterprise to share cybersecurity information with government agencies/regulators, and others in the industry? Response options: Unprepared; Somewhat prepared; Prepared; Already sharing. Already sharing: 17.9% (government agencies/regulators), 11.9% (others in the industry). Other values shown: 50.7%, 38.8%, 35.8%, 31.3%, 7.5%, 6.0%.
75% of the organizations are either prepared or somewhat prepared to share their cybersecurity information with the government, but only 18% are already doing so. 82% of them are either prepared or somewhat prepared to share this information with their peers in the industry, but only 12% are already doing so.
Source: MetricStream Research
28 Cyber Security Program Maturity
Source: MetricStream Research
29 3rd of 3 Key Questions: Let's Dive a Little Deeper
What Is the Business Value and How Can We Improve? How may vendor or cyber risk derail our business strategy? How can we measure value? How can we rapidly mature to improve business performance?
30 The Business Value Balancing Act
Cost/benefit balance diagram with the labels Direct, Risk, People, Failures, Efficiencies, Governance, Opportunity and Future Ready. Cost is difficult to calculate; benefits are difficult to see.
Why building a business case for GRC is complicated:
Bad news is big news. When a GRC program fails it gains higher visibility and impacts brand value/reputation, an impact which is difficult to quantify.
No news is good news. When an effective GRC program is in place it operates seamlessly without hindering the business of the organization.
31 Seven Steps to Business Value
1. Strategic Alignment; 2. Needs; 3. Readiness; 4. Value; 5. Roadmap; 6. Investments; 7. Accrued Benefits.
Business value ultimately depends on the vision and scope of the GRC program, organizational readiness and speed of deployment. The goal of most organizations is to optimize business value by choosing the level of investments across a portfolio of initiatives that support strategic objectives.
32 1. Align with Strategic Objectives
Identify the organization's strategic goals. Identify the values which are critical to strategic goal achievement. Identify key risks to the enterprise goals, objectives and values. Articulate business objectives for every level of the organization. Identify risks to business objectives at each level of the organization.
Diagram: risks identified at the enterprise, business unit and business levels.
33-34 2. Understand and Prioritize Needs
* See OCEG CRO at the Center
35 3. Measure Maturity and Readiness
36 4. Value: The Benefit Side
Benefit quadrants: 1 Risk (align to performance goals; risk identification, analysis, intelligence; losses; remediation); 2 Efficiencies; 3 Governance; 4 Domains. Items shown: rationalized controls; redundancy; rationalize systems; decision making; culture; reporting; agility; cycle time; personnel and systems streamlining; resource allocation; scale efficiencies.
37 4. Value: The Cost Side
Cost quadrants: 1 Direct (consulting services; hardware and software cost; implementation and support cost); People; Failures; Opportunity. Items shown: direct personnel cost; contributors from business; management effort; reporting cost; staff for support; regulatory fines; business interruption losses; market cap erosion; fraud related losses; losses due to risk blindness; missed opportunities; misaligned strategy; poor business risk management.
38 5. Roadmap
Consider time to value on the roadmap: Governance and Plan; Applications Portfolio; Eco-system Integration Considerations; App Considerations; Platform Considerations.
39 6. Investments: Make the Case
40 7. Accrue Realized Benefits
Cycle: Business Case; Continuous Improvement; Continuous Rollout; Realized Benefits.
41 A Little Bit About Automation... Then Recommendations
42 For what purposes would you apply (or are applying) a third party risk management software solution? (Average rating)
On-boarding and due diligence of third parties; Tracking vendor KPIs and KRIs; Manage contracts, track compliance to contracts; Create a single system of vendors across the enterprise; Proactively identify and mitigate risks; Replace old or home-grown solutions; Avoid spreadsheet chaos; Improve visibility across the extended value chain; Ensure compliance to regulations; Ensure business continuity.
Source: MetricStream Research
43 What technology do you use for third party risk management? (select all that apply)
Bar chart of: Office productivity software (e.g., spreadsheets); Knowledge management software (e.g., SharePoint); In-house built software; Third party risk management software on a GRC platform; Third party risk management software on a procurement platform; Niched third party risk management software; Other (please explain).
Source: MetricStream Research
44 Tools Utilized to Combat Cybersecurity Risk
What tools do you utilize in your cybersecurity program? Vulnerability management 82.4%; IT risk management 79.4%; Business continuity management 79.4%; Security information and event management 70.6%; Multi-factor authentication, Threat intelligence and IT GRC 63.2%, 51.5% and 38.2%. Some of the most commonly used tools are for vulnerability management (82.4%), IT risk management (79.4%), business continuity management (79.4%), and security information and event management (70.6%).
45 Standards Adopted for Cybersecurity
Which standards have you adopted to manage cybersecurity risk? Options: NIST Cybersecurity Framework; ISO 27001/27002; COBIT; FFIEC Cybersecurity Assessment Tool; SANS CIS Critical Security Controls; COSO; ISF Standard of Good Practice; RFC. Values shown: 45.6%, 45.6%, 42.6%, 30.9%, 27.9%, 25.0%, 13.2%, 2.9%. NIST Cybersecurity Framework and ISO 27001/27002 are the two most widely adopted standards for managing cybersecurity risk.
46 Aligning Vendor and Cyber Risks with ERM Programs
Top-down approach: identify which vendors and assets are critical to achieving business objectives.
Bottom-up approach: identify risks to the systems, assets and data the vendor supports; identify vendor personnel risks; track KPIs and vendor KRIs; assess how vendor and cyber risks impact the business objective KPIs.
Promote business value: show how the program improves business performance (disruption of operations, regulatory risks, social storms, privacy and data protection, FCPA).
Logical integration: identify business processes and the risk relationships the vendor presents to IT and enterprise risks.
47 Thank you
More informationCISM Certified Information Security Manager
CISM Certified Information Security Manager Firebrand Custom Designed Courseware Logistics Start Time Breaks End Time Fire escapes Instructor Introductions Introduction to Information Security Management
More informationOracle Buys Automated Applications Controls Leader LogicalApps
Oracle Buys Automated Applications Controls Leader LogicalApps To strengthen Oracle s Governance, Risk and Compliance Suite with Real-time Policy Enforcement October 26, 2007 Disclaimer The following is
More informationBuilding YOUR Privacy Program: One Size Does Not Fit All. IBM Security Services
Building YOUR Privacy Program: One Size Does Not Fit All Justine Gottshall Partner, InfoLawGroup, LLP Chief Privacy Officer, Signal Jgottshall@infolawgroup.com Adam Nelson Executive Consultant Global Data
More informationwhitepaper How to Measure, Report On, and Actually Reduce Vulnerability Risk
whitepaper How to Measure, Report On, and Actually Reduce Vulnerability Risk Assure the board your company won t be the next data breach Introduction A solid vulnerability management program is critical
More informationHCL GRC IT AUDIT & ASSURANCE SERVICES
HCL GRC IT AUDIT & ASSURANCE SERVICES Overview The immense progress made in information and communications technology offers enterprises outstanding benefits. However this also results in making the risk
More informationReinvent Your 2013 Security Management Strategy
Reinvent Your 2013 Security Management Strategy Laurent Boutet 18 septembre 2013 Phone:+33 6 25 34 12 01 Email:laurent.boutet@skyboxsecurity.com www.skyboxsecurity.com What are Your Key Objectives for
More informationLeading our discussion today
Defending the Digital Retailer for NRFTech 2014 July 22, 2014 Leading our discussion today Security Leadership and Points of Contact Security and Infrastructure Services Leadership Kevin Richards NA Security
More informationCybersecurity. Securely enabling transformation and change
Cybersecurity Securely enabling transformation and change Contents... Cybersecurity overview Business drivers Cybersecurity strategy and roadmap Cybersecurity in practice CGI s cybersecurity offering Why
More informationState of South Carolina Interim Security Assessment
State of South Carolina Interim Security Assessment Deloitte & Touche LLP Date: October 28, 2013 Our services were performed in accordance with the Statement on Standards for Consulting Services that is
More informationA Framework for Managing Crime and Fraud
A Framework for Managing Crime and Fraud ASIS International Asia Pacific Security Forum & Exhibition Macau, December 4, 2013 Torsten Wolf, CPP Head of Group Security Operations Agenda Introduction Economic
More informationCybersecurity, safety and resilience - Airline perspective
Arab Civil Aviation Commission - ACAC/ICAO MID GNSS Workshop Cybersecurity, safety and resilience - Airline perspective Rabat, November, 2017 Presented by Adlen LOUKIL, Ph.D CEO, Resys-consultants Advisory,
More informationBackground FAST FACTS
Background Terra Verde was founded in 2008 by cyber security, risk and compliance executives. The founders believed that the market needed a company that was focused on using security, risk and compliance
More informationRun the business. Not the risks.
Run the business. Not the risks. RISK-RESILIENCE FOR THE DIGITAL BUSINESS Cyber-attacks are a known risk to business. Today, with enterprises becoming pervasively digital, these risks have grown multifold.
More informationSELLING YOUR ORGANIZATION ON APPLICATION SECURITY. Navigating a new era of cyberthreats
SELLING YOUR ORGANIZATION ON APPLICATION SECURITY Navigating a new era of cyberthreats Selling Your Organization on Application Security 01 It's no secret that cyberattacks place organizations large and
More informationIan Speller CISM PCIP MBCS. Head of Corporate Security at Sopra Steria
Ian Speller CISM PCIP MBCS Head of Corporate Security at Sopra Steria Information Risk in the Real World Realistic security management on a tight budget Or some things I have done to make the security
More informationCYBER RISK MANAGEMENT
CYBER RISK MANAGEMENT AND BEST PRACTICES Heather Fields, JD, CHC, CCEP (414) 298-8166 hfields@reinhartlaw.com 1000 North Water Street, Suite 1700, Milwaukee, WI 53202 www.reinhartlaw.com 0 Agenda Role
More informationSOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)
SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP) Adaptive Cybersecurity at the Speed of Your Business Attackers Evolve. Risk is in Constant Fluctuation. Security is a Never-ending Cycle.
More informationPONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY
PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY Benchmark research sponsored by Raytheon. Independently conducted by Ponemon Institute LLC. February 2018 2018 Study on
More informationThe new cybersecurity operating model
The new cybersecurity operating model Help your organization become more resilient and reach its business goals. 1 slalom.com Struggling to meet security goals While the digital economy is providing major
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)
ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary
More informationAligning IT, Security and Risk Management Programs. Ahmed Qurram Baig, CISSP, CBCP, CRISC, CISM Information Security & GRC Expert
Aligning IT, Security and Risk Management Programs Ahmed Qurram Baig, CISSP, CBCP, CRISC, CISM Information Security & GRC Expert Challenges to Risk Management & Governance Balancing extensive requirements
More informationRSA Advanced Cyber Defence Summit
Lee Edge Head Archer Business UK&I RSA Advanced Cyber Defence Summit London 30-April-2015 1 64% 8% 2014 Gartner CEO and Senior Executive Survey: 'Risk-On' Attitudes Will Accelerate Digital Business. 2
More informationRobert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group
Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group Presentation Objectives Introductions Cyber security context Cyber security in the maritime sector Developing cybersecurity
More informationRisk Advisory Academy Training Brochure
Academy Brochure 2 Academy Brochure Cyber Security Our Cyber Security trainings are focused on building your internal capacity to leverage IT related technologies more confidently and manage risk and uncertainty
More informationCyber Risks in the Boardroom Conference
Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks
More informationTransformation in Technology Barbara Duck Chief Information Officer. Investor Day 2018
Transformation in Technology Barbara Duck Chief Information Officer Investor Day 2018 Key Takeaways 1Transformation in Technology driving out cost, supporting a more technologyenabled business Our new
More informationCanada Life Cyber Security Statement 2018
Canada Life Cyber Security Statement 2018 Governance Canada Life has implemented an Information Security framework which supports standards designed to establish a system of internal controls and accountability
More informationAUDIT REPORT. Network Assessment Audit Audit Opinion: Needs Improvement. Date: December 15, Report Number: 2014-IT-03
AUDIT REPORT Network Assessment Audit Audit Opinion: Needs Improvement Date: December 15, 2014 Report Number: 2014-IT-03 Table of Contents: Page Executive Summary Background 1 Audit Objectives and Scope
More informationBalancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld
Balancing Compliance and Operational Security Demands Nov 2015 Steve Winterfeld What is more important? Compliance with laws / regulations Following industry best practices Developing a operational practice
More informationEnterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018
Enterprise Risk Management (ERM) and Cybersecurity Na9onal Science Founda9on March 14, 2018 Agenda Guiding Principles for Implementing ERM at NSF (Based on COSO) NSF s ERM Framework ERM Cybersecurity Risk
More informationConvergence of BCM and Information Security at Direct Energy
Convergence of BCM and Information Security at Direct Energy Karen Kemp Direct Energy Session ID: GRC-403 Session Classification: Advanced About Direct Energy Direct Energy was acquired by Centrica Plc
More informationDriving Global Resilience
Driving Global Resilience Steve Mellish FBCI Chairman, The Business Continuity Institute Monday December 2nd, 2013 Business & IT Resilience Summit New Delhi, India Chairman of the Business Continuity Institute
More informationISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION
ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation Initiative and Project Orientation Project
More informationSteps to Take Now to be Ready if Your Organization is Breached Thursday, February 22 2:30 p.m. 3:30 p.m.
Steps to Take Now to be Ready if Your Organization is Breached Thursday, February 22 2:30 p.m. 3:30 p.m. The cyber threats are no longer a question of if, but when, a breach will occur. It is important
More informationManaging Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow
Managing Privacy Risk & Compliance in Financial Services Brett Hamilton Advisory Solutions Consultant ServiceNow 1 Speaker Introduction INSERT PHOTO Name: Brett Hamilton Title: Advisory Solutions Consultant
More informationBREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE
BREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE 31st Annual SoCal ISSA Security Symposium Wendy T. Wu Vice President Agenda + CISO: Then and Now + Who are the Stakeholders and What Do They Care About?
More informationSession ID: CISO-W22 Session Classification: General Interest
Session ID: CISO-W22 Session Classification: General Interest Pain Points What are your two biggest information security-related pain points?* Mobile Device Security Security Awareness Training User Behavior
More information