A better vision for information security

Transcription

1 A better vision for information security Kenneth Chodnicki COO Deep Run Security 8 Market Place, Suite 410 Baltimore, MD kchodnicki@deeprunsecurity.com MCMC: Cambridge, MD June 23,

2 Deep Run Security, located in Baltimore, MD, is the industry s thought leader in helping firms become secure by providing understanding and insight into all aspects of their cyber security profile: Process/People/Technology. MCMC: Cambridge, MD June 23,

3 CYBER SECURITY WHAT TO DO? The Status Quo! Trying to out run the Bear! 3

4 EXECUTIVE ROLE IN CYBER RISK BUSINESS STRATEGY = STRATEGIC RISK PLAN + BUSINESS PLAN Cyber Risk Planning has become an island: outside Business & Strategic Risk Planning 4

5 EXECUTIVES MANAGE RISK BUT CEO s viewed operational and compliance risk as the biggest concern to their company However, 2/3 CEO s did not equate Operational Risk with Cyber Risk Only 1/3 viewed Cyber Risk as a base threat KPMG 2016 Survey: Cybersecurity A failure of Imagination by CEO s 5

6 WHO WOULD HACK CONCRETE? Construction Breaches? You Bet: Whiting Turner 2016 Vendor breached for employees W-2 s Children & beneficiaries info taken Turner Construction 2016 Phished for employee data on all employees Central Concrete Supply, Calf. - Phished 6

7 SURELY YOU DO NOT MEAN ME? Hey, We have a plan, I have hired an I/T guy Only 14% of CISO s report to business line executive (CEO, CFO, COO) Only 40% of CEO s said the CIO is part of the inner strategy circle KPMG 2016 Survey: Cybersecurity A failure of Imagination by CEO s 7

8 WHY THIS DICHOTOMY? 1. Technical Speak vs Business Speak In most cases, cyber risk is given to a SME not a business leader Language tends to lean towards technical speak Whenever I speak with my CIO, they start to blast me with technical explanations and I struggle to translate it. CFO, Large Research Hospital 8

9 WHY THIS DICHOTOMY? 2. Data is not Normalized 9

10 WHY THIS DICHOTOMY? 3. Cyber Risk Strong Customer Experience & Revenue $1 spent on Strategic Risk you know how to measure the ROI $1 spent on Cyber Risk you are not sure how to measure your ROI Because in most cases the way we look at cyber risk is the best thing that ever happens to us is nothing happens. 10

11 EXECUTIVES- WHERE ARE YOU EXPOSED? CREATING A COMPLETE PICTURE Your BIGGEST threat by far is Operational & Process Risk Traditional security focuses cyber assessments on Technical Risk 10% of cyber breaches Operational & Compliance Risk (Human & Process Errors) Technology 90% of all breaches occur due to Human or Business Process Error* - Small Sub s - 3 rd Party Supplier - Prime with weak I/T system - CEO/COO/VP of Sales - Billing - Cust. Service Teams * 2015 Verizon DBIR 11

12 3 STEPS TO THE RIGHT APPROACH 1. Move Cyber Risk to the mainland STRATEGIC RISK (SR) = BUSINESS RISK (BR) + CYBER RISK (CR) 12

13 3 STEPS TO THE RIGHT APPROACH 2. Develop a Road Map a. Understand Business Goals and Objectives Analysis of Strengths and Weaknesses Remember: Audit Security b. Expand the Spectrum Vendors Third Party Evolving Markets c. Adapt your Business Leadership tools Track Measure Report 13

14 3 STEPS TO THE RIGHT APPROACH 3. Lead from the top a. Take ownership - Cyber Savvy Executive team (notice we did not say technically savvy) b. Integrate into corporate culture c. Do It Now! 14

15 TIPS TO PROTECT FROM PHISHING 1: Look at your for anomalies. Visually scan the , put it into context. Would this person/company approach you in the way the reads? Is the grammar and word usage in context? Look at the from address, do both sides of make sense? If it seems at all wrong, even without a direct reason, close out of the and report it to IT. 2 : Hover, don t click. As you hover over a link, the link address will appear at the bottom of your browser. Ask yourself if the address (between and the next / match the context of the and action? If the is from UPS/FedEx, and you hover over the track this shipment does it show Or 15

16 TIPS TO PROTECT FROM PHISHING 3: Never click on an attachment with a file type of:.zip,.com,.exe,.pif, and any type you are not familiar with. Attachments are bad.you need to assure yourself everything is, without a single doubt, correct before clicking on an attachment. To open a file with these types, you need 100% verification from the sender that they sent you an and attachment. As in, while on the phone with the sender, OK, send me the now, Got it, thanks kind of verification. 4 : Doing nothing is a good answer. Ask yourself if taking a chance is worth the very existence of your company. Report your suspicion to your IT staff. Tell them you will not touch the until they approve. Don t forward the to the sender asking if it is a valid your coworker is as apt to make the same mistake as you. Either send them a fresh , or give them a call. 16

17 A better vision for information security Deeprunsecurity.com 17