Moderator: Presenters: Ross Albert Damon D Levine

Similar documents
MITIGATE CYBER ATTACK RISK

Cybersecurity for Health Care Providers

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

CISO as Change Agent: Getting to Yes

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

INTELLIGENCE DRIVEN GRC FOR SECURITY

Designing and Building a Cybersecurity Program

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Changing the Game: An HPR Approach to Cyber CRM007

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Why you should adopt the NIST Cybersecurity Framework

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

Rethinking Information Security Risk Management CRM002

The NIST Cybersecurity Framework

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Next Generation Policy & Compliance

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

The Business Value of including Cybersecurity and Vendor Risk in ERM

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

Addressing the elephant in the operating room: a look at medical device security programs

SOC for cybersecurity

Continuous protection to reduce risk and maintain production availability

RSA NetWitness Suite Respond in Minutes, Not Months

CYBER RESILIENCE & INCIDENT RESPONSE

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

SOLUTION BRIEF Virtual CISO

Rethinking Cybersecurity from the Inside Out

Automating the Top 20 CIS Critical Security Controls

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

SIEM: Five Requirements that Solve the Bigger Business Issues

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Securing Your Digital Transformation

Cyber Hygiene: A Baseline Set of Practices

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

Fabrizio Patriarca. Come creare valore dalla GDPR

Copyright 2016 EMC Corporation. All rights reserved.

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Incident Response Table Tops

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Framework for Improving Critical Infrastructure Cybersecurity

Do You Know Your Organization's Top 10 Security Risks?

K12 Cybersecurity Roadmap

Background FAST FACTS

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Top Five Secrets to Successfully Jumpstarting Your Cyber-Risk Program

SOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE

Best Practices in ICS Security for System Operators

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

THE POWER OF TECH-SAVVY BOARDS:

TSC Business Continuity & Disaster Recovery Session

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

SOLUTION BRIEF RSA ARCHER BUSINESS RESILIENCY

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Mitigating Risk with Ongoing Cybersecurity Risk Assessment. Scott Moser CISO Caesars Entertainment

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Quantifying Cyber Security Risk in Dollars and Cents to Optimize Budgets

NCSF Foundation Certification

Technology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 04/12/2017

Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Helping the C-Suite Define Cyber Risk Appetite. The executive Imperative

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Kent Landfield, Director Standards and Technology Policy

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

How will cyber risk management affect tomorrow's business?

Cyber Security. The Question of the Day. Sylint Group, Inc. How did we come up with the company name Sylint and what does it mean?

White Paper. View cyber and mission-critical data in one dashboard

Cybersecurity, safety and resilience - Airline perspective

RSA Solution Brief. Managing Risk Within Advanced Security Operations. RSA Solution Brief

CA Security Management

SECURITY INCIDENT MANAGEMENT. Solution Primer. Jenn Black. Senior Research AnalystSolutions Research and Development Office of the CISO, Optiv

FOR FINANCIAL SERVICES ORGANIZATIONS

Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group

Security and Privacy Governance Program Guidelines

The Resilient Incident Response Platform

Business Continuity Management: How to get started. Presented by: Tony Drewitt, Managing Director IT Governance Ltd 19 April 2018

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

The University of Queensland

GUIDELINES ON MARITIME CYBER RISK MANAGEMENT

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

FISMA Cybersecurity Performance Metrics and Scoring

Transcription:

SOA Antitrust Disclaimer SOA Presentation Disclaimer Session 7: Cyber Risk Management: From the Inside and the Outside Moderator: Presenters: Ross Albert Damon D Levine

A Holistic Approach to Cyber Risk Management Damon Levine, CFA, ARM, CRCMP, Open FAIR Director, Focal Point Data Risk ERM Symposium April 19, 2018

Disclaimer: The views expressed herein are those of the presenter and not necessarily those of Focal Point Data Risk

Today s Goal: Pragmatism vs. This Incidence response requires both situation awareness and tiered remediation actions for proportional response. Workflow is taskoriented and requires real-time alert correlation, activity log analysis, traffic capture and analysis, and suspect file detonation for security analysts to perform deep-dive evidence analysis to reach decisive conclusions. The variety of specialized multi-vendor security tools, a frictionless integration surface and ease of use with an economy of clicks is essential for total remediation at the compromised network' and infected system level to restore normalcy and trustworthiness of operations. - http://www.taasera.com/blog/cyber-security-essentials-enterprise-risk-management Written by AI Program? 3

What Did the AI Writer Get Right? Situational awareness: understanding exposures across LOBs, locations, & functions Real-time detection and response: awareness-to-action speed is of the essence Practical remediation: time, expense, and the human element Risk-informed decisions: risks to business objectives, including protections against downside are critical (e.g. $, reputation, operations) 4

Situational Awareness ERM s (vaunted) portfolio view: because cyber risks may be correlated and/or linked causally, one needs an enterprise view of risk across: LOBs, locations, products, and, strategic execution, compliance, regulatory, privacy, and (other) operational risks Many organizations do not have an accurate, comprehensive view of their IT assets, vendors, and other third parties that can expose the company to IT risks; an organizational intelligence is needed to address these visibility challenges and leverage them in decision-making ERM emphasizes a risk ID and reporting mechanism which delivers: prompt and actionable information for risk prevention and/or post-event containment 5

Need for Portfolio View 6

Technology-forward Cyber Risk Management Position/Title Considerations RISK ID: Bottom-up, Domain Focused IT and LOBs Struggle to Prioritize risks Ad-Hoc RISK RESPONSE 7

Business-back Cyber Risk Management Essential Ops, Biz Enablers, Value Drivers Critical Digital Assets RISK ID: Operational & Strategic RISK QUANT: Value-based Prioritization RISK RESPONSE 8

Obsolescence of the Traditional Cyber Risk Approach 9

Measurement in ERM: the Primary Decision Driver From colors to dollars: soft or qualitative scales do not aggregate or compare effectively, and therefore, do not enable informed decisions Leading vs. lagging KRIs, dollar metrics (e.g. GAAP/STAT earnings, capital, ROE, distributable earnings, company value) Risk appetite/limit reporting, and remediation protocol Metric-driven culture 10

Caveats on KRI https://www.rsaconference.com/writable/presentations/file_upload/trm-w07-one-failure-leads-to-anotherdeveloping-leading-indicators-for-security-threats-and-risks-final.pdf 11

Something for the Actuaries 12

13 Dollar Quantification of Cyber Risk: FAIR Approach

Further Support for an Enterprise Risk Approach Complexity, human element, and malicious incentives drive a chaotic and rapidly evolving cyber risk profile & attack surface Cyber risks are therefore: difficult to effectively identify and quantify, challenging to avoid, and intertwined with previously unrelated risk exposures Critical operational risk events can set in motion a chain of adverse consequences including loss of business continuity, revenue loss, fines, litigation, and brand/reputational damage 14

Practical Prevention of Pervasive People Problems The human element is a significant challenge: we all want to click things Tap into natural human ego and laziness: 1) test reactions and score by department, 2) make things as simple as possible, but not simpler 15

Walking the Walk Massive policies and onerous SOPs may be comprehensive but will they be followed? Consider tension between IT risk priorities and business" objectives If compliance with internal guidelines is a lengthy process, you may end up with shadow risk management tools 16

Hallmarks of an ERM Approach Cybersecurity governance Executive/leadership support and defined roles and responsibilities Principle of least privilege Creation of processes, policies, and standards; linked across the company Inventory of IT assets and the portfolio view Risk ID and remediation (including identification and protection of your crown jewels ) Quick response/containment to security events and incidents Continuous learning and adaptation to the threat landscape Pragmatic use of risk appetite/limit notions 17

The 4S s of the Board: Synergies, Schooling, Survival, and Satisfaction The Board needs verifiable proof of robust cyber risk management and those in IT risk management can leverage this to their benefit The Board s oversight role for risk controls and their typical focus on cyber can be leveraged to improve risk ID, assessment, and messaging Most Board members need quantification which relevant and non-technical; the metrics useful to ERM (e.g., earnings, cashflow, ROE, etc.) should be used for cyber Education of a stakeholder is often a key foundation for effectively conveying the critical messages of your risk analysis Because they have investor interests in mind (not just company survival ), Boards will view risk management as a tool to drive performance and an asset view (business-back) of cyber will resonate 18

What Trump and Obama Have in Common? Golf and 19

NIST-CSF Identify: Use organizational understanding to minimize risk to systems, assets, data and capabilities. Protect: Design safeguards to limit the impact of potential events on critical services and infrastructure. Detect: Implement activities to identify the occurrence of a cybersecurity event. Respond: Take appropriate action after learning of a security event. Recover: Plan for resilience and the timely repair of compromised capabilities and services. 20

NIST Implies a Holistic View 21

Is NIST it for IT?! https://fcw.com/articles/2017/07/25/cio-perspective-erm-cyber-spires.aspx?m=2&page=2 22

Holistic (Cyber) Health The limitations of vaccination Wellness Educated Employees Advanced Prevention Faster Recovery 23

Adapting the RIMS Risk Maturity Model (RMM) 24

Strategic Context Treating cyber risk apart from other business risks renders it overly technical, mysterious and separate Placing it in a strategic context shows how cyber risk relates to other risks. It also shows how management s acceptance of specific cyber risks will assist or fail to assist in creating value Enables senior managers to define and align their interests and roles in cyber risk management, leading to informed cyber risk response decisions 25

26 oh yeah GDPR

Additional Cyber Risk Management Reading https://cyberbalancesheet.com/ https://focal-point.com/services/advisors/audit-andadvisory/enterprise-risk-management https://www.linkedin.com/pulse/nobody-expects-spanish-inquisitiongdpr-you-damon/ http://ermvalue.com/ 27

References https://www.cfoinnovation.com/white-paper/12360/taking-aim-cyber-risk http://www.isaca.org/cyber/cyber-security-articles/pages/maintaining-aholistic-risk-based-cybersecurity-program.aspx?utm_referrer= https://www.cybrary.it/0p3n/holistic-risk-based-approach-cybersecurity/ https://www.darkreading.com/vulnerabilities---threats/a-holistic-approachto-cybersecurity-wellness-3-strategies/a/d-id/1326120? 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback