BREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE

Similar documents
Cyber Risks in the Boardroom Conference

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Cybersecurity and the Board of Directors

Advising the C-Suite and Boards of Directors on Cybersecurity. February 11, 2015

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Larry Clinton President & CEO (703)

Incident Response and Cybersecurity: A View from the Boardroom

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

CISO Success Strategies: On Becoming a Security Business Leader

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

CYBER RISK MANAGEMENT

SOLUTION BRIEF Virtual CISO

INTELLIGENCE DRIVEN GRC FOR SECURITY

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Clarity on Cyber Security. Media conference 29 May 2018

Data Breach Preparation and Response. April 21, 2017

IT Audit Process. Prof. Mike Romeu. January 30, IT Audit Process. Prof. Mike Romeu

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

MITIGATE CYBER ATTACK RISK

What It Takes to be a CISO in 2017

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

CISO View: Top 4 Major Imperatives for Enterprise Defense

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

The Fine Art of Creating A Transformational Cyber Security Strategy

Awareness and training programs OPTUS MACQUARIE UNIVERSITY CYBER SECURITY HUB

Turning Risk into Advantage

Sage Data Security Services Directory

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

DeMystifying Data Breaches and Information Security Compliance

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

9 TH SOUTHERN INDIA INFORMATION TECHNOLOGY FAIR (SIITF) THEME : EMERGING TECHNOLOGIES TO CREATE NEWER MARKETS

Demonstrating Compliance in the Financial Services Industry with Veriato

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Are we breached? Deloitte's Cyber Threat Hunting

It s Not If But When: How to Build Your Cyber Incident Response Plan

Building a Resilient Security Posture for Effective Breach Prevention

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

M&A Cyber Security Due Diligence

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Cyber Security Program

What to do if your business is the victim of a data or security breach?

Bringing Cybersecurity to the Boardroom Bret Arsenault

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Cyber Risk A Corporate Directors' Briefing Webcast Q&A Summary

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Cyber Incident Response. Prepare for the inevitable. Respond to evolving threats. Recover rapidly. Cyber Incident Response

Chief Compliance Officer s (CCO s) Role in Cybersecurity Thursday, February 22 10:00 a.m. 11:00 a.m.

CYBER SECURITY AIR TRANSPORT IT SUMMIT

DATA BREACH NUTS AND BOLTS

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Pave the way: Build a value driven SAP GRC roadmap March 2015

Angela McKay Director, Government Security Policy and Strategy Microsoft

Cyber Risk Having better conversations on cyber

Big data privacy in Australia

Building YOUR Privacy Program: One Size Does Not Fit All. IBM Security Services

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

a publication of the health care compliance association MARCH 2018

CISO as Change Agent: Getting to Yes

Run the business. Not the risks.

BHConsulting. Your trusted cybersecurity partner

Cybersecurity for the SMB. CrowdStrike s Murphy on Steps to Improve Defenses on a Smaller Scale

Information Security Governance and IT Governance

SEC Key Considerations for Public Companies for Mitigating and Disclosing Cybersecurity Risks

To Audit Your IAM Program

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

THE CYBER SECURITY PLAYBOOKECTOR SHOULD KNOW BEFPRE, DURING & AFTER WHAT EVERY DIRECTOR SHOULD KNOW BEFORE, DURING AND AFTER AN ATTACK

Cybersecurity in Higher Ed

SOC Summit June 6, Strengthening Capacity in Cyber Talent sans.org/cybertalent

NERC Staff Organization Chart Budget 2019

Global cybersecurity and international standards

THE POWER OF TECH-SAVVY BOARDS:

Cybersecurity The Evolving Landscape

The Evolving Threat to Corporate Cyber & Data Security

112 th Annual Conference May 6-9, 2018 St. Louis, Missouri

CYBER SOLUTIONS & THREAT INTELLIGENCE

Cyber Security and Cyber Fraud

Orlando, FL September 23-27, Your School Has Been Breached Now What? Cyber Incident Simulation Exercise

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.ca

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

IBM Security Systems. IBM X-Force 2012 & CISO Survey. Cyber Security Threat Landscape IBM Corporation IBM Corporation

Cyber Insurance: What is your bank doing to manage risk? presented by

Cyber Security is it a boardroom issue?

A new approach to Cyber Security

The State of the Hack. Kevin Mandia MANDIANT

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Incident Response Services

Cybersecurity for Health Care Providers

NERC Staff Organization Chart Budget 2019

Rethinking Information Security Risk Management CRM002

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Information Security Risk Strategies. By

CCISO Blueprint v1. EC-Council

Hacking and Cyber Espionage

Transcription:

BREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE 31st Annual SoCal ISSA Security Symposium Wendy T. Wu Vice President Agenda + CISO: Then and Now + Who are the Stakeholders and What Do They Care About? (Stakeholder Analysis) + How to Engage the Stakeholders? + How to Get Support from the Company Executives? + Working with Law Enforcement 2 1

CISO: Then and Now The Role of the CISO Then: + Purely IT/technical job System/network admin or CS + Reported to CIO only + No interaction with other business functions Now: + Role has evolved + More complex (or wellrounded) + Must be tech savvy + business savvy + Must also advise CIO, GC, CCO, Board 4 2

Role of the CISO Now + Need to understand company assets in order to measure risk/exposure + Must have buy-in from the BOD for a robust, effective cybersecurity program + Not just budget issues; need leadership to endorse and socialize cyber policy throughout company Who are the Stakeholders (and What Do They Care About)? 3

Stakeholder Analysis What do they care about: + Best interest of the company. + Business enablement i.e., willing to support if the investment assists them achieve operational/market goals (and security at the same time) How are they different? + Priorities (focus + responsibility) + Perspectives + Technical expertise and understanding (or the lack thereof) They don t know what they don t know 7 Stakeholder Analysis At a Glance GC CPO/CCO CFO CEO/BOD + Liability + Notice and reporting obligations Regulators Consumers + Litigation risk + Outside counsel + Law enforcement + Concerned with processes that handle sensitive data PII Credit cards/pci HIPPA + Related compliance issues + Business performance + Earnings + Forecasting + Budgeting + Answer to shareholders/ investors + Global operations (CEO) + Growth of company + Reputation 8 4

How to Engage the Stakeholders? How to Engage? Demonstrate and communicate the value of information security and risk management in financial terms to business executives 10 5

How to Engage? + Speak like a business professional, not IT Can t talk about indicators of compromise or malware + Use business terms that are familiar to executives E.g., financial risk, exposure, reputation, productivity Example: companies are moving into or considering transitioning data to the Cloud for financial savings and operational efficiency, but information security is key, as well as benefit. How to Engage? + Changes in global data protection laws and greater regulatory scrutiny can be used to your advantage Companies now must consider devoting greater resources to information security + Goal: Make the execs comfortable, if not willing, to spend money on data security 6

How (not) to Engage? + Warning: Don t be a hero, i.e., trying to save the company from all the bad hackers Phases of CISO Engagement 7

Build Phase Support Goal: Build credibility (so people will trust your decision-making) 15 What s the Approach? + Ask for meetings, informal discussions + Look for internal training with other business/ departments heads Don t forget Marketing, HR Find out what their objectives are, what matters to them Time consuming but valuable + Key: Be proactive. Start discussions before having to make decisions and deal with problems. 16 8

What s the Approach? + Find out what has been done, previous assessments and results If nothing, find out why Don t be alarmist + Engage with the IT team = people doing the work, first responder When (not if) an incident happens; must work with both sides + Need to know critical data Where the data is flowing, who has access/needs to have access 17 What s the Approach? + Need to understand risk Obtain independent, risk-based security assessment Focus on governance and operation Recommend priorities Need independence to ensure objectivity + Key: must understand that cyber risks extend beyond IT to all areas of the enterprise compliance, legal, regulatory + Need to understand the organization s tolerance E.g., budget, culture, hierarchy/structure Security measures should not negatively impact productivity + Present (and have execs participate) in dialogue around the risk/impact of those findings 18 9

Operate Phase Support Goal: Obtain support from execs during security operations (and continue to build credibility) 19 What s the Approach? + Expand your understanding of risk beyond IT Legal, audit, compliance requirements Operations policies + Alignment and conflict with audit and compliance Understand that an audit would be based on a specific regulation or standard and determining whether the company is in compliance Need to prioritize security execution above audit where such policies and controls are stronger as a result 20 10

Incident Response Support Goal: Obtain support from execs while reacting to cyber incident 21 What s the Approach? + Execs should not be hearing from you for the first time + Best chance for success = CISO who can effectively engage with leadership + Resources and support will enable security experts to do their job + Understand the role of law enforcement When to bring in LE? Pros and cons 22 11

Get to Know Law Enforcement + Opportunities to get to know local LE/FBI cyber before a cyber incident Business Email Compromise Working Group USAO Cyber Summit for GCs, CIOs, CISO Orange County Regional Computer Forensics Laboratory (OCRCFL) + LE places a high priority on victim interests, avoid revictimizing through unwarranted disclosure of information + Some mechanism to protect sensitive information, e.g., grand jury process, protective orders 23 Working with Law Enforcement + Need to get information ASAP and in real time + Data can be destroyed in an instant; important to notify early and give agents access to data + Agents may have seen the same conduct or indicators of malicious activity in other cases and can make connections to identify possible targets + Cooperation is critical because the threat you face includes hackers with unlimited resources and/or full backing of their government. 24 12

Stroz Friedberg is a specialized risk management firm built to help clients solve complex challenges prevalent in today s digital, connected and regulated world. Our focus is on cybersecurity, with leading experts in digital forensics, incident response and security science; investigations; ediscovery; and due diligence. 13

Thank You. Wendy T. Wu Vice President T: +1 310.623.3283 M: +1 310.926.5190 Where We Are 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback