Helping the C-Suite Define Cyber Risk Appetite: The Executive Imperative
Steve Schlarman, GRC Strategist, CISSP, CISM (@steveschlarman)
Executive Priorities
Business growth is the highest priority (54%); technology initiatives are the second priority (25%). Source: Gartner's report "The 2015 CEO and Senior Executive Survey: Committing to Digital".
Risk Convergence
The business relies on technology like never before, and business and digital strategies are intertwined. To be successful in today's market, organizations must address cyber risk and business risk together. Technology risk is a board-level topic.
The Imperative
According to Deloitte Cyber Risk Services: "The fundamental things that organizations undertake in order to drive performance and execute on their business strategies happen to also be the things that actually create cyber risk. Executive decision-makers should understand the nature and magnitude of those risks, consider them against the benefits a strategic shift would deliver, and then make more informed decisions."
Explaining Cyber Risk Appetite
Appetite: a natural desire to satisfy a need.
[Figure: a dietary analogy. Calorie intake (breakfast, lunch, dinner, snacks) is balanced against calorie offset (walking, running, weight lifting, boxing); risk appetite is the balance an organization is willing to carry.]
What is Cyber Risk Appetite?
Cyber Risk: the potential of loss or harm related to technical infrastructure or the use of technology within an organization.
Appetite: the aggregate level of cyber risk that an organization is willing to accept, or to avoid, in order to achieve its business objectives.
[Figure: inherent risk flowing from the business and technology landscape (business, tech, shadow IT, cloud, IT infrastructure) through GRC, IT services, resiliency and security controls to the residual risk that remains.]
The 4 Quadrants of Cyber Risk
The quadrants are formed by two axes: internal versus external actor, and malicious versus unintentional cause.
Internal Malicious: deliberate acts of sabotage, theft or other malfeasance committed by employees and other insiders.
Internal Unintentional: acts leading to damage or loss stemming from human error committed by employees and other insiders.
External Malicious: the most publicized cyber risk; premeditated attacks from outside parties, including criminal syndicates, hacktivists and nation states.
External Unintentional: accidental, non-deliberate incidents involving external parties that cause loss or damage to the business.
The slide overlays three areas of response on the quadrants: Monitoring and Detection (spanning the malicious quadrants), Risk Treatments & Internal Controls (the internal unintentional quadrant), and Environment (the external unintentional quadrant).
RSA Strategic Focus: the capabilities that matter most now
Visibility & Analytics: detect threats and make responders faster.
Risk Intelligence: understand business impact and prioritize effectively.
Identity & Access Assurance: address the most consequential attack vector.
On the slide these three capabilities are mapped onto the response areas from the quadrant model (Monitoring and Detection, Risk Treatments & Internal Controls, and Environment).
Risk Findings: RSA Cybersecurity Poverty Index 2016
The least developed capability across the survey is an organization's ability to catalog, assess, and mitigate risk. 45% of those surveyed described their capabilities in this area as nonexistent or ad hoc, while only 24% believed they have mature or mastered capabilities in this domain.
Who is in the discussion? CISO, CEO, CIO, CRO, and Business Operations. The questions they bring:
- Which technology strategies are creating risk?
- How does our security strategy scale?
- Where is cyber risk in the big picture?
- What should the risk culture of the organization be?
- What risks am I willing to accept?
Principles of Cyber Risk Appetite
Common risk taxonomy: a shared vernacular of risk; tone from the top.
Prioritization and understanding of assets: technology and business infrastructure; relationships between business and technology; what is most important?
Thresholds and tolerance: acceptable levels of risk; sign-off and delegated authority for risk acceptance; exception monitoring.
Preparation for cyber events: security incident response; disaster recovery and business continuity; crisis management.
Planning Your Journey
Compliance (meet regulatory obligations): siloed point solutions, multiple management consoles, basic reporting.
Risk (manage known and unknown risks): managed, integrated security; expanded visibility; improved analysis and metrics.
Opportunity (make risk-based decisions): advantaged, fully risk-aware; able to identify opportunity.
Final Thoughts
- Discuss and define appetites and tolerances.
- Understand and prioritize assets.
- Plan your journey.
Thank You
Steve Schlarman, GRC Strategist, CISSP, CISM (@steveschlarman)
EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.