Helping the C-Suite Define Cyber Risk Appetite: The Executive Imperative


Welcome. Steve Schlarman, GRC Strategist, CISSP, CISM (@steveschlarman)

Executive Priorities: Business Growth & Technology. Growth is the highest priority (54%). Technology initiatives are the second priority (25%). Source: Gartner's report "The 2015 CEO and Senior Executive Survey: Committing to Digital".

Risk Convergence. The business relies on technology like never before; business and digital strategies are intertwined. To be successful in today's market, organizations must address cyber risk and business risk together. Technology risk is a board-level topic.

The Imperative. According to Deloitte Cyber Risk Services, the fundamental things that organizations undertake in order to drive performance and execute on their business strategies happen to also be the things that actually create cyber risk. Executive decision-makers should understand the nature and magnitude of those risks, consider them against the benefits a strategic shift would deliver, and then make more informed decisions.

Explaining Cyber Risk Appetite. Appetite: a natural desire to satisfy a need. [Diagram: calorie intake (breakfast, lunch, dinner, snacks) balanced against calorie offset (walking, running, weight lifting, boxing).]

What is Cyber Risk Appetite?
Cyber Risk: the potential of loss or harm related to technical infrastructure or the use of technology within an organization.
Appetite: the aggregate level of cyber risk that an organization is willing to accept, or to avoid, in order to achieve its business objectives.
[Diagram, mirroring the calorie analogy: inherent risk from business technology, shadow IT, cloud and IT infrastructure is offset by GRC, IT services, resiliency and security, leaving a residual risk to compare against appetite.]

The 4 Quadrants of Cyber Risk (internal vs. external, malicious vs. unintentional):
- Internal Malicious: deliberate acts of sabotage, theft or other malfeasance committed by employees and other insiders.
- Internal Unintentional: acts leading to damage or loss stemming from human error committed by employees and other insiders.
- External Malicious: the most publicized cyber risk; pre-meditated attacks from outside parties, including criminal syndicates, hacktivists and nation states.
- External Unintentional: accidental, non-deliberate incidents involving external parties that cause loss or damage to the business.
The slide overlays three response themes on the quadrants: Monitoring and Detection (across the malicious quadrants), Risk Treatments & Internal Controls (across the unintentional quadrants) and Environment (beside external unintentional incidents).

RSA Strategic Focus: the capabilities that matter most now.
- Visibility & Analytics: detect threats, make responders faster (Monitoring and Detection).
- Risk Intelligence: understand business impact, prioritize effectively.
- Identity & Access Assurance: address the most consequential attack vector (Risk Treatments & Internal Controls, Environment).

Risk Findings: RSA Cybersecurity Poverty Index 2016. 45% ad hoc, 24% mature. The least developed capability across the survey is an organization's ability to catalog, assess, and mitigate risk. 45% of those surveyed described their capabilities in this area as nonexistent or ad hoc, with only 24% believing that they have mature or mastered capabilities in this domain.

Questions for the executive discussion (CISO, CEO, CIO, CRO, Business Operations):
- Which technology strategies are creating risk?
- How does our security strategy scale?
- Where is cyber risk in the big picture?
- Who is in the discussion?
- What should the risk culture of the organization be?
- What risks am I willing to accept?

Principles of Cyber Risk Appetite:
- Common risk taxonomy: vernacular of risk; tone from the top.
- Prioritization and understanding of assets: technology and business infrastructure; relationships between business and technology; what is most important?
- Thresholds and tolerance: acceptable levels of risk; sign-off/delegated authority for risk acceptance; exception monitoring.
- Preparation for cyber events: security incident response; disaster recovery and business continuity; crisis management.
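As an added example (not the presenter's or RSA's code), a small Python model that ties the four-quadrant taxonomy to the thresholds, tolerance and delegated sign-off principles above: it aggregates residual risk per quadrant and reports whether each sits within appetite, needs an exception signed off by the delegated authority, or exceeds tolerance and must be treated or escalated. The residual-risk formula, the sign-off roles and every figure in the sample register are constructed assumptions.

```python
# Added example, not from the presentation; the residual-risk model and all figures are assumptions.
from dataclasses import dataclass
QUADRANTS = ("internal-malicious", "internal-unintentional",
             "external-malicious", "external-unintentional")

@dataclass
class Risk:
    name: str
    quadrant: str                 # one of QUADRANTS (the slides' taxonomy)
    inherent: float               # assumed: expected annual loss before controls
    control_effectiveness: float  # assumed: 0..1 share of that loss the controls remove
    def residual(self) -> float:  # assumed model: loss the controls do not remove
        return self.inherent * (1.0 - self.control_effectiveness)

@dataclass
class Appetite:
    threshold: float  # aggregate residual loss the organization will accept
    tolerance: float  # band above the threshold acceptable only with sign-off
    signoff: str      # delegated authority for that risk acceptance

def evaluate(risks, appetites):
    """Aggregate residual risk per quadrant and classify it against appetite."""
    totals = {q: 0.0 for q in QUADRANTS}
    for r in risks:
        if r.quadrant not in totals:
            raise ValueError(f"unknown quadrant: {r.quadrant}")
        totals[r.quadrant] += r.residual()
    verdicts = {}
    for q, total in totals.items():
        a = appetites[q]
        if total <= a.threshold:
            verdicts[q] = "within appetite"
        elif total <= a.threshold + a.tolerance:
            verdicts[q] = f"exception: needs sign-off from {a.signoff}"
        else:
            verdicts[q] = "exceeds tolerance: treat or escalate"
    return totals, verdicts
# Constructed sample register and appetite statement (illustrative values only).
SAMPLE_RISKS = [
    Risk("privileged insider data theft", "internal-malicious", 500_000, 0.8),
    Risk("misconfigured cloud storage", "internal-unintentional", 300_000, 0.5),
    Risk("ransomware via phishing", "external-malicious", 2_000_000, 0.7),
    Risk("supplier outage", "external-unintentional", 200_000, 0.25),
]
SAMPLE_APPETITES = {
    "internal-malicious": Appetite(150_000, 50_000, "CISO"),
    "internal-unintentional": Appetite(100_000, 100_000, "CIO"),
    "external-malicious": Appetite(500_000, 250_000, "CRO"),
    "external-unintentional": Appetite(100_000, 40_000, "Business Operations"),
}
```

Calling evaluate(SAMPLE_RISKS, SAMPLE_APPETITES) returns the per-quadrant totals and verdicts; the exception verdicts are the ones the exception-monitoring principle says must be recorded and tracked.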

Planning Your Journey:
- Compliance (meet regulatory obligations): siloed point solutions, multiple management consoles, basic reporting.
- Risk (manage known and unknown risks): managed, integrated security; expanded visibility; improved analysis and metrics.
- Opportunity (make risk-based decisions): advantaged, fully risk aware, able to identify opportunity.

Final Thoughts: discuss and define appetites and tolerances; understand and prioritize assets; plan your journey.

Thank You. Steve Schlarman, GRC Strategist, CISSP, CISM (@steveschlarman)

EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.