RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Similar documents
Cyber Risk Having better conversations on cyber

Cyber Threat Landscape April 2013

Governance Ideas Exchange

and managed. It took the crisis for business leaders to fully appreciate the extent of their exposure within the interconnected global

TAN Jenny Partner PwC Singapore

CYBER INSURANCE: MANAGING THE RISK

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

Safeguarding company from cyber-crimes and other technology scams ASSOCHAM

Moving from Prevention to Detection March 2017

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

Cybersecurity Threat Modeling ISACA Atlanta Chapter Geek Week Conference

Enterprise resilience and the role of Standards

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

Cyber Risks in the Boardroom Conference

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

A CFO s Guide to Cyber Security in the Coming Year

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Cyber Intelligence Professional Certificate Program Booz Allen Hamilton 2-Day Seminar Agenda September 2016

The Cyber Savvy CEO Getting to grips with today s growing cyber-threats

Clarity on Cyber Security. Media conference 29 May 2018

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Turning Risk into Advantage

The State of Cybersecurity and Digital Trust 2016

Emerging Technologies The risks they pose to your organisations

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

Run the business. Not the risks.

Governing cyber security risk: It s time to take it seriously Seven principles for Boards and Investors

CLEARING THE PATH: PREVENTING THE BLOCKS TO CYBERSECURITY IN BUSINESS

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

2018 MANAGED SECURITY SERVICE PROVIDER (MSSP): BENCHMARK SURVEY Insights That Inform Decision-Making for Retail Industry Outsourcing

Public vs private cloud for regulated entities

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Fundamental Shift: A LOOK INSIDE THE RISING ROLE OF IT IN PHYSICAL ACCESS CONTROL

Cyber Risk A Corporate Directors' Briefing Webcast Q&A Summary

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

Cybersecurity. Securely enabling transformation and change

Cybersecurity and Hospitals: A Board Perspective

Cyber Crime Seminar 8 December 2015

Cyber Espionage A proactive approach to cyber security

G7 Bar Associations and Councils

THE POWER OF TECH-SAVVY BOARDS:

THE CYBERSECURITY LITERACY CONFIDENCE GAP

Cyber Resilience. Think18. Felicity March IBM Corporation

Building a Resilient Security Posture for Effective Breach Prevention

Jeff Wilbur VP Marketing Iconix

9 TH SOUTHERN INDIA INFORMATION TECHNOLOGY FAIR (SIITF) THEME : EMERGING TECHNOLOGIES TO CREATE NEWER MARKETS

Secure the value chain. Risk management in the omnichannel consumer and retail environment

Cybersecurity Protecting your crown jewels

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

RSA NetWitness Suite Respond in Minutes, Not Months

4/5/2017. April 5, 2017 CYBER-RISK: WHAT MANAGEMENT & BOARDS NEED TO KNOW

Cybersecurity The Evolving Landscape

a publication of the health care compliance association MARCH 2018

Sales Presentation Case 2018 Dell EMC

BREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE

Cyber Security. It s not just about technology. May 2017

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

M&A Cyber Security Due Diligence

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Onapsis: The CISO Imperative Taking Control of SAP

Angela McKay Director, Government Security Policy and Strategy Microsoft

Internet of Things (IoT) Securing the Connected Ecosystem

What is ISO ISMS? Business Beam

Managing Cyber Risk. Robert Entin Executive Vice President Chief Information Officer Vornado Realty Trust

The emerging battle between Cyber Defense and Cybercrime: How Technology is changing to keep Company and HR data safe

Are we breached? Deloitte's Cyber Threat Hunting

CYBER RESILIENCE & INCIDENT RESPONSE

Sage Data Security Services Directory

Must Have Items for Your Cybersecurity or IT Budget in 2018

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

The University of Queensland

CYBER SOLUTIONS & THREAT INTELLIGENCE

Cyber Security Incident Response Fighting Fire with Fire

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

CYBERSECURITY. Protecting Against the Financial, Regulatory and Reputational Impacts of Cyber Attack

Vulnerability Assessments and Penetration Testing

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

with Advanced Protection

Cyber security and awareness for non-financial services. 24/25 May 2017

Continuous protection to reduce risk and maintain production availability

Adversary Playbooks. An Approach to Disrupting Malicious Actors and Activity

The public sector s cybersecurity imperative

NCSF Foundation Certification

GDPR: A QUICK OVERVIEW

Protecting your next investment: The importance of cybersecurity due diligence

Cyber Threat Intelligence Debbie Janeczek May 24, 2017

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

50% 45% 40% 25% 20% 15%

Policy Session 4 Identifying Risk: An abundance of Potential Shock Waves

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank

Cyber Security: An Internal Audit Perspective Eoin Hayes

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

Combating Cyber Risk in the Supply Chain

Transcription:

www.pwc.com RIMS Perk Session 2015 - Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015 Los Angeles RIMS

Agenda Introductions What is Cybersecurity? Crown jewels The bad actors Securing Informational Assets (IAs) Computer Emergency Response Team (CERT) Incident Response (IR) plan 2

Introductions Jeff Phillps, Managing Director, Charles White, Director, 3

Highlights from Survey s 61% CEOs fastest-growing concern 61% of CEO s around the globe are concerned about cyberthreats. 70% Protecting Intellectual Property 70% of organisations expressed concern about their inability to protect intellectual property or confidential customer data 53% 4% Cybersecurity tools of utmost strategic importance 53% of CEOs consider cybersecurity very important to their organization Investing in cybersecurity The average 2014 information security budget dipped to $4.1 million, down 4% compared to 2013. Sources: 1-18 th Annual Global CEO Survey 2-2015 Global State of Information Security 3-6 th Annual Digital IQ Survey 4

What is cybersecurity? Cybersecurity represents many things to many different people Key characteristics and attributes of cybersecurity: Broader than just information technology and extends beyond the enterprise Increasingly vulnerable due to technology connectivity and dependency An outside-in view of the threats and business impact facing an organization Shared responsibility that requires cross functional disciplines in order to plan, protect, defend, react and respond It is no longer just an IT challenge it is a business imperative! 5

The cyber challenge now extends beyond the enterprise Global Business Ecosystem Environmental Customer Consumer Economic Industry/ Competitors Enterprise JV/ Partners Technology Suppliers Service Providers The Evolution: Technology-led innovation has enabled business models to evolve The extended enterprise has moved beyond supply chain and consumer integration Connectivity and collaboration now extends to all facets of business Leading to: A dynamic environment that is increasingly interconnected, integrated, and interdependent Where changing business drivers create opportunity and risk RIMS Perk Session 2015 - Protecting Pressures and the changes Crown which Jewels create opportunity and risk 6

Scope of cybersecurity Technology domain convergence Information Technology Operational Technology Consumer (Products and Services) Technology Computing resources and connectivity for processing and managing data to support organizational functions and transactions Systems and related automation assets for the purpose of monitoring and controlling physical processes and events or supporting the creation and delivery of products and services Computing resources and connectivity integrated with or supporting external end-user focused products and services Cybersecurity encompasses all three technology types 7

Crown jewels What do you notice about these jewels? 8

Crown jewels - definition What is a crown jewel? Definition - the most valuable or attractive thing in a collection or group (Merriam Webster dictionary) An Informational Asset (IA) The asset, that if you lost it, you lose your: Competitive advantage Intellectual property rights Brand reputation Ability to conduct business 9

Crown jewels - Examples Industry Hospital / Healthcare Retailer Trading firm Insurance firm Technology firm Law firm Military / defense Telecom provider Crown jewel Patient records / PCI data Client PCI / email / personal data Trading servers Insurance claim data / investment servers Intellectual property Client data / Intellectual property Intellectual property / intelligence Call processing and billing servers 10

The actors and the information they target Adversary What s most at risk? Nation State Industrial Control Systems (SCADA) Emerging technologies Hacktivists Payment card and related information / financial markets Advanced materials and manufacturing techniques Organized Crime Energy data Healthcare, pharmaceuticals, and related technologies Business deals information R&D and / or product design data Insiders Health records and other personal data Information and communication technology and data Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011. Motives and tactics evolve and what adversaries target vary depending on the organization and the products and services they provide. 11

Securing Informational Assets (IAs) Risk process: Identify assets Threats Vulnerabilities Likelihood Productivity impact Cost Compensating controls Risk migrating controls (Cyber insurance, 3 rd party contracts, indemnifications, etc.) 12

Securing IAs - considerations Today, data breaches and data losses are unavoidable. In today s world, you continue with defenses, however Prioritize security, assets, and users what/who s most important? How fast can you respond? How can you expand and grow, and still respond to cyber risks? 13

Securing IAs - considerations Do you completely understand all your assets, and where they are? Does every employee need access to everything? Does every department need access to everyone else s assets? How do you protect? How do you monitor? Don t assume the regular entries are the only entry points 14

Evolving perspectives Considerations for businesses adapting to the new reality Historical IT Security Perspectives Scope of the challenge Limited to your four walls and the extended enterprise Ownership and accountability Adversaries characteristics Information asset protection Today s Leading Cybersecurity Insights Spans your interconnected global business ecosystem IT led and operated Business-aligned and owned; CEO and board accountable One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain Defense posture Protect the perimeter; respond if attacked Security intelligence and information sharing Organized, funded and targeted; motivated by economic, monetary and political gain One-size-fits-all approach Prioritize and protect your crown jewels Plan, monitor, and rapidly respond when attacked Keep to yourself Public/private partnerships; collaboration with industry working groups 15

Computer Emergency Response Team (CERT) Ensure you have formed a CERT, and the team consists of: Legal (GC) General Counsel, Outside Counsel Risk (CRO) Chief Risk Officer, Risk Manager, Internal audit, board representative Technology officer (CIO) Chief Information Officer Security officer (CISO) Chief Information Security Officer HR Accounting / finance Sales and Marketing Public relations Physical security Computer / network security Server manager Ecommerce manager Database manager Network manager PC / helpdesk manager Supply chain manager 16

Incident response (IR) plan Have a clear plan of action, in the event of an incident Documented CERT should be familiar with the IR plan Update regularly 17

Recap of key points to consider 1 The global business ecosystem has changed the risk landscape Business models have evolved, creating a dynamic environment that is increasingly interconnected, integrated, and interdependent - necessitating the transformation of your security practices to keep pace. 2 3 Focus on securing high value information and protecting what matters most Know your adversary motives, means, and methods Rather than treating everything equally, you should identify and enhance the protection of your crown jewels while maintaining a consistent security baseline within their environment. Sophisticated adversaries are actively exploiting cyber weaknesses in the business ecosystem for economic, monetary or political gain requiring threat intelligence, proactive monitoring and deep response capabilities. 4 Embed cybersecurity into board oversight and executive-level decision making Creating an integrated, business aligned security strategy and program requires awareness and commitment from the highest executive levels of the organization in order to apply the appropriate resources and investments. 18

Remember, all jewels are different, but no less valuable This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. 2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback