How to Optimize Cyber Defenses through Risk-Based Governance
Steven Minsky, CEO of LogicManager & Author of the RIMS Risk Maturity Model
The Goal: Risk-Based Operationalization
Incident Management, IT/IS Management, Vendor Management, Policy Management, Enterprise Risk Management, Compliance Management, Audit Management, Financial Reporting, Business Continuity
By the Numbers
Total data protection may be an impossible objective.
- 1,093 data breaches occurred in 2016 [1]
- 36,601,939 records exposed [2]
- 63% of confirmed data breaches involved weak, default, or stolen passwords [3] (i.e. governance)
Too often, companies react to external threats by spending billions on technology solutions, without addressing the root-cause governance issue.
[1] Identity Theft Resource Center, Data Breach Reports 2016 Year End
[2] Ponemon Institute, The Cost of Malware Containment
[3] Verizon, 2016 Data Breach Investigations Report
What is the Governance Challenge?
IT is separated from entitlement management. Individual departments and process owners know who has access to which platforms and services, and who the key administrators are.
[1] Verizon, 2016 Data Breach Investigations Report
Training Isn't Enough
It goes beyond security policies and training. Within two months of password security training:
- Only 20% of employees will adequately strengthen their passwords.
- 26% of employees will improve their passwords, but without following best practices.
- The remaining 54% will maintain inadequate password quality, leaving themselves and the company vulnerable.
Neither is Insurance
You can outsource the process, but you can't outsource the risk. Insurance policies alone aren't safety nets.
Case in point: 32,500 records breached; the company had cyber insurance; the insurance provider obtained a judicial ruling to waive the $4.1M claim for failure to meet minimum required practices.
How to Operationalize a Risk-Based Approach
The Challenge: Complexity
Many groups hold pieces of the puzzle, but most organizations can't put the full picture together.
- Finance: Knows assets and process owner allocation, but has no method or system to share the information.
- Vendor Management: Has no system to manage authorized assets or share information.
- IT Security: Does not have a complete list of company assets with logins, so it cannot control or monitor password quality.
- HR: Has no method or system to notify application administrators of user entitlement changes.
- Audit: Has an entitlement policy, but no user access list mapped to company assets with logins.
Policies Must Be Operationalized
Organizations must operationalize their policies in order for them to be effective, by taking a holistic approach and involving the right roles in the organization.
Role / Insight & Accountability:
- IT Security: Security Policy + Incident Monitoring
- IT & Finance: Asset Management
- Vendor Management / Procurement: Asset Authorization
- Human Resources: Hiring, Termination + Role Changes
- Process Owner: Entitlement Management + Access Rights
- User: Password Usage
Traditional, Siloed Approach
Apply a Risk-Based Approach
Applying this Process to Cyber
- Identify: Departmental security risks at the front lines; readiness against frameworks & standards (e.g. NIST, SANS, ISO, COBIT).
- Assess: What is the impact and likelihood to our business? How prepared are we to meet these guidelines?
- Mitigate: Which controls, policies and procedures mitigate risks and manage guidelines? What are our gaps?
- Monitor: How effectively are these control activities managing our risks? (e.g. testing (pen, intrusion), incident management, metrics)
The Solution
The Risk Manager provides the Board evidence of the ERM program's effectiveness in cyber. To do this, involve the IT group:
1) Security and password policies are maintained by IT.
2) Identify IT-related assets & services with finance.
3) Engage with process owners about assets, access rights & administration.
4) Collaborate with process owners to identify related IT vendors.
5) Meet with legal/compliance to adjust vendor contracts.
6) Operationalization is achieved with ERM & process owner engagement!
Manage Cybersecurity Operationalization
Questions?
About Steven Minsky
Steven is the CEO of LogicManager, author of the RIMS Risk Maturity Model, and a speaker on many ERM and GRC topics. You can reach Steven at @SteveMinsky on Twitter, or email him at steven.minsky@logicmanager.com.