How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

The Goal: Risk-Based Operationalization
- Incident Management
- IT/IS Management
- Vendor Management
- Policy Management
- Enterprise Risk Management
- Compliance Management
- Audit Management
- Financial Reporting
- Business Continuity

By the Numbers
Total data protection may be an impossible objective.
- 1,093 data breaches occurred in 2016 [1]
- 36,601,939 records exposed [2]
- 63% of confirmed data breaches involved weak, default, or stolen passwords [3] (i.e. governance)
Too often, companies react to external threats by spending billions on technology solutions, without addressing the root-cause governance issue.
Sources: [1] Identity Theft Resource Center, Data Breach Reports 2016 Year End. [2] Ponemon Institute, The Cost of Malware Containment. [3] Verizon, 2016 Data Breach Investigations Report.

What is the Governance Challenge?
IT is separated from entitlement management. Individual departments and process owners know who has access to which platforms and services, and who the key administrators are.
Source: Verizon, 2016 Data Breach Investigations Report.

Training Isn't Enough
It goes beyond security policies and training. Within two months of password security training:
- Only 20% of employees will adequately strengthen their passwords.
- 26% of employees will improve their passwords but still not follow best practices.
- The remaining 54% will maintain inadequate password quality, leaving themselves and the company vulnerable.

Neither is Insurance
You can outsource the process, but you can't outsource the risk. Insurance policies alone aren't safety nets.
Case in point:
- 32,500 records breached
- The company had cyber insurance
- The insurance provider obtained a judicial ruling waiving a $4.1M claim, citing failure to meet minimum required practices.

How to Operationalize a Risk-Based Approach

The Challenge: Complexity
Many groups hold pieces of the puzzle, but most organizations can't put the full picture together.
- Finance: knows assets and process-owner allocation, but has no method or system to share that information.
- Vendor Management: has no system to manage authorized assets or share information.
- IT Security: does not have a complete list of company assets with logins, so it cannot control or monitor password quality.
- HR: has no method or system to notify application administrators of user entitlement changes.
- Audit: has an entitlement policy, but no user access list mapped to company assets with logins.

Policies Must Be Operationalized
Organizations must operationalize their policies in order for them to be effective, by taking a holistic approach and involving the right roles in the organization.
Role -> Insight & Accountability
- IT Security -> Security Policy + Incident Monitoring
- IT & Finance -> Asset Management
- Vendor Management / Procurement -> Asset Authorization
- Human Resources -> Hiring, Termination + Role Changes
- Process Owner -> Entitlement Management + Access Rights
- User -> Password Usage

Traditional, Siloed Approach

Apply a Risk-Based Approach

Applying this Process to Cyber
- Identify: Departmental security risks at the front lines. What is the impact and likelihood to our business?
- Assess: Readiness against frameworks & standards, i.e. NIST, SANS, ISO, COBIT. How prepared are we to meet these guidelines?
- Mitigate: Which controls, policies and procedures mitigate risks and manage guidelines? What are our gaps?
- Monitor: How effectively are these control activities managing our risks? i.e. Testing (Pen, Intrusion), Incident Management, Metrics

The Solution
The Risk Manager provides the Board evidence of the ERM program's effectiveness in cyber. To do this, involve the IT group:
1) Security and password policies are maintained by IT.
2) Identify IT-related assets & services with Finance.
3) Engage with process owners about assets, access rights & administration.
4) Collaborate with process owners to identify related IT vendors.
5) Meet with Legal/Compliance to adjust vendor contracts.
6) Operationalization is achieved with ERM & process owner engagement!
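The Complexity slide and steps 2 and 3 above describe a data-joining problem: Finance knows the assets and their process owners, HR knows terminations and role changes, Audit holds the entitlement policy, and nobody holds the user access list mapped to assets with logins. The following Python is an added example, not code from the deck or from LogicManager, showing what "operationalizing" that join looks like: an HR roster, an asset inventory with owners and administrators, and per-application access lists are reconciled, and the resulting findings are grouped into notifications for each application administrator. All names, departments and applications are constructed sample data; the entitlement rule (a department-to-asset allow list) is an assumed simplification of a real policy.

```python
"""Entitlement reconciliation across HR, Finance/IT inventory and access lists.

Added example (hypothetical data); demonstrates the governance join the deck
describes rather than any vendor's product.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    user: str
    department: str
    status: str                      # "active" or "terminated" (HR owns this)
    end_date: Optional[date] = None  # set when status == "terminated"


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                       # process owner accountable for entitlements
    admin: str                       # application administrator who acts on changes
    entitled_departments: frozenset  # assumed entitlement policy: departments allowed in


@dataclass(frozen=True)
class Finding:
    asset: str
    user: str
    issue: str
    admin: str                       # who should be notified


# Constructed sample data (hypothetical, not from the slides).
ROSTER = {
    "alice": Employee("alice", "finance", "active"),
    "bob": Employee("bob", "engineering", "active"),
    "carol": Employee("carol", "finance", "terminated", date(2017, 3, 1)),
    "dave": Employee("dave", "hr", "active"),
}
ASSETS = {
    "payroll": Asset("payroll", "finance-lead", "payroll-admin@example.com",
                     frozenset({"finance", "hr"})),
    "source-repo": Asset("source-repo", "eng-lead", "repo-admin@example.com",
                         frozenset({"engineering"})),
}
# Per-application access lists as an administrator would export them.
ACCESS = {
    "payroll": {"alice", "carol", "bob", "svc-backup"},
    "source-repo": {"bob", "alice"},
    "legacy-ftp": {"carol"},         # no inventory record: Finance/IT gap
}


def reconcile(roster, assets, access):
    """Join the three views and return every entitlement the roster and policy
    do not justify. Each finding names the administrator to notify."""
    findings = []
    for asset_name, users in access.items():
        asset = assets.get(asset_name)
        if asset is None:
            # An access list exists for something nobody inventoried, so there
            # is no owner or admin to route to; surface it for Finance/IT.
            for user in sorted(users):
                findings.append(Finding(asset_name, user, "asset not in inventory", "unknown"))
            continue
        for user in sorted(users):
            emp = roster.get(user)
            if emp is None:
                issue = "account not in HR roster"
            elif emp.status == "terminated":
                issue = f"terminated {emp.end_date.isoformat()} but still has access"
            elif emp.department not in asset.entitled_departments:
                issue = f"department {emp.department} not entitled"
            else:
                continue                      # access is justified; nothing to report
            findings.append(Finding(asset.name, user, issue, asset.admin))
    return findings


def notifications(findings):
    """Group findings by application administrator: the HR-to-admin
    notification path the Complexity slide says is missing."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.admin, []).append(f"{f.asset}: {f.user}: {f.issue}")
    return grouped


if __name__ == "__main__":
    for admin, lines in notifications(reconcile(ROSTER, ASSETS, ACCESS)).items():
        print(f"To {admin}:")
        for line in lines:
            print("  " + line)
```

In practice the roster comes from the HR system, the inventory from Finance's asset register (step 2) and the access lists from the process owners and administrators engaged in step 3; running this join on a schedule turns the entitlement policy Audit holds into a monitored control, and the findings are the evidence of effectiveness the Risk Manager brings to the Board.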

Manage Cybersecurity Operationalization

Questions?

About Steven Minsky
Steven is the CEO of LogicManager, author of the RIMS Risk Maturity Model, and a speaker on many ERM and GRC topics. You can reach Steven at @SteveMinsky on Twitter, or email him at steven.minsky@logicmanager.com.