Larry Clinton President & CEO Internet Security Alliance

Similar documents
How to Assess the Financial Impact of Cyber Risk

Larry Clinton President & CEO (703)

LARRY CLINTON PRESIDENT & CEO INTERNET SECURITY ALLIANCE office (703) cell (202)

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE THIRD ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Clarity on Cyber Security. Media conference 29 May 2018

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Larry Clinton President & CEO (703)

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Cyber Risks in the Boardroom Conference

Larry Clinton President Internet Security Alliance

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT:

THE POWER OF TECH-SAVVY BOARDS:

CYBER RISK MANAGEMENT

Building a Threat Intelligence Program

Cybersecurity for the SMB. CrowdStrike s Murphy on Steps to Improve Defenses on a Smaller Scale

The Evolving Threat. Today s cyber security challenges and solutions

A Comedy of Errors: Assessing and Managing the Human Element of Cyber Risk

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

Operationalizing Cybersecurity in Healthcare IT Security & Risk Management Study Quantitative and Qualitative Research Program Results

CISO as Change Agent: Getting to Yes

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

2017 RIMS CYBER SURVEY

HIMSS 15 Doing Better Business in the Era of Data Security and Privacy

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group

CYBER RESILIENCE & INCIDENT RESPONSE

AIRMIC ENTERPRISE RISK MANAGEMENT FORUM

Critical Security Controls. COL Stef Horvath MNARNG Oct 21, 2015

Changing the Game: An HPR Approach to Cyber CRM007

The CERT Top 10 List for Winning the Battle Against Insider Threats

CYBERSECURITY SAVE YOUR BOTTOM LINE IBC Annual Convention Anne Benigsen, Bankers Bank of the West

A CFO s Guide to Cyber Security in the Coming Year

The Cyber War on Small Business

Cybersecurity Overview

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

NERC Staff Organization Chart

2016 KPMG AS, a Norwegian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG

What is ISO ISMS? Business Beam

Bringing Cybersecurity to the Boardroom Bret Arsenault

GEORGIA CYBERSECURITY WORKFORCE ACADEMY. NASCIO 2018 State IT Recognition Awards

Defending Our Digital Density.

TAN Jenny Partner PwC Singapore

KEY FINDINGS INTERACTIVE GUIDE. Uncovering Hidden Threats within Encrypted Traffic

REPORT. proofpoint.com

CYBERSECURITY AND THE BOARD OF DIRECTORS TIPS FOR SECURING SUPPORT FOR YOUR CYBER RISK MANAGEMENT PROGRAM

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

2017 Annual Meeting of Members and Board of Directors Meeting

Turning Risk into Advantage

Cyber Security Incident Response Fighting Fire with Fire

Cyber Risk and Third Party Risk Management. Lisa Murphy First Horizon National Corporation

Quantifying Cyber Security Risk in Dollars and Cents to Optimize Budgets

Adaptive & Unified Approach to Risk Management and Compliance via CCF

CCISO Blueprint v1. EC-Council

Cyber Risk A Corporate Directors' Briefing Webcast Q&A Summary

Cyber Resilience. Think18. Felicity March IBM Corporation

The Insider Threat Center: Thwarting the Evil Insider

NERC Staff Organization Chart Budget 2019

2017 Trends in Security Metrics and Security Assurance Measurement Report A Survey of IT Security Professionals

THE CYBERSECURITY LITERACY CONFIDENCE GAP

Samu Konttinen, CEO, F-Secure WE ARE F-SECURE. 1 F-Secure

NERC Staff Organization Chart Budget 2018

FTSE 350 Cyber Governance Health Check Tracker Report. November 2013

Cybersecurity Session IIA Conference 2018

Big Data Cybersecurity Analytics Research Report Sponsored by Cloudera

2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB)

Cybersecurity. Securely enabling transformation and change

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

CYBERSECURITY. Protecting Against the Financial, Regulatory and Reputational Impacts of Cyber Attack

Cybersecurity is a Journey and Not a Destination: Developing a risk management culture in your business. Thursday, May 21, 2015

Could the BIGGEST Threat to Your Business be INSIDE Your Company?

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Effective Cyber Incident Response in Insurance Companies

DIGITAL TRANSFORMATION IN FINANCIAL SERVICES

Welcome to the CyberSecure My Business Webinar Series We will begin promptly at 2pm EDT All speakers will be muted until that time

Department of Homeland Security Updates

NERC Staff Organization Chart Budget 2019

Mastering The Endpoint

Cybersecurity and Hospitals: A Board Perspective

Cyber Security Maturity Model

Building YOUR Privacy Program: One Size Does Not Fit All. IBM Security Services

Reducing Cybersecurity Costs & Risk through Automation Technologies

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

Uncovering the Risk of SAP Cyber Breaches

Cybersecurity Fundamentals

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Cyber fraud and its impact on the NHS: How organisations can manage the risk

Cybersecurity 2016 Survey Summary Report of Survey Results

IBM Security Systems. IBM X-Force 2012 & CISO Survey. Cyber Security Threat Landscape IBM Corporation IBM Corporation

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

LAB2 R12: Optimize Your Supply Chain Cyber Security

SEC Key Considerations for Public Companies for Mitigating and Disclosing Cybersecurity Risks

Transcription:

Larry Clinton President & CEO Internet Security Alliance lclinton@isalliance.org 703-907-7028 202-236-0001

Sr. Management & Cyber Security Good News!!! Pricewaterhouse Coopers survey of 9,000 executives published September 2011 Executives were confident in their ability to secure their information systems and bullish about cyber security spending 43% had confidence in their security protocals 50% expected their companies to spend increasing amounts of money on cyber security

Now the Harsh Reality Only 13% of the Executives polled by PWC actually had done what is considered to be adequate security. Most executives didn t have an overall security strategy, had not reviewed the effectivness of their strategy or knew what types of breaches had hit them in the past 12 months. Only 1 in 3 said their companies had a policy for dealing with employee use of social media

Digital Growth? Sure Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and online commerce. The continued expansion of the digital lifestyle is already built into almost every company s assumptions for growth. ---Stanford University Study, July 2006

The APT----Average Persistent Threat The most sophisticated, adaptive and persistent class of cyber attacks is no longer a rare event APT is no longer just a threat to the public sector and the defense establishment this year significant percentages of respondents across industries agreed that APT drives their organizations security spending. PricewaterhouseCoopers Global Information Security Survey September 2011

% Who Say APT Drives Their Spending 43% Consumer Products 45% Financial services 49% entertainment and media 64% industrial and manufacturing sector 49% of utilities PWC 2011 Global Information Security Survey

Are we thinking of APT all wrong? Companies are countering the APT principally through virus protection (51%) and either intrusion detection/prevention solutions (27%) PWC 2011 Conventional information security defenses don t work vs. APT. The attackers successfully evade all anti-virus network intrusion and other best practices, remaining inside the targets network while the target believes they have been eradicated. ---M-Trend Reports 2011

We Are Not Winning Only 16% of respondents say their organizations security policies address APT. In addition more than half of all respondents report that their organization does not have the core capabilities directly or indirectly relevant to countering this strategic threat.

Digital Defense ------ Not So Much 23% of CTOs did not know if cyber losses were covered by insurance. 34% of CTOs thought cyber losses would be covered by insurance----and were wrong. SONY v Zurich insurance---when comprehensive doesn t mean comprehensive (CGL policies) The biggest network vulnerability in American corporations are extra connections added for senior executives without proper security. ---Source: DHS Chief Economist Scott Borg

We are not cyber structured In 95% of companies the CFO is not directly involved in information security 2/3 of companies don t have a risk plan 83% of companies don t have a cross organizational privacy/security team Less than ½ have a formal risk management plan 1/3 of the ones who do don t consider cyber in the plan In 2010 50%-66% of US Companies are deferring or reducing investment in cyber security

Corp Cyber Practices Are Degrading

Why is this the case? The vast majority of Sr management---and the majority of all employees---are digital immigrants Cyber Security is not, just, an IT problem Insiders (including lawyers and PR/sales Execs) are the single biggest cyber security vulnerability Most children learns their cyber behavior from their parents who learn it at work The enterprise space is a key educational space

What to do Good News: We know a lot about how to solve this problem--80-90% can be solved by using best practices and standards most don t due to cost Focus on Enterprise Education so companies understand total financial cyber risk ISA-ANSI program (which is free) provides a pathway to do this

50 Questions Every CFO Should Ask (2008) It is not enough for the information technology workforce to understand the importance of cyber security; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts. President s Cyber Space Policy Review May 30, 2009 page 15 ISA-ANSI Project on Financial Risk Management of Cyber Events: 50 Questions Every CFO should Ask ----including what they ought to be asking their General Counsel and outside counsel. Also, HR, Bus Ops, Public and Investor Communications & Compliance

Financial Management of Cyber Rick (2010)

ANSI-ISA Program Outlines an enterprise wide process to attack cyber security broadly and economically CFO strategies HR strategies Legal/compliance strategies Operations/technology strategies Communications strategies Risk Management/insurance strategies

What CFO needs to do Own the problem Appoint an enterprise wide cyber risk team Meet regularly Develop an enterprise wide cyber risk management plan Develop an enterprise wide cyber risk budget Implement the plan, analyze it regularly, test and reform based on EW feedback

Human Resources Recruitment Awareness Remote Access Compensate for cyber security Discipline for bad behavior Manage social networking Beware of vulnerability especially from IT and former employees

Legal/Compliance Cyber Issues What rules/regulations apply to us and partners? Exposure to theft of our trade secrets? Exposure to shareholder and class action suits? Are we prepared for govt. investigations? Are we prepared for suits by customers and suppliers? Are our contracts up to date and protecting us?

Operations/IT What are our biggest vulnerabilities? Re-evaluate? What is the maturity of our information classification systems? Are we complying with best practices/standards How good is our physical security? Do we have an incident response plan? How long till we are back up?---do we want that? Continuity Plan? Vendors/partners/providers plan?

Communications Do we have a plan for multiple audiences? --general public --shareholders --Govt./regulators --affected clients --employees ---press

Insurance Risk Management Are we covered?----are we sure????????? What can be covered How do we measure cyber losses? D and O exposure? Who sells cyber insurance & what does it cost? How do we evaluate insurance coverage?

Larry Clinton President & CEO Internet Security Alliance lclinton@isalliance.org 703-907-7028 202-236-0001

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback