The Business Value of including Cybersecurity and Vendor Risk in ERM


The Business Value of Including Cybersecurity and Vendor Risk in ERM
Yo Delmar, Vice President, Customer Engagement, MetricStream
RMA GCOR XI, April 4-5, 2017, Hyatt Regency, Cambridge, MA. Tuesday, 2:30 pm

Challenge: Risk leaders must bring visibility and encourage meaningful dialogue around the size, scale and scope of the most urgent risks facing their organizations.

Need: Programs that align directly with strategic objectives and address not only risks, but also opportunities for competitive advantage, add tremendous value to the business.

Let's look at how emerging risks from vendors and cybersecurity in the 'extended enterprise' hit business value at its center and demand inclusion in ERM programs.

Vendor and Cyber Risk Directly Impact Business Performance
Risk domains shown on the slide, cutting across business risks, vendor risks and cyber risks: Contractual Risk, Financial Stability, Disruption, Transaction / Operational, Reputation, IT Security, Geo-political, Compliance.

Losses Due to Vendors
Has your organization experienced a significant risk exposure due to a third party in the last 18 months?
- Yes: 21% of respondents
- No: 79%
- Five loss incidents of greater than $10 million
Source: MetricStream Research

What was the loss impact in U.S. dollars? (Answer categories: Less than $1 million; $1 million to $10 million; Greater than $10 million; Don't know)
Please rate the impact of the risk exposure. (Answer categories: High; Medium; Low; Don't know)
Source: MetricStream Research

Cyber Risk Source: MetricStream Research

Number of Cyberattacks
Number of cybersecurity attacks faced by your organization within the past 12 months?
- 0-10 attacks: 29.4%
- 51-100 attacks: 5.9%
- Unknown: 33.8%
Are these attacks increasing or decreasing compared to previous years?
- Increasing: 55.9%
- Decreasing: 2.9%
- About the same: 14.7%
- Unknown: 22.1%
- Others: 4.4%
Key findings:
- 66.2% of the organizations have faced at least one cybersecurity attack within the last year
- 33.8% are unaware of the number of attacks faced
- Attacks have increased in the past year for 56% of the organizations
Source: MetricStream Research

Recent Attacks Which Concern the Most
With respect to your cybersecurity readiness, which of the following major cyber attacks that occurred within the past year concern you the most? (Options: SWIFT system attacks; Morgan Stanley; Dow Jones; Wells Fargo; Scottrade; Carbanak; Others)
Recent SWIFT system attacks concern most of the organizations (26.5%).
Source: MetricStream Research

1st of 3 Key Questions: Let's Dive a Little Deeper

Where Do Vendor and Cyber Risk Sit in the Risk Program?
- Where does vendor and cyber risk sit in the overall program?
- Who is responsible for it?
- Where is key information?

How Do We Measure and Respond to Risk?
- What parameters are important?
- How often to measure?
- How do we respond and learn from incidents?

What Is the Business Value and How Can We Improve?
- How may vendor or cyber risk derail our business strategy?
- How can we measure value?
- How can we rapidly mature to improve business performance?

Does your enterprise have a dedicated third party risk management (TPRM) function? (Shown overall and by company size: 251-5,000 employees vs. 5,001 and greater.) The chart shows two "Yes" shares, 44.3% and 55.7%.
Source: MetricStream Research

Is third-party risk management in your enterprise currently included within other risk management or compliance programs? (Shown overall and by company size: 251-5,000 employees vs. 5,001 and greater.) Programs compared: Enterprise risk management; IT risk management; Compliance management; Business continuity management; Anti-bribery.
Source: MetricStream Research

Cybersecurity Managed as a Component of ERM
Is cybersecurity a formal part of the enterprise risk management program for your organization?
- Yes: 91.2%
- No: 7.4%
Cybersecurity is a part of the ERM program for more than 90% of the organizations.
Source: MetricStream Research

Scope of the Cybersecurity Program
Is the scope of your cybersecurity program internal or does it cover third parties as well?
- Includes third parties: 70.6%
- The remainder splits 20.6% / 8.8% between "Internal to the organization" and "Unsure/Don't know"
For 71% of the organizations, the scope of their cybersecurity program covers third parties as well.
Source: MetricStream Research

Reporting for Cybersecurity Function
To which organization does the cybersecurity function report directly?
- Office of the CSO or CISO: 55.9%
- Office of the Chief Risk Officer: 20.6%
- Senior leadership (CEO or CFO): 11.8%
- Board of Directors: 5.9%
For the majority of organizations (56%), the cybersecurity function reports to the CSO/CISO.
Source: MetricStream Research

Board/CEO Involvement
What level of involvement do the board of directors and CEO have in your cybersecurity program? (7 = highly involved, 1 = not involved; reported separately for board involvement and CEO involvement)
Source: MetricStream Research

Who within your organization is ultimately responsible for third party risk management?
- Chief Risk Officer: 32%
- Chief Compliance Officer: 16%
- Chief Information Security Officer: 12%
- Chief Procurement Officer: 10%
- Chief Information Officer: 5%
- Chief Legal Officer: 4%
- Corporate Audit Executive: 3%
- Other: 18%
Source: MetricStream Research

Which of the following best describes your third party repository? (Shown by company size: 251-5,000 employees vs. 5,001 and greater.)
- Comprehensively covers all third parties for all regions and business functions in the enterprise
- Inconsistently covers some third parties, but not others
- Is tailored to a specific set of third parties or a specific business function, but does not cover all third parties of the enterprise
- Other
Source: MetricStream Research

2nd of 3 Key Questions: Let's Dive a Little Deeper

How Do We Measure and Respond to Risk?
- What parameters are important?
- How often to measure?
- How do we respond and learn from incidents?

What are the most significant criteria for determining whether to place a third party in the highest risk tier?
- Critical component or service: 71%
- Potential for disruption to operations: 55%
- Regulatory requirement: 41%
- Spend and limited availability of alternative sources: 31% and 28%
- Country risks: 12%
- Size of company, Other, We do not risk tier third parties: 5%, 5%, 3%
Source: MetricStream Research

Which risk parameters are most important when evaluating third parties?
- Data protection/privacy: 67%
- Financial viability: 59%
- Ability to maintain service levels: 59%
- Regulatory compliance requirements: 57%
- IT security: 57%
- Business continuity risks: 45%
- Vendor's management (experience, turnover): 33%
- Vendor's regulatory and legal environment: 19%
- Additional vendors in the vendor's supply chain: 16%
- Business model compatibility: 12%
- Vendor's employees: 9%
- Geopolitical environment: 5%
- Trustworthiness of public disclosures: 3%
- Architectural compatibility: 3%
- Currency fluctuations: 2%
Source: MetricStream Research

How often do you assess third parties in the various risk tiers? (Overall, and by company size: 251-5,000 employees / 5,001 and greater)

Highest risk tier (251-5,000 / 5,001 and greater):
- At least monthly: 4% / 24%
- At least quarterly: 33% / 16%
- At least yearly: 50% / 52%
- Never: 0% / 0%
- Other: 13% / 8%

Second highest risk tier (251-5,000 / 5,001 and greater):
- At least monthly: 0% / 12%
- At least quarterly: 8% / 24%
- At least yearly: 54% / 48%
- Never: 4% / 0%
- Other: 33% / 16%

Third and lower risk tiers (251-5,000 / 5,001 and greater):
- At least monthly: 0% / 12%
- At least quarterly: 4% / 4%
- At least yearly: 42% / 48%
- Never: 4% / 12%
- Other: 50% / 24%
Source: MetricStream Research

Does your organization perform continuous monitoring of third parties? (Overall)
- Yes, all parties, all the time: 34.5%
- Some (only highest risk third parties): 27.6%
- Occasionally (inconsistently applied): 25.9%
- No: 8.6%
- Don't know: 3.4%
Source: MetricStream Research

Actors Compromised in an Attack
Which of the following actors were compromised in your organization during an attack?
- Employees (current and former): 48.5%
- Customers: 22.1%
- Other third parties (consultants, vendors, etc.): 13.2%
- Partners: 11.8%
- IT service providers: 10.3%
- Suppliers: 8.8%
Primary sources for cyber attacks: employees, customers, partners, suppliers and other third parties.
Source: MetricStream Research

After an incident, what measures have been taken to prevent future risk incidents?
- Collaborate with the third party
- Re-assess the risk of the third party
- Modify contract terms
- Increase the frequency of assessments
- Reduce business volume
- Temporarily suspend business relationship
- Terminate the business relationship
Source: MetricStream Research

Readiness to Share Cybersecurity Information
How prepared is your enterprise to share cybersecurity information with government agencies/regulators, and others in the industry?
Government agencies/regulators:
- Unprepared: 7.5%
- Somewhat prepared / Prepared: 38.8% and 35.8%
- Already sharing: 17.9%
Others in the industry:
- Unprepared: 6.0%
- Somewhat prepared / Prepared: 50.7% and 31.3%
- Already sharing: 11.9%
75% of the organizations are either prepared or somewhat prepared to share their cybersecurity information with the government, but only 18% are already doing so. 82% of them are either prepared or somewhat prepared to share this information with their peers in the industry, but only 12% are already doing so.
Source: MetricStream Research

Cyber Security Program Maturity Source: MetricStream Research

3rd of 3 Key Questions: Let's Dive a Little Deeper

What Is the Business Value and How Can We Improve?
- How may vendor or cyber risk derail our business strategy?
- How can we measure value?
- How can we rapidly mature to improve business performance?

The Business Value Balancing Act
Cost side: Direct, People, Failures, Opportunity (difficult to calculate cost).
Benefit side: Efficiencies, Governance, Opportunity, Future Ready (difficult to see the benefits).
Why building a business case for GRC is complicated:
- Bad news is big news: when a GRC program fails it gains higher visibility and impacts brand value and reputation, an impact that is difficult to quantify.
- No news is good news: when an effective GRC program is in place it operates seamlessly without hindering the business of the organization.

Seven Steps to Business Value
1. Strategic Alignment
2. Needs
3. Readiness
4. Value
5. Roadmap
6. Investments
7. Accrued Benefits
Business value ultimately depends on the vision and scope of the GRC program, organizational readiness and speed of deployment. The goal of most organizations is to optimize business value by choosing the level of investment across a portfolio of initiatives that support strategic objectives.

1. Align with Strategic Objectives
- Identify the organization's strategic goals
- Identify values which are critical to strategic goal achievement
- Identify key risks to the enterprise goals, objectives and values
- Articulate business objectives for every level of the organization
- Identify risks to business objectives at each level of the organization
(Diagram: risks mapped from the enterprise level down through business units.)

2. Understand and Prioritize Needs * See OCEG CRO at the Center

3. Measure Maturity and Readiness

4. Value: The Benefit Side (benefits across four domains)
- Risk: align to performance goals; risk identification, analysis and intelligence; losses; remediation
- Efficiencies: cycle time; personnel and systems streamlining; resource allocation; scale efficiencies
- Governance: rationalized controls; redundancy; rationalized systems; decision making; culture; reporting; agility

4. Value: The Cost Side
- Direct: consulting services; hardware and software cost; implementation and support cost
- People: direct personnel cost; contributors from business; management effort; reporting cost; staff for support
- Failures: regulatory fines; business interruption losses; market cap erosion; fraud-related losses; losses due to risk blindness
- Opportunity: missed opportunities; misaligned strategy; poor business risk management

5. Roadmap: Consider Time to Value on the Roadmap
- Governance and plan
- Applications portfolio
- Ecosystem integration considerations
- App considerations
- Platform considerations

6. Investments: Make the Case

7. Accrue Realized Benefits
- Business case
- Continuous improvement
- Continuous rollout
- Realized benefits

A Little Bit About Automation... Then Recommendations

For what purposes would you apply (or are applying) a third party risk management software solution? (Average rating on a 0 to 2.5 scale)
- On-boarding and due diligence of third parties
- Tracking vendor KPIs and KRIs
- Manage contracts, track compliance to contracts
- Create a single system of vendors across the enterprise
- Proactively identify and mitigate risks
- Replace old or home-grown solutions
- Avoid spreadsheet chaos
- Improve visibility across the extended value chain
- Ensure compliance to regulations
- Ensure business continuity
Source: MetricStream Research

What technology do you use for third party risk management? (select all that apply)
- Office productivity software (e.g., spreadsheets)
- Knowledge management software (e.g., SharePoint)
- In-house built software
- Third party risk management software on a GRC platform
- Third party risk management software on a procurement platform
- Niche third party risk management software
- Other (please explain)
Source: MetricStream Research

Tools Utilized to Combat Cybersecurity
What tools do you utilize in your cybersecurity program? (Options: vulnerability management; IT risk management; business continuity management; security and information event management; multi-factor authentication; threat intelligence; IT GRC)
Some of the most commonly used tools are for vulnerability management (82.4%), IT risk management (79.4%), business continuity management (79.4%), and security and information event management (70.6%).
Source: MetricStream Research

Standards Adopted for Cybersecurity
Which standards have you adopted to manage cybersecurity risk? (Options: NIST Cybersecurity Framework; ISO 27001/27002; COBIT; FFIEC Cybersecurity Assessment Tool; SANS CIS Critical Security Controls; COSO; ISF Standard of Good Practice; ISO 15408; RFC 2196)
The NIST Cybersecurity Framework and ISO 27001/27002 are the two most widely adopted standards for managing cybersecurity risk (45.6% each).
Source: MetricStream Research

Aligning Vendor and Cyber Risks with ERM Programs
- Top-down approach: identify which vendors and assets are critical to achieving business objectives
- Bottom-up approach: identify risks to the systems, assets and data the vendor supports; identify vendor personnel risks
- Identify business processes and the risk relationships that vendors present to IT and enterprise risks (logical integration)
- Track KPIs and vendor KRIs; assess how vendor and cyber risks impact the business objective KPIs
- Promote business value: show how the program improves business performance (disruption of operations, regulatory risks, social storms, privacy and data protection, FCPA)

Thank you