THE DIGITAL AGE
THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS
Download the entire guide and follow the conversation at SecurityRoundtable.org
CYBER RISK AND WORKFORCE DEVELOPMENT

Collaboration and communication between technical and nontechnical staff, business lines and executives

Wells Fargo & Company
Rich Baich, CISO

"You can have brilliant ideas, but if you can't get them across, your ideas won't get you anywhere." Lee Iacocca

Delivering results is a key metric of success for any leader. Exceeding revenue goals, meeting hiring and retention goals, or staying within operational budgets are well-known and well-understood results. These goals are clear, easily measurable, and, most importantly, every individual understands his or her role in achieving them. These goals are often established with limited collaboration and a single communication to the appropriate leaders, with little tolerance for failing to achieve them. The language used when establishing these goals and publishing the results transcends technical and nontechnical executives. This information must be understood and actionable; regardless of the executive's background, having this information available allows him or her to make an informed decision. Leaders need the right information at the right time to collaborate, communicate, and ultimately make the best decision. Information enables the executive to use a decision process or framework of reasoning to help rationalize the data and choose the best course of action. As the topic of cybersecurity rapidly moves to the top of every C-level executive's agenda, cyber leaders must embrace the importance of collaboration and communication while building bridges to ensure decisions are understood and actionable.

Establish a cyber risk decision framework

We live in a time of acute and persistent threats to our national security, our economy, and our global communities. The number of reported cyber incidents continues to grow. The threat of a catastrophic cyber event continues to lurk in the distance. New cyber vulnerabilities are reported each day, and the frequency of zero-day threats is increasing. New victims make the headlines weekly. As a result, cyber leaders continue to be asked whether their organizations are spending enough to address cyberthreats. To answer this question, cyber leadership must have the facts to establish a decision framework to guide them. Having a firewall, purchasing the latest technologies, growing the number of cyber professionals, and having information security policies do not, by themselves, provide all the information needed to answer this question. Knowing what data to collect, demonstrating the ability to get the data in a timely fashion, operationalizing the data, and ensuring the data get to the right decision maker can provide an actionable framework. The following are a few examples of the information needed to enable a framework:

- What risks will be mitigated if these additional funds are provided?
- Specific cyberthreats are known, monitored, and integrated into the risk prioritization decision process.
- Vulnerabilities are identified, prioritized, remediated, and validated in a timely manner.
- Critical assets are well known, accountability is clear, and there is clear responsibility for ensuring those assets meet defined protection criteria.
- The likelihood of a specific exploit, attack, or significant occurrence is understood and used in the cyber risk prioritization framework.

Having trustworthy data is the foundation of all cybersecurity decision frameworks. It is important to have a framework to help support the fundamental changes required to enhance cyber practices and enable communication.

Scenario: Cyber risk decision framework

Today, the media announces that a new zero-day exploit has been identified. Business executives want to know:

- What do they need to do to respond to the exploit?
- How vulnerable are their products and solutions to this exploit?
- Is there any potential for business impact to customers or suppliers?
- Do they need to contact their third parties to see if they are secure?
- Will this affect their ability to service their own third-party relationships?

Using the following framework formula to explain an approach could be helpful:

Risk = Vulnerability × Threat × Asset Value × Probability of Occurrence

Having trustworthy data readily available allows cyber executives to quickly and confidently communicate throughout the organization and with third parties. For example, a quick query of the asset inventory indicates there are 50 instances of the affected software in the current infrastructure and five within the third-party ecosystem. Of those 50 internal instances, only three are external facing; the remaining 47 are internal to the network. All the third-party instances are internal to the partner's network. The vendor of the affected software has provided a patch and recommended applying it immediately. The internal cyberthreat team has reviewed the external intelligence, and there are already indications of potential miscreants scanning for the newly identified vulnerability. Additional intelligence and analysis suggest exploit code is already being crafted to take advantage of it. If successful, the exploit can be used to deliver malicious code throughout the organization, causing kinetic and nonkinetic damage. Armed with this information, cyber leadership can quickly move to gain consensus, communicate recommendations, and influence the mitigation activities required to address the threat.

Defining your stakeholders

Trustworthy data are a key foundation to establishing cybersecurity credibility.
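As an added worked example, not part of the original guide, the script below models the scenario's "quick query of the asset inventory" and the framework formula in Python. The inventory, the product name "widgetd", and the 0..1 scales for vulnerability, threat and probability of occurrence are all constructed assumptions; the point is that the counts reported to executives and a remediation order come from the same trustworthy data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    exposure: str          # "external" (internet facing) or "internal"
    third_party: bool      # instance lives inside a partner's network
    asset_value: int       # 1 (low) .. 5 (critical), assumed scale

# Constructed inventory reproducing the scenario: 50 own instances (3 external
# facing, 47 internal) and 5 partner instances, plus one unaffected product.
INVENTORY = (
    [Asset(f"web-{i}", "widgetd", "external", False, 5) for i in range(3)]
    + [Asset(f"app-{i}", "widgetd", "internal", False, 3) for i in range(47)]
    + [Asset(f"partner-{i}", "widgetd", "internal", True, 2) for i in range(5)]
    + [Asset("hr-db", "otherdb", "internal", False, 5)]  # must not be counted
)

# Threat inputs from the scenario's intelligence, on an assumed 0..1 scale.
VULNERABILITY = 1.0      # unpatched zero-day: fully vulnerable until patched
THREAT = 0.9             # scanning observed, exploit code being crafted
PROBABILITY = {"external": 0.8, "internal": 0.2}  # assumed: reachable vs not

def affected(inventory: list[Asset], product: str) -> list[Asset]:
    """The 'quick query of the asset inventory' for instances of the product."""
    return [a for a in inventory if a.product == product]

def exposure_summary(assets: list[Asset]) -> dict[str, int]:
    """The three numbers communicated upward: external, internal, third party."""
    own = [a for a in assets if not a.third_party]
    return {
        "external": sum(a.exposure == "external" for a in own),
        "internal": sum(a.exposure == "internal" for a in own),
        "third_party": sum(a.third_party for a in assets),
    }

def risk(a: Asset) -> float:
    """Risk = Vulnerability x Threat x Asset Value x Probability of Occurrence."""
    return VULNERABILITY * THREAT * a.asset_value * PROBABILITY[a.exposure]

def prioritized(assets: list[Asset]) -> list[tuple[str, float]]:
    """Remediation order: highest-risk instances (external facing) first."""
    return sorted(((a.name, round(risk(a), 2)) for a in assets), key=lambda t: -t[1])

if __name__ == "__main__":
    hits = affected(INVENTORY, "widgetd")
    print(exposure_summary(hits))   # {'external': 3, 'internal': 47, 'third_party': 5}
    print(prioritized(hits)[:5])
```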
The performance of executives, whether they work in a line of business, in corporate staff, or in technology, is often measured by results. Achieving results in cybersecurity requires others to take action. Effective leaders can motivate groups of like-minded people to come together and rally behind a cause to achieve a goal. Finding those individuals in the organization is critical to success. Identifying individuals who will become stakeholders in the cybersecurity journey provides the support needed to drive change. The following is a list of potential stakeholders to consider:

- chief executive officer (CEO)
- chief financial officer (CFO)
- chief auditor
- chief administration officer (CAO)
- chief communication officer (CCO)
- chief risk officer (CRO)
- member(s) of the board of directors
- chief information officer (CIO)
- line of business leaders
- audit committee
- chief technology officer (CTO)
- risk leaders

In addition to individual stakeholders, establishing a cybersecurity steering committee with cross-organizational representation can provide an additional platform for collaboration and communication. The purpose of the committee should be to promote cybersecurity awareness, provide a forum in which cybersecurity topics can be discussed, and solicit feedback to help evolve and mature cyber practices over time. In addition, the committee will seek to identify cybersecurity topics that may affect the broader industry and the emerging trends that may affect the organization. The cybersecurity committee could:

1. review cybersecurity strategic direction and planned initiatives
2. discuss major milestones for cybersecurity initiatives that are in the process of being deployed
3. assess the business impact of material cybersecurity program changes
4. discuss lessons learned and situations in which program adjustment is prudent
5. identify potential areas of conflict and/or resource constraints between the cybersecurity program and business priorities
6. discuss impacts from and/or to the larger industry.

Stakeholders want the facts and reassurance that the information being reported is trustworthy and actionable. Risk management is everyone's responsibility, and individuals take great pride in helping reduce risk. Proactively removing a risk before it evolves into a negative consequence is a significant measure of success. Providing a stakeholder with data that clearly demonstrate a risk was remediated before it became significant will win the trust of most individuals.

Scenario: Defining stakeholders

You have been asked by a line of business leader to provide information regarding a third party before a contract is signed. Due diligence on third parties before any contract is signed is a leading industry practice. However, what if you and your cybersecurity team were able to provide cyber intelligence suggesting that the potential third-party partner appears on a top-five easiest-to-hack organization list being posted in credible underground forums? Having information without being able to make it actionable often results in a very heavy paperweight. In this scenario, having cyber intelligence to provide to the stakeholders gave them transparency into cyber risks, which produces measurable results. Maintaining a results-oriented mentality coupled with the right stakeholder group can help enable a culture that supports cybersecurity.

Delivering the message

Effective communication, especially during a time of change, requires frequent touchpoints. Having a communicator or a communication team specifically aligned with the cybersecurity team can provide immense benefits. There is a delicate balance in the frequency and content of what is communicated to stakeholders. The fundamental goal is to tell the cybersecurity story throughout the organization through clear, concise, targeted communications delivered via the most effective dissemination channels. Some will want more frequent communications, whereas others will desire less. Some will prefer pull communications, and others will want the information pushed to them. Cultural appetite, tone from the top, and organizational commitment help drive the communication delivery techniques required to ensure stakeholders are aware. Some examples include the following:

- publish monthly newsletters to various stakeholders
- create a robust intranet presence with tools and communications
- celebrate success stories of collaborative achievements
- provide platforms for cyber champion recognition
- track, measure, and report the effectiveness of the communications through a cyber communication dashboard

Having a channel into the corporate communications team gives cybersecurity the opportunity to align, influence, and enable the flow of cybersecurity content into normal business communications. It is critical that the corporate crisis communication team be part of the cybersecurity incident response team because of the potential reputational impact of a significant cyber incident. During a time of crisis, concise and timely communications to key stakeholders and customers can often be the difference between an incident being managed and an incident being exaggerated. Tactically positioning the cybersecurity story within the organization through effective education and awareness, while addressing the latest trends in cybersecurity, can help build collaboration by demonstrating how individuals can partner with cybersecurity to address customer needs.
Regardless of the industry, customers want to know their information is safe and that the organization holding their data has a clear plan to keep it that way. Adding cybersecurity reminders to existing customer communications begins to demonstrate that commitment to the customer. It takes a long time to earn trust, but it only takes a second to lose it. This also holds true for internal stakeholders. Often the information and measurement of results reported by the cybersecurity team may not be perceived as positive news. For example, the cybersecurity team may implement new technology that provides enhanced visibility into the health and hygiene of various technology assets. If these assets have never had this level of visibility, the results may reveal critical vulnerabilities or weaknesses in the platform. Consequently, when these results are reported, others may take offense at the perceived negative findings. However, this is a great opportunity to educate leadership by explaining that it is far better to find these gaps internally than to be told about them by a law enforcement representative. Don't pass up the opportunity to build a champion; one champion can quickly lead to two, which, in turn, can often grow to thousands.

Conclusion

History has shown that during times of conflict, those countries that aligned themselves with the right allies prevailed and overcame grave challenges. These are challenging times; cyberthreats are real and present significant risks for most organizations. Communicating these risks to technical and nontechnical executives can often be a daunting task that requires additional background and context to get the message across. Executives are results driven and appreciate other executives who are proactive when dealing with risks. The ability to provide trustworthy data and a cyber decision support framework enables cyber executives to translate a new language for other executives. These actions can enhance cybersecurity's internal reputation by strengthening trust and credibility across the organization. Taking the time to include, educate, and collaborate with stakeholders can build alliances. Having the right information is powerful, and those stakeholders who get accurate, timely, and meaningful data will have the opportunity to lead change.
Wells Fargo & Company
420 Montgomery Street
San Francisco, California 94104
Tel +1 800 869 3557
Web www.wellsfargo.com

RICH BAICH
Chief Information Security Officer

Rich Baich is Wells Fargo's Chief Information Security Officer. Prior to joining Wells Fargo, he was a Principal at Deloitte & Touche, where he led the Global Cyber Threat and Vulnerability Management practice. Mr. Baich's security leadership roles include retired Naval Information Warfare Officer; Senior Director for Professional Services at Network Associates (now McAfee); and, after 9/11, Special Assistant to the Deputy Director for the National Infrastructure Protection Center (NIPC) at the Federal Bureau of Investigation (FBI). He recently retired after 20+ years of military service, serving in various roles such as Commander in the Information Operations Directorate at NORAD/Northern Command Headquarters; Commanding Officer, Navy Information Operations Center (NIOC), Denver, Colorado; and Special Assistant at the National Reconnaissance Office (NRO), the Real Time Military Analysis Center, the Reserve Armed Forces Threat Center, the Center for Information Dominance, and the Information Operations Technology Center (IOTC) within the National Security Agency (NSA). Mr. Baich was also selected as an advisor for the 44th President's Commission on Cybersecurity.