Cyber Security and the Convergence of Risk Management Functions
Gary Harbison – Monsanto CISO
June 19, 2015

Summary

Agenda
• Monsanto Overview
• Cyber Threat Landscape
• Popular Attack Types
• Convergence of Risk Management Functions
• What You Can Do to Protect Yourself

Key Takeaways
• Threats continue to evolve… security organizations must evolve with them
• Taking a true risk based approach drives synergies between programs
• Be involved and partner with your security departments… you can protect your company and yourself at home

Monsanto - Working Together for Sustainable Agriculture

Bringing a broad range of solutions to help nourish our growing world

Collaborating to help tackle some of the world’s biggest challenges
• Rising Populations
• Changing Economies & Diets
• Limited Farmland
• Changing Climate

Our Solutions for Sustainable Agriculture

Our toolkit includes:
• Plant Breeding
• Biotechnology
• Crop Protection
• Precision Agriculture

The Global Cyber Threat Landscape Continues to Increase in Velocity & Complexity

• Attackers go undetected for 229 days (Source: 2014 Mandiant Report)
• Cyber attacks could cost the global economy $3 trillion in lost productivity & growth (Source: McKinsey & Co. 2014 report)
• More than 140 countries have some level of cyber weapon development program (Source: fortune.com)
• Average cost of a data breach: $3.5 million, increased 15% over the past year (Source: 2014 study, Ponemon Institute)
• Data breaches tracked hit a record high in 2014 at 783… a 27.5% increase over 2013 (ITRC 2014 Breach List)

In 2014, many consumers began feeling “breach fatigue”… and 2015 is on another record setting pace.

Understanding Your Adversaries

Pre-2009: attackers looked for easy targets. Focus on defense against this scope of attackers: address the basics; be better than the next company and they will move on.

Attacker pyramid (Skilled, Efficient, Patient, Motivated):
• Elite Attackers
• Skilled Aggressors: talented; bigger agenda; enable the masses
• The Masses: use tools others develop; desire status; want to be a part of something

Evolution of Threats
• Cyber Espionage: well funded, focused on high dollar assets like Intellectual Property; highly skilled/patient, state sponsored; evolve with their targets
• Cyber Warfare: highly skilled and patient; focused on strategic targets; aligned with a much larger agenda
• Cyber Crime: highly skilled and patient; focused on easily monetized assets; well versed in global cybercrime laws
• Hacktivist: want to be a part of the cause; focused on embarrassment of target; less skilled, but organized and motivated
• Internal: often cyber espionage related; data leakage/data theft; inadvertent insider mistakes

Malware/APT/Phishing

[Diagram: attacker, internet, you, malware, internal network; numbered steps 1 to 5]

Popular form of attack, many variations.

Distributed Denial of Service (DDoS): disrupts business; intense web traffic overloads the network.

[Diagram: attacker, controller, zombies, victim]

A Balanced Adversarial Driven Philosophy

[Chart: Noise to Detect (NTD) and Difficulty of Compromise (DOC) plotted over Time, rated High/Med/Low; the adversaries' Operating Surface (OS) lies between the two curves]

Goal: Reduce the operating surface of the adversaries

Reduce NTD (Noise to Detect)
• Minimize “Dwell Time”
• Intelligence & Sharing
• Monitoring of Key Assets
• Fusion of Intelligence
• Behavioral Based Threat Analytics

Increase DOC (Difficulty of Compromise)
• Basic Security Hygiene
• Secure by Design Approach
• Vulnerability Management
• Improved Access Controls
• Continuous Security Testing & Improvement

Convergence of Risk Management Programs Drives Synergies & Increases Effectiveness

Stages of Cyber Security
• DETER: Security Testing; Perimeter Security; Endpoint Protection; Basic Hygiene & LCM
• DETECT: Cyber Intelligence; Security Monitoring; External Collaboration; Acceptable Use Monitoring
• CONTAIN: Incident Response; Data Loss Prevention; Privacy Breach Response; Crisis Management Team
• RECOVER: Root Cause Analysis; Continuous Improvement; Business Continuity Planning

Engage & Communicate
Governance & Compliance Management

Privacy and IoT Emerging As Focus Areas

Three Questions in Privacy
• How do you protect the data?
• How do you use the data?
• Are you compliant with global regulations?

New Capabilities Result in Consumer Decisions
[Diagram: Willingness and Benefit weighed against Trust and Risk]


Business Continuity Requires Cross Functional Alignment and Business Ownership

[Diagram themes: Assessment, Management Responsibility, Mitigation, Reporting, Maintenance, Visibility, Consistency, Coordination, Oversight, Authority, Accountability]

BCM Team
• Align BCM with business strategy
• Provide BCM governance
• Provide metrics and reporting
• Conduct training and awareness
• Drive BIA refresh

ERM Team
• BCM oversight
• Sponsor BIA refresh

IT Disaster Recovery
• Align DR with BC requirements
• Develop/update DR plans
• Coordinate DR tests
• Report on DR status

Site Continuity
• Site emergency response plans
• Coordinate with local authorities (PD, Fire, EMT)
• Conduct site tests
• Provide metrics and reporting

Work Force Resilience
• Identification of resources
• Cross training
• Succession planning
• Periodic training/update

Crisis Management Team
• BC/DR plan activation
• Crisis communications
• Command and control

Synergies Achieved Through Alignment of Risk Management Programs

• Cyber Security Program: Deter, Detect, Respond, Recover
• Privacy Program: Data Protection, Data Use
• Legal & Regulatory Compliance
• Business Continuity Management
• Business Impact Analysis
• Disaster Recovery
• Site Continuity
• Workforce Resilience
• Enterprise Risk
• Crisis Management Team
• Incident Response
• Intelligence Fusion Center
• Risk Stakeholders

Clear delineation of risks becomes more difficult. Unifying processes drives consistency and preparedness.

Your Digital Footprint

Did you know… individuals LIKE YOU can be the target for these types of attacks.

EVERY DAY over 1 million adults become cyber crime victims (Source: symantec.com)

BEWARE of what you share. THINK BEFORE YOU POST.
Do your research: Google yourself.

How to Identify Suspicious Email

• Review it: look for things that are out of the ordinary or unexpected
• Be cautious of soliciting emails from an unfamiliar source
• Sense of urgency
• HOVER OVER LINKS with your mouse to view the URL
• Report suspicious email to your security team: [email protected]

What Can You Do @ Home?

• SECURE ONLINE ACCOUNTS: Free credit report (annualcreditreport.com)
• PROTECT YOUR DEVICES: Locate - Lock - Backup - Update
• ONLINE BEHAVIOR: Be skeptical. You are a target; if it seems out of the ordinary, question it.
• Keep your systems and security software up to date
• JOIN THE CAUSE: Help fight cyber crime
• Stay informed
• Consider identity theft protection
• Research ways to protect yourself and your family (Google “top cyber tips for your family”)
• Have the conversation and educate your children

What Can You Do @ Work? Partner to Protect

• START SECURE: Early engagement; build in security up front
• LEAD BY EXAMPLE: Be an InfoSec advocate; engage with your security team and help spread the word
• TRUST YOUR INTUITION: If something looks strange, report it to your security team
• TAKE THE OPPORTUNITY: Get involved, learn, ask
• SEE SOMETHING, SAY SOMETHING
• Read and understand your security policies and acceptable use policies, and make protecting your company a priority


Thank You
Gary Harbison
[email protected]