Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board
Transcript of Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board
Privileged and Confidential Information Twitter:@RevInnovator
CyberSecurity Five Ways for Boards to Prepare
October 2015
The Last Year of High Profile Breaches
- 11,000,000: Bank Accounts, Social Security Numbers
- 80,000,000: Social Security Numbers, eMail Addresses, Physical Addresses
- 47,000: Proprietary Info, Employee Info
- 109,000,000: Credit Cards, eMail Addresses
- 83,000,000: eMail Addresses, Physical Addresses
- 145,000,000: eMail Addresses, Physical Addresses, Login Credentials
- 110,000,000: Credit Card Numbers
Source: Bloomberg.com - A Quick Guide to the Worst Corporate Hack Attacks
High Profile Firings: Not Just IT
- Mailroom employee - Highmark
- MDF Transcription - Boston Medical Group
- Two hospital workers - Georgia Hospital
- "Terrific Employee" - Goold Health System
- Target CIO - Beth Jacobs
- Maricopa County Community College District - Miguel Corozo
- The Texas State Comptroller's office - Susan Combs
- Target CEO - Gregg Steinhafel
- The Utah State Department of Technology Service
A primary responsibility of every board is to secure the future of the organization.
- Tom Horton – Boards & Directors
The New Normal
• Every company is an IT company
• Every company is a Big Data company
• BYOX will continue to grow
• Most security is perimeter security
• ~25% of HIPAA breaches involve a trusted partner
  – That number is poised to increase as business associates are now liable under the new HIPAA rule
Top Three Industry Breaches
              Number of Incidents                  Confirmed Data Loss
Industry      Total    Small   Large   Unknown     Total   Small   Large   Unknown
Public        50,315   19      49,596  700         303     6       241     56
Information   1,496    36      34      1,426       95      13      17      65
Financial     642      44      177     421         277     33      136     108
Dollar loss is difficult to calculate
Boards and Executives care about business impact
30 years later: Why do Companies still #Fail?
• Security and compliance are treated as "IT problems" and not as core business operations
• Security spend is perceived as a burden expense
  – Consider it in the same way as your accounting function
• Most compliance and security efforts primarily address the complex internal IT requirements
  – Governance, human and wider partner-network vulnerabilities are lightly considered
According to a 2014 Verizon report, only 10% of merchants and service providers were fully compliant with the PCI DSS 2.0 standard*
*Verizon 2014 PCI Compliance Report - http://www.verizonenterprise.com/pcireport/2014/
Compliance ≠ Security!
Five Mandates for the Board
Understanding
People
Process
Technology
Preparedness
• Understanding
  – What are the risks?
  – Chain of trust?
  – Do they understand cyber?
• People
  – Are the right people in place?
  – Do they have the resources they need?
  – Do they understand the company's strategic risks?
• Process
  – Is there a breach response plan?
  – Do you have partners ready to support?
  – How often is it tested?
• Technology
  – Cyber-risk is not an IT problem.
  – IT is one of the enablers.
• Preparedness
  – Is business continuity ready?
  – Is it tested?
  – Are out-of-band methods in place?
Cyber Insurance is a Reality
Example of a Prepared Team
April 2014: A Dutch teenage girl sends a “prank” tweet threatening American Airlines. American Airlines’ response was direct and got media airplay.
@AmericanAir tweeted: "@QueenDemetriax_ Sarah, we take these threats very seriously. Your IP address and details will be forwarded to security and the FBI."
@QueenDemetriax_ had tweeted: "@AmericanAir hello my name's Ibrahim and I'm from Afghanistan. I'm part of Al Qaida and on June 1st I'm gonna do something really big bye."
Five Questions for Executives and Boards
• Is an up-to-date security framework in place?
• Does a breach response plan exist?
• How much does (cyber) insurance cover?
• Are both internal and external (partner) resources considered?
• Do employees understand their role in relation to company security?
NACD Five Principles
1. Cyber security is an enterprise-wide risk management issue, not just an IT problem.
2. Address the serious legal consequences of cyber risks.
3. Cyber security must be addressed with professionals and given board-level priority.
4. Directors must advise management to take all steps necessary to comprehensively address cyber risk with personnel and resources.
5. Determine how your organization would deal with a breach and whether liability can be addressed via insurance.