Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board

Privileged and Confidential Information Twitter:@RevInnovator CyberSecurity Five Ways for Boards to Prepare October 2015

Transcript of Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board

Page 1: Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board


CyberSecurity Five Ways for Boards to Prepare

October 2015

Page 2: Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board


The Last Year of High Profile Breaches


11,000,000 – Bank Accounts, Social Security Numbers
80,000,000 – Social Security Numbers, eMail Addresses, Physical Addresses
47,000 – Proprietary Info, Employee info
109,000,000 – Credit Cards, eMail Addresses
83,000,000 – eMail Addresses, Physical Addresses
145,000,000 – eMail Addresses, Physical Addresses, Login Credentials
110,000,000 – Credit Card Numbers

Source: Bloomberg.com - A Quick Guide to the Worst Corporate Hack Attacks

Page 3: Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board


High Profile Firings: Not Just IT


Mailroom Employee Highmark

MDF Transcription Boston Medical Group

Two hospital workers Georgia Hospital

“Terrific Employee” Goold Health System

Target CIO – Beth Jacobs

Maricopa County Community College District – Miguel Corozo

The Texas State Comptroller's office – Susan Combs

Target CEO – Gregg Steinhafel

The Utah state Department of Technology Service

Page 4: Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board


A primary responsibility of every board is to secure the future of the organization.

- Tom Horton – Boards & Directors

Page 5: Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board


The New Normal

•  Every company is an IT Company

•  Every company is a Big Data Company

•  BYOX will continue to grow

•  Most security is perimeter security

•  ~25% of HIPAA breaches involve a trusted partner – That number is poised to increase as business associates are now liable under the new HIPAA rule


Page 6: Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board


Top Three Industry Breaches


Industry      Number of Incidents                    Confirmed Data Loss
              Total     Small    Large    Unknown    Total    Small    Large    Unknown
Public        50,315    19       49,596   700        303      6        241      56
Information   1,496     36       34       1,426      95       13       17       65
Financial     642       44       177      421        277      33       136      108

Dollar loss is difficult to calculate

Boards and Executives care about business impact

Page 7: Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board


Page 8: Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board


30 years later: Why do Companies still #Fail?

•  Security and Compliance treated as “IT problems” and not as core Business Operations

•  Security spend is perceived as a burden expense – Consider it in the same way as your Accounting function

•  Most compliance and security needs primarily address the complex internal IT requirements – Governance, human and wider partner-network vulnerabilities are lightly considered


Page 9: Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board


According to a 2014 Verizon Report, only 10% of Merchants/Service Providers were fully compliant with DSS 2.0 standards*


*Verizon 2014 PCI Compliance Report - http://www.verizonenterprise.com/pcireport/2014/

Compliance ≠ Security!

Page 10: Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board


Five Mandates for the Board

Understanding – People – Process – Technology – Preparedness

•  Understanding
–  What are the risks?
–  Chain of trust?
–  Do they understand Cyber?

•  People
–  Are the right people in place?
–  Do they have the resources they need?
–  Do they understand the company's strategic risks?

•  Process
–  Is there a breach response plan?
–  Do you have partners ready to support?
–  How often is it tested?

•  Technology
–  Cyber-risk is not an IT problem.
–  IT is one of the enablers

•  Preparedness
–  Is business continuity ready?
–  Is it tested?
–  Are out-of-band methods in place?

Page 11: Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board


Cyber Insurance is a Reality


Page 12: Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board


Example of a Prepared Team


April 2014: A Dutch teenage girl sends a “prank” tweet threatening American Airlines. American Airlines’ response was direct and got media airplay.

@AmericanAir tweeted “@QueenDemetriax_ Sarah, we take these threats very seriously. Your IP address and details will be forwarded to security and the FBI.”

@QueenDemetriax_ tweeted “@AmericanAir hello my name's Ibrahim and I'm from Afghanistan. I'm part of Al Qaida and on June 1st I'm gonna do something really big bye.”

Page 13: Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board


Five Questions for Executives and Boards

•  Is an up-to-date security framework in place?

•  Does a breach response plan exist?

•  How much does (cyber) insurance cover?

•  Are both internal and external (partner) resources considered?

•  Do employees understand their role in relation to company security?


Page 14: Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board

excellence. perspective. innovation.

Page 15: Seattle Biz-Tech Summit 10-2015 CyberSecurity and the Board


NACD Five Principles

1.  Cyber security is an enterprise-wide risk management issue, not just an IT problem.

2.  Address the serious legal consequences of cyber risks.

3.  Cyber security must be addressed with professionals and given board-level priority.

4.  Directors must advise management to take all steps necessary to comprehensively address cyber risk with personnel and resources.

5.  Determine how your organization would deal with a breach and whether liability can be addressed via insurance.
