Risk Watch Summer 2015 The Conference Board of Canada 7
Perspectives From Those in the Business
The Current State of Cyber Risk
By Christine Maligec

This article is the second of three in a series on cyber risk. In the first article, we focused on how to start the conversation on cyber risk within an organization using SWIFT and scenario analyses. We identified that the conversation needed to engage cross-functional professionals to get a better sense of the enterprise-wide loss control and mitigation needs.

For this article, we centre on the current state of cyber risks from the perspective of those who work in this sphere and, as part of their responsibilities, have intimate interactions with this threat. We conducted interviews and captured the responses in a question-and-answer format. One company (which we called TELCO) asked us to guard its identity. We have also generalized the responses to protect the participants from cyber threats and possible negative attention from stakeholders. Christine Maligec was the interviewer, identified below as CM.

About the Interviewees

TELCO
The first participating interviewee is a telecommunications company, TELCO. The company engaged several cross-functional professionals internally to contribute an overall perspective to this article.
“Data breach … loss of integrity in your systems … recovery plans do not succeed. The Home Depot and Sony hacking incidents are good examples of what keeps us up at night.”

Tim McCreight
Our second contributor is Tim McCreight, Director of Enterprise Information Security at SUNCOR Energy Services Inc. Tim has extensive experience in developing and utilizing business continuity and disaster recovery plans throughout his career as a physical and IT security professional.
“We continue to ask ‘what if’ questions of our organizations and lead scenario discussions to try to stay ahead of evolving threats and systems vulnerabilities. I think all security professionals want to make sure that as a professional, we are less reactive and are working toward prevention and detection to reduce the effects of a threat.
In a previous role, we used to have analysts who would track and trend specific events, which we provided as a dashboard for leadership. However, the greatest value seen from this data was when synthesized to become intelligence to learn more about a latent, advanced, persistent threat. The way I have always approached it is to try to focus on maintaining services and to keep the entrusted information safe and secure.”

Scott Pidduck
As Senior Underwriter for QBE Canada, Scott Pidduck assesses cyber risk and knows its value from the claims he pays on behalf of clients. His Canadian and global view of cyber risk allows him a front-row advantage to the evolution of this threat.
“Recently the CRA performed a ‘phishing’ exercise with over 16,000 employees. Seventy-eight per cent did not click on the link, but 22 per cent did—even though they were advised of the exercise in advance. This could be very detrimental to any company’s systems should an outside source get access via the same methods.”

THE INTERVIEWS: EIGHT QUESTIONS AND RESPONSES

1. CM: Do you think senior leaders, in general, have an understanding of what cyber risk means? What is holding leaders and the board back from understanding cyber risk: understanding uncertainty of the risk, technical knowledge, or both?

TELCO: “Technology executives” have a good or better understanding; more so than business executives in their peer group in our organization. There are a number of factors affecting leaders’ understanding of this risk—including data quality, trending, benchmarking, and lack of relevant risk models.

TIM: Five years ago, most leaders might not have had the same awareness as they do now. Today, senior leaders have become more aware of this risk and we are seeing a greater profile for chief information security officers (CISOs) within organizations, including regular updates to their board of directors. A combination of factors, such as a lack of knowledge about the types of threats, user behaviour (training), and controls that contribute to the success or failure of these systems and their relationships seems to be a challenge for leaders, but the desire to learn is there.

SCOTT: I think they have a better understanding of what cyber risk means than they did before. It is very much a discussion topic at board levels due, in large part, to the massive (i.e., Target, Home Depot) breaches in the media. I feel that there still is some uncertainty of the threat, but with the landslide of information on this subject over the past couple of years, I feel the uncertainty is relinquishing.
2. CM: What would you say is the biggest barrier to any organization protecting itself from cyber risks and how can we bridge the discussion and acumen within our organizations without scaring key decision-makers?

TELCO: In the broadest sense, it would have to be the capital, like everything else, or the lack of commitment of capital. For many, security is an afterthought—more specifically, lack of security skills and capacity (capacity in terms of timelines and human capacity to identify, implement, and operate key controls).
Risk and information security professionals need to increase their profile in the organization by being a key player in decision-making committees and/or have direct access to the board of directors, board-level risk committees, and executive-sponsored committees. From a work perspective, integrate cyber risk into a holistic risk view with ERM and consistent language—Threat, Vulnerability, and Impact—and participate in more benchmarking.

TIM: The human failures of controls are, in my personal opinion, one of the biggest barriers. The lack of awareness of the evolution of the threats and the misconception of technology controls gives the end user a false sense of security. Although the technology is better than it was a few years ago, it is not perfect. As well, not fully testing the business continuity/disaster recovery plans with realistic assumptions and stakeholder expectations for getting back up and running affects the success of any program.
There is a need to invest in specific training on topics like Software as a Service (SaaS), Microsoft Office, Dropbox, and phishing, as well as general cyber security training for all staff. The combination of both targeted and specific training not only helps users become more efficient, but also protects an organization from victimization by corporate information leaks on social media or sensitive documents found unprotected on SaaS sites.
3. CM: How would you describe a “bad day” from a cyber threat perspective?

TIM: In my career, I endured a few bad days: external intrusions, natural disasters, human failures of controls, loss of a data centre, and key passwords compromised. However, the worst day I would not want to see is a major release of health care data. It is such a personal and private intrusion.

SCOTT: From a cyber underwriter’s perspective, a bad day would be a collapse of a large Cloud computing company (e.g., Google, Amazon, and Rackspace). This could create a number of systemic issues within the commercial sector. System outsourcing becomes something very common for the corporate world due to a number of factors—security, costs/budgets, limited office space, and efficiency, most of all. What we, as an insurance company, look to is not just individual loss scenarios, but a systemic scenario such as the above.

4. CM: What are the most common threats you or your colleagues are experiencing?

TIM: Organized crime is still a common source of threat. Cyber crime is an inexpensive way to operate without violence. The risk of prison is relatively low while the payoff could be in the millions, if not billions.

SCOTT: What we are seeing in the marketplace with relation to cyber claims are hacking-related events (denial-of-service attacks (DDoS), phishing, malware, Cryptolocker extortion, social engineering, etc.). The next biggest threat we are seeing is employee-related breaches. This could be as simple as a misplaced laptop or lost USB key, but also could be a rogue employee who is taking and selling specific data or providing access to information to others for their individual gain.
5. CM: What gives you hope that you or your organization will not experience such an event?

TELCO: We have strong, experienced security leadership that actively participates in industry-sharing events, targeted communication, and education and awareness, which gives us comfort. In addition, our solid governance and comprehensive programs for the controls, policies, collaborative business involvement in security strategy, and a good profile with direct access to board and executive-level committees help with “tone at the top.”

TIM: Information security professionals are starting to drive home the message of being resilient. We have changed our messaging to be more realistic so that it is not a matter of “if” but “when.” In addition, when leaders are making calls to engage you for information in the decision-making process, it proactively closes the gaps in your programs.

6. CM: How does an organization stay ahead of this rapidly evolving threat?

TELCO: Sharing cyber threat information with internal and external partners as well as participating in industry forums. Because the “bad guys” are already good at this, we have to be equal or better. Ensure the sensors are on and information is consolidated and analyzed. We investigate alerts and take action to shore up defences as required. Hold executives accountable for controls and compliance. Conduct regular security testing on all assets and suppliers.

SCOTT: The irony is that most companies spend roughly 10 per cent of their time focusing on system security, and the “bad guys” spend 100 per cent of their time trying to break in. Having network assessments performed on a consistent basis helps to identify potential vulnerabilities in your system. This can be somewhat costly to most insureds, but having the results to help build your system security strength can save you greatly over the long term. Another way to stay ahead is to have a well-structured and detailed incident response plan that is in practice. Always prepare for the worst and practise the organization’s response often.
7. CM: Where do you see the opportunity in cyber risk?

TIM: The opportunity would be if we get the concept of cyber risk into post-secondary institutions and make it a part of mandatory learning for those who are looking at work in web design, media, and information technology/systems. It ought to be fundamental learning early on before students apply their training in the real world, but we are not there yet. Also, having security practitioners learn to speak other business languages and communications skills so they can connect better with business leaders.

SCOTT: The opportunity comes from awareness and knowledge-sharing of this risk between organizations. In the past five years, I have seen the evolving acumen of this risk that comes from executives and professionals having dialogue with other organizations. The information-sharing is proactively identifying vulnerabilities and threats.

8. CM: How do you see cyber threats evolving in the future?

TELCO: Threats will evolve to be quicker and more sophisticated. And we will find it harder and harder to catch up—choking productivity, as the directions of technology evolvement and security needs are moving in the opposite direction. We will likely see increased targeting of the “weak links”: supply chain/external users, end-user behaviour, and call centres. There will be a focus on the mobile platforms and smartphones with an increase in state-sponsored cyber attacks.

TIM: The interest focused on an asset varies, depending on who is trying to acquire information or do harm to your organization. More and more professionals in my field are seeing breaches of not only credit card data, but birth/death records, health care files, and lists of political contributors. “Shame” campaigns in the social media with “hot button issues” are one way this information is used. This could affect many people from contributing to democracy or put forth very embarrassing, personal information on someone that could affect them for the rest of their life.

SCOTT: Cyber risks will develop further than just the hacking of systems and theft of personal and corporate information. There have been more and more articles around state-sponsored cyber attacks. I feel that this is just the tip of the iceberg and cyber warfare is very much a growing concern for governments all over the world. Also with the increasing reliability and build-out of the “Internet of things,” this is just another access point for cyber criminals to access and harm individuals.
INTERVIEWEES

With over 30 years of operational experience in the IT and physical security realms, Tim has extensive theoretical and practical experience with security for today’s digital age. Tim’s focus is not just on building great systems, but on developing business continuity and disaster recovery plans to make sure his organization can continue to add value to its customers. Tim is very forward-thinking in his constantly evolving line of work. He recently completed his master’s in science (security & risk management) with Merit. Tim is also a regular contributor to Canadian Security Magazine and is the Regional Vice-President for Region 6C (Saskatchewan, Alberta, and British Columbia) of the American Society of Industrial Security (ASIS). Tim is a Director at Large for (ISC)2 Alberta, and is a member of two ASIS International Committees: the Information Technology Security Council and the Critical Infrastructure Working Group.
Tim McCreight, MSc, CISSP, CPP, CISA
Director Enterprise Information Security
SUNCOR Energy

After completing his business administration diploma, Scott began his insurance career at ACE Canada as an errors and omissions (E&O) underwriter. Over the past decade, Scott has looked at E&O risks from both a Canadian and global perspective. He has gained extensive knowledge of the professional liability risks facing individuals and businesses across a broad spectrum of industries, most significantly in the technology, media, and cyber areas. Since joining QBE in 2012, Scott has worked in partnership with brokers, sharing his knowledge of the ever-changing risks of professionals and businesses, and developing market-leading solutions to best address those risks.
Scott Pidduck
Senior Underwriter, QBE Canada

Christine Maligec is currently the Risk Officer at Alberta Blue Cross. With over 12 years of risk management experience, Christine is able to bridge her understanding across multiple industries and disciplines to look at risk from a holistic perspective. In 2014, Christine started an informal, grassroots ERM networking group in Edmonton. In addition, she supports the Strategic Risk Council by co-chairing its mentoring and coaching initiative as well as sitting on an advisory and executive committee. As an active Risk & Insurance Management Society (RIMS) member, Christine has been involved with her local RIMS chapter for almost a decade and is presently the social and events chair.
Christine Maligec, CRM-E, CRIS
Risk Officer, Alberta Blue Cross

Weitere ähnliche Inhalte

Was ist angesagt?

What Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target AttackWhat Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target AttackBooz Allen Hamilton
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmDavid Sweigert
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts finalDaren Dunkel
 
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House CounselAdam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House CounselAdam Palmer
 
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsTo Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsElizabeth Dimit
 
cybersecurity-in-the-c-suite-a-matt
cybersecurity-in-the-c-suite-a-mattcybersecurity-in-the-c-suite-a-matt
cybersecurity-in-the-c-suite-a-mattYigal Behar
 
10 Questions for the C-Suite in Assessing Cyber Risk
10 Questions for the C-Suite in Assessing Cyber Risk10 Questions for the C-Suite in Assessing Cyber Risk
10 Questions for the C-Suite in Assessing Cyber RiskMark Gibson
 
BLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity LiteracyBLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity LiteracyCasey Fleming
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)Sarah Jarvis
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesJoseph DeFever
 
Sivasubramanian Risk Management In The Web 2.0 Environment
Sivasubramanian Risk  Management In The  Web 2.0  EnvironmentSivasubramanian Risk  Management In The  Web 2.0  Environment
Sivasubramanian Risk Management In The Web 2.0 EnvironmentVinoth Sivasubramanan
 
Executive Summary on the Cyber Risk Webinar
Executive Summary on the Cyber Risk WebinarExecutive Summary on the Cyber Risk Webinar
Executive Summary on the Cyber Risk WebinarFERMA
 
Cyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attentionCyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attentionRamón Gómez de Olea y Bustinza
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityShareDocView.com
 
Wef risk responsibility_hyperconnectedworld_report_2014
Wef risk responsibility_hyperconnectedworld_report_2014Wef risk responsibility_hyperconnectedworld_report_2014
Wef risk responsibility_hyperconnectedworld_report_2014Silvia Cardona
 

Was ist angesagt? (19)

What Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target AttackWhat Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target Attack
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firm
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts final
 
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House CounselAdam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
 
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsTo Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
 
cybersecurity-in-the-c-suite-a-matt
cybersecurity-in-the-c-suite-a-mattcybersecurity-in-the-c-suite-a-matt
cybersecurity-in-the-c-suite-a-matt
 
10 Questions for the C-Suite in Assessing Cyber Risk
10 Questions for the C-Suite in Assessing Cyber Risk10 Questions for the C-Suite in Assessing Cyber Risk
10 Questions for the C-Suite in Assessing Cyber Risk
 
BLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity LiteracyBLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity Literacy
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & Practices
 
Outsourcing
OutsourcingOutsourcing
Outsourcing
 
The meaning of security in the 21st century
The meaning of security in the 21st centuryThe meaning of security in the 21st century
The meaning of security in the 21st century
 
Sivasubramanian Risk Management In The Web 2.0 Environment
Sivasubramanian Risk  Management In The  Web 2.0  EnvironmentSivasubramanian Risk  Management In The  Web 2.0  Environment
Sivasubramanian Risk Management In The Web 2.0 Environment
 
Convergence of Security Risks
Convergence of Security RisksConvergence of Security Risks
Convergence of Security Risks
 
Executive Summary on the Cyber Risk Webinar
Executive Summary on the Cyber Risk WebinarExecutive Summary on the Cyber Risk Webinar
Executive Summary on the Cyber Risk Webinar
 
Cyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attentionCyber security: Five leadership issues worthy of board and executive attention
Cyber security: Five leadership issues worthy of board and executive attention
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for Cybersecurity
 
Wef risk responsibility_hyperconnectedworld_report_2014
Wef risk responsibility_hyperconnectedworld_report_2014Wef risk responsibility_hyperconnectedworld_report_2014
Wef risk responsibility_hyperconnectedworld_report_2014
 

Ähnlich wie 7350_RiskWatch-Summer2015-Maligec

How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?EMC
 
Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital FutureCognizant
 
Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Devendra kashyap
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The Economist Media Businesses
 
130C h a p t e r10 Managing IT-Based Risk11 This c.docx
130C h a p t e r10 Managing IT-Based Risk11 This c.docx130C h a p t e r10 Managing IT-Based Risk11 This c.docx
130C h a p t e r10 Managing IT-Based Risk11 This c.docxLyndonPelletier761
 
130C h a p t e r10 Managing IT-Based Risk11 This c.docx
130C h a p t e r10 Managing IT-Based Risk11 This c.docx130C h a p t e r10 Managing IT-Based Risk11 This c.docx
130C h a p t e r10 Managing IT-Based Risk11 This c.docxherminaprocter
 
Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Bala Guntipalli ♦ MBA
 
Top Cyber News Magazine - Oct 2022
Top Cyber News Magazine - Oct 2022Top Cyber News Magazine - Oct 2022
Top Cyber News Magazine - Oct 2022Matthew Rosenquist
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
 
Tripwire_UK_Executive_Cybersecurity_Literacy_Survey
Tripwire_UK_Executive_Cybersecurity_Literacy_SurveyTripwire_UK_Executive_Cybersecurity_Literacy_Survey
Tripwire_UK_Executive_Cybersecurity_Literacy_SurveyMelloney Jewell
 
2017 october supplementary_reading
2017 october supplementary_reading2017 october supplementary_reading
2017 october supplementary_readingseadeloitte
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Sarah Nirschl
 
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...International Federation of Accountants
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
 
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldRSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldEMC
 
eCrime-report-2011-accessible
eCrime-report-2011-accessibleeCrime-report-2011-accessible
eCrime-report-2011-accessibleCharmaine Servado
 
What Small Business Can Do To Protect Themselves Now in Cybersecurity
What Small Business Can Do To Protect Themselves Now in CybersecurityWhat Small Business Can Do To Protect Themselves Now in Cybersecurity
What Small Business Can Do To Protect Themselves Now in CybersecurityReading Works Detroit
 

Ähnlich wie 7350_RiskWatch-Summer2015-Maligec (20)

How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
 
Securing the Digital Future
Securing the Digital FutureSecuring the Digital Future
Securing the Digital Future
 
How boards can lead the cyber-resilient organisation
How boards can lead the cyber-resilient organisation How boards can lead the cyber-resilient organisation
How boards can lead the cyber-resilient organisation
 
Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
 
130C h a p t e r10 Managing IT-Based Risk11 This c.docx
130C h a p t e r10 Managing IT-Based Risk11 This c.docx130C h a p t e r10 Managing IT-Based Risk11 This c.docx
130C h a p t e r10 Managing IT-Based Risk11 This c.docx
 
130C h a p t e r10 Managing IT-Based Risk11 This c.docx
130C h a p t e r10 Managing IT-Based Risk11 This c.docx130C h a p t e r10 Managing IT-Based Risk11 This c.docx
130C h a p t e r10 Managing IT-Based Risk11 This c.docx
 
Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...
 
Top Cyber News Magazine - Oct 2022
Top Cyber News Magazine - Oct 2022Top Cyber News Magazine - Oct 2022
Top Cyber News Magazine - Oct 2022
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
Tripwire_UK_Executive_Cybersecurity_Literacy_Survey
Tripwire_UK_Executive_Cybersecurity_Literacy_SurveyTripwire_UK_Executive_Cybersecurity_Literacy_Survey
Tripwire_UK_Executive_Cybersecurity_Literacy_Survey
 
2017 october supplementary_reading
2017 october supplementary_reading2017 october supplementary_reading
2017 october supplementary_reading
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
 
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldRSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
 
Cyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsCyber Risks - Maligec and Eskins
Cyber Risks - Maligec and Eskins
 
eCrime-report-2011-accessible
eCrime-report-2011-accessibleeCrime-report-2011-accessible
eCrime-report-2011-accessible
 
What Small Business Can Do To Protect Themselves Now in Cybersecurity
What Small Business Can Do To Protect Themselves Now in CybersecurityWhat Small Business Can Do To Protect Themselves Now in Cybersecurity
What Small Business Can Do To Protect Themselves Now in Cybersecurity
 

7350_RiskWatch-Summer2015-Maligec

The Current State of Cyber Risk
By Christine Maligec

to make sure that as a professional, we are less reactive and are working toward prevention and detection to reduce the effects of a threat. In a previous role, we used to have analysts who would track and trend specific events, which we provided as a dashboard for leadership. However, the greatest value seen from this data was when synthesized to become intelligence to learn more about a latent, advanced, persistent threat. The way I have always approached it is to try to focus on maintaining services and to keep the entrusted information safe and secure.”

Scott Pidduck

As Senior Underwriter for QBE Canada, Scott Pidduck assesses cyber risk and knows its value from the claims he pays on behalf of clients. His Canadian and global view of cyber risk allows him a front-row advantage to the evolution of this threat.

“Recently the CRA performed a “phishing” exercise with over 16,000 employees. Seventy-eight per cent did not click on the link, but 22 per cent did—even though they were advised of the exercise in advance. This could be very detrimental to any company’s systems should an outside source get access via the same methods.”

THE INTERVIEWS: EIGHT QUESTIONS AND RESPONSES

1. CM: Do you think senior leaders, in general, have an understanding of what cyber risk means? What is holding leaders and the board back from understanding cyber risk: understanding uncertainty of the risk, technical knowledge, or both?

TELCO: “Technology executives” have a good or better understanding; more so than business executives in their peer group in our organization. There are a number of factors affecting leaders from understanding this risk—including data quality, trending, benchmarking, and lack of relevant risk models.

TIM: Five years ago, most leaders might not have had the same awareness as they do now. Today, senior leaders have become more aware of this risk and we are seeing a greater profile for chief information security officers (CISOs) within organizations, including regular updates to their board of directors. A combination of factors, such as a lack of knowledge about the types of threats, user behaviour (training), and controls that contribute to the success or failure of these systems and their relationships seems to be a challenge for leaders, but the desire to learn is there.

SCOTT: I think they have a better understanding of what cyber risk means than they did before. It is very much a discussion topic at board levels due, in large part, to the massive (i.e., Target, Home Depot) breaches in the media. I feel that there still is some uncertainty of the threat, but with the landslide of information on this subject over the past couple of years, I feel the uncertainty is relinquishing.

2. CM: What would you say is the biggest barrier to any organization protecting itself from cyber risks and how can we bridge the discussion and acumen within our organizations without scaring key decision-makers?

TELCO: In the broadest sense, it would have to be the capital, like everything else, or the lack of commitment of capital. For many, security is an after-thought—more specifically, lack of security skills and capacity (capacity in terms of timelines and human capacity to identify, implement, and operate key controls). Risk and information security professionals need to increase their profile in the organization by being a key player in decision-making committees and/or have direct access to board of directors, board-level risk committees, and executive-sponsored committees. From a work perspective, integrate cyber risk into a holistic risk view with ERM and consistent language—Threat, Vulnerability, and Impact—and participate in more benchmarking.
TIM: The human failures of controls are, in my personal opinion, one of the biggest barriers. The lack of awareness of the evolution of the threats and the misconception of technology controls gives the end user a false sense of security. Although the technology is better than it was a few years ago, it is not perfect. As well, not fully testing the business continuity/disaster recovery plans with realistic assumptions and stakeholder expectations for getting back up and running affects the success of any program. There is a need to invest in specific training on topics like Software as a Service (SaaS), Microsoft Office, Dropbox, and phishing, as well as general cyber security training for all staff. The combination of both targeted and specific training not only helps users become more efficient, but also protects an organization from victimization by corporate information leaks on social media or sensitive documents found unprotected on SaaS sites.

3. CM: How would you describe a “bad day” from a cyber threat perspective?

TIM: In my career, I endured a few bad days: external intrusions, natural disasters, human failures of controls, loss of a data centre, and key passwords compromised. However, the worst day I would not want to see is a major release of health care data. It is such a personal and private intrusion.

SCOTT: From a cyber underwriter’s perspective, a bad day would be a collapse of a large Cloud computing company (e.g., Google, Amazon, and Rackspace). This could create a number of systemic issues within the commercial sector. System outsourcing becomes something very common for the corporate world due to a number of factors—security, costs/budgets, limited office space, and efficiency, most of all. What we, as an insurance company, look to is not just individual loss scenarios, but a systemic scenario such as the above.

4. CM: What are the most common threats you or your colleagues are experiencing?
TIM: Organized crime is still a common source of threat. Cyber crime is an inexpensive way to operate without violence. The risk of prison is relatively low while the payoff could be in the millions, if not billions.

SCOTT: What we are seeing in the marketplace with relation to cyber claims are hacking-related events (denial-of-service attacks (DDoS), phishing, malware, Cryptolocker extortion, social engineering, etc.). The next biggest threat we are seeing is employee-related breaches. This could be as simple as a misplaced laptop or lost USB key, but also could be a rogue employee who is taking and selling specific data or providing access to information to others for their individual gain.

5. CM: What gives you hope that you or your organization will not experience such an event?

TELCO: We have strong, experienced security leadership that actively participates in industry-sharing events, targeted communication, and education and awareness, which gives us comfort. In addition, our solid governance and comprehensive programs for the controls, policies, collaborative business involvement in security strategy, and a good profile with direct access to board and executive-level committees help with “tone at the top.”

TIM: Information security professionals are starting to drive home the message of being resilient. We have changed our messaging to be more realistic so that it is not a matter of “if” but “when.” In addition, when leaders are making calls to engage you for information in the decision-making process, it proactively closes the gaps in your programs.

6. CM: How does an organization stay ahead of this rapidly evolving threat?

TELCO: Sharing cyber threat information with internal and external partners as well as participating in industry forums. Because the “bad guys” are already good at this, we have to be equal or better. Ensure the sensors are on and information is consolidated and analyzed. We investigate alerts and take action to shore up defences as required. Hold executives accountable for controls and compliance. Conduct regular security testing on all assets and suppliers.

SCOTT: The irony is that most companies spend roughly 10 per cent of their time focusing on system security, and the “bad guys” spend 100 per cent of their time trying to break in. Having network assessments performed on a consistent basis helps to identify potential vulnerabilities in your system.
This can be somewhat costly to most insureds, but having the results to help build your system security strength can save you greatly over the long term. Another way to stay ahead is to have a well-structured and detailed incident response plan that is in practice. Always prepare for the worst and practise the organization’s response often.

7. CM: Where do you see the opportunity in cyber risk?

TIM: The opportunity would be if we get the concept of cyber risk into post-secondary institutions and make it a part of mandatory learning for those who are looking at work in web design, media, and information technology/systems. It ought to be fundamental learning early on before students apply their training in the real world, but we are not there yet. Also, having security practitioners learn to speak other business languages and communications skills so they can connect better with business leaders.

SCOTT: The opportunity comes from awareness and knowledge-sharing of this risk between organizations. In the past five years, I have seen the evolving acumen of this risk that comes from executives and professionals having dialogue with other organizations. The information-sharing is proactively identifying vulnerabilities and threats.

8. CM: How do you see cyber threats evolving in the future?

TELCO: Threats will evolve to be quicker and more sophisticated. And we will find it harder and harder to catch up—choking productivity, as the directions of technology evolvement and security needs are moving in the opposite direction. We will likely see increased targeting of the “weak links”: supply chain/external users, end-user behaviour, and call centres. There will be a focus on the mobile platforms and smartphones with an increase in state-sponsored cyber attacks.

TIM: The interest focused on an asset varies, depending on who is trying to acquire information or do harm to your organization.
More and more professionals in my field are seeing breaches of not only credit card data, but birth/death records, health care files, and lists of political contributors. “Shame” campaigns in the social media with “hot button issues” are one way this information is used. This could affect many people from contributing to democracy or put forth very embarrassing, personal information on someone that could affect them for the rest of their life.

SCOTT: Cyber risks will develop further than just the hacking of systems and theft of personal and corporate information. There have been more and more articles around state-sponsored cyber attacks. I feel that this is just the tip of the iceberg and cyber warfare is very much a growing concern for governments all over the world. Also with the increasing reliability and build-out of the “Internet of things,” this is just another access point for cyber criminals to access and harm individuals.

INTERVIEWEES

With over 30 years of operational experience in the IT and physical security realms, Tim has extensive theoretical and practical experience with security for today’s digital age. Tim’s focus is not just on building great systems, but on developing business continuity and disaster recovery plans to make sure his organization can continue to add value to its customers. Tim is very forward-thinking in his constantly evolving line of work. He recently completed his master’s in science (security & risk management) with Merit. Tim is also a regular contributor to Canadian Security Magazine and is the Regional Vice-President for Region 6C (Saskatchewan, Alberta, and British Columbia) of the American Society of Industrial Security (ASIS). Tim is a Director at Large for (ISC)2 Alberta, and is a member of two ASIS International Committees: the Information Technology Security Council and the Critical Infrastructure Working Group.

Tim McCreight, MSc, CISSP, CPP, CISA
Director Enterprise Information Security, SUNCOR Energy

After completing his business administration diploma, Scott began his insurance career at ACE Canada as an errors and omissions (E&O) underwriter. Over the past decade, Scott has looked at E&O risks from both a Canadian and global perspective. He has gained extensive knowledge of the professional liability risks facing individuals and businesses across a broad spectrum of industries, most significantly in the technology, media, and cyber areas.
Since joining QBE in 2012, Scott has worked in partnership with brokers, sharing his knowledge of the ever-changing risks of professionals and businesses, and developing market-leading solutions to best address those risks.

Scott Pidduck
Senior Underwriter, QBE Canada

Christine Maligec is currently the Risk Officer at Alberta Blue Cross. With over 12 years of risk management experience, Christine is able to bridge her understanding across multiple industries and disciplines to look at risk from a holistic perspective. In 2014, Christine started an informal, grassroots ERM networking group in Edmonton. In addition, she supports the Strategic Risk Council by co-chairing its mentoring and coaching initiative as well as sitting on an advisory and executive committee. As an active Risk & Insurance Management Society (RIMS) member, Christine has been involved with her local RIMS chapter for almost a decade and is presently the social and events chair.

Christine Maligec, CRM-E, CRIS
Risk Officer, Alberta Blue Cross