Cybersecurity Roadmap Development
Krist Davood

Agenda
1. Cyber Security, the landscape
2. Client problems
3. Fiduciary Responsibility
4. Personal Liability
5. Cybersecurity Executive Dashboard
6. Vicarious Liability
7. Case Studies
8. What needs can we address?
Cyber Security, the landscape
Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security.

Cyber Security, the landscape
5 Quick Facts on Cyber Crime
• 50% of people will plug a USB drive they have found on the ground into their computer.
• 6 minutes is all it takes for attackers to compromise an organisation, 60% of the time.
• 3rd most-targeted, behind the US and the UK, of the 17 examined in a report on banking "botnets".
• 30% of phishing messages were opened (up from 23%), and in 13% of those cases the recipient clicked to open the malicious attachment or link.
• Despite 93% of firms taking steps to protect their business from digital threats, two-thirds have been a victim of cyber crime in the past 2 years.
Cyber Security, the landscape
• Far from being a technological problem, lack of cybersecurity means that the aftermath of a cybersecurity attack sits with Executives and Board members who may not have the right level of technical security knowledge.
• This session will outline what practical steps executives can take to implement a Cybersecurity Roadmap within an organisation.
• A number of case studies will be presented that demonstrate how to establish and achieve a set of measurable security objectives and a governance framework which facilitates practical decisions and spend.
Client Problems
First, some definitions:
• Threat: expressed or demonstrated intent to harm an asset or cause it to become unavailable
• Vulnerability: a flaw in the measures you take to secure an asset
• Exploit: a software program that has been developed to attack an asset by taking advantage of a vulnerability
• Risk: the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability

Client Problems
The Dark Web enables hackers with a means to harm using commoditised software:
• Anonymised access
• Facilitation of criminal activities, where hackers can be hired to hack organisations and individuals
• Stolen data such as credit card information
• Exploits that can be used by low-skilled hackers who only need access to exploit programs with basic instructions
Client Problems
Cyber Security is more relevant than ever in the face of Digital Disruption
Mobility: any-time, any-device, anywhere access to business systems
• Businesses need to protect against vulnerabilities across any device
Big Data: data is open and available
• How do you ensure that only authorised people access the data, in the right way?
IoT (Internet of Things):
• E.g. care sector disruption via in-home monitoring
• A new landscape of vulnerabilities and exploits
Smart TV:
• E.g. activation of the microphone allows remote parties to listen to private discussions
Client Problems
Regulatory matters:
PCI-DSS (Payment Card Industry Data Security Standard)
• E.g. Government agencies, Councils, Utilities
Australian Privacy Principles
• Enforced by the Office of the Australian Information Commissioner
The ISO 27K set of standards is part of a growing family of Information Security Management Systems (ISMS) standards
Client Problems
While IT and cybersecurity risks have evolved and intensified, security strategies have not kept pace with today's mounting risks, and fewer still understand their vulnerabilities, according to The Global State of Information Security (GSIS)® Survey 2016.
Client Problems
What's needed is a new model of cybersecurity, one that is driven by knowledge of vulnerabilities and threats. In other words, advising our clients of their cybersecurity risks and helping them define appropriate policies to mitigate them.
Clients are looking to identify 'what' their problems are so they can make a decision on which risks to deal with. This can only be done by linking cybersecurity to risk management.
Client Problems
Our clients are likely, according to the GSIS survey, to rank the assessment of security risks, inadequate policies and insufficient standards of third parties among their highest priorities.
A cybersecurity risk assessment is part of the solution in mitigating these risks.
Client Problems
Cybersecurity from an Executive's perspective
Former mid-market executive directors and co-founders Carl and Alex Woerndle highlight how they were legally liable for a cyberattack against their business, an attack so damaging that it destroyed their once-prospering firm, Distribute.IT, and nearly sent them into bankruptcy.
Background: Distribute.IT was founded in 2002 by brothers Carl and Alex Woerndle and by 2011 was providing services to clients across Australia and overseas.
However, in mid-2011 the business suffered a cyberattack. The initial breach occurred at approximately 5pm on Friday June 3, 2011, when Carl received a call from his CIO alerting him to a breach in the company's network. The hacker had managed to bypass the company's entire security protocol.
Client Problems
At 4:30pm on Saturday 11 June Distribute.IT's network was attacked again. The internal team began noticing that servers were being deleted, as well as the backups. The final straw occurred when the IT team were locked out of the network, meaning their only option was to 'pull the plug'.
The governance, compliance and vicarious liability issues arose immediately, within 3 days of the second attack, despite most services having been restored. These reactive measures were not enough, as the firm was not able to demonstrate to the authorities that it had policies and procedures in place to ensure the confidentiality, integrity and accessibility of its data.
Fiduciary Responsibility
• Fiduciary Responsibility, in the context of cybersecurity, is the requirement to keep corporate information confidential and to ensure data is handled with a degree of care, skill, and caution.
• Should the Board or a member of the executive team be found to have breached their duty of care, they may be exposed to Vicarious Liability* (i.e. senior officers can be held criminally liable for a lack of due care and due diligence).
• Convictions are more likely when an organisation isn't able to concisely and accurately outline its approach to duty of care and due diligence.
* An example is Mistmorn Pty Ltd (In Liq) v Yasseen and Corporations Act 2001, section 180(1) and (2)
Most cybersecurity threats, and their impact, are surprisingly not about technology… it's about people
How to Deal with Personal Liability
• Board members and executives have fiduciary duties, which require them to monitor and address corporate risks, including cybersecurity threats.
• Executives and directors are beginning to realise they need to make difficult cybersecurity choices in a complex legal and regulatory environment, because guarding against every avenue of potential attack is neither feasible nor a cost-effective cybersecurity risk management strategy.
• It is incumbent on executives/board members to demonstrate that they are monitoring cybersecurity risks, e.g. if a customer's personal details are critical then all technology carrying this data is included in a cybersecurity executive dashboard at Audit Committee meetings.
• The proactive management of cybersecurity risk allows an Executive and/or Board member to qualify for Cybersecurity Liability Insurance.
Cybersecurity Dashboard: How to bridge the gap so you can demonstrate 'Duty of Care'
[Diagram labels: Executive and … (label truncated); Confirm Cybersecurity Risk has been mitigated; Remediation Plan; Root Cause Analysis]
1) Implement a Cybersecurity Dashboard based on your firm's regulatory needs
2) Categorise your data based on the level of compliance it requires
3) Identify data that must be legislatively protected and find the data's touchpoints within the organisation
4) Ensure the touchpoints are protected by your cybersecurity policies
5) Work with an external firm to ensure you have a complete set of policies
Defence against Vicarious Liability
• Demonstrable proof of the Board's or executive team's duty of care is admissible in court where a complete, thorough and concise set of policy documents existed prior to the date of the alleged incident.
• Policies are important reference documents for the resolution of legal disputes about the Board's or management's due diligence. Policies are documents that act as a clear statement of management's intent and are the link between regulatory, legal and IT requirements.
• An effective policy is written at a reasonable reading level to minimise technical jargon and includes management terminology unique to the company, yet conforms to regulatory standards and has management approval.
• Some basic rules must be followed when shaping a policy:
– Never conflict with law
– Stand up in court
– Be properly supported and administered
Defence against Vicarious Liability
• Cybersecurity Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organisation. (NIST SP 800-30)
• Therefore:
• Policies which reverse-engineer the vulnerability and document the Board's and Executives' reasonable steps to avoid a breach will have demonstrated due care and due diligence.
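As an added example (not code from the deck or its author), the following Python script walks dashboard steps 2 to 4 above and rates each regulated touchpoint with a simplified likelihood x impact scale in the spirit of the NIST SP 800-30 definition just quoted, so that uncovered touchpoints surface as dashboard gaps. The three-level scale, the one-level likelihood reduction credited to an approved policy, and every asset, regime and policy name are assumptions constructed for illustration.

```python
"""Policy gap analysis feeding an executive cybersecurity dashboard.
Added example, not from the original deck. Categorise data by regime, list the
touchpoints (systems) holding legislatively protected data, check each against
the approved policy set, and rate residual risk with a simplified NIST SP 800-30
style likelihood x impact scale. Scale, reduction rule and names are constructed.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass(frozen=True)
class DataCategory:
    name: str
    regime: Optional[str]  # regulatory regime, or None if not legislatively protected
    impact: str            # impact if confidentiality/integrity/availability is lost

@dataclass(frozen=True)
class Touchpoint:
    system: str
    category: str    # DataCategory.name
    likelihood: str  # likelihood that a threat exercises a vulnerability here

@dataclass(frozen=True)
class Policy:
    name: str
    covers: frozenset  # (regime, system) pairs this policy explicitly governs
    approved: bool     # management approval; a draft policy demonstrates nothing


def risk_rating(likelihood: str, impact: str) -> str:
    """Map qualitative likelihood and impact to a low/moderate/high rating."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    return "moderate" if score >= 3 else "low"


def covering_policy(tp: Touchpoint, regime: str, policies) -> Optional[Policy]:
    """Return the first approved policy that names this regime/system pair."""
    for pol in policies:
        if pol.approved and (regime, tp.system) in pol.covers:
            return pol
    return None


def gap_analysis(categories, touchpoints, policies):
    """One dashboard row per touchpoint that carries legislatively protected data."""
    by_name = {c.name: c for c in categories}
    rows = []
    for tp in touchpoints:
        cat = by_name[tp.category]
        if cat.regime is None:
            continue  # only data that must be protected goes on the dashboard
        pol = covering_policy(tp, cat.regime, policies)
        residual_likelihood = tp.likelihood
        if pol is not None:  # assumption: a covering policy lowers likelihood one level
            residual_likelihood = NAMES[max(1, LEVELS[tp.likelihood] - 1)]
        rows.append({
            "system": tp.system,
            "regime": cat.regime,
            "policy": pol.name if pol else None,
            "inherent_risk": risk_rating(tp.likelihood, cat.impact),
            "residual_risk": risk_rating(residual_likelihood, cat.impact),
            "gap": pol is None,  # a gap is what the executive must see and fund
        })
    return rows


def dashboard_summary(rows):
    """Roll rows up per regime: touchpoints, uncovered touchpoints, worst residual risk."""
    summary = {}
    for r in rows:
        s = summary.setdefault(r["regime"], {"touchpoints": 0, "gaps": 0, "worst_residual": "low"})
        s["touchpoints"] += 1
        s["gaps"] += int(r["gap"])
        if LEVELS[r["residual_risk"]] > LEVELS[s["worst_residual"]]:
            s["worst_residual"] = r["residual_risk"]
    return summary


# Constructed sample inventory (not real client data).
CATEGORIES = [
    DataCategory("cardholder data", "PCI-DSS", "high"),
    DataCategory("customer PII", "Australian Privacy Principles", "high"),
    DataCategory("marketing stats", None, "low"),
]
TOUCHPOINTS = [
    Touchpoint("payment gateway", "cardholder data", "moderate"),
    Touchpoint("call-centre CRM", "customer PII", "high"),
    Touchpoint("analytics warehouse", "marketing stats", "moderate"),
    Touchpoint("laptop fleet", "customer PII", "high"),
]
POLICIES = [
    Policy("Cardholder Data Handling", frozenset({("PCI-DSS", "payment gateway")}), True),
    Policy("Privacy Policy (draft)", frozenset({  # names the systems, but unapproved
        ("Australian Privacy Principles", "call-centre CRM"),
        ("Australian Privacy Principles", "laptop fleet")}), False),
]
```

Running `dashboard_summary(gap_analysis(CATEGORIES, TOUCHPOINTS, POLICIES))` shows the PCI-DSS touchpoint reduced to moderate residual risk by its approved policy, while both Australian Privacy Principles touchpoints remain high-risk gaps because the privacy policy is still a draft.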
Case Study
An existing firm client (anonymous)
• Compromised by a spoofed email that aimed to have funds transferred (via Pitcher Partners) to a beneficiary account belonging to the hacker
• Reliance on external computer networks was part of the problem
Australian Super
• Development of an IT Security Operations Dashboard for the organisation's Technical Governance Committee (TGC)
• The Dashboard presented metrics to the TGC to enable them to decide on corrective action through investments to remediate, change course and strengthen the organisation's security posture
[Dashboard areas: Security Foundations (Prevent); Tactical Response (Prosecute); Managed Security (Prevent)]
Case Study: A Major Retailer
[Diagram labels: Tactical response to cybercrime; Hacking; Data exfiltration; Information privacy and data protection; Intrusion; System policies and security currency; ID theft]
Case Study: Linking the Major Retailer's Cybersecurity Policy to Risk Management frameworks
This involved a three-week review of the Administrative Controls of the environment.
ADMINISTRATIVE CONTROLS
• Policies
• Standards
• Procedures
• Guidelines
• Personnel screening
• Security awareness training
OPERATIONAL CONTROLS
• Processes (business and security)
• Physical access control
• Safety equipment (UPS, backup)
• DRP/BCP
TECHNICAL CONTROLS
• Logical access control
• Encryption
• Security devices
• Identity management
• Authentication
PHYSICAL CONTROLS
• Facility protection
• Security guards
• Locks, monitoring, environmental controls
• Intrusion detection
[Diagram labels: Administrative Controls; Operational Controls; Technical Controls; Physical Controls; Company Information Assets]
Case Study: A Major Retailer
Approach of this Engagement
The approach undertaken uses the guidelines in NIST SP 800-30, PCI-DSS v3.2, ISO 27013, ISO 27039, ISO 2700x and ISO 31000.
The policy assessment is quite broad and evaluates the Confidentiality, Integrity and Accessibility of data. The policies cover a reasonable range of topic areas, spanning data security, infrastructure and back-end IT services.
A more thorough approach is taken after the initial review: relevant non-IT stakeholders are engaged via interviews, questionnaires and observations in order to develop a deeper understanding of the procedures required to action the policies.
What needs can we address?
We support our clients in defining their IT Security posture and planning to ensure protection of their most sensitive assets (e.g. data, systems) from internal and external threats:
• Executive Cybersecurity Dashboard creation
• Cybersecurity Policy Gap Analysis and Rectification
• Review and development of Cyber Security policies
• Assessments against guidelines and standards such as PCI-DSS, CIS, NIST SP 800-30, ISO 27013, ISO 27039, ISO 2700x and ISO 31000
• Cybersecurity Strategy
What needs can we address?
What is our differentiated value proposition?
• We have existing clients whose businesses we understand
• A firm of auditors with proven frameworks to review and assess against standards
• We have existing clients such as Councils, Utilities and Government entities that are subject to regulatory requirements
Next Steps
• Engage with an independent service provider to review your IT Policies
• Create an Executive Cybersecurity Dashboard
• Identify data which cannot be leaked from a regulatory and compliance perspective
• Data leakage is not limited to systems; ensure personnel know how to handle sensitive data
• Personal Liability: increase your insurance coverage to include Cybersecurity
• Create a Cybersecurity Strategy to allow the Executive Team to prioritise what data and systems need to be protected
Cybersecurity Roadmap Development for Executives

Weitere ähnliche Inhalte

Was ist angesagt?

Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
PECB
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 

Was ist angesagt? (20)

Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Cyber Security Seminar.pptx
Cyber Security Seminar.pptxCyber Security Seminar.pptx
Cyber Security Seminar.pptx
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
Cybersecurity Audit
Cybersecurity AuditCybersecurity Audit
Cybersecurity Audit
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
Security operation center
Security operation centerSecurity operation center
Security operation center
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
 
Cyber Security Maturity Assessment
 Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity Assessment
 
Cyber Security roadmap.pptx
Cyber Security roadmap.pptxCyber Security roadmap.pptx
Cyber Security roadmap.pptx
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 

Ähnlich wie Cybersecurity Roadmap Development for Executives

Cyber Security Privacy Brochure 2015
Cyber Security Privacy Brochure 2015Cyber Security Privacy Brochure 2015
Cyber Security Privacy Brochure 2015
sarah kabirat
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and risk
EY
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
Sarah Jarvis
 
DIGITAL EMPOWERMENT ASSIGNMENT.docx
DIGITAL EMPOWERMENT ASSIGNMENT.docxDIGITAL EMPOWERMENT ASSIGNMENT.docx
DIGITAL EMPOWERMENT ASSIGNMENT.docx
HateMe9
 
The Security Circle- Services Offered
The Security Circle- Services OfferedThe Security Circle- Services Offered
The Security Circle- Services Offered
Rachel Anne Carter
 

Ähnlich wie Cybersecurity Roadmap Development for Executives (20)

The Basics of Cyber Insurance
The Basics of Cyber InsuranceThe Basics of Cyber Insurance
The Basics of Cyber Insurance
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber Security Privacy Brochure 2015
Cyber Security Privacy Brochure 2015Cyber Security Privacy Brochure 2015
Cyber Security Privacy Brochure 2015
 
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and risk
 
Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligence
 
Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting Reputations
 
Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And Security
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite  defining and understanding risk in the moder...White paper cyber risk appetite  defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-Force
 
IBM X-Force.PDF
IBM X-Force.PDFIBM X-Force.PDF
IBM X-Force.PDF
 
Introduction to Incident Response Management
Introduction to Incident Response ManagementIntroduction to Incident Response Management
Introduction to Incident Response Management
 
DIGITAL EMPOWERMENT ASSIGNMENT.docx
DIGITAL EMPOWERMENT ASSIGNMENT.docxDIGITAL EMPOWERMENT ASSIGNMENT.docx
DIGITAL EMPOWERMENT ASSIGNMENT.docx
 
Cybersecurity Challenges in the Modern Digital Landscape.docx
Cybersecurity Challenges in the Modern Digital Landscape.docxCybersecurity Challenges in the Modern Digital Landscape.docx
Cybersecurity Challenges in the Modern Digital Landscape.docx
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
The Security Circle- Services Offered
The Security Circle- Services OfferedThe Security Circle- Services Offered
The Security Circle- Services Offered
 

Kürzlich hochgeladen

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Kürzlich hochgeladen (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 

Cybersecurity Roadmap Development for Executives

  • 2. Personal Liability Fiduciary Responsibility Client problems Cyber Security, the landscape 1 2 3 4 Cybersecurity Executive Dashboard 5 Vicarious Liability 6 Case Studies 7 Agenda What needs can we address? 8
  • 3. 3 Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security. Cyber Security, the landscape
  • 4. Cyber Security, the landscape of people will plug a USB drive they have found on the ground into their computer. 50% is all it takes for attackers to compromise an organisation, 60% of the time. 6minutes behind the US and the UK, from 17 examined in a report on banking "botnets”. 3RD MOST-TARGETED of phishing messages were opened (up from 23%) and in 13% of those cases, the recipient clicked to open the malicious attachment or link. 30% Despite 93% of firms taking steps to protect their business from digital threats, two-thirds have been a victim of cyber crime in the past 2 years 5 QUICK FACTS ON CYBER CRIME
  • 5. Cyber Security, the landscape • Far from being a technological problem, lack of cybersecurity means that the aftermath of a cybersecurity attack sits with Executives and Board members who may not have the right level of technical security knowledge. • This session will outline what practical steps executives can take to implement a Cybersecurity Roadmap within an organisation. • A number of case studies will be presented that demonstrate how to establish and achieve a set of measurable security objectives and a governance framework which facilitates practical decisions and spend.
  • 6. Client Problems First, some definitions: Threat: expressed or demonstrated intent to harm an asset or cause it to become unavailable Vulnerability: a flaw in the measures you take to secure an asset Exploit: a software program that has been developed to attack an asset by taking advantage of a vulnerability Risk: the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability
  • 8. Client Problems The Dark Web, enabling hackers with a means to harm using commodised software. Anonymised access Facilitation of criminal activities where hackers can be hired to hack organisations and individuals Stolen data such as credit card information Exploits that can be used by low skilled hackers who only need to access exploit programs with basic instructions
  • 9. Client Problems Cyber Security is more relevant than ever in the face of Digital Disruption Mobility: Any time/device/where access to business systems • Business need to protect against vulnerabilities across any device Big Data: Data is open and available • How do you ensure that only authorised people access the data in the right way IoT (Internet of Things): • E.g. Care sector disruption via in-home monitoring • A new landscape of vulnerabilities and exploits Smart TV: • E.g. Activation of microphone allows for remote parties to listen to private discussions
  • 10. Client Problems Regulatory matters: PCI-DSS (Payments Card Industry Data Security Standards) • E.g. Government agencies, Councils, Utilities Australian Privacy Principles • Enforced by the office of the Australian Information Commissioner ISO 27K set of standards is part of a growing family of Information Security Management Systems (ISMS) standards
  • 11. While IT and cybersecurity risks have evolved and intensified, security strategies have not kept pace with today's mounting risks - and fewer still understand their vulnerabilities, according to The Global State of Information Security (GSIS)® Survey 2016. Client Problems
  • 12. What's needed is a new model of cybersecurity, one that is driven by the knowledge of vulnerabilities and threats. In other words, advising our clients of the risk of cybersecurity and helping them define appropriate policies to mitigate them. Clients are looking to identify ‘what’ their problems are so they can make a decision on what risks to deal with. This can only be done by linking cybersecurity to risk management. Client Problems
  • 13. Our clients are likely, according to the GSIS survey, rank the assessment of security risks, inadequate policies and insufficient standards of third- parties as one of their highest priorities. A cybersecurity risk assessment is part of the solution in mitigating these risks. Client Problems
• 14. Client Problems: Cybersecurity from an Executive's perspective
Former mid-market executive directors and co-founders Carl and Alex Woerndle highlight how they were held legally liable for a cyberattack against their business, an attack so damaging that it destroyed their once prospering firm, Distribute.IT, and nearly sent them into bankruptcy.
Background: Distribute.IT was founded in 2002 by brothers Carl and Alex Woerndle, and by 2011 they were providing services to clients across Australia and overseas. In mid-2011 the business suffered a cyberattack. The initial breach occurred at approximately 5pm on Friday 3 June 2011, when Carl received a call from his CIO alerting him to a breach of the company's network. The attacker had managed to bypass the company's entire security protocol.
• 15. Client Problems
At 4:30pm on Saturday 11 June Distribute.IT's network was attacked again. The internal team began noticing that servers were being deleted, and the backups with them. The final straw came when the IT team were locked out of the network, leaving 'pulling the plug' as their only option.
The governance, compliance and vicarious liability issues arose within 3 days of the second attack, despite most services having been restored by then. These reactive measures were not enough, because the company could not demonstrate to the authorities that it had policies and procedures in place to ensure the confidentiality, integrity and availability of its data.
• 16. Fiduciary Responsibility
• Fiduciary Responsibility, in the context of cybersecurity, is the requirement to keep corporate information confidential and to ensure data is handled with a degree of care, skill and caution.
• Should the Board or a member of the executive team be found to have breached their duty of care, they may face Vicarious Liability* (i.e. senior officers being held criminally liable for a lack of due care and due diligence).
• Convictions are more likely when an organisation cannot concisely and accurately outline its approach to duty of care and due diligence.
* An example is Mistmorn Pty Ltd (In Liq) v Yasseen, and Corporations Act 2001, section 180(1) and (2).
• 17. Most cybersecurity threats, and their impact, are surprisingly not about technology… they are about people.
• 18. How to Deal with Personal Liability
• Board members and executives have fiduciary duties, which require them to monitor and address corporate risks, including cybersecurity threats.
• Executives and directors are beginning to realise they need to make difficult cybersecurity choices in a complex legal and regulatory environment, because guarding against every avenue of potential attack is neither feasible nor a cost-effective cybersecurity risk management strategy.
• It is incumbent on executives and board members to demonstrate that they are monitoring cybersecurity risks, e.g. if customers' personal details are critical, then every system carrying this data is included in a cybersecurity executive dashboard at Audit Committee meetings.
• The proactive management of cybersecurity risk allows an Executive and/or Board member to qualify for Cybersecurity Liability Insurance.
• 19. Cybersecurity Dashboard: How to bridge the gap so you can demonstrate 'Duty of Care'
[Diagram: Executive → Remediation Plan → Root Cause Analysis → Confirm Cybersecurity Risk has been mitigated]
1) Implement a Cybersecurity Dashboard based on your firm's regulatory needs
2) Categorise your data based on its level of compliance
3) Identify data that must be legislatively protected and find that data's touchpoints within the organisation
4) Ensure the touchpoints are protected by your cybersecurity policies
5) Work with an external firm to ensure you have a complete set of policies
• 20. Defence against Vicarious Liability
• Demonstrable proof of the Board's or executive team's duty of care is admissible in court when a complete, thorough and concise set of policy documents existed prior to the date of the alleged incident.
• Policies are important reference documents for the resolution of legal disputes about the Board's or management's due diligence. Policies are a clear statement of management's intent and are the link between regulatory, legal and IT requirements.
• An effective policy is written at a reasonable reading level to minimise technical jargon, includes management terminology unique to the company, yet conforms to regulatory standards and has management approval.
• Some basic rules must be followed when shaping a policy:
– Never conflict with law
– Stand up in court
– Be properly supported and administered
• 21. Defence against Vicarious Liability
• Cybersecurity risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organisation. (NIST SP 800-30)
• therefore……
• Policies that trace each control back to the vulnerability it addresses, and that document the Board's and executives' reasonable steps to avoid a breach, will have demonstrated due care and due diligence.
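The dashboard steps on slide 19 (classify regulated data, find its touchpoints, check that each touchpoint is covered by policy) and the NIST SP 800-30 risk definition on slide 21 can be turned into something an Audit Committee can actually be shown. The script below is an added example written for this page, not code from the deck or from any of the firms named in it. The inventory, the policy titles and the likelihood/impact ratings are constructed assumptions; the qualitative risk matrix is modelled on NIST SP 800-30 Rev 1 Appendix I (Table I-2), and its cells are transcribed as an assumption that should be checked against the publication before use.

```python
from dataclasses import dataclass

# Qualitative risk matrix modelled on NIST SP 800-30 Rev 1, Appendix I (Table I-2):
# risk = f(likelihood, impact). Cell values are an assumption; verify against the text.
LEVELS = ("very low", "low", "moderate", "high", "very high")
RISK_MATRIX = {  # rows: likelihood; columns: impact, ordered as LEVELS
    "very high": ("very low", "low", "moderate", "high", "very high"),
    "high":      ("very low", "low", "moderate", "high", "very high"),
    "moderate":  ("very low", "low", "moderate", "moderate", "high"),
    "low":       ("very low", "low", "low", "low", "moderate"),
    "very low":  ("very low", "very low", "very low", "low", "low"),
}

def risk_level(likelihood: str, impact: str) -> str:
    """Combine a qualitative likelihood and impact into a qualitative risk level."""
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]

# Policies each regime requires at every touchpoint that handles its data.
# Regime names follow the deck (PCI DSS, Australian Privacy Principles);
# the policy titles are assumptions made for this example.
REQUIRED_POLICIES = {
    "PCI DSS": {"Cardholder Data Handling", "Access Control", "Logging and Monitoring"},
    "APP":     {"Privacy", "Data Retention", "Access Control"},
}

@dataclass(frozen=True)
class Touchpoint:
    name: str
    policies: frozenset   # approved policy documents that govern this system
    likelihood: str       # qualitative likelihood of compromise
    impact: str           # qualitative business impact if compromised

@dataclass(frozen=True)
class DataAsset:
    name: str
    regimes: frozenset    # regimes under which this data must be protected
    touchpoints: frozenset  # systems that store, process or transmit it

def gap_analysis(assets, touchpoints):
    """Step 4 of the deck: list (asset, touchpoint, missing policies) for every
    regulated touchpoint not fully covered by the policies its regimes require."""
    by_name = {t.name: t for t in touchpoints}
    gaps = []
    for asset in assets:
        required = set().union(*(REQUIRED_POLICIES[r] for r in asset.regimes))
        for tp_name in sorted(asset.touchpoints):
            missing = required - by_name[tp_name].policies
            if missing:
                gaps.append((asset.name, tp_name, frozenset(missing)))
    return gaps

def dashboard(assets, touchpoints):
    """Executive view: policy coverage of regulated touchpoints, plus the
    regulated touchpoints rated high or very high risk, worst first."""
    regulated = {tp for a in assets for tp in a.touchpoints}
    gapped = {tp for _, tp, _ in gap_analysis(assets, touchpoints)}
    covered = len(regulated) - len(gapped)
    rated = sorted(
        ((t.name, risk_level(t.likelihood, t.impact))
         for t in touchpoints if t.name in regulated),
        key=lambda nr: -LEVELS.index(nr[1]),
    )
    return {
        "regulated_touchpoints": len(regulated),
        "policy_coverage_pct": round(100 * covered / len(regulated)) if regulated else 100,
        "high_risk": [n for n, r in rated if r in ("high", "very high")],
        "uncovered": sorted(gapped),
    }

# Constructed sample inventory; every name and rating here is illustrative.
TOUCHPOINTS = [
    Touchpoint("payment-gateway",
               frozenset({"Cardholder Data Handling", "Access Control",
                          "Logging and Monitoring"}), "moderate", "very high"),
    Touchpoint("crm", frozenset({"Privacy", "Access Control"}), "high", "high"),
    Touchpoint("backup-store", frozenset({"Access Control"}), "low", "very high"),
    Touchpoint("marketing-site", frozenset({"Access Control"}), "high", "low"),
]
ASSETS = [
    DataAsset("card numbers", frozenset({"PCI DSS"}),
              frozenset({"payment-gateway", "backup-store"})),
    DataAsset("customer records", frozenset({"APP"}),
              frozenset({"crm", "backup-store"})),
]

if __name__ == "__main__":
    for gap in gap_analysis(ASSETS, TOUCHPOINTS):
        print("GAP", gap)
    print(dashboard(ASSETS, TOUCHPOINTS))
```

The point the sample makes is the one the Distribute.IT story makes the hard way: the backup store carries both card data and personal records but is covered by only one policy, so it shows up in every gap row even though its own likelihood rating is low. The marketing site, rated high likelihood, never appears, because no regulated data touches it; that is the prioritisation slide 18 asks executives to be able to evidence.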
• 23. Case Study
An existing firm client (anonymous)
• Compromised by a spoofed email that aimed to have funds transferred (via Pitcher Partners) to a beneficiary account belonging to the attacker
• Reliance on external computer networks was part of the problem
Australian Super
• Development of an IT Security Operations Dashboard for the organisation's Technical Governance Committee (TGC)
• The Dashboard presented metrics to the TGC to enable them to decide on corrective action through investments to remediate, change course and strengthen the organisation's security posture
• 24. Case Study: A Major Retailer – Tactical response to cybercrime
[Diagram, three columns: Security Foundations (Prevent); Tactical Response (Prosecute); Managed Security (Prevent). Threats addressed: Hacking, Data exfiltration, Intrusion, ID theft. Themes: Information privacy and data protection; System policies and security currency]
• 25. Case Study: Linking the Major Retailer's Cybersecurity Policy to Risk Management frameworks
This involved a three-week review of the Administrative Controls of the environment.
ADMINISTRATIVE CONTROLS
• Policies
• Standards
• Procedures
• Guidelines
• Personnel screening
• Security awareness training
OPERATIONAL CONTROLS
• Processes (business and security)
• Physical access control
• Safety equipment (UPS, backup)
• DRP/BCP
TECHNICAL CONTROLS
• Logical access control
• Encryption
• Security devices
• Identity management
• Authentication
PHYSICAL CONTROLS
• Facility protection
• Security guards
• Locks, monitoring, environmental controls
• Intrusion detection
[Diagram: Administrative, Operational, Technical and Physical Controls as concentric layers around Company Information Assets]
• 26. Case Study: A Major Retailer – Approach of this Engagement
The approach undertaken uses the guidelines in NIST SP 800-30, PCI DSS v3.2, ISO/IEC 27013, ISO/IEC 27039, the ISO/IEC 2700x family and ISO 31000.
The policies assessment is quite broad and evaluates the Confidentiality, Integrity and Availability of data. The policies cover a reasonable range of topic areas, spanning data security, infrastructure and back-end IT services.
A more thorough approach is taken after the initial review: relevant non-IT stakeholders are engaged via interviews, questionnaires and observations in order to develop a deeper understanding of the procedures required to action the policies.
• 27. What needs can we address?
We help our clients define their IT security posture and plan, to ensure protection of their most sensitive assets (e.g. data, systems) from internal and external threats:
• Cybersecurity Strategy
• Executive Cybersecurity Dashboard creation
• Cybersecurity Policy Gap Analysis and Rectification
• Review and development of Cyber Security policies
• Assessments against guidelines and standards such as PCI DSS, CIS, NIST SP 800-30, ISO/IEC 27013, ISO/IEC 27039, the ISO/IEC 2700x family and ISO 31000
  • 28. What needs can we address? What is our differentiated value proposition? • We have existing clients whose businesses we understand • A firm of auditors with proven frameworks to review and assess against standards • We have existing clients such as Councils, Utilities and Government entities that are subject to regulatory requirements
• 29. Next Steps
• Engage with an independent service provider to review your IT policies
• Create an Executive Cybersecurity Dashboard
• Identify data which cannot be leaked from a regulatory and compliance perspective
• Data leakage is not limited to systems; ensure personnel know how to handle sensitive data
• Personal Liability: increase your insurance coverage to include cybersecurity
• Create a Cybersecurity Strategy to allow the Executive Team to prioritise what data and systems need to be protected