Marc Brawner is a Principal with Kroll's Cyber Security & Investigations team. In this presentation to the Tennessee Bankers Association, Marc explains the key roles and responsibilities of the information security and information technology teams for increased cyber security.
Information Security vs IT - Key Roles & Responsibilities
1. Who has the ball in [Cyber | IT | Information] Security?
Marc Brawner
Principal
Cyber Security and Investigations
Nashville, TN
2. Proprietary and Confidential — External Use Only
Marc Brawner
Principal, Cyber Security & Investigations
mbrawner@kroll.com

With over 23 years of experience in information technology, including 18 years focused on cyber security, Marc is a true expert in cyber risk management, incident response, and forensic investigations. He brings an extraordinary level of experience and knowledge, having led or participated in hundreds of cyber security matters at organizations around the USA and abroad.

Today, Marc oversees the practice's endpoint threat monitoring and analysis team, while also leading and supporting complex incident investigations, and providing guidance on a range of technology and cyber security matters to Kroll colleagues and clients worldwide.

Marc returned to Kroll in 2013 after spending seven years at Marsh & McLennan Companies, a Fortune 200 firm, where he led its global information security incident response and risk assessment teams. Earlier in his career at Kroll, Marc implemented and managed a variety of technology and security solutions, developed and implemented policy and regulatory compliance programs, and managed information technology teams.

Marc is a Tennessee native and holds a bachelor’s degree in Computer Science from Lipscomb University, along with several industry certifications, including: Core PCI Forensic Investigator and Qualified Security Assessor, PCI Security Standards Council (PFI/QSA); Certified Information Systems Security Professional (CISSP); Certified in Risk and Information Systems Control (CRISC).
3. Who we are
Kroll is the leading global provider of risk and investigative services, helping clients anticipate, detect, mitigate, and respond to risk.
[Infographic: Trusted partner, 40+ years; Diverse expertise; Fortune 100, 77%]
• Help clients make confident risk management decisions about: people, assets, operations and security
• Provide an unparalleled range of services and solutions
• Regularly work on the most complex and highest profile matters in the world
• Extensive global network allows us to efficiently and effectively address challenging situations
Former members of law enforcement agencies including the FBI, US Secret Service, Dept. of Homeland Security, Dept. of Defense, Dept. of Justice, Ministry of Defense. Other expertise includes: computer forensic analysts, forensic accountants, information security analysts, former prosecutors, business intelligence analysts, and investigative journalists.
4. Global, expert team
Kroll has offices in 20 countries and more than 30 cities.
Language fluency includes: Arabic, Bengali, Chinese, English, French, German, Hindi, Japanese, Portuguese, Punjabi, Russian, and Spanish
Expertise includes: Cyber Risk Management, Due Diligence & Compliance Management, Business Intelligence & Investigations, Security Risk Management
Licenses / Certifications include: Payment Card Industry Data Security Standard (PCI DSS), Qualified Security Assessor (QSA), Certified Information Systems Security Professional (CISSP), Certified Business Continuity Professional (CBCP)
5. Cyber security solutions – Some recent awards and recognitions
• Best Cyber Security Provider – 2017 National Law Journal Reader Choice Survey
• Best Litigation Dispute Advisory Services Consultant – 2017 National Law Journal Reader Choice Survey
• Best Corporate Investigations Provider – 2017 National Law Journal Reader Choice Survey
• “Leader” in Customer Data Breach and Notification – The Forrester Wave™: Customer Data Breach Notification and Response Services, Q4 2017
• “[Kroll] is capable of being a one-stop shop for multiple services relating to breach response, from forensic investigations to support for clients in litigation issues.” – The Forrester Wave™: Customer Data Breach Notification and Response Services, Q4 2017
6. Session Agenda
• Why does your institution need an information technology program?
• Why does your institution need an information security program?
• Understand key differences between Information Technology and Cyber/Information Security
• Review roles and responsibilities
• Review industry guidance and trends
• Review board level considerations
• Discuss modern threats and defenses
8. Information Technology
• Design, implement and operate critical business technology: servers, workstations, networks, telephony and communication tools, business applications
• Manage electronic data and information storage
• Develop strategic technology plans and objectives consistent with business needs
10. Information Security
Security: resilience from harm.
Information Security: program, process, and activities designed to protect the confidentiality, integrity, and availability of information.
Cyber Security: focus on digital information and systems.
11. Information Security Triad
Confidentiality – Integrity – Availability
12. FFIEC Guidance
Information security…
…is the process by which a financial institution protects the creation, collection, storage, use, transmission, and disposal of sensitive information, including the protection of hardware and infrastructure used to store and transmit such information.
…promotes the commonly accepted objectives of confidentiality, integrity, and availability of information and is essential to the overall safety and soundness of an institution.
13. FFIEC Guidance
Information security exists to provide protection from malicious and non-malicious actions that increase the risk of adverse effects on earnings, capital, or enterprise value.
The potential adverse effects can arise from the following:
• Disclosure of information to unauthorized individuals.
• Unavailability or degradation of services.
• Misappropriation or theft of information or services.
• Modification or destruction of systems or information.
• Records that are not timely, accurate, complete, or consistent.
Source: FFIEC IT Examination Handbook (2016)
14. Information Security and IT Ops
IT Operations:
• Store
• Process
• Transmit
• Access
Information Security:
• Understand risk
• Appropriately secure
• Monitor
15. Balancing Act
IT Operations vs. IT Security/Risk Management
Confidentiality – Integrity – Delivery – Availability
16. Roles and Responsibilities – CIO/CTO/IT Manager
• Develop and implement IT strategy
• Oversee IT budget
• IT acquisition, development, training
• IT architecture
• Planning
• Supporting lines of business strategy
17. Roles and Responsibilities – CISO/ISO/Risk Mgr
• Management and mitigation of information security risks
• Implementing information security strategy
• Address current and emerging risks
• Work with business on information flows, risks, and protection
• Championing security awareness and training
18. Roles and Responsibilities
CIO/CTO/IT Manager:
• Develop and implement IT strategy
• Oversee IT budget
• IT acquisition, development, training
• IT architecture
• Planning
• Supporting lines of business strategy
CISO/CSO/Risk Manager:
• Management and mitigation of information security risks
• Implementing information security strategy
• Address current and emerging risks
• Work with business on information flows, risks, and protection
• Championing security awareness and training
• Building external relationships
• IR Planning
19. CISO Evolution
“While in the past, the office of the CISO was considered a technology function, the role has become a strategic and integral part of the business management team.”
“The CISO should be an enterprise-wide risk manager, rather than a production resource devoted to IT operations.”
Why?
21. Tool Based Strategy?
Technical Controls – Operations – Governance
Most Data Breaches Occur When This Strategy Is Used!
22. Most Effective Strategy to Mitigate Risk!
Governance – Operations – Technical Controls
23. FFIEC: Reporting Structure
• Information security officers should report directly to the board or senior management, NOT IT operations management
• Ensures appropriate segregation of duties
• Information security officers should be responsible for responding to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information; managing the negative effects on the confidentiality, integrity, availability, or value of information; and minimizing the disruption or degradation of critical services.
24. Pitfalls of IT-driven information security
• Frequent conflicts of interest
• Too many ‘hats’ for one person, team, or role
• Increased complexity of technology
• Increased complexity of threats and vulnerabilities
• Different skills, education and training paths
• Often follows tool-based strategy
• Often minimizes or misses subtle clues of exposure
• Incident management – what happens during a crisis?
25. FFIEC: Role of the Board of Directors
The board, or designated board committee, should be responsible for:
• overseeing the development, implementation, and maintenance of the institution’s information security program;
• holding senior management accountable for its actions.
26. Increasing Board Oversight
• Consider prior evolution of board to address and validate financial statement accuracy
• Proliferation of cybersecurity risks now trumps financial accounting risks
27. Recent SEC Guidance – February 26, 2018
Cybersecurity risks pose grave threats to investors, our capital markets, and our country…
Regulation S-K ... Require a company to disclose the extent of its board of directors’ role in the risk oversight of the company…
“To the extent cybersecurity risks are material to a company’s business, we believe this discussion should include the nature of the board’s role in overseeing the management of that risk.”
“We believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility…”
https://www.sec.gov/rules/interp/2018/33-10459.pdf
28. Board Oversight
A key question in 2018 is not, “Do we have a security program?” Rather, “Is our program actually working to reduce risk as intended?”
29. Board Modernization
• Create a cyber security committee (similar to audit committee)
• Add cyber expertise to board
• Engage third party to conduct annual review (similar to accounting audit) and participate in strategy
• Require management reporting and feedback
https://corpgov.law.harvard.edu/2018/03/31/cybersecurity-the-secs-wake-up-call-to-corporate-directors/
30. What about Outsourcing?
Absolutely! Leading security advisory and incident response firms offer:
• Exposure to ongoing threats, real-world incidents, and what works (or doesn’t)
• Neutral understanding of business risk without politics
• Articulate effective risk management priorities and practices based on experience
Can’t fully shift responsibility, however.
32. Where is your sensitive/regulated data?
Creation – Transmission – Reproduction – Physical Transport – Storage – Disposal
Intellectual Property
33. 20 CSC is Minimum Standard
The 20 Critical Security Controls “identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
California Data Breach Report (Feb 2016), Attorney Gen. Kamala D. Harris
34. Cyber Threat Landscape
Threats:
• Criminals / criminal organizations
• Terrorists / non-government organizations
• Hacktivists
• Foreign governments
• Employees
• Regulatory penalties
• Reputational damage
• Financial loss
Targeted assets:
• Customer
• Personal information
• Health data
• Account data
• Financial system functions – AR & AP
• Financial assets
• Employee PII
• Intellectual property
• Network bandwidth
Attack methods:
• Spearphishing
• Web site attacks
• Social engineering
• DDoS
• Data destruction
• Data alteration
35. Modern Cyber Tools – Building a higher level cyber security program
Traditional tools:
• Antivirus
• Network Firewall
• IDS
• Helpdesk
• Policies
• SOC
Modern tools:
• Endpoint Monitoring
• Threat Hunting
• Managed Detection/IR
• Application firewall
• User Behavior Analytics
36. What is Your Narrative?
• Reasonable Measures Implemented
• Attacker Used Extraordinary Methods
• Able to Rapidly Detect and Respond Effectively
• Assumption of Breach
37. Narrative
• Have a narrative before an incident
• Choose and implement a cybersecurity framework
• Use governance structures to operationalize the framework
• Fund appropriately based on risk tolerance
• Infosec Maturity = detect and respond capability
38. Summary
• Cybersecurity today is a board-level issue, more than ever
• IT is not the primary stakeholder for managing cybersecurity risk
• Dedicated resources are required
• Leverage independent third party expertise to right-size program and validate effectiveness
• Modern tools are essential, but governance comes first
• Assume breach – have a response plan and defensible narrative
39. Additional Kroll Resources
https://www.kroll.com/en-us/intelligence-center
Discuss examples of how we’ve done this – finsvcs
CISO advisory services
FFIEC: Although the use of outsourcing may change the location of certain activities from financial institutions to third-party service providers, outsourcing does not change the regulatory expectations for an effective information security program.