September 25th 2014 - IDC Event Croke Park Dublin - Paul C Dwyer CEO Cyber Risk International delivering an extract from the "Cyber lessons from the front lines" seminar.
CRI Extract from "Cyber Lessons from the Front lines"
1. Cyber Executive Briefing
Presenter: Paul C Dwyer
CEO – Cyber Risk International
Date: September 25th 2014
IDC Security Event - Ireland
2. Paul C Dwyer
Paul C Dwyer is an internationally recognised information security expert with over
two decades' experience. He serves as President of the ICTTF International Cyber
Threat Task Force and Co-Chairman of the UK NCA National Crime Agency Industry
Group. He is a certified industry professional with the International Information Systems
Security Certification Consortium (ISC2) and the Information System Audit &
Control Association (ISACA), and was selected for the IT Governance Expert Panel.
Paul is a world-leading Cyber Security GRC authority. He has been an advisor to
Fortune 500 companies, law enforcement agencies and the military (NATO), and
recently advised DEFCOM UK at Westminster Parliament.
He has worked and trained with organisations such as the US Secret Service,
Scotland Yard, the FBI and the National Counter Terrorism Security Office (MI5), is approved by
the National Crime Faculty and is a member of the High Tech Crime Network
(HTCN).
Paul C Dwyer CEO
Cyber Risk International
10. Who’s a Target?
• Chinese 12th Five-Year Plan, Seven Priority Industries
– New energy
– Life sciences
– Next generation IT
– Energy conservation and environment protection
– High-end equipment manufacturing
– New materials
– New-energy vehicles (NEVs)
• Other targets
– Legal disputes
– M&A and negotiations
– Government policy and defense
– Defamation or human rights advocacy
11. Cyber Risks for You
• Tangible Costs
– Loss of funds
– Damage to Systems
– Regulatory Fines
– Legal Damages
– Financial Compensation
• Intangible Costs
– Loss of competitive advantage (Stolen IP)
– Loss of customer and/or partner trust
– Loss of integrity (compromised digital assets)
– Damage to reputation and brand
Quantitative vs. Qualitative
14. Regulatory and Legal
• EU Data Privacy Directive
• EU Network Information Security Directive
• European Convention on Cybercrime
• 400+ Others – 10,000+ Controls – 175 Legal Jurisdictions
All of these apply to Your Organisation.
15. Responsibility – Convention Cybercrime
All organisations need to be aware of the Convention’s provisions in article 12,
paragraph 2:
‘ensure that a legal person can be held liable where the lack of supervision or
control by a natural person…has made possible the commission of a criminal
offence established in accordance with this Convention’.
In other words, directors can be responsible for offences committed by their
organisation simply because they failed to adequately exercise their duty of care.
16. Cyber is a Strategic Issue
• Strategic Level (Macro Security)
– How do cyber attacks affect policies, industry and business decisions?
• Operational Level
– What kind of policies, procedures and business models do we need?
• Technical Level (Micro Security)
– How can we solve our security problems with technology?
17. Board Room Discussion
• CEO
– Loss of market share and reputation
– Legal exposure
• CFO/COO
– Audit failure
– Fines and criminal charges
– Financial loss
• CIO
– Loss of data confidentiality, integrity and/or availability
• CHRO
– Violation of employee privacy
• CMO
– Loss of customer trust
– Loss of brand reputation
Increasingly, companies are appointing CROs and CISOs with a direct line to the audit committee.
22. Further Cyber Tips
• Awareness at C-Suite level
• Recognition that you will be attacked
• Understand what the biggest threats are
• Understand which assets are at greatest risk
• Well-balanced cyber defence – there is no such thing as 100% secure
• Agree risk appetite – exposure – metrics
• Good intel
• Mix processes: prevention, detection and response