SlideShare a Scribd company logo

Cybersecurity in the Boardroom

Marko Suswanto
Marko Suswanto

A Briefing Guide for C-Level Executives to Threats, Tactics, and Strategies.

Technology
1 of 17
Download to read offline
Technology Risk E-Book Audit | Tax | Advisory | Risk | Performance Cybersecurity in the Boardroom A Briefing Guide for C-Level Executives to Threats, Tactics, and Strategies nn Six Critical Questions to Assess Cybersecurity Readiness nn Ten Principles of Corporate Governance for Management and the Board nn Five Steps to Establish and Maintain a Cybersecurity Road Map nn Plus: Seven Crowe Insights to Share on LinkedIn
Cybersecurity in the Boardroom 2www.crowehorwath.com Boards of directors have extremely limited capacity for taking on new areas of oversight. Given that constraint, it is noteworthy that cybersecurity has escalated to a board-level concern and could become one of the decade’s major corporate governance trends. Company executives and top management used to be responsible for meeting the ongoing strategic challenges in their industries. For example, being an oil executive was sufficient experience for running an oil company, being a retail executive was sufficient for running a retail firm, and so on. The demands on management have changed with the times. The digital age has brought about a convergence such that no matter the industry, executives now struggle with a set of common concerns related to technology strategy and information security. Across widespread, globalized supply chains, organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent. This digital convergence opens profitable opportunities and markets but brings with it additional risks and exposures. CEOs and other high-level executives need a starting point for understanding and responding to growing board-level concerns about cybersecurity. To help with this objective, Crowe Horwath LLP examines why the subject has escalated to the board level and how executives should guide their board members in thinking about cybersecurity issues. Introduction Cybersecurity has escalated to a board-level concern and could become one of the decade’s major corporate governance trends. Crowe Insight Organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent – opening up profitable opportunities but also additional risks and exposures.
Cybersecurity in the Boardroom 3www.crowehorwath.com Cybersecurity Readiness: Is Your Organization Prepared? According to The Institute of Internal Auditors Research Foundation (IIARF), the critical questions to consider when assessing the cybersecurity readiness of a board of directors are1 : nn Does the organization use a security framework? nn What are the top five risks the organization has related to cybersecurity? nn How are employees made aware of their roles related to cybersecurity? nn Are external and internal threats considered when planning cybersecurity program activities? nn How is security governance managed in the organization? nn In the event of a serious breach, does management have a robust response protocol?
Cybersecurity Escalates to the Board Level
Cybersecurity in the Boardroom 5www.crowehorwath.com Executives have become acutely aware of their personal stakes in facilitating adequate cybersecurity by preventing incidents and responding to data breaches in an appropriate manner. Their jobs are on the line. Yet the decades of industry experience that make someone a great leader in his or her industry might not foster the knowledge or relationships needed to respond to a major cybersecurity threat. In addition to the financial damage that ensues, a data breach causes significant exposure to reputational risk. An apt illustration is the recent Sony Entertainment Inc. hack in which executives’ reputations appeared to be among the attack’s principal targets.2 In such a case, with management having to deal with matters of national security, the board’s input and participation become essential. The list of companies beset by data breaches in recent years includes some of the marketplace’s highest- profile brands across a broad spectrum of industries, including The Home Depot Inc.3 and Target Corp.4 in retail; Domino’s Pizza5 and P.F. Chang’s China Bistro Inc.6 in restaurants; JPMorgan Chase & Co.7 in banking; and Adobe Systems Inc.,8 Apple Inc.,9 and eBay Inc.10 in the technology sector. Even being a relatively low-profile organization provides no assurance of safety, as seen by breaches at the Montana Department of Public Health and Human Services,11 Community Health Systems Inc.,12 and Goodwill Industries International Inc.13 In fact, data breaches have become extremely common, with an estimated 43 percent of companies experiencing one in the past year.14 In 2014, just counting those confirmed by media sources or subject to notification through state governmental agencies, there were a record-high 783 data breaches in the U.S.,15 which, due to patchwork reporting regulation and systemic underreporting, understates the problem. Yet not all data breaches are motivated by criminal gain or malicious intent. For most, some sort of glitch or human error is the cause.16 In fact, employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or acting as a contributing factor to a cyberattack.17 Human errors take the forms of misconfiguration, a lack of patching, and “social engineering” in which an Crowe Insight The list of companies beset by data breaches includes some of the marketplace’s highest-profile brands across a broad spectrum of industries, including retail, banking, and the technology sector.
Cybersecurity in the Boardroom 6www.crowehorwath.com attacker convinces an employee to provide sensitive information. These avenues enable attackers to deploy point-of-sale malware, botnets, and viruses; exploit zero-day vulnerabilities; or make use of stolen or out- of-date credentials. A data breach of any type can cause severe financial repercussions. According to IBM Corp.’s eight-factor model, breaches cost an average of $145 per record lost.18 In the event of a breach – especially one that becomes public knowledge – an organization has to handle a diverse, exhausting set of demands from multiple constituencies: nn Technical remediation involving internal IT and external consultants nn Media and public relations – an even more difficult task when coping with a high-profile “branded” attack, such as one that involved the Heartbleed bug nn Liaisons with government officials at the federal, state, and local levels in accordance with differing breach notification and consumer protection statutes nn Customer communications, including outbound messages about notifications and remediation and inbound response teams to handle the volume of status inquiries As such, the responsibility falls on boards of directors to provide an additional layer of external oversight to confirm that their organizational leadership is prepared adequately with incident response plans, evaluated regularly through independent cybersecurity assessments, and guided by cybersecurity road maps designed to address long-term threats. Data breaches cost an average of $145 per record lost.
Assessing Responsibilities for Cybersecurity
Cybersecurity in the Boardroom 8www.crowehorwath.com Crowe Insight Cybersecurity assessments include identifying critical data, mapping data stores, performing a controls risk analysis, rating the maturity of security controls, and building remediation plans. Employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or acting as a contributing factor to a cyberattack. Despite cybersecurity’s immense challenge, the general principles of corporate governance remain intact. In dividing the responsibility, management has full charge for executing the specific steps required to mitigate risk while the board of directors acts largely in an oversight and advisory role. Principal responsibilities for management: 1. Perform a cybersecurity assessment. The Crowe approach, which combines input from the leading industry frameworks with Crowe professionals’ extensive experience, provides a highly practical, comprehensive approach to assessing cybersecurity risks, exposures, and vulnerabilities. Cybersecurity assessments include the following steps: nn Identify critical data. nn Map data stores and flows. nn Perform a controls risk analysis. nn Rate the maturity of security controls. nn Build short- and long-term remediation plans. 2. Perform an ecosystem assessment. Verify that vendors and outsourcing providers also have adequate cybersecurity controls. 3. Facilitate global review. Evaluate data protection laws and breach disclosure requirements in each country or state in which the organization does business. 4. Follow frameworks. Meet the appropriate requirements of the NIST cybersecurity framework, ISO 27001 standards, and industry-specific frameworks and/or standards – for example, PCI for retailers, SEC for public companies and financial regulators. Efforts taken to meet the requirements of multiple security frameworks and/or standards can be rationalized using the Unified Compliance Framework, a tool that includes a regulations database for centralized compliance. 5. Form a mitigation plan. Establish an internal risk management framework supported with adequate staffing and a budget for achieving compliance.
Cybersecurity in the Boardroom 9www.crowehorwath.com Principal responsibilities for the board of directors19 : 1. Revise the agenda. Cybersecurity once was viewed as an IT issue, but given cyberattacks’ present frequency and intensity, the topic now is considered an enterprisewide, operational risk management issue to be monitored closely by the board. 2. Facilitate legal review. Depending on the region and industry, cybersecurity will have varying legal implications pertaining to board responsibilities, and these implications should be reviewed by counsel and monitored for changes. 3. Enhance expertise. The challenge’s technical nature requires boards to have access to cybersecurity expertise, through either the election of specialists in the field or use of external consultants. 4. Set expectations. In addition to or in conjunction with existing goals and responsibilities, management should be monitored, measured, and compensated based on its ability to establish and enforce an enterprisewide risk management framework that can lower the risk of cybersecurity breaches. 5. Maintain frameworks. The adoption of a cybersecurity framework is not a one-time affair; rather, security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources. The board needs to set the parameters of frameworks’ evolution. Crowe Insight Security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources.
The Board of Directors: Achieving Cybersecurity Excellence
Cybersecurity in the Boardroom 11www.crowehorwath.com Crowe Insight Whether a cybersecurity-related incident causes damage or not, it offers a valuable opportunity to evaluate what went wrong and right. In meeting these responsibilities, a board of directors should take steps to provide effective oversight of cybersecurity risk mitigation along with sound advice to executive management. Learn from recent breaches and breach attempts. Every cybersecurity-related incident, whether or not it causes damage, offers a valuable opportunity to evaluate what went wrong and right. nn If the organization has been affected by a breach, ask, “How did we react? What did we tell our customers?” nn If not affected, ask, “What prevented the breach? What would have happened if we had been breached?” Stress test the incident response plan. Similar to a disaster recovery plan, the specifics of an incident response plan have to be carefully planned and tested. nn Board members should understand their personal roles in the response plan and have access to resources to fulfill their responsibilities as outlined in the plan. nn Board members should be aware of the expected reactions to a breach from regulators, law enforcement, customers, and other stakeholders. nn Following an attack on the company or broader industry, the board should convene to review the company’s response.
Cybersecurity in the Boardroom 12www.crowehorwath.com Perform an independent cybersecurity assessment. For a cybersecurity assessment, as with any other type of evaluation, the board of directors should not rely entirely on information from management to assess its own performance. Accordingly, it is essential to receive an independent evaluation of how the organization is meeting the requirements of the various cybersecurity frameworks. An effective, independent cybersecurity assessment will evaluate: nn Qualifications and capabilities of the cybersecurity team nn The state of the organization’s IT and cybergovernance nn Reporting relationships among the CEO, CIO, chief information security officer, chief audit executive, and other relevant executives nn Preventive controls and security awareness training nn Other organizations in the industry or organizations of similar size in other industries Establish and maintain a cybersecurity road map. Much like a technology road map, a cybersecurity road map provides a consensus-driven framework for achieving realistic short- and long- term objectives. A cybersecurity road map not only defines the extent to which an organization intends to protect itself against data breaches but moderates risk tolerances in different areas to employ the optimal alignment of people, processes, and technology. A cybersecurity road map should include the following elements: nn Annual health checks. Establish the capability to review the performance of the cybersecurity response team through interviews and independent data reviews. nn Year-by-year milestones. Set expectations for annual improvements in incident rate, incident response time, employee training hours, and levels of compliance with cybersecurity frameworks. 43% of companies experienced a data breach in the past year.
Cybersecurity in the Boardroom 13www.crowehorwath.com Crowe Insight Perform an independent cybersecurity assessment to determine if the organization is meeting the requirements of the various cybersecurity frameworks. nn Risk tolerances. For each type of risk faced by an organization, identify the risk tolerance – which risks to avoid, which to accept, which to mitigate through an operational response, and which to transfer through insurance. nn Cybersecurity insurance. Insurance’s cost is expected to vary greatly in coming years. Price increases will be affected by the threat level and virulence of attack vectors, with decreases driven by the extent to which technology solutions succeed at improving cybersecurity’s efficacy. Given the attention and investment in the cybersecurity sector, as well as interest in the category by the insurance industry, it’s quite possible or even likely that an organization that currently self-insures against cybersecurity risks will find cybersecurity insurance a much more attractive proposition in the years to come. The board of directors should have a sense of the right price for coverage at the organization and, based on a set of planning assumptions, incorporate those expectations into the road map. nn Long-term remediation plans. The cybersecurity road map and the broader technology road map can converge to rework business processes with the aim of reducing exposure to cybersecurity threats. Given that the human element in the form of employee negligence plays a contributing role in the majority of data breaches, it follows that an approach that supplements human labor with artificial intelligence potentially would reduce the overall risk of operations from a cybersecurity standpoint. These and other long-term considerations should be incorporated into the cybersecurity road map for annual review.
Looking Ahead
Cybersecurity in the Boardroom 15www.crowehorwath.com In the next several years, boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats. Even as technology enables powerful new business models that still are being explored, IT infrastructures remain relatively immature from a cybersecurity perspective. Until the security model catches up with the business model, organizations will be exposed to malicious and criminal actions. Through their cross-industry exposure, high-level perspective, and influence, board members can guide management toward proper cybersecurity planning and mitigation, quickening the process of adaptation to the present threat environment. Given the participation of well-funded adversaries, it’s unlikely the cybersecurity threat ever will go away. But it’s certainly within the grasp of any organization to stop making simple mistakes, improve overall awareness, and establish a solid course toward a safer computing environment that’s ready to do business in the 21st century. Crowe Insight Cross-industry exposure allows board members to guide management toward proper cybersecurity planning and mitigation more quickly. Boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats.
Cybersecurity in the Boardroom 16www.crowehorwath.com 1 Sajay Rai, “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, Aug. 2014, pp. 14-15. 2 “Sony’s hacked e-mails expose spats, director calling Angelina Jolie a ‘brat,’” The Washington Post, Dec. 11, 2014, http://www.washingtonpost.com/business/economy/ sonys-hacked-e-mails-expose-spats-director-calling-angelina-jolie-a-brat/2014/12/10/ a799e8a0-809c-11e4-8882-03cf08410beb_story.html 3 “Home Depot: 56M Cards Impacted, Malware Contained,” Krebs on Security, Sept. 18, 2014, http://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted- malware-contained 4 “Target’s Data Breach Gets Worse: 70 Million Customers Had Info Stolen, Including Names, Emails and Phones,” TechCrunch, Jan. 10, 2014, http://techcrunch. com/2014/01/10/targets-data-breach-gets-worse-70-million-customers-had-info-stolen- including-names-emails-and-phones 5 “The €30k data takeaway: Domino’s Pizza faces ransom demand after hack,” The Guardian, June 16, 2014, http://www.theguardian.com/technology/2014/jun/16/dominos- pizza-ransom-hack-data 6 “Banks: Credit Card Breach at P.F. Chang’s,” Krebs on Security, June 10, 2014, http:// krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs 7 “Neglected Server Provided Entry for JPMorgan Hackers,” The New York Times DealBook, Dec. 22, 2014, http://dealbook.nytimes.com/2014/12/22/entry-point-of- jpmorgan-data-breach-is-identified/?_r=0 8 “Over 150 million breached records from Adobe hack have surfaced online,” The Verge, Nov. 7, 2013, http://www.theverge.com/2013/11/7/5078560/over-150-million-breached- records-from-adobe-hack-surface-online 9 “Apple Developer site hack: Turkish security researcher claims responsibility,” The Guardian, July 22, 2013, http://www.theguardian.com/technology/2013/jul/22/apple- developer-site-hacked 10 “EBay client information stolen in hacking attack,” Reuters, May 21, 2014, http://articles. chicagotribune.com/2014-05-21/business/chi-ebay-passwords-20140521_1_ebay-shares- ebay-users-u-s-company 11 “Montana Health Department Hacked,” InformationWeek, June 25, 2014, http://www. informationweek.com/healthcare/security-and-privacy/montana-health-department- hacked/d/d-id/1278872 12 Community Health says data stolen in cyber attack from China,” Reuters, Aug. 18, 2014, http://www.reuters.com/article/2014/08/18/us-community-health-cybersecurity- idUSKBN0GI16N20140818 13 “Breach at Goodwill Vendor Lasted 18 Months,” Krebs on Security, Sept. 16, 2014, http://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months 14 “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197 15 “Identity Theft Resource Center Breach Report Hits Record High in 2014,” Identity Theft Resource Center, Jan. 12, 2015. http://www.idtheftcenter.org/ITRC-Surveys- Studies/2014databreaches.html 16 “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_ Data_Breach_Study.pdf 17 “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197 18 “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_ Data_Breach_Study.pdf 19 Based on principles established by the National Association of Corporate Directors, as listed in “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, http://www. theiia.org/bookstore/product/cyber-security-what-the-board-of-directors-needs-to-ask- download-pdf-1852.cfm Sources
www.crowehorwath.com Crowe Horwath LLP (www.crowehorwath.com) is one of the largest public accounting and consulting firms in the United States. Under its core purpose of “Building Value with Values® ,” Crowe uses its deep industry expertise to provide audit services to public and private entities while also helping clients reach their goals with tax, advisory, risk and performance services. Crowe and its subsidiaries have offices coast to coast with more than 3,000 personnel. The firm is recognized by many organizations as one of the country’s best places to work. Crowe serves clients worldwide as an independent member of Crowe Horwath International, one of the largest global accounting networks in the world, consisting of more than 150 independent accounting and advisory services firms in more than 100 countries around the world. Crowe Horwath LLP, The Unique Alternative® Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2015 Crowe Horwath LLP RISK15376 Contact Information For more information, contact Raj Chaudhary at 312.899.7008 or raj.chaudhary@crowehorwath.com.

Recommended

NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations center
CMR WORLD TECH
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHS
John Gilligan
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
PECB
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoD
Pranav Shah
 
Cybersecurity - Overview
Cybersecurity - OverviewCybersecurity - Overview
Cybersecurity - Overview
Thanuja Seneviratne
 

Recommended

NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations center
CMR WORLD TECH
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHSCybersecurity Priorities and Roadmap: Recommendations to DHS
Cybersecurity Priorities and Roadmap: Recommendations to DHS
John Gilligan
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
PECB
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoD
Pranav Shah
 
Cybersecurity - Overview
Cybersecurity - OverviewCybersecurity - Overview
Cybersecurity - Overview
Thanuja Seneviratne
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadar
Virginia Fernandez
 
Cyber Table Top Exercise -- Model Roadmap
Cyber Table Top Exercise -- Model RoadmapCyber Table Top Exercise -- Model Roadmap
Cyber Table Top Exercise -- Model Roadmap
David Sweigert
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
SnapComms
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security program
William Godwin
 
cyber security
cyber security cyber security
cyber security
NiharikaVoleti
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
Priyanka Aash
 
Incident response
Incident responseIncident response
Incident response
Anshul Gupta
 
Board and Cyber Security
Board and Cyber SecurityBoard and Cyber Security
Board and Cyber Security
Leon Fouche
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
PECB
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
A. Shamel
 
Sample network vulnerability analysis proposal
Sample network vulnerability analysis proposalSample network vulnerability analysis proposal
Sample network vulnerability analysis proposal
David Sweigert
 
cybersecurity strategy planning in the banking sector
cybersecurity strategy planning in the banking sectorcybersecurity strategy planning in the banking sector
cybersecurity strategy planning in the banking sector
Olivier Busolini
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
Priyanka Aash
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
Krutarth Vasavada
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATION
Sylvain Martinez
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
Ian-Edward Stafrace
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber Security
FireEye, Inc.
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
OWASP Delhi
 
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Phil Agcaoili
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boards
Paul McGillicuddy
 

More Related Content

What's hot

Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security program
William Godwin
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
PECB
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 

What's hot (20)

IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadar
 
Cyber Table Top Exercise -- Model Roadmap
Cyber Table Top Exercise -- Model RoadmapCyber Table Top Exercise -- Model Roadmap
Cyber Table Top Exercise -- Model Roadmap
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security program
 
cyber security
cyber security cyber security
cyber security
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Incident response
Incident responseIncident response
Incident response
 
Board and Cyber Security
Board and Cyber SecurityBoard and Cyber Security
Board and Cyber Security
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
Sample network vulnerability analysis proposal
Sample network vulnerability analysis proposalSample network vulnerability analysis proposal
Sample network vulnerability analysis proposal
 
cybersecurity strategy planning in the banking sector
cybersecurity strategy planning in the banking sectorcybersecurity strategy planning in the banking sector
cybersecurity strategy planning in the banking sector
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATION
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber Security
 
SIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur VatsSIEM - Activating Defense through Response by Ankur Vats
SIEM - Activating Defense through Response by Ankur Vats
 

Viewers also liked

7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boards
Paul McGillicuddy
 
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Shawn Tuma
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
IBM Security
 
Sans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business MissionSans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business Mission
Tripwire
 
CyberSecurity Vision: 2017-2027 & Beyond!
CyberSecurity Vision: 2017-2027 & Beyond!CyberSecurity Vision: 2017-2027 & Beyond!
CyberSecurity Vision: 2017-2027 & Beyond!
Dr David Probert
 
The Defender's Dilemma
The Defender's DilemmaThe Defender's Dilemma
The Defender's Dilemma
Symantec
 

Viewers also liked (20)

Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boards
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
Information security governance
Information security governanceInformation security governance
Information security governance
 
Cybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsCybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of Directors
 
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
 
Sans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business MissionSans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business Mission
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
Bob West - Educating the Board of Directors
Bob West - Educating the Board of DirectorsBob West - Educating the Board of Directors
Bob West - Educating the Board of Directors
 
Cybersecurity and The Board
Cybersecurity and The BoardCybersecurity and The Board
Cybersecurity and The Board
 
Cybersecurity Law and Risk Management
Cybersecurity Law and Risk ManagementCybersecurity Law and Risk Management
Cybersecurity Law and Risk Management
 
Cybersecurity Risk Management for Financial Institutions
Cybersecurity Risk Management for Financial InstitutionsCybersecurity Risk Management for Financial Institutions
Cybersecurity Risk Management for Financial Institutions
 
CyberSecurity Vision: 2017-2027 & Beyond!
CyberSecurity Vision: 2017-2027 & Beyond!CyberSecurity Vision: 2017-2027 & Beyond!
CyberSecurity Vision: 2017-2027 & Beyond!
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurity
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentation
 
Bridging the Cybersecurity Gap
Bridging the Cybersecurity GapBridging the Cybersecurity Gap
Bridging the Cybersecurity Gap
 
What every executive needs to know about information technology security
What every executive needs to know about information technology securityWhat every executive needs to know about information technology security
What every executive needs to know about information technology security
 
comesa cybersecurity
comesa cybersecuritycomesa cybersecurity
comesa cybersecurity
 
The Defender's Dilemma
The Defender's DilemmaThe Defender's Dilemma
The Defender's Dilemma
 

Similar to Cybersecurity in the Boardroom

A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
Daren Dunkel
 
StateOfSecOps - Final - Published
StateOfSecOps - Final - PublishedStateOfSecOps - Final - Published
StateOfSecOps - Final - Published
James Blake
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The Economist Media Businesses
 
Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...
Livingstone Advisory
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...
at MicroFocus Italy ❖✔
 
State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016
Tim Grieveson
 
Training Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfTraining Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdf
dotco
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991
Jim Romeo
 

Similar to Cybersecurity in the Boardroom (20)

A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firm
 
Module 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfModule 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdf
 
For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
 
StateOfSecOps - Final - Published
StateOfSecOps - Final - PublishedStateOfSecOps - Final - Published
StateOfSecOps - Final - Published
 
Hp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaperHp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaper
 
Websense
WebsenseWebsense
Websense
 
Cyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsCyber Risks - Maligec and Eskins
Cyber Risks - Maligec and Eskins
 
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
 
Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of Directors
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...
 
State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016
 
How to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
How to Connect Your Server Room to the Board Room – Before a Data Breach OccursHow to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
How to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
 
Training Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfTraining Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdf
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991
 
The Science and Art of Cyber Incident Response (with Case Studies)
The Science and Art of Cyber Incident Response (with Case Studies)The Science and Art of Cyber Incident Response (with Case Studies)
The Science and Art of Cyber Incident Response (with Case Studies)
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 

Recently uploaded (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

Cybersecurity in the Boardroom

  • 1. Technology Risk E-Book Audit | Tax | Advisory | Risk | Performance Cybersecurity in the Boardroom A Briefing Guide for C-Level Executives to Threats, Tactics, and Strategies nn Six Critical Questions to Assess Cybersecurity Readiness nn Ten Principles of Corporate Governance for Management and the Board nn Five Steps to Establish and Maintain a Cybersecurity Road Map nn Plus: Seven Crowe Insights to Share on LinkedIn
  • 2. Cybersecurity in the Boardroom 2www.crowehorwath.com Boards of directors have extremely limited capacity for taking on new areas of oversight. Given that constraint, it is noteworthy that cybersecurity has escalated to a board-level concern and could become one of the decade’s major corporate governance trends. Company executives and top management used to be responsible for meeting the ongoing strategic challenges in their industries. For example, being an oil executive was sufficient experience for running an oil company, being a retail executive was sufficient for running a retail firm, and so on. The demands on management have changed with the times. The digital age has brought about a convergence such that no matter the industry, executives now struggle with a set of common concerns related to technology strategy and information security. Across widespread, globalized supply chains, organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent. This digital convergence opens profitable opportunities and markets but brings with it additional risks and exposures. CEOs and other high-level executives need a starting point for understanding and responding to growing board-level concerns about cybersecurity. To help with this objective, Crowe Horwath LLP examines why the subject has escalated to the board level and how executives should guide their board members in thinking about cybersecurity issues. Introduction Cybersecurity has escalated to a board-level concern and could become one of the decade’s major corporate governance trends. Crowe Insight Organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent – opening up profitable opportunities but also additional risks and exposures.
  • 3. Cybersecurity in the Boardroom 3www.crowehorwath.com Cybersecurity Readiness: Is Your Organization Prepared? According to The Institute of Internal Auditors Research Foundation (IIARF), the critical questions to consider when assessing the cybersecurity readiness of a board of directors are1 : nn Does the organization use a security framework? nn What are the top five risks the organization has related to cybersecurity? nn How are employees made aware of their roles related to cybersecurity? nn Are external and internal threats considered when planning cybersecurity program activities? nn How is security governance managed in the organization? nn In the event of a serious breach, does management have a robust response protocol?
  • 4. Cybersecurity Escalates to the Board Level
  • 5. Cybersecurity in the Boardroom 5www.crowehorwath.com Executives have become acutely aware of their personal stakes in facilitating adequate cybersecurity by preventing incidents and responding to data breaches in an appropriate manner. Their jobs are on the line. Yet the decades of industry experience that make someone a great leader in his or her industry might not foster the knowledge or relationships needed to respond to a major cybersecurity threat. In addition to the financial damage that ensues, a data breach causes significant exposure to reputational risk. An apt illustration is the recent Sony Entertainment Inc. hack in which executives’ reputations appeared to be among the attack’s principal targets.2 In such a case, with management having to deal with matters of national security, the board’s input and participation become essential. The list of companies beset by data breaches in recent years includes some of the marketplace’s highest- profile brands across a broad spectrum of industries, including The Home Depot Inc.3 and Target Corp.4 in retail; Domino’s Pizza5 and P.F. Chang’s China Bistro Inc.6 in restaurants; JPMorgan Chase & Co.7 in banking; and Adobe Systems Inc.,8 Apple Inc.,9 and eBay Inc.10 in the technology sector. Even being a relatively low-profile organization provides no assurance of safety, as seen by breaches at the Montana Department of Public Health and Human Services,11 Community Health Systems Inc.,12 and Goodwill Industries International Inc.13 In fact, data breaches have become extremely common, with an estimated 43 percent of companies experiencing one in the past year.14 In 2014, just counting those confirmed by media sources or subject to notification through state governmental agencies, there were a record-high 783 data breaches in the U.S.,15 which, due to patchwork reporting regulation and systemic underreporting, understates the problem. Yet not all data breaches are motivated by criminal gain or malicious intent. For most, some sort of glitch or human error is the cause.16 In fact, employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or acting as a contributing factor to a cyberattack.17 Human errors take the forms of misconfiguration, a lack of patching, and “social engineering” in which an Crowe Insight The list of companies beset by data breaches includes some of the marketplace’s highest-profile brands across a broad spectrum of industries, including retail, banking, and the technology sector.
  • 6. Cybersecurity in the Boardroom 6www.crowehorwath.com attacker convinces an employee to provide sensitive information. These avenues enable attackers to deploy point-of-sale malware, botnets, and viruses; exploit zero-day vulnerabilities; or make use of stolen or out- of-date credentials. A data breach of any type can cause severe financial repercussions. According to IBM Corp.’s eight-factor model, breaches cost an average of $145 per record lost.18 In the event of a breach – especially one that becomes public knowledge – an organization has to handle a diverse, exhausting set of demands from multiple constituencies: nn Technical remediation involving internal IT and external consultants nn Media and public relations – an even more difficult task when coping with a high-profile “branded” attack, such as one that involved the Heartbleed bug nn Liaisons with government officials at the federal, state, and local levels in accordance with differing breach notification and consumer protection statutes nn Customer communications, including outbound messages about notifications and remediation and inbound response teams to handle the volume of status inquiries As such, the responsibility falls on boards of directors to provide an additional layer of external oversight to confirm that their organizational leadership is prepared adequately with incident response plans, evaluated regularly through independent cybersecurity assessments, and guided by cybersecurity road maps designed to address long-term threats. Data breaches cost an average of $145 per record lost.
  • 8. Cybersecurity in the Boardroom 8www.crowehorwath.com Crowe Insight Cybersecurity assessments include identifying critical data, mapping data stores, performing a controls risk analysis, rating the maturity of security controls, and building remediation plans. Employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or acting as a contributing factor to a cyberattack. Despite cybersecurity’s immense challenge, the general principles of corporate governance remain intact. In dividing the responsibility, management has full charge for executing the specific steps required to mitigate risk while the board of directors acts largely in an oversight and advisory role. Principal responsibilities for management: 1. Perform a cybersecurity assessment. The Crowe approach, which combines input from the leading industry frameworks with Crowe professionals’ extensive experience, provides a highly practical, comprehensive approach to assessing cybersecurity risks, exposures, and vulnerabilities. Cybersecurity assessments include the following steps: nn Identify critical data. nn Map data stores and flows. nn Perform a controls risk analysis. nn Rate the maturity of security controls. nn Build short- and long-term remediation plans. 2. Perform an ecosystem assessment. Verify that vendors and outsourcing providers also have adequate cybersecurity controls. 3. Facilitate global review. Evaluate data protection laws and breach disclosure requirements in each country or state in which the organization does business. 4. Follow frameworks. Meet the appropriate requirements of the NIST cybersecurity framework, ISO 27001 standards, and industry-specific frameworks and/or standards – for example, PCI for retailers, SEC for public companies and financial regulators. Efforts taken to meet the requirements of multiple security frameworks and/or standards can be rationalized using the Unified Compliance Framework, a tool that includes a regulations database for centralized compliance. 5. Form a mitigation plan. Establish an internal risk management framework supported with adequate staffing and a budget for achieving compliance.
  • 9. Cybersecurity in the Boardroom 9www.crowehorwath.com Principal responsibilities for the board of directors19 : 1. Revise the agenda. Cybersecurity once was viewed as an IT issue, but given cyberattacks’ present frequency and intensity, the topic now is considered an enterprisewide, operational risk management issue to be monitored closely by the board. 2. Facilitate legal review. Depending on the region and industry, cybersecurity will have varying legal implications pertaining to board responsibilities, and these implications should be reviewed by counsel and monitored for changes. 3. Enhance expertise. The challenge’s technical nature requires boards to have access to cybersecurity expertise, through either the election of specialists in the field or use of external consultants. 4. Set expectations. In addition to or in conjunction with existing goals and responsibilities, management should be monitored, measured, and compensated based on its ability to establish and enforce an enterprisewide risk management framework that can lower the risk of cybersecurity breaches. 5. Maintain frameworks. The adoption of a cybersecurity framework is not a one-time affair; rather, security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources. The board needs to set the parameters of frameworks’ evolution. Crowe Insight Security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources.
  • 10. The Board of Directors: Achieving Cybersecurity Excellence
  • 11. Cybersecurity in the Boardroom 11www.crowehorwath.com Crowe Insight Whether a cybersecurity-related incident causes damage or not, it offers a valuable opportunity to evaluate what went wrong and right. In meeting these responsibilities, a board of directors should take steps to provide effective oversight of cybersecurity risk mitigation along with sound advice to executive management. Learn from recent breaches and breach attempts. Every cybersecurity-related incident, whether or not it causes damage, offers a valuable opportunity to evaluate what went wrong and right. nn If the organization has been affected by a breach, ask, “How did we react? What did we tell our customers?” nn If not affected, ask, “What prevented the breach? What would have happened if we had been breached?” Stress test the incident response plan. Similar to a disaster recovery plan, the specifics of an incident response plan have to be carefully planned and tested. nn Board members should understand their personal roles in the response plan and have access to resources to fulfill their responsibilities as outlined in the plan. nn Board members should be aware of the expected reactions to a breach from regulators, law enforcement, customers, and other stakeholders. nn Following an attack on the company or broader industry, the board should convene to review the company’s response.
  • 12. Cybersecurity in the Boardroom 12www.crowehorwath.com Perform an independent cybersecurity assessment. For a cybersecurity assessment, as with any other type of evaluation, the board of directors should not rely entirely on information from management to assess its own performance. Accordingly, it is essential to receive an independent evaluation of how the organization is meeting the requirements of the various cybersecurity frameworks. An effective, independent cybersecurity assessment will evaluate: nn Qualifications and capabilities of the cybersecurity team nn The state of the organization’s IT and cybergovernance nn Reporting relationships among the CEO, CIO, chief information security officer, chief audit executive, and other relevant executives nn Preventive controls and security awareness training nn Other organizations in the industry or organizations of similar size in other industries Establish and maintain a cybersecurity road map. Much like a technology road map, a cybersecurity road map provides a consensus-driven framework for achieving realistic short- and long- term objectives. A cybersecurity road map not only defines the extent to which an organization intends to protect itself against data breaches but moderates risk tolerances in different areas to employ the optimal alignment of people, processes, and technology. A cybersecurity road map should include the following elements: nn Annual health checks. Establish the capability to review the performance of the cybersecurity response team through interviews and independent data reviews. nn Year-by-year milestones. Set expectations for annual improvements in incident rate, incident response time, employee training hours, and levels of compliance with cybersecurity frameworks. 43% of companies experienced a data breach in the past year.
  • 13. Cybersecurity in the Boardroom 13www.crowehorwath.com Crowe Insight Perform an independent cybersecurity assessment to determine if the organization is meeting the requirements of the various cybersecurity frameworks. nn Risk tolerances. For each type of risk faced by an organization, identify the risk tolerance – which risks to avoid, which to accept, which to mitigate through an operational response, and which to transfer through insurance. nn Cybersecurity insurance. Insurance’s cost is expected to vary greatly in coming years. Price increases will be affected by the threat level and virulence of attack vectors, with decreases driven by the extent to which technology solutions succeed at improving cybersecurity’s efficacy. Given the attention and investment in the cybersecurity sector, as well as interest in the category by the insurance industry, it’s quite possible or even likely that an organization that currently self-insures against cybersecurity risks will find cybersecurity insurance a much more attractive proposition in the years to come. The board of directors should have a sense of the right price for coverage at the organization and, based on a set of planning assumptions, incorporate those expectations into the road map. nn Long-term remediation plans. The cybersecurity road map and the broader technology road map can converge to rework business processes with the aim of reducing exposure to cybersecurity threats. Given that the human element in the form of employee negligence plays a contributing role in the majority of data breaches, it follows that an approach that supplements human labor with artificial intelligence potentially would reduce the overall risk of operations from a cybersecurity standpoint. These and other long-term considerations should be incorporated into the cybersecurity road map for annual review.
  • 15. Cybersecurity in the Boardroom 15www.crowehorwath.com In the next several years, boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats. Even as technology enables powerful new business models that still are being explored, IT infrastructures remain relatively immature from a cybersecurity perspective. Until the security model catches up with the business model, organizations will be exposed to malicious and criminal actions. Through their cross-industry exposure, high-level perspective, and influence, board members can guide management toward proper cybersecurity planning and mitigation, quickening the process of adaptation to the present threat environment. Given the participation of well-funded adversaries, it’s unlikely the cybersecurity threat ever will go away. But it’s certainly within the grasp of any organization to stop making simple mistakes, improve overall awareness, and establish a solid course toward a safer computing environment that’s ready to do business in the 21st century. Crowe Insight Cross-industry exposure allows board members to guide management toward proper cybersecurity planning and mitigation more quickly. Boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats.
  • 16. Cybersecurity in the Boardroom 16www.crowehorwath.com 1 Sajay Rai, “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, Aug. 2014, pp. 14-15. 2 “Sony’s hacked e-mails expose spats, director calling Angelina Jolie a ‘brat,’” The Washington Post, Dec. 11, 2014, http://www.washingtonpost.com/business/economy/ sonys-hacked-e-mails-expose-spats-director-calling-angelina-jolie-a-brat/2014/12/10/ a799e8a0-809c-11e4-8882-03cf08410beb_story.html 3 “Home Depot: 56M Cards Impacted, Malware Contained,” Krebs on Security, Sept. 18, 2014, http://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted- malware-contained 4 “Target’s Data Breach Gets Worse: 70 Million Customers Had Info Stolen, Including Names, Emails and Phones,” TechCrunch, Jan. 10, 2014, http://techcrunch. com/2014/01/10/targets-data-breach-gets-worse-70-million-customers-had-info-stolen- including-names-emails-and-phones 5 “The €30k data takeaway: Domino’s Pizza faces ransom demand after hack,” The Guardian, June 16, 2014, http://www.theguardian.com/technology/2014/jun/16/dominos- pizza-ransom-hack-data 6 “Banks: Credit Card Breach at P.F. Chang’s,” Krebs on Security, June 10, 2014, http:// krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs 7 “Neglected Server Provided Entry for JPMorgan Hackers,” The New York Times DealBook, Dec. 22, 2014, http://dealbook.nytimes.com/2014/12/22/entry-point-of- jpmorgan-data-breach-is-identified/?_r=0 8 “Over 150 million breached records from Adobe hack have surfaced online,” The Verge, Nov. 7, 2013, http://www.theverge.com/2013/11/7/5078560/over-150-million-breached- records-from-adobe-hack-surface-online 9 “Apple Developer site hack: Turkish security researcher claims responsibility,” The Guardian, July 22, 2013, http://www.theguardian.com/technology/2013/jul/22/apple- developer-site-hacked 10 “EBay client information stolen in hacking attack,” Reuters, May 21, 2014, http://articles. chicagotribune.com/2014-05-21/business/chi-ebay-passwords-20140521_1_ebay-shares- ebay-users-u-s-company 11 “Montana Health Department Hacked,” InformationWeek, June 25, 2014, http://www. informationweek.com/healthcare/security-and-privacy/montana-health-department- hacked/d/d-id/1278872 12 Community Health says data stolen in cyber attack from China,” Reuters, Aug. 18, 2014, http://www.reuters.com/article/2014/08/18/us-community-health-cybersecurity- idUSKBN0GI16N20140818 13 “Breach at Goodwill Vendor Lasted 18 Months,” Krebs on Security, Sept. 16, 2014, http://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months 14 “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197 15 “Identity Theft Resource Center Breach Report Hits Record High in 2014,” Identity Theft Resource Center, Jan. 12, 2015. http://www.idtheftcenter.org/ITRC-Surveys- Studies/2014databreaches.html 16 “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_ Data_Breach_Study.pdf 17 “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197 18 “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_ Data_Breach_Study.pdf 19 Based on principles established by the National Association of Corporate Directors, as listed in “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, http://www. theiia.org/bookstore/product/cyber-security-what-the-board-of-directors-needs-to-ask- download-pdf-1852.cfm Sources
  • 17. www.crowehorwath.com Crowe Horwath LLP (www.crowehorwath.com) is one of the largest public accounting and consulting firms in the United States. Under its core purpose of “Building Value with Values® ,” Crowe uses its deep industry expertise to provide audit services to public and private entities while also helping clients reach their goals with tax, advisory, risk and performance services. Crowe and its subsidiaries have offices coast to coast with more than 3,000 personnel. The firm is recognized by many organizations as one of the country’s best places to work. Crowe serves clients worldwide as an independent member of Crowe Horwath International, one of the largest global accounting networks in the world, consisting of more than 150 independent accounting and advisory services firms in more than 100 countries around the world. Crowe Horwath LLP, The Unique Alternative® Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2015 Crowe Horwath LLP RISK15376 Contact Information For more information, contact Raj Chaudhary at 312.899.7008 or raj.chaudhary@crowehorwath.com.