
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015


CIO Perspectives Atlanta 2015 CISO Panel on Cybersecurity for Board of Directors

Published in: Business

  1. Board of Directors Exposure
     • Target – 4 shareholder derivative lawsuits filed against directors, naming 13 directors and officers, asserting breach of fiduciary duty and waste of corporate assets.
     • Wyndham – Lawsuit dismissed; directors showed reasonable investigation.
     Make data privacy and data security, and the resources devoted to these areas, a regular topic of discussion at board meetings.
     * Hogan Lovells, Chronicle of Data Protection, 1/23/15
  2. Sample Concerns Driving Boardroom Conversations
     • Verizon 2013 Data Breach Report – 162 companies
       – Size doesn't matter: more than 50% had < 1000 workers
       – SMBs see security as a medium-high priority
         • Only 75% admitted sufficient knowledge to assess
       – In 1/3 of the companies, the security budget was < 10% of the total IT budget
     • Mandiant Threat Report – 2014
       – 2/3 of breached companies were notified by external parties
       – 229 days (average, improved by 13 days) to detect a breach
       – 44% of phishing emails impersonate internal IT
       – Political threats: example, Syrian Electronic Army
       – Iran: targeted Saudi Aramco, RASGAS
  3. What about Cyber Security?
     • Sales growth is healthy
     • Effective controls are in place
     • Manufacturing safety metrics are in line
     • What about Cyber Security?
     "Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company's cyber security measures needs to be a critical part of a board of directors' risk oversight responsibilities." – SEC Commissioner Luis A. Aguilar, June 2014
  4. National Association of Corporate Directors (NACD) Five Principles:
     1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
     2. Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances.
     3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
     4. Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
     5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.
  5. Six Questions the Board Should Ask*:
     1. Does the organization use a security framework? (e.g., ISO 27001)
     2. What are the top five risks the organization has related to cybersecurity?
     3. How are employees made aware of their role related to cybersecurity?
     4. Are external and internal threats considered when planning cybersecurity program activities?
     5. How is security governance managed within the organization?
     6. In the event of a serious breach, has management developed a robust response protocol?
     * Institute of Internal Auditors Research Foundation