1
• The SEC, NACD, and all of the “Big 4” firms have issued guidance in the last 2 years on 
boards needing visibility in order to manage cybersecurity risks. 
• I just want to acknowledge how surreal this is. A very complex, extremely technical, 
adversary-driven set of problems is a topic of conversation at the highest levels of your 
organization. Or, if it’s not a conversation at those levels, that puts your organization in a 
fast-shrinking minority. 
• How did we get here? What changed? 
• As technology and business professionals – or simply as people that read newspapers and 
watch TV – we are aware that cybersecurity threats have achieved fever pitch. However, 
we also know that cybersecurity risks have been around since our organizations went 
online 15-20 years ago. 
• A combination of forces and events got us here. Understanding them is a 
key to solving the puzzle within our own organizations. 
• Let’s start with the board – In 2009, following the financial crisis, the SEC amended its 
rules to require companies to disclose the board’s role in risk oversight. 
• This rule change creates the backdrop for our story. And it is against this backdrop that 
three interrelated forces come together to shape the rest of the dialogue. 
2
• The first force is that 7-8 years ago, the sophistication of attackers began to out-pace 
available security controls. 
• This sophistication is both technical and operational: 
1. A market for stolen data is built. Intrusions for profit are now a thing. 
2. Malware becomes available for sale in these same underground markets. You can now 
go into business as a hacker without ever writing a single line of code. 
3. Technology that obfuscates malicious code becomes commonplace, allowing attackers 
to keep reusing the same code even after anti-virus signatures exist for it, keeping the cost to attackers 
low and allowing malware authors to maintain profit. 
• Compare this to the disruptive network worms and website defacements we faced only a 
decade ago. 
• Also realize that the firewall and anti-virus technology you have today is largely the same 
thing you had 10 years ago. 
3
• The second force is the impact regulatory changes have had in driving “sunshine” into the 
environment around data breaches. 
1. Since 2003, when California enacted SB 1386, the first law to require companies to 
notify victims in the event of their personal information being stolen, 46 other states 
have passed breach notification laws. Michigan’s law went into effect in April of 2010. 
2. In 2009, HIPAA’s HITECH amendment requires healthcare entities to disclose publicly 
any time 500+ individuals are affected. 
4
• So we have highly motivated, well-equipped attackers operating in an environment where 
victims are required to publicly disclose data breaches. 
• This has led to a seemingly endless stream of news stories and reporting on cybersecurity 
intrusions over the last 3-4 years. 
5
• Now here we are in 2014. This pair of forces now figures centrally in the discussion 
between the board and the CIO. 
• At this point, you may be wondering if this set of circumstances hasn’t created some sort 
of a widespread misconstruction about . 
• Have we achieved a level of hysterics that is causing boards to manage risk by headlines? 
• That is a completely legitimate question, and one I won’t directly attempt to answer here 
today. 
• Instead, let’s seek to understand the role cybersecurity incidents play in the larger context 
of our organizations. 
6
• The Ponemon Institute, for its 2014 report on the cost of data breaches, surveyed 314 
organizations world-wide that had experienced a data breach of some kind. 
• (The fact alone that they surveyed 314 companies that had a data breach in 2013 is 
interesting – do you feel relieved or alarmed?) 
• Surveyed organizations reported breach costs that ranged from $135K to $23M. 
• The data also showed, not surprisingly, that the number of records exposed correlates to 
the cost of the breach. 
7
• However, per capita costs – meaning the cost per breached record – were also widely 
variable, ranging from a few dollars to as much as $459 per record. 
• Also not a surprise, especially in light of the regulatory environment we spoke of earlier, is 
the fact that the US per capita cost is the highest, with an average of $201 per record. 
• From a purely financial perspective, a single data breach event may or may not be 
significant within an organization. And since we understand that the cost of a breach scales 
with the size of a breach – which logically would also scale with the size of a business – we 
can assume that it would take more than a single data breach to bankrupt most companies. 
8
• In January 2007, TJX – the company behind TJ Maxx, Marshalls, and several other retail 
chains – went public with the news that it had been the victim of hackers who had stolen 
over 45M credit card numbers and another 450K social security numbers. 
• At the time, this was the largest data breach in US history. That record has been broken 
several times since then. 
• The company paid fines to banks, provided customers with credit monitoring, spent 
money to improve its technology security, and in September of that year settled a class-action 
lawsuit for a reported $10M. 
• However, as we look at the company’s stock performance over the last decade, it’s clear 
that not only was the breach not devastating to the company’s quarterly performance while 
it was happening, it has not had a lasting impact on TJX or its brands. 
9
• Why in the midst of these awesome graphs and stats would I show you pictures of jets? 
• “Because jets are cooler than bar charts?” 
• If I told you that the top picture is the F-35 Lightning joint strike fighter developed by 
Lockheed Martin and flown for the first time in 2006? 
• …and that the bottom picture is the Chinese J-18 stealth fighter, believed to have first 
flown in early 2013? 
• Now if I told you that both planes have vertical take-off & landing (VTOL) capabilities 
based on similar thrust vectoring designs? 
• Not all data breaches are of private customer data. 
• In May of 2011, Lockheed Martin confirmed that, along with RSA’s SecurID secret keys, 
they had been hacked. The suspect was a group referred to as “APT18.” 
• Two years later, in May of 2013, Lockheed confirmed that hackers believed to be 
operating at the direction of the Chinese government had been targeting the joint strike 
fighter. 
• In September of 2013, the first picture of the J-18 shown here surfaced in Western media. 
10
• At the start of 2011, Sony and its Sony Computer Entertainment America (SCEA) division 
are locked in a battle with Microsoft for online gaming territory. 
• Sony launched Playstation Network, signed exclusives for the PS3 console which sold well 
during the preceding Christmas season, and are preparing to dominate the online gaming 
market. 
• They double down on the Playstation Network investment, quietly preparing to launch 
Qriocity, a service to stream music and movies to PS3 and other consumer devices to 
compete with iTunes and Netflix. 
• Then, in February, the Fukushima earthquake and subsequent tsunami strike Japan. This 
knocks the Nikkei on its butt, and takes electronics factories offline for months while they 
retool and recalibrate. 
• As if that wasn’t enough, Sony has just signed a $650M deal to acquire a facility in 
Nagasaki owned by rival Toshiba, which also closed as a result of the earthquake. 
11
• We come into the Spring of 2011 with Sony in a precarious position – manufacturing is 
down, capital is overextended with no clear sign of return. The revenue stream that could 
save them, their big bet, is SCEA and the Playstation Network. 
• Which is then hacked. A lot. So much, Sony gets sued. 
• George Hotz story, Anonymous, LulzSec 
12
13
• And then, a year after the nightmare begins, Howard Stringer resigns. Sony’s stock is at 
half of its share price from prior to the earthquake. 
• Even now, its 52-week high is only $20 a share. Sony still has not recovered from 2011. 
• By all accounts, Stringer was well liked by Sony’s board, as evidenced by its accepting 
his recommendation of his successor, Kaz Hirai. 
14
• In 2013, Target is facing flat growth at a time when retail is overall recovering from the 
recession. 
• Target has invested $4.4B in an expansion plan to open 124 stores in Canada. In FY13, this 
expansion netted a loss of $169M for Target. 
15
• Target goes public with the fact that they were compromised, and credit card numbers 
were stolen from their payment system. 
• There was a lot of blaming and shaming done in the press in the early days. Losing 70M 
customer credit card numbers is a huge problem. 
• But I am here to tell you that Target did a great job. We’ve known their incident response 
team for years through conferences and a product advisory board both companies sat on. 
They were well-staffed, well-trained, and well-equipped. The vulnerability in the network 
design of their stores that let the hackers pivot from the HVAC vendor to the payment 
network was known. (Like TJX’s wireless, it was deemed too expensive to fix.) 
• The fact that they were hacked the week before Thanksgiving, were alerted, detected, 
responded, and recovered from the breach in a little over two weeks’ time is phenomenal. 
Don’t believe me? Here’s how other companies that suffered similar breaches did: 
• Neiman Marcus (2 months) 
• Kmart (2 months) 
• Dairy Queen (at least 3 months – they still don’t know) 
• Jimmy John’s (4 months) 
• Michaels (5 months) 
• Home Depot (6 months) 
• Goodwill (18 months) 
16
• Jan 9 – Target releases a single statement to the public about the total size (70M) of its 
data breach and its 4th quarter performance where they predict an $800M loss, mostly 
from the failed Canadian expansion plan. 
• Was this an intentional move to conflate the two issues and give the board a new story 
about firing Steinhafel? 
• The stock trades even lower on news of layoffs of 475 people from Target’s corporate HQ. 
• In early May, Steinhafel resigns. 
17
• Neither Steinhafel nor Stringer was fired solely because their company suffered a breach. 
• But where turmoil and performance issues loomed, the breaches served to erode all of 
the margin these executives had. 
• Because the breaches became PR incidents, they put the CEO and the company in the 
spotlight at an already challenging time. 
18
• I have a rule about presenting on cybersecurity topics: If you present a problem, you must 
also offer a solution. 
19
• These are the four things you must have within your organization in order to provide oversight 
and management of cybersecurity risks. 
• These will enable board-level visibility, actively manage risk, and enable your organization to act in 
a trustworthy way that protects your brand in the event of a breach. 
• Impact Assessment 
  • Identify and articulate the ways that a cybersecurity incident could negatively impact your 
  organization 
  • This is not an IT-only exercise, and should include input from Risk, Finance, and Marketing 
• Cyber Risk Management 
  • Create (or better yet, use an existing) risk assessment framework. 
  • Update it regularly 
  • Use quantitative scoring of risks to create metrics and priority 
  • Priority drives an action plan, which begets funding and project requests to address top 
  risks 
• Cybersecurity Monitoring 
  • You need the technology and the people necessary to identify and respond to attacks 
  • Attacks are a daily occurrence. 
  • Focus not only on real-time detection and response, but also on the ability to retain 
  evidence so you can search it later when you learn something new 
• Incident Response Planning 
  • The organization needs a plan for how it will respond to a breach if one occurs 
  • Large list of stakeholders; they all need to be involved 
  • Prepare and practice the plan 
  • Example: Time to spin up credit monitoring 
20
21
CYBER SECURITY FOR PRIVATE AND DOMESTIC USE -VIKASH SINGH BAGHEL.pdf
 
Know Your Adversary: Analyzing the Human Element in Evolving Cyber Threats
Know Your Adversary: Analyzing the Human Element in Evolving Cyber ThreatsKnow Your Adversary: Analyzing the Human Element in Evolving Cyber Threats
Know Your Adversary: Analyzing the Human Element in Evolving Cyber Threats
 
CC_Futureinc_Cyber Security
CC_Futureinc_Cyber SecurityCC_Futureinc_Cyber Security
CC_Futureinc_Cyber Security
 
2010 6 Things u need 2 know in 2010 Whitepaper Final
2010  6 Things u need 2 know in 2010 Whitepaper Final2010  6 Things u need 2 know in 2010 Whitepaper Final
2010 6 Things u need 2 know in 2010 Whitepaper Final
 
Big Data's Big Paradox_Dr. Nita Rollins
Big Data's Big Paradox_Dr. Nita RollinsBig Data's Big Paradox_Dr. Nita Rollins
Big Data's Big Paradox_Dr. Nita Rollins
 
What i learned at the infosecurity isaca north america expo and conference 2019
What i learned at the infosecurity isaca north america expo and conference 2019What i learned at the infosecurity isaca north america expo and conference 2019
What i learned at the infosecurity isaca north america expo and conference 2019
 
82. next gen part 4
82. next gen part 482. next gen part 4
82. next gen part 4
 
Cyber Risk for Construction Industry
Cyber Risk for Construction Industry Cyber Risk for Construction Industry
Cyber Risk for Construction Industry
 

Recently uploaded

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 

Recently uploaded (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 

Cybersecurity and The Board

Slide 1

Slide 2
• The SEC, NACD, and all of the “Big 4” firms have issued guidance in the last 2 years on boards needing visibility in order to manage cybersecurity risks.
• I just want to acknowledge how surreal this is. A very complex, extremely technical, adversary-driven set of problems is a topic of conversation at the highest levels of your organization. Or, if it’s not a conversation at those levels, that puts your organization in a fast-shrinking minority.
• How did we get here? What changed?
• As technology and business professionals – or simply as people that read newspapers and watch TV – we are aware that cybersecurity threats have achieved fever pitch. However, we also know that cybersecurity risks have been around since our organizations went online 15-20 years ago.
• A combination of forces and events gets us here. Understanding them is a key to solving the puzzle within our own organizations.
• Let’s start with the board – In 2009, following the financial crisis, the SEC amended its rules to require companies to disclose the board’s role in risk oversight.
• This rule change creates the backdrop for our story. And it is against this backdrop that three interrelated forces come together to shape the rest of the dialogue.

Slide 3
• The first force is that 7-8 years ago, the sophistication of attackers began to out-pace available security controls.
• This sophistication is both technical and operational:
  1. A market for stolen data is built. Intrusions for profit are now a thing.
  2. Malware becomes available for sale in these same underground markets. You can now go into business as a hacker without ever writing a single line of code.
  3. Technology that obfuscates malicious code becomes commonplace, allowing attackers to reuse code even after anti-virus signatures can detect it, keeping the cost to attackers low and allowing malware authors to maintain profit.
• Compare this to the disruptive network worms and website defacements we faced only a decade ago.
• Also realize that the firewall and anti-virus technology you have today is largely the same thing you had 10 years ago.

Slide 4
• The second force is the impact regulatory changes have had in driving “sunshine” into the environment around data breaches.
  1. Since 2003, when California enacted SB 1386, the first law to require companies to notify victims in the event of their personal information being stolen, 46 other states have passed breach notification laws. Michigan’s law went into effect in April of 2010.
  2. In 2009, HIPAA’s HITECH amendment required healthcare entities to disclose publicly any time 500+ individuals are affected.

Slide 5
• So we have highly motivated, well-equipped attackers operating in an environment where victims are required to publicly disclose data breaches.
• This has led to a seemingly endless stream of news stories and reporting on cybersecurity intrusions over the last 3-4 years.

Slide 6
• Now here we are in 2014. This pair of forces now figures centrally in the discussion between the board and the CIO.
• At this point, you may be wondering if this set of circumstances hasn’t created some sort of widespread misconstruction about .
• Have we achieved a level of hysterics that is causing boards to manage risk by headlines?
• That is a completely legitimate question, and one I won’t directly attempt to answer here today.
• Instead, let’s seek to understand the role cybersecurity incidents play in the larger context of our organizations.

Slide 7
• The Ponemon Institute, for its 2014 report on the cost of data breaches, surveyed 314 organizations world-wide that had experienced a data breach of some kind.
• (The fact alone that they surveyed 314 companies that had a data breach in 2013 is interesting – do you feel relieved or alarmed?)
• Surveyed organizations reported breach costs that ranged from $135K to $23M.
• The data also showed, not surprisingly, that the number of records exposed correlates to the cost of the breach.

Slide 8
• However, per capita costs – meaning the cost per breached record – were also widely variable, ranging from a few dollars to as much as $459 per record.
• Also not a surprise, especially in light of the regulatory environment we spoke of earlier, is the fact that the US per capita cost is the highest, with an average of $201 per record.
• From a purely financial perspective, a single data breach event may or may not be significant within an organization. And since we understand that the cost of a breach scales with the size of a breach – which logically would also scale with the size of a business – we can assume that it would take more than a single data breach to bankrupt most companies.

Slide 9
• In January 2007, TJX – the company behind TJ Maxx, Marshalls, and several other retail chains – went public with the news that it had been the victim of hackers who had stolen over 45M credit card numbers and another 450K social security numbers.
• At the time, this was the largest data breach in US history. That record has been broken several times since then.
• The company paid fines to banks, provided customers with credit monitoring, spent money to improve its technology security, and in September of that year settled a class-action lawsuit for a reported $10M.
• However, as we look at the company’s stock performance over the last decade, it’s clear that not only was the breach not devastating to the company’s quarterly performance while it was happening, it has not had a lasting impact on TJX or its brands.

Slide 10
• Why in the midst of these awesome graphs and stats would I show you pictures of jets?
• “Because jets are cooler than bar charts?”
• What if I told you that the top picture is the F-35 Lightning joint strike fighter developed by Lockheed Martin and flown for the first time in 2006?
• …and that the bottom picture is the Chinese J-18 stealth fighter, believed to have first flown in early 2013?
• Now what if I told you that both planes have vertical take-off & landing (VTOL) capabilities based on similar thrust vectoring designs?
• Not all data breaches are of private customer data.
• In May of 2011, Lockheed Martin confirmed that, along with RSA’s SecurID secret keys, they had been hacked. The suspect was a group referred to as “APT18.”
• Two years later, in May of 2013, Lockheed confirmed that hackers believed to be operating at the direction of the Chinese government had been targeting the joint strike fighter.
• In September of 2013, the first picture of the J-18 shown here surfaced in Western media.

Slide 11
• At the start of 2011, Sony and its Sony Computer Entertainment America (SCEA) division are locked in a battle with Microsoft for online gaming territory.
• Sony has launched PlayStation Network, signed exclusives for the PS3 console, which sold well during the preceding Christmas season, and is preparing to dominate the online gaming market.
• They double down on the PlayStation Network investment, quietly preparing to launch Qriocity, a service to stream music and movies to PS3 and other consumer devices to compete with iTunes and Netflix.
• Then, in February, the Fukushima earthquake and subsequent tsunami strike Japan. This knocks the Nikkei on its butt, and takes electronics factories offline for months while they retool and recalibrate.
• As if that wasn’t enough, Sony has just signed a $650M deal to acquire a facility in Nagasaki owned by rival Toshiba, which also closed as a result of the earthquake.

Slide 12
• We come into the spring of 2011 with Sony in a precarious position – manufacturing is down, capital is overextended with no clear sign of return. The revenue stream that could save them, their big bet, is SCEA and the PlayStation Network.
• Which is then hacked. A lot. So much that Sony gets sued.
• George Hotz story, Anonymous, LulzSec

Slide 13

Slide 14
• And then, a year after the nightmare begins, Howard Stringer resigns. Sony’s stock is at half of its share price from prior to the earthquake.
• Even now, its 52-week high is only $20 a share. Sony still has not recovered from 2011.
• By all accounts, Stringer was well liked by Sony’s board, as evidenced by its accepting his recommendation of successor, Kaz Hirai.

Slide 15
• In 2013, Target is facing flat growth at a time when retail overall is recovering from the recession.
• Target has invested $4.4B in an expansion plan to open 124 stores in Canada. In FY13, this expansion netted a loss of $169M for Target.

Slide 16
• Target goes public with the fact that they were compromised, and credit card numbers were stolen from their payment system.
• There was a lot of blaming and shaming done in the press in the early days. Losing 70M customer credit card numbers is a huge problem.
• But I am here to tell you that Target did a great job. We’ve known their incident response team for years through conferences and a product advisory board both companies sat on. They were well-staffed, well-trained, and well-equipped. The vulnerability in the network design of their stores that let the hackers pivot from the HVAC vendor to the payment network was known. (Like TJX’s wireless, it was deemed too expensive to fix.)
• The fact that they were hacked the week before Thanksgiving, were alerted, detected, responded, and recovered from the breach in a little over two weeks’ time is phenomenal. Don’t believe me? Here’s how other companies that suffered similar breaches did:
  • Neiman Marcus (2 months)
  • Kmart (2 months)
  • Dairy Queen (at least 3 months – they still don’t know)
  • Jimmy John’s (4 months)
  • Michaels (5 months)
  • Home Depot (6 months)
  • Goodwill (18 months)

Slide 17
• Jan 9 – Target releases a single statement to the public about the total size (70M) of its data breach and its 4th quarter performance, where they predict an $800M loss, mostly from the failed Canadian expansion plan.
• Was this an intentional move to conflate the two issues and give the board a new story about firing Steinhafel?
• The stock trades even lower on news of layoffs of 475 people from Target’s corporate HQ.
• In early May, Steinhafel resigns.

Slide 18
• Neither Steinhafel nor Stringer was fired solely because their company suffered a breach.
• But where turmoil and performance issues loomed, the breaches served to erode all of the margin these executives had.
• Because the breaches became PR incidents, they put the CEO and the company in the spotlight at an already challenging time.

Slide 19
• I have a rule about presenting on cybersecurity topics: If you present a problem, you must also offer a solution.
Slide 20
• These are the four things you must have within your organization in order to provide oversight and management of cybersecurity risks.
• These will enable board-level visibility, actively manage risk, and enable your organization to act in a trustworthy way that protects your brand in the event of a breach.
• Impact Assessment
  • Identify and articulate the ways that a cybersecurity incident could negatively impact your organization
  • This is not an IT-only exercise, and should include input from Risk, Finance, and Marketing
• Cyber Risk Management
  • Create (or better yet, use an existing) risk assessment framework.
  • Update it regularly
  • Use quantitative scoring of risks to create metrics and priority
  • Priority drives an action plan, which begets funding and project requests to address top risks
• Cybersecurity Monitoring
  • You need the technology and the people necessary to identify and respond to attacks
  • Attacks are a daily occurrence.
  • Focus not only on real-time detection and response, but also on the ability to retain evidence so you can search it later when you learn something new
• Incident Response Planning
  • The organization needs a plan for how it will respond to a breach if one occurs
  • Large list of stakeholders; they all need to be involved
  • Prepare and practice the plan
  • Example: Time to spin up credit monitoring
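Slide 20 asks for quantitative scoring that turns a risk register into priorities and then into funding requests. The Python sketch below is an added example, not material from the deck or its speaker: it scores each risk as expected annual loss using the deck's Ponemon 2014 US average of $201 per breached record and flags estimates outside the surveyed $135K to $23M range; the ALE-style formula, the register entries, likelihoods and mitigation figures are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

US_COST_PER_RECORD = 201.0                      # Ponemon 2014 US average (slide 8)
SURVEY_COST_RANGE = (135_000.0, 23_000_000.0)   # surveyed breach-cost range (slide 7)


@dataclass
class Risk:
    name: str
    records_at_risk: int
    annual_likelihood: float          # probability of at least one such breach per year (0..1)
    fixed_costs: float = 0.0          # fines, credit monitoring, settlements; not per record
    per_record_cost: float = US_COST_PER_RECORD
    mitigation_cost: Optional[float] = None      # one-off cost of the proposed control
    residual_likelihood: Optional[float] = None  # likelihood once the control is in place

    def single_loss_expectancy(self) -> float:
        """Cost of one occurrence: records times per-record cost, plus fixed costs."""
        return self.records_at_risk * self.per_record_cost + self.fixed_costs

    def annualized_loss_expectancy(self) -> float:
        """Expected annual loss (assumed ALE formula): SLE weighted by yearly likelihood."""
        return self.single_loss_expectancy() * self.annual_likelihood

    def outside_survey_range(self) -> bool:
        """Flag SLE estimates outside what Ponemon actually observed, for analyst review."""
        low, high = SURVEY_COST_RANGE
        return not (low <= self.single_loss_expectancy() <= high)

    def net_mitigation_benefit(self) -> Optional[float]:
        """Annual loss avoided minus control cost; None when no control is proposed."""
        if self.mitigation_cost is None or self.residual_likelihood is None:
            return None
        residual_ale = self.single_loss_expectancy() * self.residual_likelihood
        return (self.annualized_loss_expectancy() - residual_ale) - self.mitigation_cost


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest expected annual loss first: the metric that sets priority on slide 20."""
    return sorted(register, key=lambda r: r.annualized_loss_expectancy(), reverse=True)


def action_plan(register: List[Risk]) -> List[str]:
    """Names of risks whose proposed control pays for itself, best net benefit first."""
    funded = [r for r in register if (r.net_mitigation_benefit() or 0.0) > 0.0]
    funded.sort(key=lambda r: r.net_mitigation_benefit(), reverse=True)
    return [r.name for r in funded]


def build_register() -> List[Risk]:
    """Constructed sample register; every figure here is illustrative, not a real assessment."""
    return [
        Risk("Card data exposed via vendor-reachable store network", 500_000, 0.10,
             fixed_costs=2_000_000, mitigation_cost=1_500_000, residual_likelihood=0.02),
        Risk("Lost unencrypted laptop holding HR records", 5_000, 0.50,
             fixed_costs=50_000, mitigation_cost=40_000, residual_likelihood=0.05),
        Risk("Customer account takeover on web storefront", 20_000, 0.25,
             fixed_costs=100_000, mitigation_cost=200_000, residual_likelihood=0.05),
    ]


if __name__ == "__main__":
    register = build_register()
    for r in prioritize(register):
        flag = "  (outside surveyed range, review estimate)" if r.outside_survey_range() else ""
        print(f"{r.name}: ALE ${r.annualized_loss_expectancy():,.0f}{flag}")
    print("Fund in this order:", action_plan(register))
```

The range flag matters: a register entry far above anything observed in the survey is more often a bad estimate than a real outlier, and the board should see it labelled as such.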
Slide 21