In the banking and finance sector the onus is on the financial organization to maintain compliance with regulations while supporting the dynamic landscape of the business. Often this means incorporating new assets or joining business units, but divesting assets can prove to be a greater challenge.
In his presentation Mitchell highlights how Skybox enabled network visibility that was necessary to determine asset ownership while divesting part of the organization. With Skybox, BT was able to identify key assets that could have been lost during the separation, which otherwise would not have been discovered until after the separation was complete.
Additionally, Mitchell will talk about reputational risk, and how maintaining your reputation as a secure institution can be an important consideration when allocating funding for security.
BT Global Services delivers a combination of communications and IT services to more than 10,000 organizations and governments worldwide. With decades of experience working at the forefront of network security, BT helps their customers understand and prioritize the risks faced in their organizations, and provides solutions to defend against the ever-changing threat environment.
Slide 2
Risk Management for Financial Services: Putting Things into Perspective
• BT Risk Hourglass
• BT Cyber Risk Hierarchy
• Business Case Challenges
• Justifying Risk Mitigation Expenditure
• Case Study
  – The Merger
  – Project Methodology
  – Results
Slide 3
Risk Hourglass – Case Study
Hourglass stages (top to bottom): Detection, Prevention, Emergency Response, Incident Management, Material Event(s), Non-Material Event(s), Consequential Event(s), Crisis Management, Disaster Recovery, Financial Compensation, Insurance Coverage. Axes: Time, Money, People/Process.
Case study timeline:
• POS equipment infected with RAM scraper and exfiltration malware.
• Data leak and malware trace signatures detected by FireEye and Symantec AV.
• Critical alerts and sirens were alleged to have been heard in the India and Brazil SOCs.
• SOC teams were reported to have alerted CERT, who in turn alerted IT management.
• SOCs were ordered by top management to turn off the alerts/sirens and carry on, due to the Christmas shopping backlog.
• Target alerted by federal authorities. By then 40 million credit/debit card details had been downloaded.
• Estimated $420 million in customer compensation, $100 million in cyber insurance claims and 90 court orders.
2 weeks!
Slide 4
Cyber Risk Hierarchy
Operational ‘Cyber Risks’, grouped by the security property they affect:
• Theft of Information (Confidentiality)
  – Data Theft: Personal Data Stolen and Exploited
  – Industrial Espionage: Commercially Sensitive and Valuable Information Intercepted or Uploaded
• Vandalism (Integrity)
  – Web Pages Defaced, Abused or Infected
  – Data Exposed, Publicised or Corrupted
• Service Interruption (Availability)
  – Overload: Systems Overwhelmed in a Denial of Service (DDoS) Attack
  – Sabotage: Infrastructure or Processes Destroyed or Control Taken Over
Slide 5 (BT in commercial confidence)
Business Case Challenges
An example of a common scenario we find in business today
Slide 7
Justifying Risk Mitigation Expenditure: Business Case
• Risk mitigation may have to compete for funds with plans for growth and greater efficiency
• Executive scorecards rarely include risk reduction, but may include growth, cost reduction and defence of market share
• Risk mitigation aims to cut potential losses and unbudgeted expenditure
• Support for cost reduction is only realistic for high-frequency risks
• Fear, Uncertainty and Doubt (FUD) play a major role
• Regulatory compliance is a common theme
• Avoiding reputation and brand damage is an intangible justification
• Avoidance of regret is an underlying principle
• Satisfying audit requirements is valid with risk-based auditing
• A clear definition of risk appetite makes justification much easier