1. Security as a Strategy: Engaging with the C-Suite and the Board
Center for Cybersecurity and Privacy Protection at Cleveland-Marshall College of Law and CyberOhio Business Summit
Cleveland, Ohio
March 22, 2018
2. Our Panel
James Deiotte, Executive in Residence, Monte Ahuja College of Business
Moderator
Helen Patton, Chief Information Security Officer, Ohio State University
Eric Hibbard, Chief Technology Officer, Security & Privacy, Hitachi Vantara
Dick Kerr, Vice President and Chief Information Security Officer, Eaton
Jamil N. Jaffer, Adjunct Professor of Law and Director of the National Security Law & Policy Program at the Antonin Scalia Law School at George Mason University
3. ABC Company
Cleveland, Ohio
BOARD AGENDA
January 1, 2018
Time: 9:00 am
Location: Cleveland, Ohio
Company Corporate Office
I. Call to Order
II. Opening Executive Session
III. Call to Order (by the Board Chair)
a. Approval of minutes of the most recent past board of directors meeting
IV. Report on Company Strategy Current Year and Next Two Years (by the CEO)
a. Review of strategy approved by board
i. RPA Project Update
ii. Acquisition of sensor enterprise
b. Suggested adjustment based on current developments
c. Special issue – data and privacy in Europe
V. Report on Company Performance and Operations Current Quarter and Year to Date
a. Reserves and insurance cyber profile
VI. Report of the Nominating and Governance Committee (by the Committee Chair)
a. Approval of minutes of the most recent past governance committee meeting
b. Motion to elect new board member
c. New risk committee charter approval
VII. Report of the Audit Committee (by the Committee Chair)
a. Approval of minutes of the most recent past audit committee meeting
b. Review of auditor management letter and controls testing concerns
c. Review financial statements
VIII. Report of the Finance & Investment Committee (by the Committee Chair)
a. Review budget adjustments
i. Claims on breach
1. Employees
2. Customer
b. Review current-year financial projections
IX. Closing Executive Session
Next meeting date March 1, 2018
Introduction
Navigating the boardroom agenda
5. Introduction
Hazards of not having a CIO in the room
Questions a CIO would raise against the agenda items above:
• Controls testing – when are they going to visit with me?
• Risk charter – who is on it? Anyone from the tech teams? Engineers?
• Are the claims from the EU, the US or elsewhere? Employees? Customers???
• Sensors? For which products or solutions? Is this for internal or external use?
• Insurance – how are we evaluating cloud suppliers and third-party risks? What about socially engineered attacks?
• RPA – which activities and areas of the company are under focus? US or India?
6. Introduction
Reality of addressing challenges – the starting point
• 89% say their cybersecurity function does not fully meet their organization's needs
• 88% feel it is very unlikely that they would detect a sophisticated cyber attack
• 77% of respondents consider a careless member of staff to be the most likely source of attack
• 63% of organizations still keep cybersecurity reporting within the IT function
• 32% of boards have sufficient knowledge for effective oversight
• 87% believe that they need at least a 50% increase in budget
Source: http://www.ey.com/gl/en/services/advisory/ey-global-information-security-survey-2017-18
7. Technology permeates all facets of business. Newly created stakeholder groups exist both within and beyond the enterprise itself. How are the investments needed and the changes required facilitated?
Security must be embedded in each and every strategy
8. Technology is embedded in the facets of an enterprise's six forms of capital
All are assets of an enterprise requiring nurturing and protection to support growth.
A success in protecting one asset, and failure in another, can still lead to overall failure of the enterprise.
9. Tech's journey… is firmly embedded in operations and strategy
Stakeholders: Shareholders; Board of directors; Audit committee; Chief Executive Officer; Legal; Chief Financial Officer; Chief Risk Officer; Chief Information (CIO/CTO); Operations (R&D, Engineering and Production); Human Resources; Communications/PR; Third-party suppliers; Customers/End Users; Regulators; Policymakers
Cost control
Create value
• Increase productivity of employees through connectivity and collaboration
• Connect complex supply chains across the world
• Agility
• Aligned with, and an enabler of, the business models
• Control costs (server and communication maintenance)
• Deliver actionable information
• Protection of personal information
Enhance, protect and increase enterprise value
• Protection of strategic information
• Improve insights through analytics
• Manage stakeholder relationships with greater transparency
• Deliver self-provided information with new tools for savvy users
• Manage disruptions
• Help people use their technology-based tools more safely
• Manage cloud solutions
10. Exploring strategies that drive growth in enterprise value and the impact technology may have
Strategies
12. Where do humans fit?
Introducing Tay – the racist chatbot
Google Home – who is Jesus Christ?
13. Strategy 2
Achieving greater productivity through data
IoT and IIoT in production
Smart manufacturing — for continuous monitoring of critical assets, equipment, process, and product parameters using sensors to pass along data over wired networks or WiFi.
Connected products — for products giving continuous feedback about their location and performance after they are put into service.
Connected supply chain — for keeping track of inbound and outbound shipments for location-related information and critical in-transit parameters such as temperature.
14. Exploring the impact of the misuse of data. As a deterrent, does it matter how the data was acquired if it was then used improperly?
Misuse of data
15. So what exactly was the business model of Ashley Madison?
How do you determine what your assets of value are?
• Gain competitive advantage (e.g. IP, strategy)
• Gain position of power for exploitation (e.g. ransomware)
• Cause harm (e.g. automotive, industrial, grid, military)
• Theft (e.g. counterfeit, embezzlement)
• Gain disruptive power (e.g. political, community)
16. Attack, flee or hide
• Processes and controls that limit adverse consequences
• Limit access to data
• Limit data collected and held to what is necessary
• However, the impact is increased cost of maintenance and efficiencies lost within systems
17. Cyber risk management and the creation of an ecosystem for cyber defense
Cyber risk management
20. Oversight, accountability or tone setting?
NY State Banking (Regulatory response)
The cybersecurity policy shall be reviewed by the Covered Entity's board of directors or equivalent governing body, and approved by a Senior Officer of the Covered Entity.
• The cybersecurity policy shall address, at a minimum, the following areas:
• Information security; data governance and classification; access controls and identity management; business continuity and disaster recovery planning and resources;
• Capacity and performance planning; systems operations and availability concerns; systems and network security; systems and network monitoring;
• Systems and application development and quality assurance; physical security and environmental controls; customer data privacy;
• Vendor and third-party service provider management; risk assessment; and incident response
South Africa (adopted Governance)
IT governance under King IV emphasizes that governance should focus on technology and information as separate issues, not one.
• Companies will be required to conduct an Intellectual Property Audit to protect their intellectual property assets.
• The board will be required to conduct an IT governance assessment that assesses the gaps and makes recommendations as well. This will include briefing staff, assessing the technologies in use, and possibly changing processes as well.
21. How will enterprises that have global platforms manage the changes taking place and those that will likely take place in the future?
Remaining globally compliant
22. Drivers that impact privacy risk
• Globalization of business platforms – global structures enabled by cloud solutions
• Technologies are shifting – move towards digitization of products and services
• Legislative and regulatory changes – continuous change that reacts (compare US versus South African changes)
• Changes in enforcement and litigation
• Access to global information and sharing information
23. Privacy statement – guess where and the type of business involved
The website is currently hosted on our computer server in ______. We may send personal information that we collect through the website to any other country in which the United States or Company has an affiliate.
By providing Company with your personal information on the Site, you consent to and allow the storage of your personal information within and outside ______.
If you participate in any blog or other online forum on the site, any personal information you post on the site will be shared with other participants of the forum. In these circumstances, the party that obtained your personal information may be located in ______ or may be located in another jurisdiction. The data and privacy protection laws of these other jurisdictions may differ from those of _______.
24. Is the talent out there in enough numbers, and how do we develop and prepare our children for what is coming up next?
Human and social capital
25. What do we tell our children today about tomorrow?
Celestine Johnson and daughter, Tatiana, at the Frederick Douglass Detroit Public Library branch
This program, officially titled Automation Workz 4 U, is leading Detroit residents into CCNA Security or CCNA Cyberops certification. See www.autoworkz.org
Source: Bloomberg, by Lulu Yilun Chen, November 17, 2015: https://www.bloomberg.com/news/features/2015-11-17/latest-craze-for-chinese-parents-preschool-coding-classes