1. Managing Digital Earnings in an Unknowable Environment
Transformation Begins From Within
The Art of Healing
Cyber Risk Management Intelligence
Black Diamond Quantitative Cyber Risk Management Group
Mitchell Grooms
Dr. Robert Mark
Michael F. Angelo
2. Net Profits in an Interest Rate Cycle
[Chart: net profits over one interest rate cycle, with the phases of the cycle marked A, B, C, D; see Editor's Note 1]
3. Cyber Risk Management Strategy
[Chart: Net Profits (y-axis) against Time (x-axis) over a cycle]
Maximize net profits while mitigating risks in a changing cyber environment.
4. Tectonic Shifts Impact Net Profits
Credit Risk Seismic Shift, 2007
• Risk models break down
• Black swans arrive
• Significant decline in asset valuations
• Faulty risk measures in stressed markets
• Unprecedented market disruptions
• Funding liquidity crisis
• Major corporate failures
• Failure to harmonize and integrate risk and to uncover the unknown unknowns
• Great Recession
Cyber Risk Management Seismic Shift, Q4 2015
• Shift in the attack surface (from malware to accelerated privileges, i.e. privilege escalation), with increasing vulnerability
• Visible, high-complexity attacks: scaled and staged, with exponential impact
• Increasing frequency, rising severity
• Limited measures of cyber risk
• Corporate ecosystems under attack
• June 7th, 2016 SWIFT alert
• Corporate infrastructure overrun, the weakest failing first
• Failure to harmonize and integrate risk and to uncover the unknown unknowns
• Breaches challenge company survivability in a stress environment, e.g. Verizon, SWIFT
5. Cyber Survival Cycle
[Chart: cyber risk score (30 to 100) over time, through the phases Init, Attack, Analysis, Recover, Normal, Attack, Analysis, Recovery, Attack; the Living Will activates and the death cycle ends in Failure]
• Business goal = a score of 95
• Attacks lower the score
• Analysis halts the drop
• Remediation raises the score
• Blue line: US Treasury kill line (a score of 50 or below is a terminable risk; see Editor's Note 4)
• A cybersecurity event is a protracted disruption, or an event that severely impairs reputation
• The Living Will is initialized by the parameters above, which starts an orderly resolution
• Death
6. Impact on Ratings
[Chart: cyber risk score (40 to 100) mapped to business rating bands AAA, AA, A, down to Failure]
7. Cyber Risk Management Embedded Options
• Frequency: likelihood of a successful cyber event
• Severity: magnitude of a successful cyber event
• Choice: mitigate vs accept the potential cyber risk
• Insurance price: a function of frequency and severity
[Chart: severity against likelihood (frequency, given as a number of years); regions labelled "Mitigate Cyber Risk", "Accept Cyber Risk", "You are out of business!" and "Acceptable cost of risk"]
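Slide 7 describes cyber risk as frequency times severity, prices insurance from those two quantities, and frames the mitigate-or-accept choice against what the business can absorb. The Python below is an added worked example, not part of the deck and not the Black Diamond scoring method: it uses the standard compound-Poisson loss model (events per year assumed Poisson, loss per event assumed lognormal) to turn a frequency/severity pair into an expected annual loss, a loss exceedance probability, an indicative premium and a mitigate/accept decision. Every monetary figure, rate and the premium loading are constructed assumptions for illustration.

```python
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class CyberRiskScenario:
    """One cyber loss scenario described the way the slide does: by frequency and severity.

    freq_per_year: expected number of successful events per year (assumed Poisson rate).
    sev_median:    median loss per successful event, in currency units.
    sev_sigma:     log-space standard deviation of the per-event loss (lognormal shape);
                   a larger value means a fatter tail. All figures below are constructed.
    """
    name: str
    freq_per_year: float
    sev_median: float
    sev_sigma: float

    def expected_annual_loss(self) -> float:
        """Analytic expected annual loss: E[N] * E[X], where E[X] = median * exp(sigma^2 / 2)."""
        return self.freq_per_year * self.sev_median * math.exp(self.sev_sigma ** 2 / 2)


def _poisson(rng: random.Random, rate: float) -> int:
    """Sample a Poisson count with Knuth's multiplication method (adequate for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(scenario: CyberRiskScenario, years: int = 20_000, seed: int = 7) -> list[float]:
    """Monte Carlo: for each simulated year draw the event count, then a lognormal loss per event."""
    rng = random.Random(seed)
    mu = math.log(scenario.sev_median)  # lognormal location parameter from the median
    annual = []
    for _ in range(years):
        events = _poisson(rng, scenario.freq_per_year)
        annual.append(sum(rng.lognormvariate(mu, scenario.sev_sigma) for _ in range(events)))
    return annual


def loss_exceedance(losses: list[float], threshold: float) -> float:
    """Probability that a year's total loss is at least `threshold` (one point on a loss exceedance curve)."""
    return sum(1 for x in losses if x >= threshold) / len(losses)


def value_at_risk(losses: list[float], confidence: float) -> float:
    """Annual loss not exceeded with probability `confidence` (0.99 is the 1-in-100-year loss)."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, int(confidence * len(ordered)))
    return ordered[index]


def indicative_premium(scenario: CyberRiskScenario, loading: float = 0.35) -> float:
    """Insurance price as a function of frequency and severity: the pure premium (expected annual
    loss) plus an insurer's loading for expenses, capital and uncertainty. The loading is assumed."""
    return scenario.expected_annual_loss() * (1.0 + loading)


def mitigate_or_accept(baseline: CyberRiskScenario, mitigated: CyberRiskScenario,
                       annual_control_cost: float) -> str:
    """The slide's choice: mitigate when the control buys more expected-loss reduction than it costs."""
    saved = baseline.expected_annual_loss() - mitigated.expected_annual_loss()
    return "mitigate" if saved > annual_control_cost else "accept"


def survival_probability(losses: list[float], loss_capacity: float) -> float:
    """Share of simulated years whose total loss stays below what the business can absorb;
    the complement is the slide's 'you are out of business' region."""
    return 1.0 - loss_exceedance(losses, loss_capacity)


if __name__ == "__main__":
    # Constructed scenarios: the same threat before and after a hypothetical control investment.
    baseline = CyberRiskScenario("ransomware, current controls", 0.5, 2_000_000, 1.0)
    hardened = CyberRiskScenario("ransomware, segmented network + offline backups", 0.1, 800_000, 1.0)
    losses = simulate_annual_losses(baseline)
    print(f"expected annual loss (analytic)  {baseline.expected_annual_loss():>14,.0f}")
    print(f"expected annual loss (simulated) {sum(losses) / len(losses):>14,.0f}")
    print(f"1-in-100-year loss               {value_at_risk(losses, 0.99):>14,.0f}")
    print(f"P(annual loss >= 10M)            {loss_exceedance(losses, 10_000_000):>14.3f}")
    print(f"indicative premium               {indicative_premium(baseline):>14,.0f}")
    print(f"survival at 15M loss capacity    {survival_probability(losses, 15_000_000):>14.3f}")
    print("decision at 600k/yr control cost:", mitigate_or_accept(baseline, hardened, 600_000))
```

The analytic expected annual loss is the number an insurer would start from; the simulated distribution adds what the slide's chart implies but the expectation hides, namely how often a single bad year lands in the "out of business" region. Compare the 1-in-100-year loss with the loss capacity rather than the mean when deciding where the kill line sits.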
8. Who's Testing Your Security?
• We hope you are more successful than the hackers, but…
• Even with all the investment, the bad guys are still getting in.
• Why?
  - We don't have what we think we have, and there are gaps even in what we do have.
  - The bad guys always exploit the gaps.
9. Our Solution: 3 Steps
• Scoring: the personalization of your infrastructure
• Normalizing your cyber risk database
• Cyber Risk & Cyber Capital Management Program
Step 1 – Scoring, the personalization of your infrastructure
  - Complete cyber ecosystem analysis
  - Cross-mapping to multiple standards
  - Risk scoring
  - Attack analysis and risk scoring
Step 2 – Normalizing your cyber risk database
  - Turning the past into wisdom
Step 3 – Cyber Risk & Cyber Capital Management Program
  - Mastery, healing, managing net profits
10. Harmonizing & Integrating Intelligence
Security Risk Intelligence (Cyber Defense)
• Fighting as a strategy
• Costs directed at the corporate shield
• No scoring metrics
• Threat hunting
• Not aligned with business vision and goals
• Reactive
• Uncovers unknown unknowns
Plus Cyber Risk Intelligence
• Risk measures plus culture
• Net profit orientation; costs directed at making risk transparent
• Scoring metrics
• Makes cyber risk transparent at the infrastructure level, evolving the risk metrics as the business digitizes
• Aligned with business vision, goals and risk/return trade-offs
• Proactive
• Discovers the unknown unknowns
11. Call to Action – Time to Show Up!
• Create a Cyber Risk Management Committee
  - Organizationally, the authority needs to sit as high up as possible, ideally at the Board
  - The complexity of cyber makes it the greatest risk challenge ever
• Create two actionable teams
  - The teams are composed of Security and Risk Management members with the necessary capabilities and skills
  - How to populate the teams?
  - The teams must create a common means of communication and harmonize and integrate Security and Risk Management into a workable, actionable Cyber Risk Management Intelligence Unit that is competitive and differentiating, in line with the organization's corporate vision
• R&D in the quantification of cyber risk must be innovative
  - The introduction of new elements into the evolving attack surface: IoT in 2020 = 50B connections; assume 10% measured
12. The Future is Now, What Will You Do?
• If you can't measure the cyber risk, you can't manage it. Can you measure your cyber risk?
• Given everything you have done to protect your organization, you are still getting hacked. Do you know why?
• Do you have an appropriate allocation of cyber risk, with a transfer pricing mechanism across your business units?
• Do you have a value-driven Cyber Risk Capital Management program?
• Do you know how to capture your orderly resolution in your Living Will in the event of a protracted business disruption and/or reputational impairment due to a high-impact cyber attack?
• Is the primary focus of your company Security Risk Management ("fighting"), or Cyber Risk Management of your net profits while mitigating risks?
BDQCRM Cyber Risk Management Intelligence Top 12 Final 080216

Editor's Notes

  1. At each point in the cycle, A, B, C, D, the strategy for a healthy company, profits, is difference. Asset values, i.e., mortgages, appreciate from A-C and their value must be protected from C-A. Every new cycle peak exceeds the previous cycle peak. Over the course of the history of Risk Management we have learned how to measure and manage risk by understanding the embedded options in a risk complexity that is behind the etiology of a specific risk, i.e., by understanding the embedded options associated with mortgages we were able to manage the granularity of mortgage related risk. The solution once known caused the normalization of systems of record of financial institutions to produce successful risk management results. The same methodology and processes can be applied to Cyber Risk to quantify and manage the complexities of Cyber Risk. Cyber Risk is the greatest, most complex risk encountered to date. The nature of Cyber Risk is unlike any other discovered risk. It is also one of the most damaging risk ever discovered because of it’s exponentially and ability to change forms.
  2. Cyber Risk events are operational and morph to credit risk events exponentially in an organization. The impact of cyber risk frequency and severity causes dramatic swings in net profits, based on the unique corporate attack surface, infrastructure, of a company. The etiology of the impact, whether the incident(s) are terminable or remediable, is a function of two critical inventories, 1) connectivity and 2) externalities.
  3. We have had more tectonic Risk events in the Cyber Risk era (2005 to Present) than all other risks combined over the last 50 years. The great breakdown in the history of Risk Management is happening today because of the failure to create, design, implement a viable risk management solution to measure and manage Cyber Risk. The June 7th SWIFT alert, which is a Cyber Risk event, is evidence of the system-wide failure of Security Risk. The Verizon hack is a close second. The recent Oracle hack is yet to be understood. It is very likely that Fireeye will also be hacked. Large financial institutions are already modeling the implications of a SWIFT meltdown. First Data is a very likely next up hack. Near term a protracted large institutional disruption is high probable. Many of these hacks will be successful because the Security focus was on fighting hackers versus protecting critical corporate infrastructure first via Scoring. The SWIFT alert is likely to generate a minimum Regulatory response that mandates the closing of the Cyber Risk infrastructure gap.
  4. In a 100-point Scoring methodology, financial intermediaries are obligated to maintain a constant score of 98.5, and corporations are obligated to maintain a constant score of 95. A score of 50 or less is a terminable risk for any institution or corporation. A sampling of companies and financial intermediaries would currently reflect levels that are substandard for conducting business (at or below 50). A score of 50 or less could trigger the execution of the orderly resolution of a financial institution, and this process (how it would be executed) must be accounted for in the Living Will requirements defined by Dodd-Frank and managed by Regulators.
  5. S&P does a rating based on criteria that exclude an explicit view of the quality of risk management in a system. Rating Agencies believe that if you are not doing good RM the rating drops, and this is included in their ratings review. Ratings by means of Cyber Risk Scoring can measure the Cyber Risk so you can manage the Cyber Risk. Cyber Risk Scoring is a personalization of the unique infrastructure of a company to capture all of the embedded options, or key risk indicators, from a Cyber Risk perspective, i.e., the IT and Process assessment based on an ERM framework of the two key inventories that comprise the infrastructure in a digital economy: 1) connectivity and 2) externalities (FFIEC definition). The entire ERM framework is the basis of quantification, business intelligence, transparency, safety and soundness.
  6. The key to success is the harmonization and integration of Security Risk and Cyber Risk Management. Mastery is accomplished through the quantification of Cyber Risk, including all the necessary elements of Risk Management: frequency, severity, weighting, modeling, model vetting, valuation, pricing (specifically, Cyber Insurance Premiums), Cyber Risk Transfer Pricing, Cyber Risk Management, Cyber Risk Capital Management, Cyber Risk Stress Testing and more.
  7. We hope you are more successful than the hackers, but… So why, with all the investment, are the bad guys still getting in? We don’t have what we think we have, and there are gaps even in what we really do have. The bad guys exploit the gaps.
  8. The intrinsic model is: 1) Personalization, 2) Normalization, 3) Mastery. Phase I Scoring moves the ball from reactive, which is the domain of Security Risk Management and Security Intelligence, to preventative, proactive Cyber Risk Management and Cyber Risk Intelligence. Closing the current infrastructure Scoring gap shrinks the corporate attack surface from the existing corporate score to 98.5 for financial institutions and 95 for corporations. At the end of Phase I, decisions about Cyber Insurance pricing and the purchase of Cyber Risk Insurance are possible based on an accurate assessment of the existing corporate infrastructure. No Insurance company or vendor has accomplished a viable valuation or pricing rationale for Cyber Insurance to date. This is the heart of the current breakdown regarding Cyber Risk. We can provide the breakthrough with our Scoring and quantification solutions, solving this breakdown and causing a viable, transparent breakthrough in measuring and managing Cyber Risk.
  9. The goal is to maintain operational excellence above 98.5% for financial institutions and 95% for all other corporations and business entities. Fighting cannot be the end-all and be-all of Cyber Risk. The goal of Cyber Risk Intelligence is to manage net profits, and ultimately viability, while mitigating risks. This methodology is designed to measure the risk so you can manage the risk. The process is transparent. The solution is proactive and aligned with the business vision, goals and risk/return tradeoffs.
  10. Create a Cyber Risk Management Committee
  • Organizationally, the authority needs to be as high up as possible, ideally at the Board
  • The complexity of Cyber makes it the greatest Risk challenge ever
  • Create Two Actionable Teams: 1) the Infrastructure Security Assessment Team, 2) the Business Innovation Team
  • The Teams are composed of Security and Risk Management members with the necessary capabilities and skills, i.e., IT, Business Process, Quantitative Risk Management Analytics, Big Data
  • How to fill? Choose 1) an Internal team, 2) an External team, or 3) a combination; harmonizing and integrating 1 & 2 successfully accomplishes your results
  • Teams must create a common means of communication and harmonize and integrate Security and Risk Management into a workable, actionable Cyber Risk Management Intelligence Unit that is competitive and differentiating in nature, as per the organization’s corporate vision
  • R&D in the quantification of Cyber Risk will be innovative because of the introduction of new elements into the evolving attack surface, AI, VR, etc. In 2020 IoT will have 50B connections, 10% measured.
  • Special Note: Think about the HC System of Records issue as it relates to a Cyber Risk Management normalized database. There are two paths: 1) an external team (95% of the time this path is chosen) and 2) an internal team (5%); compare and contrast the two paths.
  11. Roadmap to results, which by necessity incorporates a transformation of the corporate Digital Enterprise strategy, led by creating a secure infrastructure technology architecture (SITA) to ensure trust and deliver critical information property (Consumer, SBA, other) services, products and value propositions to clients. Security Risk Management is a secondary albeit necessary activity that is aligned with Cyber Risk Management, which is focused on managing net profits and corporate viability. CROs will drive the quantification of Cyber Risk to incorporate Digital Risk and Cyber Security into the historical domains of ERM, i.e., Credit, Market and Operational Risk.