1
What We Will Cover Today
• Understanding the inverted economics of cyber security and the incentives for cyber crime – how bad are things? (really bad)
• Understanding the inefficiencies of traditional cyber risk assessment and risk management – why aren't we making more progress?
• Becoming digitally structured – resetting the roles and responsibilities regarding cyber security in the organization
• Developing empirical, economics-based cyber risk assessment techniques – what you need to be providing to the board
2
Cyber Crime: The numbers
• Costs of cyber criminal activity are estimated at between hundreds of billions and a trillion dollars a year or more – between 1-2% of global GDP
• One major ISP reports it sees 80 billion malicious scans a day
• 300 million new malicious viruses are created every day
• There were 4.8 billion records lost due to data breaches in
2016
• There are 4000 Ransomware attacks every day
• We spend $200,000 per minute on regulations and audits--
costs projected to go up 2X by 2020 & several hundred times
by 2030
3
4
How Good Are the Bad Guys?
“Cyber criminals are technologically as sophisticated as the most advanced IT companies and like them have moved quickly to adopt AI, cloud, software-as-a-service (cybercrime-as-a-service) and encryption.”
Symantec 2018 Cyber Crime Report
Put Succinctly…..
“Cybercrime is relentless, undiminished and unlikely to stop. It’s
just too easy, rewarding and the chances of getting caught are
far too low. Cyber crime also leads on a risk to payoff rate. It is a
low risk crime with high profits. A smart cyber criminal can easily
make millions without fear of being caught.”
McAfee 2018 Cyber Crime Report
5
What is the Real Problem?
• Marcus Aurelius: Of each thing demand to know what is its
essence
• What is the essence of the cyber security problem?
• Selfish Companies?
• Bad Technology?
• Is it the economy?
• The essence of the cyber security problem is that we have an
inherently insecure system guarding incredibly valuable data
6
Is it the Technology or the Incentives?
“We find that misplaced incentives are as important as technical design…security failure is caused at least as often by bad incentives as by bad technological design”
Anderson and Moore, “The Economics of Information Security”
7
Why Don’t We have Better Tech?
• We don’t teach secure coding – because we don’t want to pay for security.
• Personally, we really can’t be bothered (seriously)
• Governments point fingers, but they are to blame too
• Maybe technological success has come too fast for us to manage it
8
Digital innovation is profitable …
and risky
• “Firms are increasingly competing at different points in the
value chain to take advantage of unmet customer needs, less
efficient structures, high capital usage and attractive returns.
These changes can bring enormous benefits including
improved customer experience, greater efficiency & new value
creators. HOWEVER, tech driven innovations are expanding
the amount of cyber risk and enabling more sophisticated
attacks.”
World Economic Forum Report on Cyber Security 2018
9
Historically, Tech Innovation is good for
business – bad for Security
• VOIP
• Cloud computing
• BYOD
• International supply chains
• You can increase the security of these technologies and
practices but it comes at a cost – you are looking for a
balance between profitability and security – How do you find
it?
10
Cyber Economic Equation:
Incentives Favor Attackers
• Offence: Attacks are cheap
• Offence: Attacks are easy to launch
• Offence: Profits from attacks are enormous
• Offence: GREAT business model (“resell” the same service)
• Defense: Perimeter to defend is unlimited
• Defense: Is compromised – hard to show ROI
• Defense: Usually a generation behind the attacker
• Defense: Prosecution is difficult and rare
11
The Systems are hard to defend
“The military’s computer networks can be compromised by low
to middling skilled attacks. Military systems do not have a
sufficiently robust security posture to repel sustained attacks.
The development of advanced cyber techniques makes it
likely that a determined adversary can acquire a foothold in
most DOD systems and be in a position to degrade DOD
missions when and if they choose.” Pentagon Annual
Report.
12
Digital economics are not obvious
“Economists have long known that liability should
be assigned to the entity that can manage risk.
Yet everywhere we look we see online risk
allocated poorly…people who connect their
machines to risky places do not bear full
consequences of their actions. And developers
are not compensated for costly efforts to
strengthen their code”
Anderson and Moore “Economics of Information
Security”
13
Won’t the Market Self-Correct?
No.
• Target up 40% six months after breach
• Sony up 30% six months after breach
• Home Depot (65 million accounts)---20% increase
• JP Morgan stock price stable at first, then up 7%
• Sears (Kmart) initially down 18%, then up 34%
• eBay initially down 6%, then up 15%
• On average after initial dip stocks rebound and are up 7%
following incidents.
14
The real cyber challenge is the
economics
“The challenge in cyber security is not that best practices need
to be developed, but instead lies in communicating these best
practices, demonstrating the value in implementing them and
encouraging individuals and organizations to adopt them.”
The Information Systems Audit and Control Association (ISACA)- March 2011
15
We Need to put Cyber Risk in
Economic terms to manage it
• “Overall, cost was most frequently cited as “the
biggest obstacle to ensuring the security of
critical networks.” -- PWC
• “Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solution.” -- McAfee
• “The number one barrier is the security folks
who haven’t been able to communicate the
urgency well enough and they haven’t actually
been able to persuade the decision makers of
the reality of the threat in business terms.” --
CSIS
16
Traditional vs Leading Edge
Cyber Risk Management.
• Checking boxes --- the more you check the more mature you
are and hence the more secure, right?
• Which unchecked box do we focus on?
• How much risk reduction do we get from checking one box
over the other?
• What’s the difference between yellow and green? (3 and 4?)
… garbage in … garbage out
• We need prioritization that is cost-based and empirical
17
Problems with Traditional Cyber
Risk Assessment
• People (even “experts”) have different meanings for terms like
“likely” “probable” “unlikely” “extremely unlikely”
• Things like heat maps imply certainty but can’t tell you:
• How much money will you lose?
• How probable is the scenario?
• What is an adequate risk reduction cost?
18
Problems with Traditional Cyber
Risk Assessment – It doesn’t work
“There is not a single study indicating that the use of such
methods actually reduces risk.”
Doug Hubbard How to Measure Anything in Cyber Security
19
Start at the beginning: What is a
Risk?
• Insiders?
• Supply Chain?
• Mobile Technology?
20
How much risk is there?
(slider graphic repeated across three consecutive slides: None / A little / A lot)
23
What Is Risk
• Risk is best conceptualized as a quantity: a measure of future loss from a given scenario, i.e., how much money an organization might lose from that scenario over time
24
25
NACD Handbook Approach to Cyber
• Guidelines from the NACD advise that Boards should
view cyber-risks from an enterprise-wide standpoint
and understand the potential legal impacts. They
should discuss cybersecurity risks and preparedness
with management, and consider cyber threats in the
context of the organization’s overall tolerance for risk.
-- PWC 2016 Global Information Security Survey
26
Boards are now using the NACD
Handbook
• Boards appear to be listening to this advice. This year
we saw a double-digit uptick in Board participation in
most aspects of information security. Deepening
Board involvement has improved cybersecurity
practices in numerous ways. As more Boards
participate in cybersecurity budget discussions, we
saw a 24% boost in security spending.
-- PWC 2016 Global Information Security Survey
27
NACD Yields Actual Security
Improvements
• Notable outcomes cited by survey respondents include
identification of key risks, fostering an organizational
culture of security and better alignment of
cybersecurity with overall risk management and
business goals. Perhaps more than anything, Board
participation opened the lines of communication
between the cybersecurity function and top executives
and directors
-- PWC 2016 Global Information Security Survey
28
Orgs Endorsing Cyber Risk
Handbooks Globally
• US Department of Homeland Security
• US Department of Justice
• German Government Cyber Security Divisions (BSI)
• Organization of American States
• National Association of Corporate Directors
• European Confederation of Director Associations
• Japanese Federation of Businesses
• International Auditing Association
29
NACD Principles
• Cyber is not an IT issue
• Boards need to understand their unique legal obligations
• Boards need access to adequate cyber security expertise
• MANAGEMENT needs to provide a cyber security framework
(tech and structural)
• MANAGEMENT must do risk assessment
30
Economics Discussion between
Management and Board
• Principle #4: Management needs to provide the Board with a framework for enterprise-wide cyber risk
• Management must be structured for enterprise-wide cyber risk assessments (not just IT)
• Principle #5: Management must provide the Board with an analysis of risks to avoid, accept, mitigate or transfer via insurance
• Management presents the Board with an economics-based cyber risk assessment tying cyber risk to the business
31
NACD P 4 Having a Framework
Hygiene & Cost Effective Hygiene
• Basic models – NIST - ISO - PCIS
• Restricting user installation of applications (whitelisting)
• Ensuring operating systems are patched with current updates
• Ensuring software applications have current updates
• Restricting administrative privileges
32
NACD P 4: Having a Management
Framework for the Digital Age
• Traditional view of board involvement in cyber security
• NACD approach
• Developing Cyber policy from the top down
• Industrial Age structures don’t fit the digital age issues – like
cyber
• Cyber Security is “just like” legal and finance
33
Principle 4: Knowledge & Skills for
Cyber Risk Management
• Critical thinking
• Understanding of probability
• Training in calibrated estimation
• Comfort with numbers
• Familiarity with decision methods
• Familiarity with the business
• Proper Cyber Risk Management uses a systematic, ideally
empirical, enterprise wide risk assessment and management
framework
34
Principle 4. Management must
provide a Framework
35
ANSI-ISA Program
• Recommends an enterprise wide cyber risk team that meets
regularly and has its own budget
• CFO strategies
• HR strategies
• Legal/compliance strategies
• Operations/technology strategies
• Communications strategies
• Risk Management/insurance strategies
36
Three Lines of Cyber Defense ---
(3LoD)
• Line 1 – operates the business, owns the risk, designs and implements operations
• Line 2 – defines policy statements and the risk management framework, provides a credible challenge to the first line, and is responsible for evaluating risk exposure so the board can determine risk appetite
• Line 3 – commonly internal audit, responsible for independent evaluation of the first and second lines
37
The first line of defense
• Provide a thorough examination – is the business doing enough? (not one size fits all). Each business line defines the cyber risk it faces and weaves cyber risk and self-assessment into its fraud, crisis management and resiliency processes.
• Business lines need to actively monitor existing and future exposures, vulnerabilities and threats, and assess what impact cyber risk has on new technology deployment, client relationships, and business strategies
38
The second line of defense
• Should be walled off as a separate, independent function. Manages the enterprise cyber risk appetite and risk management framework within overall enterprise risk, and challenges the first line. Determines how to appropriately measure cyber risk and integrates it into a risk tolerance statement for the firm
• The focus of the first and second lines needs to be on effectively managing risk – not regulatory compliance – although compliance can be integrated
39
Third Line of defense
• Provides an independent, objective assessment of the firm's processes across lines one and two, with a focus on operational effectiveness and efficiency. Traditionally internal audit relied on frameworks (NIST), but firms will likely need to develop their own to adapt to enhanced threats
• Internal audit (IA) performs assessments, validates technology infrastructure and third-party risks, does independent pen testing and must stay abreast of threat intel
40
Principle 5: Principles in Modern Cyber Risk Management
• Focus not on attacks but impacts
• Clear terms, better scoping, no bogus math
• Place cyber events in quantitative economic terms
• Prioritize cyber risk to the business
• Do you need to keep spending on this ____?
• Are these risks, really risks, or just innovations?
• A new – better – direction for Govt. and Industry --
See Hubbard, FAIR, X-Analytics Models
41
Basic Cyber Risk Assessment
Economics Methodology
• Using best available data make probabilistic assessment of
possible scenarios – looking for accuracy not precision
• Focus on scenarios that are probable and have enough
expected loss to matter
• Calculate best case, worst case, most likely case and what
degree of loss is acceptable (risk appetite)
• Determine investment required to mitigate to an acceptable
level
• Option: run multiple scenarios (Monte Carlo simulations)
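The methodology above, carried through as an added example that is not part of the slide deck: a Hubbard/FAIR-style Monte Carlo that turns calibrated 90% confidence intervals into a loss distribution, reports best, central and worst case plus expected loss, tests the result against a stated risk appetite, and bounds the spend a control can justify. All scenario names, probabilities, dollar figures and the control's effect are constructed for illustration.

```python
# Added example (not from the slide deck): Hubbard/FAIR-style Monte Carlo cyber risk
# assessment. Every scenario, probability and dollar figure below is constructed.
import math
import random
import statistics
from dataclasses import dataclass, replace
from typing import Dict, List, Sequence

Z90 = 1.645  # z-score bounding a 90% confidence interval on a normal distribution


@dataclass(frozen=True)
class Scenario:
    """A loss scenario stated as calibrated estimates rather than heat-map colours."""
    name: str
    p_event: float    # probability the scenario causes a loss event in a given year
    loss_low: float   # 5th percentile of the loss if the event happens (USD)
    loss_high: float  # 95th percentile of the loss if the event happens (USD)


def lognormal_params(low: float, high: float):
    """Convert a 90% CI (low, high) into lognormal mu/sigma whose P5/P95 hit low/high."""
    # Losses are non-negative and right-skewed, so a lognormal fits better than a
    # symmetric "best/worst" range.
    if not 0 < low <= high:
        raise ValueError("need 0 < low <= high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def simulate_annual_loss(scenarios: Sequence[Scenario], trials: int = 10_000,
                         seed: int = 7) -> List[float]:
    """Return one simulated total annual loss per trial, summed over all scenarios."""
    rng = random.Random(seed)  # fixed seed so the board pack can be reproduced
    params = {s.name: lognormal_params(s.loss_low, s.loss_high) for s in scenarios}
    totals = []
    for _ in range(trials):
        year_loss = 0.0
        for s in scenarios:
            if rng.random() < s.p_event:  # did this scenario produce an event this year?
                mu, sigma = params[s.name]
                year_loss += rng.lognormvariate(mu, sigma)
        totals.append(year_loss)
    return totals


def percentile(values: Sequence[float], p: float) -> float:
    """Nearest-rank percentile, p in [0, 100]."""
    ordered = sorted(values)
    k = min(len(ordered) - 1, max(0, math.ceil(p / 100 * len(ordered)) - 1))
    return ordered[k]


def summarize(losses: Sequence[float]) -> Dict[str, float]:
    """Best case (P5), central case (P50), worst case (P95) and expected loss (mean)."""
    return {
        "best_case": percentile(losses, 5),
        "central_case": percentile(losses, 50),
        "worst_case": percentile(losses, 95),
        "expected_loss": statistics.fmean(losses),
    }


def exceedance_probability(losses: Sequence[float], threshold: float) -> float:
    """P(annual loss > threshold): the quantity a risk appetite statement constrains."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def max_justified_spend(baseline: Sequence[float], mitigated: Sequence[float]) -> float:
    """Upper bound on a control's annual worth: the expected loss it removes."""
    return statistics.fmean(baseline) - statistics.fmean(mitigated)


# Constructed portfolio of three scenarios with calibrated 90% CIs on loss (USD).
PORTFOLIO = [
    Scenario("ransomware via phishing", p_event=0.30, loss_low=200_000, loss_high=5_000_000),
    Scenario("third-party data breach", p_event=0.10, loss_low=500_000, loss_high=20_000_000),
    Scenario("business email compromise", p_event=0.40, loss_low=50_000, loss_high=800_000),
]
# Constructed risk appetite: at most a 10% chance of losing more than $2M in a year.
APPETITE_THRESHOLD = 2_000_000
APPETITE_MAX_PROB = 0.10


def assess(portfolio: Sequence[Scenario] = PORTFOLIO, trials: int = 10_000) -> Dict[str, object]:
    """Baseline run, then a re-run with a control (constructed effect: MFA plus application
    allow-listing) that cuts the phishing-driven ransomware frequency from 0.30 to 0.10."""
    baseline = simulate_annual_loss(portfolio, trials)
    mitigated_portfolio = [replace(s, p_event=0.10) if s.name == "ransomware via phishing" else s
                           for s in portfolio]
    mitigated = simulate_annual_loss(mitigated_portfolio, trials)
    p_base = exceedance_probability(baseline, APPETITE_THRESHOLD)
    p_mit = exceedance_probability(mitigated, APPETITE_THRESHOLD)
    return {
        "baseline": summarize(baseline),
        "baseline_exceeds_appetite": p_base,
        "baseline_within_appetite": p_base <= APPETITE_MAX_PROB,
        "mitigated": summarize(mitigated),
        "mitigated_exceeds_appetite": p_mit,
        "mitigated_within_appetite": p_mit <= APPETITE_MAX_PROB,
        "max_justified_annual_spend": max_justified_spend(baseline, mitigated),
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

The spend figure is an upper bound on what the control is worth per year; a control costing more than that is not justified on expected loss alone, even if it feels like "checking a box".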
42
Government Industry
Collaboration
• We are all on the same side
• Is blaming the Victims the right strategy?
• Calls for Accountability go both ways – we need more than
accountability , we need collaboration
• Government and Industry – Legitimately --Assess Cyber Risk
Differently from an Economic perspective
• Traditional Models and Assumptions Wont Work
• The History of the Social Contract
43
The Cyber Security Social
Contract
• Rethink Industry and Government Roles and Responsibilities
• Create Market Incentives to rebalance the economic
incentives for cyber security
• This will take a lot of work, can it be done?
44
ISO/IEC 27032
Training Courses
• ISO/IEC 27032 Introduction
1 Day Course
• ISO/IEC 27032 Foundation
2 Days Course
• ISO/IEC 27032 Lead Cybersecurity Manager
5 Days Course
Exam and certification fees are included in the training price.
www.pecb.com/en/education-and-certification-for-individuals/iso-iec-27032
www.pecb.com/events
THANK YOU
?
lclinton@isalliance.org linkedin.com/in/larry-clinton-20237b4
https://isalliance.org

 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...PECB
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...PECB
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA PECB
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?PECB
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptxPECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxPECB
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemPECB
 
ISO/IEC 27005:2022 – What are the changes?
ISO/IEC 27005:2022 – What are the changes?ISO/IEC 27005:2022 – What are the changes?
ISO/IEC 27005:2022 – What are the changes?PECB
 

More from PECB (20)

DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management system
 
ISO/IEC 27005:2022 – What are the changes?
ISO/IEC 27005:2022 – What are the changes?ISO/IEC 27005:2022 – What are the changes?
ISO/IEC 27005:2022 – What are the changes?
 

Recently uploaded

ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxVanesaIglesias10
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxMichelleTuguinay1
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvRicaMaeCastro1
 
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDecoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDhatriParmar
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Developmentchesterberbo7
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQuiz Club NITW
 
How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17Celine George
 
MS4 level being good citizen -imperative- (1) (1).pdf
MS4 level   being good citizen -imperative- (1) (1).pdfMS4 level   being good citizen -imperative- (1) (1).pdf
MS4 level being good citizen -imperative- (1) (1).pdfMr Bounab Samir
 
4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptxmary850239
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...DhatriParmar
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxSayali Powar
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
Measures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataMeasures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataBabyAnnMotar
 
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptxUnraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptxDhatriParmar
 
How to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseHow to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseCeline George
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...DhatriParmar
 
Multi Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleMulti Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleCeline George
 

Recently uploaded (20)

ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptx
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
 
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDecoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of EngineeringFaculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Development
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
 
How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17
 
MS4 level being good citizen -imperative- (1) (1).pdf
MS4 level   being good citizen -imperative- (1) (1).pdfMS4 level   being good citizen -imperative- (1) (1).pdf
MS4 level being good citizen -imperative- (1) (1).pdf
 
4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
Measures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped dataMeasures of Position DECILES for ungrouped data
Measures of Position DECILES for ungrouped data
 
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptxUnraveling Hypertext_ Analyzing  Postmodern Elements in  Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
 
How to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseHow to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 Database
 
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
Beauty Amidst the Bytes_ Unearthing Unexpected Advantages of the Digital Wast...
 
Multi Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleMulti Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP Module
 

Advanced Cybersecurity Risk Management: How to successfully address your Cyber-threats?

  • 7. Is it the Technology or the Incentives? “We find that misplaced incentives are as important as technical design…security failure is caused as least as often by bad incentives as by bad technological design” Anderson and Moore “The Economics of Information Security” 7
  • 8. Why Don’t We have Better Tech? • We don’t teach secure coding? – because we don’t want to pay for security. • Personally, we really can’t be bothered (seriously) • Government’s point fingers but they are to blame too? • Maybe technological success has come too fast for us to manage it 8
  • 9. Digital innovation is profitable … and risky • “Firms are increasingly competing at different points in the value chain to take advantage of unmet customer needs, less efficient structures, high capital usage and attractive returns. These changes can bring enormous benefits including improved customer experience, greater efficiency & new value creators. HOWEVER, tech driven innovations are expanding the amount of cyber risk and enabling more sophisticated attacks.” World Economic Forum Report on Cyber Security 2018 9
  • 10. Historically, Tech Innovation is good for business – bad for Security • VOIP • Cloud computing • BYOD • International supply chains • You can increase the security of these technologies and practices but it comes at a cost – you are looking for a balance between profitability and security – How do you find it? 10
  • 11. • Offence: Attacks are cheap • Offence: Attacks are easy to launch • Offence: Profits from attacks are enormous • Offence: GREAT business model (“resell” same service) • Defense: Perimeter to defend is unlimited • Defense: Is compromised – hard to show ROI • Defense: Usually a generation behind the attacker • Defense: Prosecution is difficult and rare Cyber Economic Equation: Incentives Favors Attackers 11
  • 12. The Systems are hard to defend “The military’s computer networks can be compromised by low to middling skilled attacks. Military systems do not have a sufficiently robust security posture to repel sustained attacks. The development of advanced cyber techniques makes it likely that a determined adversary can acquire a foothold in most DOD systems and be in a position to degrade DOD missions when and if they choose.” Pentagon Annual Report. 12
  • 13. Digital economics are not obvious “Economists have long known that liability should be assigned to the entity that can manage risk. Yet everywhere we look we see online risk allocated poorly…people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code” Anderson and Moore “Economics of Information Security” 13
  • 14. Won’t the Market Self-Correct? No. • Target up 40% six months after breach • Sony up 30% six months after breach • Home Depot (65 million accounts)---20% increase • JP Morgan stock price stable at first then up 7 % • Sears (Kmart) initially down 18%-- then up 34% • E-bay initially down 6%, then up 15% • On average after initial dip stocks rebound and are up 7% following incidents. 14
  • 15. The real cyber challenge is the economics “The challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices, demonstrating the value in implementing them and encouraging individuals and organizations to adopt them.” The Information Systems Audit and Control Association (ISACA)- March 2011 15
  • 16. We Need to put Cyber Risk in Economic terms to manage it • “Overall, cost was most frequently cited as “the biggest obstacle to ensuring the security of critical networks.” -- PWC • “Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solutions.” -- McAfee • “The number one barrier is the security folks who haven’t been able to communicate the urgency well enough and they haven’t actually been able to persuade the decision makers of the reality of the threat in business terms.” -- CSIS 16
  • 17. Traditional vs Leading Edge Cyber Risk Management. • Checking boxes --- the more you check the more mature you are and hence the more secure, right? • Which unchecked box do we focus on? • How much risk reduction do we get from checking one box over the other? • What’s the difference between yellow and green? (3 and 4?) … garbage in … garbage out • We need prioritization, cost based, empirical 17
  • 18. Problems with Traditional Cyber Risk Assessment • People (even “experts”) have different meanings for terms like “likely” “probable” “unlikely” “extremely unlikely” • Things like heat maps imply certainty but can’t tell you: • How much money you will lose ? • How probable the scenario is ? • What is the adequate risk reduction cost ? 18
  • 19. Problems with Traditional Cyber Risk Assessment – It doesn’t work “There is not a single study indicating that the use of such methods actually reduces risk.” Doug Hubbard How to Measure Anything in Cyber Security 19
  • 20. Start at the beginning: What is a Risk? • Insiders? • Supply Chain? • Mobile Technology? 20
  • 21. How much risk is there? A little None A lot 21
  • 22. A little None A lot How much risk is there? 22
  • 23. How much risk is there? A little None A lot 23
  • 24. What Is Risk • Risk is best conceptualized as a quantity. It is a measure of future loss from a given scenario representing how much money an organization might lose from a given scenario over time 24
  • 25. 25
  • 26. NACD Handbook Approach to Cyber • Guidelines from the NACD advise that Boards should view cyber-risks from an enterprise-wide standpoint and understand the potential legal impacts. They should discuss cybersecurity risks and preparedness with management, and consider cyber threats in the context of the organization’s overall tolerance for risk. -- PWC 2016 Global Information Security Survey 26
  • 27. Boards are now using the NACD Handbook • Boards appear to be listening to this advice. This year we saw a double-digit uptick in Board participation in most aspects of information security. Deepening Board involvement has improved cybersecurity practices in numerous ways. As more Boards participate in cybersecurity budget discussions, we saw a 24% boost in security spending. -- PWC 2016 Global Information Security Survey 27
  • 28. NACD Yields Actual Security Improvements • Notable outcomes cited by survey respondents include identification of key risks, fostering an organizational culture of security and better alignment of cybersecurity with overall risk management and business goals. Perhaps more than anything, Board participation opened the lines of communication between the cybersecurity function and top executives and directors -- PWC 2016 Global Information Security Survey 28
  • 29. Orgs Endorsing Cyber Risk Handbooks Globally • US Department of Homeland Security • US Department of Justice • German Government Cyber Security Divisions (BSI) • Organization of American States • National Association of Corporate Directors • European Confederation of Director Associations • Japanese Federation of Businesses • International Auditing Association 29
  • 30. NACD Principles • Cyber is not an IT issue • Bds need to understand their unique legal obligations • Bds need to access adequate cyber security expertise • MANAGEMENT needs to provide a cyber security framework (tech and structural) • MANAGEMENT must do risk assessment 30
  • 31. Economics Discussion between Management and Board • Principle #4 Management needs to provide Board with a Framework for enterprise wide cyber risk • Management be structured for enterprise wide enterprise wide cyber risk assessments (not just IT) • Principle #5 Management must provide board with analysis of risks to avoid, accept, mitigate or transfer via insurance. • Management present the board with an economics based cyber risk assessment tying cyber risk to the business 31
  • 32. NACD P 4 Having a Framework Hygiene & Cost Effective Hygiene • Basic Models – NIST - ISO - PCIS • Restricting User installation of applications (whitelisting) • Ensuring operational systems is patched with current updates • Ensuring software applications have current updates • Restricting administrative privileges 32
  • 33. NACD P 4: Having a Management Framework for the Digital Age • Traditional view of board involvement in cyber security • NACD approach • Developing Cyber policy from the top down • Industrial Age structures don’t fit the digital age issues – like cyber • Cyber Security is “just like” legal and finance 33
  • 34. Principle 4: Knowledge & Skills for Cyber Risk Management • Critical thinking • Understanding of probability • Training in calibrated estimation • Comfort with numbers • Familiarity decision methods • Familiarity with the business • Proper Cyber Risk Management uses a systematic, ideally empirical, enterprise wide risk assessment and management framework 34
  • 35. Principle 4. Management must provide a Framework 35
  • 36. ANSI-ISA Program • Recommends an enterprise wide cyber risk team that meets regularly and has its own budget • CFO strategies • HR strategies • Legal/compliance strategies • Operations/technology strategies • Communications strategies • Risk Management/insurance strategies 36
  • 37. Three Lines of Cyber Defense --- (3LoD) • Line 1 – operates the business, owns the risk designs and implements operations • Line 2 – defines policy statements & defines RM framework. provides a credible challenge to the first line & responsible for evaluating risk exposure for board to determine risk appetite • Line 3 – commonly internal audit responsible for independent evaluation of the first and second lines 37
  • 38. The first line of defense • Provide through exam—is the business doing enough? (not one size fits all). Each business line defines the cyber risk they face & weave cyber risk and self assessment into fraud, crisis management and resiliency process. • Business lines need to actively monitor existing and future exposures, vuls threats and assess what impact cber risk has on new tech deployment, client relationships, and business strategies 38
  • 39. The second line of defense • Should be walled off as a separate independent function. Manages enterprise cyber risk appetite and RM framework within overall enterprise risk –challenges the first line. Determines how to appropriately measure cyber risk and integrates into a risk tolerance statement for the firm • Focus of first and second tiers needs to be on effectively managing risk – not regulatory compliance – although can integrate compliance 39
  • 40. Third Line of defense • Provides independent objective assessment of firms process across lines one and two with focus on operational effectiveness and efficiency. Traditionally I audit relied on frameworks (NIST) but firms will likely need to develop their own to adapt to enhanced threats • IA perform assessments validate tech infrastructure and third party risks, do independent Pen testing and must stay abreast of threat intel 40
41. Principle 5: Principles of Modern Cyber Risk Management
• Focus not on attacks but on impacts
• Clear terms, better scoping, no bogus math
• Place cyber events in quantitative economic terms
• Prioritize cyber risk to the business
• Do you need to keep spending on this ____?
• Are these risks really risks, or just innovations?
• A new, better direction for government and industry – see the Hubbard, FAIR and X-Analytics models
42. Basic Cyber Risk Assessment Economics Methodology
• Using the best available data, make a probabilistic assessment of possible scenarios – looking for accuracy, not precision
• Focus on scenarios that are probable and have enough expected loss to matter
• Calculate the best case, worst case, most likely case, and what degree of loss is acceptable (risk appetite)
• Determine the investment required to mitigate to an acceptable level
• Option: run multiple scenarios (Monte Carlo simulations)
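The methodology on this slide, carried through as a small Monte Carlo simulation: event frequency and per-event loss are sampled from best case / most likely / worst case ranges, the simulated annual losses are summarized as an expected loss and loss-exceedance percentiles, compared with a risk appetite, and a candidate control is priced against the expected-loss reduction it buys. This is an added example, not code from the deck or from the Hubbard, FAIR or X-Analytics models it cites. All scenario numbers (0.5 ransomware events per year, per-event loss of 50,000 to 2,000,000 with a most likely value of 300,000, a 1,000,000 risk appetite, a control costing 120,000 per year that halves event frequency) are constructed placeholders, not data from the presentation, and the Poisson/triangular distribution choice is this example's assumption.

```python
# Added example for the slide's methodology: Monte Carlo simulation of
# annual loss for one cyber risk scenario, compared against a risk appetite
# and a candidate mitigation. Not code from the original deck; every number
# in the scenario below is a constructed placeholder.
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    events_per_year: float   # expected loss events per year (Poisson mean)
    loss_low: float          # best case loss per event
    loss_most_likely: float  # most likely loss per event
    loss_high: float         # worst case loss per event


def poisson(rng, lam):
    """Draw an event count from Poisson(lam) with Knuth's method (fine for small lam)."""
    limit = math.exp(-lam)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(scenario, trials=20000, seed=42):
    """Return one simulated total annual loss per trial.

    Each trial draws how many events occur in the year, then a per-event
    loss from a triangular distribution over best / most likely / worst case.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson(rng, scenario.events_per_year)
        total = 0.0
        for _ in range(events):
            total += rng.triangular(scenario.loss_low, scenario.loss_high,
                                    scenario.loss_most_likely)
        losses.append(total)
    return losses


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) of a list of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(losses, risk_appetite):
    """Expected loss, loss-exceedance percentiles and P(loss > risk appetite)."""
    return {
        "expected_loss": sum(losses) / len(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p95": percentile(losses, 95),
        "p_exceeds_appetite": sum(1 for x in losses if x > risk_appetite) / len(losses),
    }


def evaluate_mitigation(scenario, frequency_reduction, annual_cost,
                        risk_appetite, trials=20000, seed=42):
    """Compare the baseline with a control that cuts event frequency.

    Returns (baseline_summary, mitigated_summary, net_benefit), where
    net_benefit = reduction in expected annual loss minus the control's cost.
    """
    baseline = summarize(simulate_annual_loss(scenario, trials, seed), risk_appetite)
    mitigated_scenario = Scenario(
        scenario.name + " (mitigated)",
        scenario.events_per_year * (1 - frequency_reduction),
        scenario.loss_low, scenario.loss_most_likely, scenario.loss_high,
    )
    mitigated = summarize(simulate_annual_loss(mitigated_scenario, trials, seed),
                          risk_appetite)
    net_benefit = (baseline["expected_loss"] - mitigated["expected_loss"]) - annual_cost
    return baseline, mitigated, net_benefit


# Constructed placeholder scenario (assumed, not real data): roughly one
# ransomware event every two years, per-event loss 50k to 2M, most likely 300k.
RANSOMWARE = Scenario("ransomware", 0.5, 50_000, 300_000, 2_000_000)
RISK_APPETITE = 1_000_000   # maximum tolerable annual loss (assumed)


if __name__ == "__main__":
    base, mit, net = evaluate_mitigation(RANSOMWARE, frequency_reduction=0.5,
                                         annual_cost=120_000,
                                         risk_appetite=RISK_APPETITE)
    for label, s in (("baseline", base), ("mitigated", mit)):
        print(f"{label}: expected loss {s['expected_loss']:,.0f}, "
              f"p50 {s['p50']:,.0f}, p90 {s['p90']:,.0f}, p95 {s['p95']:,.0f}, "
              f"P(loss > appetite) {s['p_exceeds_appetite']:.2%}")
    print(f"net benefit of control: {net:,.0f}")
```

Two things the simulation shows that the bullet list alone does not. First, with half an event per year the median annual loss is zero (most years nothing happens) while the expected loss is several hundred thousand and the 95th percentile runs well above the risk appetite; reporting only an average, or only the worst case, hides that shape, which is why the slide asks for best, worst and most likely cases against an explicit appetite. Second, the control is judged by expected-loss reduction minus its cost, so the same code answers the slide's "how much investment is required" question for any control you can express as a change in frequency or loss ranges; swapping the Poisson/triangular choice for the distributions your own data support (a FAIR-style PERT, for instance) does not change the structure.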
43. Government–Industry Collaboration
• We are all on the same side
• Is blaming the victims the right strategy?
• Calls for accountability go both ways – we need more than accountability, we need collaboration
• Government and industry legitimately assess cyber risk differently from an economic perspective
• Traditional models and assumptions won't work
• The history of the social contract
44. The Cyber Security Social Contract
• Rethink industry and government roles and responsibilities
• Create market incentives to rebalance the economic incentives for cyber security
• This will take a lot of work; can it be done?
45. ISO/IEC 27032 Training Courses
• ISO/IEC 27032 Introduction – 1-day course
• ISO/IEC 27032 Foundation – 2-day course
• ISO/IEC 27032 Lead Cybersecurity Manager – 5-day course
Exam and certification fees are included in the training price.
www.pecb.com/en/education-and-certification-for-individuals/iso-iec-27032
www.pecb.com/events

Editor's Notes

  1. Global Voices Campaign – July 24, 2019
  2. Imagine you have a tire so bald, you can barely tell if there was ever any tread there.