ISO/IEC 27001, Cybersecurity, and Risk Management: How to avoid data breaches?

Cybersecurity risk management is essential to protecting an organization's assets.
To manage cybersecurity risk effectively and avoid data breaches, every function of the organization should operate with clearly defined roles and responsibilities.

Amongst other topics, the webinar covers:

1. Cyber Security trends: What we are seeing today
2. Identify those assets that ‘matter’
3. Understanding your threat landscape
4. What does good look like for cyber risk management?


Presenters:

Nick Frost

Nick Frost is Co-founder and Lead Consultant at CRMG.
Nick’s career in cyber security spans nearly 20 years. Most recently, Nick has held leadership roles at PwC as Group Head of Information Risk and at the Information Security Forum (ISF) as Principal Consultant.
As Group Head of Information Risk at PwC, Nick designed and implemented best-practice solutions that made good business sense, prioritised key risks to the organisation and helped minimise disruption to ongoing operations. Whilst at the ISF, Nick led its information risk projects and delivered many of the consultancy engagements that help organisations implement leading thinking in information risk management.
Nick’s combined experience as a cyber risk researcher and practitioner designing and implementing risk-based solutions places him as a leading cyber risk expert. Before moving into cyber security, and after graduating from UCNW and Oxford Brookes, Nick was a geophysicist in the oil and gas industry.

Simon Lacey

Simon is a resourceful, creative information and cyber security professional with a proven track record of instigating change, disrupting the status quo, influencing stakeholders and developing ‘big picture’ vision across business populations. He has experience across multiple industries, excels in building stakeholder engagement and consensus, and supports organisations in making sustainable change.
Simon also has considerable experience of risk management, education and awareness, strategy development and consulting to senior management, and is a confident and engaging public speaker.
Simon has previously worked within the NHS, the Bank of England and BUPA, before setting out as an independent consultant and forming Oliver Lacey Limited, supporting clients in multiple business sectors.
When not working, Simon loves to run (he is currently training for the Berlin Marathon), is a Director of Aylesbury United Football Club, records vlogs and is an experienced stand-up comic.

Date: August 17, 2022

Find out more about ISO training and certification services
Training: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
https://pecb.com/en/education-and-certification-for-individuals/iso-31000
https://pecb.com/whitepaper/the-future-of-privacy-with-isoiec-27701
https://pecb.com/whitepaper/iso-310002018-risk-management-guidelines
Webinars: https://pecb.com/webinars

  1. ISO/IEC 27001, Cyber Security and Risk Management: How to avoid data breaches?

  2. Agenda
     1. Introductions
     2. Cyber Security trends: What we are seeing today
     3. Identify those assets that ‘matter’
     4. Understanding your threat landscape
     5. What does good look like for cyber risk management?
     6. Q&A

  3. 1. Introduction – Simon Lacey
      20 years in cyber security
      Principal consultant – OLIVERLACEY
      Head of security policy – Bank of England
      Information Governance Lead – BUPA

  4. 1. Introduction – Nick Frost
      25 years in cyber security
      Principal consultant – Cyber Risk Management Group (CRMG)
      Head of information risk – PwC Group
      Senior researcher – Information Security Forum (ISF)

  5. 2. Cyber Security: 30 years of risky business
     1988 – Driven by notoriety
     1998 – Media attention and first real signs of concern
     2008 – Financially driven; cyber gangs increasingly organised
     2018 – Target-rich environment with new tech and IoT

  6. 2. Cyber Security trends: What we are seeing today

  7. Poll #1 – To what extent does your board grapple with cyber security as a real business risk?
     A. The Board appointed a Head of Cyber Security. Job done!
     B. They get that cyber risk is a big deal, but they prefer to leave it all to me/us
     C. They're all over it! We deliver regular risk updates that position cyber as an integral element of enterprise risk

  8. 3. Cyber risk assessment – key steps

  9. 3. Identify those assets that ‘matter’
     Business impact assessment scale:

     Impact area     | Low                                      | Moderate                                                            | High                                                              | Very High
     Financial       | <£100,000                                | £100,001 - £500,000                                                 | £500,001 - £1.5 million                                           | >£1.5 million
     Reputational    | No or low media coverage                 | Moderate adverse coverage (e.g. story runs over 1-2 days)           | Significant adverse coverage >2 days, main focus of attention     | Adverse coverage sustained over more than 1 week
     Regulatory      | No increased regulatory focus            | Slight increase in regulatory focus / impact                        | Significant attention from regulator / notified single breach     | Multiple breaches / licence withdrawn
     Health / Safety | Very minor injury / no ongoing effect    | Non-critical injury requiring medical intervention / no prolonged effect | Critical injury requiring hospitalisation / medium-term effect | Death / long-term debilitation

     * Consider running this as a workshop
     Once a business impact assessment has been completed: ‘Go / No Go’ to the next step? CONSIDER RISK APPETITE!

  10. 4. Understanding your threat landscape
      Consider:
      • Intent (malicious or unintended?)
      • Capability
      • Strength
      • Likelihood
      • Timescale
      Remember: the initiator (agent / source / actor) is different from the action!
      * Use a standard list of threats as your starting point
      * Consider running this as a workshop
      HOW RELEVANT ARE DIFFERENT THREATS TO YOUR ENVIRONMENT, AND WHAT’S THEIR POTENTIAL CAPABILITY?

  11. What does good look like for cyber risk management?
      • Framework for conducting risk assessments
      • Training and education to equip staff with skills
      • Easy-to-follow process
      • Approved data sets (threat lists, control libraries)
      • Plan for delivery and execution
      • Agreement on reporting
      • Stakeholders identified
      • Assets identified

  12. 5. What does good look like for cyber risk management?
      • Focus on those systems and data assets that are business critical
      • Establish a practical process that incorporates the fundamentals of information risk
      • Evaluate GRC products to help streamline and semi-automate the cyber risk process and minimise staff utilisation
      • Present the business argument to help establish a cyber risk approach (e.g. target investment, quick wins, best practice)
      • Establish a phased approach (do not attempt to boil the ocean)
      • Extrapolate the risk insights to other areas of the security programme (e.g. policy update, awareness and education)
      • Promote the approach to your clients and partners

  13. 5. Cyber risk assessment: Hints and tips
      • Prioritise the risks
      • Provide the business with options
      • Collaborate to determine a response
      You will never mitigate all cyber risks, so prioritise and be pragmatic in what you can achieve.
      Accept the risk: reduce costs, but increase exposure to an attack and possible damage to reputation.
      Mitigate the risk: increase investment, reduce the risk of an attack.
      Considerations: costs, complexity, timescale to implement, disruption from change, business obstacles, training, end-user experience, testing and assurance.

  14. Poll #2 – To what extent is your cyber security programme risk-based?
      A. We did a gap assessment of our security programme, so we're good
      B. We've started to do risk assessments, but it's all a bit ad hoc and we don’t focus on underlying business criticality
      C. We conduct structured risk assessments and focus on underlying business criticality. Headline risks are reported to the Board, which shapes meaningful decision-making

  15. 5. Enterprise-wide cyber risk management
      (Roadmap diagram; only its labels survive.) Business awareness; customisation (control libraries, threat lists for different tech); conduct multiple pilot assessments; training and education; risk review board; GRC evaluation; data feeds; Project 1 to Project 5

  16. THANK YOU – Q&A
      simon.lacey@oliverlacey.com
      nick.frost@crmg-consult.com
      linkedin.com/in/simon-oliver-lacey
      linkedin.com/in/nickfrost
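Steps 3 to 5 of the deck (impact bands from the business impact assessment, the go/no-go gate against risk appetite, threat relevance and capability, then prioritising and choosing to accept or mitigate) carried through as one worked example. This is added code, not material from the presenters or PECB; the financial and reputational thresholds are taken from slide 9, while the likelihood rule, the 1-16 score scale, the appetite threshold and the sample assets and threats are constructed assumptions.

```python
"""Cyber risk assessment walk-through (added example, not the presenters' code).

Score business impact with the slide 9 bands, apply the go/no-go gate, estimate
threat likelihood from the slide 10 factors, then build a prioritised register
and compare each risk with the organisation's appetite. Assets, threats, the
likelihood rule, the 1-16 scale and the appetite value are all constructed."""
from dataclasses import dataclass

LEVELS = {1: "Low", 2: "Moderate", 3: "High", 4: "Very High"}


def financial_band(loss_gbp: float) -> int:
    """Slide 9 thresholds: <£100k, £100,001-£500k, £500,001-£1.5m, >£1.5m."""
    if loss_gbp <= 100_000:
        return 1
    if loss_gbp <= 500_000:
        return 2
    if loss_gbp <= 1_500_000:
        return 3
    return 4


def reputational_band(adverse_coverage_days: int) -> int:
    """Slide 9 media thresholds: none, 1-2 days, >2 days, sustained over a week."""
    if adverse_coverage_days <= 0:
        return 1
    if adverse_coverage_days <= 2:
        return 2
    if adverse_coverage_days <= 7:
        return 3
    return 4


@dataclass
class Asset:
    name: str
    worst_case_loss_gbp: float
    adverse_coverage_days: int
    regulatory_band: int  # 1-4, agreed qualitatively in the BIA workshop
    safety_band: int      # 1-4, likewise

    def impact(self) -> int:
        """Overall impact is the worst of the four areas, not their average."""
        return max(financial_band(self.worst_case_loss_gbp),
                   reputational_band(self.adverse_coverage_days),
                   self.regulatory_band, self.safety_band)


@dataclass
class Threat:
    name: str
    relevance: int    # 1-4: how relevant the threat is to this environment
    capability: int   # 1-4: the initiator's capability
    malicious: bool   # intent: malicious actor or unintended event

    def likelihood(self) -> int:
        """Constructed rule: malicious threats blend relevance with actor capability
        (rounded mean); for unintended events capability does not apply."""
        if not self.malicious:
            return self.relevance
        return (self.relevance + self.capability + 1) // 2


def proceeds_to_threat_assessment(asset: Asset, min_impact: int = 2) -> bool:
    """Slide 9 'Go / No Go' gate: assets below Moderate impact are not carried forward."""
    return asset.impact() >= min_impact


def assess(assets, threats, appetite: int = 12) -> list:
    """Score each surviving asset/threat pair as impact x likelihood (1-16), rank them,
    and tag a treatment: within appetite -> accept, above it -> mitigate."""
    register = []
    for asset in assets:
        if not proceeds_to_threat_assessment(asset):
            continue
        for threat in threats:
            score = asset.impact() * threat.likelihood()
            register.append({
                "asset": asset.name, "threat": threat.name,
                "impact": LEVELS[asset.impact()], "likelihood": threat.likelihood(),
                "score": score, "treatment": "Accept" if score <= appetite else "Mitigate",
            })
    register.sort(key=lambda r: r["score"], reverse=True)
    return register


# Constructed sample inputs.
ASSETS = [
    Asset("Customer billing platform", 2_000_000, 10, 4, 1),
    Asset("Internal wiki", 20_000, 0, 1, 1),
    Asset("Warehouse safety PLC", 300_000, 1, 2, 4),
]
THREATS = [
    Threat("Ransomware crew", relevance=4, capability=3, malicious=True),
    Threat("Mis-sent email by staff", relevance=3, capability=1, malicious=False),
]

if __name__ == "__main__":
    for row in assess(ASSETS, THREATS):
        print(f"{row['score']:>3}  {row['treatment']:<8} {row['asset']} / {row['threat']}")
```

Two design points worth noting: the overall impact takes the worst area rather than an average, so a safety-critical PLC with a modest financial exposure still lands in the Very High band, and the appetite threshold is applied to the combined score, which is what lets the register hand the business the accept-versus-mitigate options that slide 13 calls for.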

Editor's Notes

  • Run through these – main point is that compliance led approaches (on their own) are no longer sufficient……that’s why we are talking about risk led approaches today