2. Speaking with you today
Vikas Bhatia – CEO & ERA
Vikas is the founder, CEO and Executive Risk Adviser at Kalki. He has 18+ years’ experience, obtained serving local, regional and global clients in the outsourcing, consulting and regulatory domains, enabling him to enhance any organization’s Information Security Management System (ISMS).
He is a Certified Chief Information Security Officer (C|CISO), Certified Information Systems Security Professional (CISSP) and Certified Information Privacy Professional (CIPP).
6. Finding 1: It took the Target breach to get the board’s attention.
What brings your attention to cybersecurity? What influences the way you feel about cybersecurity?
8. Finding 2: Board members may be overly confident about the effectiveness of their cybersecurity governance practices and often rate the effectiveness of these programs much higher than IT security professionals do.
Let’s talk about how you feel about this finding and how it relates to you and your role within VFCU.
10. Finding 3: Board members admit their knowledge about cybersecurity is limited.
How can we work to improve your understanding of cybersecurity issues and risk levels?
13. Finding 4: Board members may not be receiving information and briefings about cyber attacks and data breaches affecting their organization.
Do you feel you are receiving enough information on data security and data breaches to help grow your knowledge and understanding of cyber threats?
16. Finding 5: IT security professionals are skeptical of their board’s understanding of cybersecurity risks.
Technology and strategic management often have trouble seeing eye to eye on cybersecurity readiness and needs. How can we get everyone speaking the same language?
18. Survey
Technology Outages
Who from your organization is responsible for handling technology outages? CEO or IT Team
How confident are you in that person’s ability to respond to those outages? Somewhat - Very Confident
How confident are you in your company’s ability to recover from such an incident? Somewhat - Very Confident
Handling a Breach
Who from your organization is responsible for handling and responding to unauthorized disclosure of information or a breach? CEO
How confident are you in that person’s ability to respond to such an unauthorized disclosure? Somewhat - Very Confident
How confident are you in your company’s ability to recover from such an incident? Somewhat - Very Confident
19. What’s important to Credit Unions?
Serving the member: Reputation, Service, Stability, Trust, Innovation, Engagement, Dedication, Value, Growth
20. Strategic Drivers
Revenue: A Credit Union’s revenue is driven by the trust of its members. The loss of even a small percentage of membership due to loss of trust would result in significant financial loss.
Operations: The day-to-day operations of branches are vital. Members expect 24x7 access to funds and rely on branches to be operational. Operational downtime incurs significant costs, including productivity costs, the cost of restoring service or funds, and costs due to lost membership.
Reputation: Credit Unions pride themselves on their reputation among members and rely on that reputation to retain and grow their membership. The impact of a breach on that reputation would be detrimental. A focus on SecurITy provides a key differentiator to improve member trust and build reputation.
Compliance: The NCUA compliance framework was designed in 2006, provides very little guidance and represents a minimum standard. Outdated compliance standards do not keep pace with current threats and are not sufficient to protect member data.
Mission: to best serve members.
22. Do we walk the walk?
Ranking
Area         1   2   3   4
Reputation   6   2   3   1
Revenue      1   1   2   8
Operations   2   5   4   1
Compliance   4   4   3   1
Sample priority ranking by a previous Credit Union client. Does this look familiar?
An over-focus on compliance may not support the objective of serving the member community.
25. SecurITy Direction
How do we protect it?
• Incident Management
• Business Continuity
• Technical SecurITy
• Compliance
• Access Control
• Physical SecurITy
• Operations SecurITy
• 3rd Party SecurITy
• Organization of SecurITy
• Human SecurITy
• Asset Management
26. How are we measuring what we’re doing?
The Capability Maturity Model Integration (CMMI) will be used to measure our journey.
Maturity Level – Name – Definition
0 – Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.
1 – Initial / Ad Hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
2 – Repeatable but Intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
3 – Defined Process: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
4 – Managed and Measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 – Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modelling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
27. Sample Client: What are they doing now?
Incident Management, Business Continuity, Technical SecurITy, Compliance, Access Control, Physical SecurITy, SecurITy Direction, Human SecurITy, Operations SecurITy
28. Sample Client: How well are they doing the things they are doing?
• Incident Management (2)
• Business Continuity (3)
• Technical SecurITy (1)
• Compliance (3)
• Access Control (3)
• Physical SecurITy (3)
• SecurITy Policies (1)
• Human SecurITy (2)
• Operations SecurITy (1)
29. Sample Client: What’s the bigger picture?
Incident Management, Business Continuity, Technical SecurITy, Compliance, Access Control, Physical SecurITy, SecurITy Direction, Human SecurITy, Operations SecurITy
31. Scenario A: Breach
Remediation Costs: Total Number of records X $154 per record*
Additional Impact
• Reputational impact
• Additional productivity impacts
• Cost of remediation
*Ponemon Institute: average cost of breach remediation is $145 per record
Example: 15,000 members X $154 per record* = $2,310,000
32. Cyber Insurance: Incident Response Responsibilities
Do you know which stages of the incident response process your company is responsible for handling vs. your insurance company?
Do you have a written, tested and functional incident response process in place?
33. Cyber Insurance: Internal Security Controls
Did you know that your insurance provider can refuse to pay out if you aren’t taking preventative measures?
Do you know all the cyber security program elements you are expected to have in place?
34. Cyber Insurance: Payout and Expectations
What are your policy’s max and average payouts? Does either one of those numbers cover the cost of the breach estimated earlier?
Do you know what you are expected to provide, and when to provide it, when notifying your cyber insurance of a problem? Do you have these expectations built in to your company’s internal processes?
35. Scenario B: Downtime due to system outage
Productivity Costs: $ amount per day in salary costs
Additional Impact
• Reputational impact
• Additional productivity impacts
• Cost of remediation
36. Scenario C: Malware outbreak
Numbers and costs based on actual malware incidents at a 150-employee financial firm in NY.
Incident 1: Pre-SecurITy (June 2014)
• 100% of firm’s users affected
• Lost productivity totaled approx. 3,600 hours
• Approx. 145 hours combined (internal IT team and vendors) spent on clean-up
• Total outbreak cost: approx. $325,000
Incident 2: Mid-SecurITy Implementation (June 2015)
• 5% of firm’s users affected
• Lost productivity totaled approx. 255 hours
• Approx. 96 hours combined (internal IT team and vendors) spent on clean-up
• Total outbreak cost: approx. $25,000
Difference between the two incidents: 95% fewer users affected, 3,345 fewer hours of lost productivity, 49 fewer clean-up hours, $300,000 lower outbreak cost.
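A small calculator, added here as an example and not part of the presentation, that applies the Scenario A breach formula, reproduces the Scenario C "Difference" row from the two incidents, and runs the slide-34 question of whether a policy's max or average payout covers the breach estimate. The two insurance payout figures in the usage block are constructed placeholders, not real policy numbers.

```python
"""Added example, not from the presentation: the breach estimate (Scenario A),
the malware 'Difference' row (Scenario C) and the slide-34 insurance check.
Policy payout figures used here are constructed placeholders."""
from dataclasses import dataclass

def breach_remediation_cost(records: int, cost_per_record: float = 154.0) -> float:
    """Scenario A: total number of records x per-record remediation cost ($154 on the slide)."""
    if records < 0 or cost_per_record < 0:
        raise ValueError("records and cost_per_record must be non-negative")
    return records * cost_per_record

def insurance_coverage(estimated_cost: float, max_payout: float, average_payout: float) -> dict:
    """Slide 34: does either the policy's max or its average payout cover the estimate?"""
    return {
        "covered_by_max": max_payout >= estimated_cost,
        "covered_by_average": average_payout >= estimated_cost,
        "shortfall_at_average": max(0.0, estimated_cost - average_payout),
    }

@dataclass(frozen=True)
class MalwareIncident:
    """One outbreak as described on the Scenario C slide."""
    users_affected_pct: float        # share of the firm's users hit
    productivity_hours_lost: float
    cleanup_hours: float             # internal IT team plus vendors combined
    total_cost: float

def incident_difference(before: MalwareIncident, after: MalwareIncident) -> MalwareIncident:
    """Scenario C 'Difference' row: how far each measure fell between the two incidents."""
    return MalwareIncident(
        before.users_affected_pct - after.users_affected_pct,
        before.productivity_hours_lost - after.productivity_hours_lost,
        before.cleanup_hours - after.cleanup_hours,
        before.total_cost - after.total_cost,
    )

# Figures taken from the Scenario C slide (150-employee NY financial firm).
PRE_SECURITY = MalwareIncident(100.0, 3600.0, 145.0, 325_000.0)
MID_SECURITY = MalwareIncident(5.0, 255.0, 96.0, 25_000.0)

if __name__ == "__main__":
    estimate = breach_remediation_cost(15_000)   # slide example: $2,310,000
    print("Scenario A estimate:", estimate)
    # Placeholder policy numbers, constructed for illustration only.
    print("Slide 34 check:", insurance_coverage(estimate, 1_000_000.0, 250_000.0))
    print("Scenario C difference:", incident_difference(PRE_SECURITY, MID_SECURITY))
```

Swap in your own record count, per-record cost and policy numbers to see whether the average payout leaves a shortfall that the board would have to fund.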
39. Education: Target your weakest links ASAP!
TEST: Regularly test your employees to see how they behave! Run regular 3rd party Phishing & Social Engineering Testing to practice the real thing and see how they respond. Conduct a recurring Security Awareness Survey to measure the culture around security and gauge the level of employee knowledge.
TEACH: Provide interactive training on security that’s geared toward educating even the non-technical employees at your company. Use a variety of instructor-led and digital methods. Make sure your trainers are ready to teach employees WHY they should care and how to protect both themselves and the company.
TRACK: Measure your success and adjust accordingly. Track key metrics including participation. Use the methods in the TEST section to regularly benchmark where your employees fall and measure improvements in the results. Make adjustments and improvements over time to mature your education program.
40. DIY Resources
• Beginner’s Guide to Data Classification
• SecurITy Checklist for Executives
• Project Initiation Form Template
• Risk Register Template