• The SEC, NACD, and all of the “Big 4” firms have issued guidance in the last 2 years on
boards needing visibility in order to manage cybersecurity risks.
• I just want to acknowledge how surreal this is. A very complex, extremely technical,
adversary-driven set of problems is a topic of conversation at the highest levels of your
organization. Or, if it’s not a conversation at those levels, that puts your organization in a
• How did we get here? What changed?
• As technology and business professionals – or simply as people that read newspapers and
watch TV – we are aware that cybersecurity threats have achieved fever pitch. However,
we also know that cybersecurity risks have been around since our organizations went
online 15-20 years ago.
• There are a combination of forces and events that get us here. Understanding them is a
key to solving the puzzle within our own organizations.
• Let’s start with the board – In 2009, following the financial crisis, the SEC amended its
rules to require companies to disclose the board’s role in risk oversight.
• This rule change creates the backdrop for our story. And it is against this backdrop that
three interrelated forces come together to shape the rest of the dialogue.
• The first force is that 7-8 years ago, the sophistication of attackers began to out-pace
available security controls.
• This sophistication is both technical and operational:
1. A market for stolen data is built. Intrusions for profit are now a thing.
2. Malware becomes available for sale in these same underground markets. You can now
go into business as a hacker without ever writing a single line of code.
3. Technology that obfuscates malicious code becomes commonplace, allowing attackers
to keep reusing code that anti-virus signatures would otherwise detect, keeping the cost to
attackers low and allowing malware authors to maintain profit.
• Compare this to the disruptive network worms and website defacements we faced only a
• Also realize that the firewall and anti-virus technology you have today is largely the same
thing you had 10 years ago.
• The second force is the impact regulatory changes have had in driving “sunshine” into the
environment around data breaches.
1. Since 2003, when California enacted SB 1386, the first law to require companies to
notify victims in the event of their personal information being stolen, 46 other states
have passed breach notification laws. Michigan’s law went into effect in April of 2010.
2. In 2009, HIPAA’s HITECH amendment began requiring healthcare entities to publicly
disclose any breach affecting 500 or more individuals.
• So we have highly motivated, well-equipped attackers operating in an environment where
victims are required to publicly disclose data breaches.
• This has led to a seemingly endless stream of news stories and reporting on cybersecurity
intrusions over the last 3-4 years.
• Now here we are in 2014. This pair of forces now figures centrally in the discussion
between the board and the CIO.
• At this point, you may be wondering if this set of circumstances hasn’t created some sort
of a widespread misconstruction about .
• Have we achieved a level of hysterics that is causing boards to manage risk by headlines?
• That is a completely legitimate question, and one I won’t directly attempt to answer here.
• Instead, let’s seek to understand the role cybersecurity incidents play in the larger context
of our organizations.
• The Ponemon Institute, for its 2014 report on the cost of data breaches, surveyed 314
organizations world-wide that had experienced a data breach of some kind.
• (The fact alone that they surveyed 314 companies that had a data breach in 2013 is
interesting – do you feel relieved or alarmed?)
• Surveyed organizations reported breach costs that ranged from $135K to $23M.
• The data also showed, not surprisingly, that the number of records exposed correlates to
the cost of the breach.
• However, per capita costs – meaning the cost per breached record – were also widely
variable, ranging from a few dollars to as much as $459 per record.
• Also not a surprise, especially in light of the regulatory environment we spoke of earlier, is
the fact that the US per capita cost is the highest, with an average of $201 per record.
• From a purely financial perspective, a single data breach event may or may not be
significant within an organization. And since we understand that the cost of a breach scales
with the size of a breach – which logically would also scale with the size of a business – we
can assume that it would take more than a single data breach to bankrupt most companies.
• In January 2007, TJX – the company behind TJ Maxx, Marshalls, and several other retail
chains – went public with the news that it had been the victim of hackers who had stolen
over 45M credit card numbers and another 450K social security numbers.
• At the time, this was the largest data breach in US history. That record has been broken
several times since then.
• The company paid fines to banks, provided customers with credit monitoring, spent
money to improve its technology security, and in September of that year settled a class-action
lawsuit for a reported $10M.
• However, as we look at the company’s stock performance over the last decade, it’s clear
that not only was the breach not devastating to the company’s quarterly performance while
it was happening, it has not had a lasting impact on TJX or its brands.
• Why in the midst of these awesome graphs and stats would I show you pictures of jets?
• “Because jets are cooler than bar charts?”
• If I told you that the top picture is the F-35 Lightning joint strike fighter developed by
Lockheed Martin and flown for the first time in 2006?
• …and that the bottom picture is the Chinese J-18 stealth fighter, believed to have first
flown in early 2013?
• Now if I told you that both planes have vertical or short take-off and landing (V/STOL)
capabilities based on similar thrust vectoring designs?
• Not all data breaches are of private customer data.
• In May of 2011, Lockheed Martin confirmed that it had been hacked by attackers using the
secret seed values stolen from RSA’s SecurID tokens earlier that year. The suspect was a
group referred to as “APT18.”
• Two years later, in May of 2013, Lockheed confirmed that hackers believed to be
operating at the direction of the Chinese government had been targeting the joint strike
• In September of 2013, the first picture of the J-18 shown here surfaced in Western media.
• At the start of 2011, Sony and its Sony Computer Entertainment America (SCEA) division
are locked in a battle with Microsoft for online gaming territory.
• Sony launched Playstation Network, signed exclusives for the PS3 console which sold well
during the preceding Christmas season, and are preparing to dominate the online gaming
• They double-down on the Playstation Network investment, quietly preparing to launch
Qriocity, a service to stream music and movies to PS3 and other consumer devices to
compete with iTunes and Netflix.
• Then, in March, the Tōhoku earthquake and subsequent tsunami strike Japan, crippling the
Fukushima nuclear plant. This knocks the Nikkei on its butt, and takes electronics factories
offline for months while they retool and recalibrate.
• As if that wasn’t enough, Sony has just signed a $650M deal to acquire a facility in
Nagasaki owned by rival Toshiba, which also closed as a result of the earthquake.
• We come into the Spring of 2011 with Sony in a precarious position – manufacturing is
down, capital is overextended with no clear sign of return. The revenue stream that could
save them, their big bet, is SCEA and the Playstation Network.
• Which is then hacked. A lot. So much, Sony gets sued.
• George Hotz story, Anonymous, LulzSec
• And then, a year after the nightmare begins, Howard Stringer resigns. Sony’s stock is at
half of its share price from prior to the earthquake.
• Even now, its 52-week high is only $20 a share. Sony still has not recovered from 2011.
• By all accounts, Stringer was well liked by Sony’s board, as evidenced by its accepting his
recommendation of Kaz Hirai as successor.
• In 2013, Target is facing flat growth at a time when retail is overall recovering from the
• Target has invested $4.4B in an expansion plan to open 124 stores in Canada. In FY13, this
expansion netted a loss of $169M for Target.
• Target goes public with the fact that they were compromised, and credit card numbers
were stolen from their payment system.
• There was a lot of blaming and shaming done in the press in the early days. Losing 40M
payment card numbers, plus personal information on up to 70M customers, is a huge problem.
• But I am here to tell you that Target did a great job. We’ve known their incident response
team for years through conferences and a product advisory board both companies sat on.
They were well-staffed, well-trained, and well-equipped. The vulnerability in the network
design of their stores that let the hackers pivot from the HVAC vendor to the payment
network was known. (Like TJX’s wireless, it was deemed too expensive to fix.)
• The fact that they were hacked the week before Thanksgiving, were alerted, detected,
responded, and recovered from the breach in a little over two weeks time is phenomenal.
Don’t believe me? Here’s how other companies that suffered similar breaches did:
• Neiman Marcus (2 months)
• Kmart (2 months)
• Dairy Queen (at least 3 months – they still don’t know)
• Jimmy John’s (4 months)
• Michaels (5 months)
• Home Depot (6 months)
• Goodwill (18 months)
• Jan 9 – Target releases a single statement to the public about the total size (up to 70M
customers) of its data breach and its 4th quarter performance, where they predict an $800M
loss, mostly from the failed Canadian expansion plan.
• Was this an intentional move to conflate the two issues and give the board a new story
about firing Steinhafel?
• The stock trades even lower on news of layoffs of 475 people from Target’s corporate HQ.
• In early May, Steinhafel resigns.
• Neither Steinhafel nor Stringer were fired solely because their company suffered a breach.
• But where turmoil and performance issues loomed, the breaches served to erode all of
the margin these executives had.
• Because the breaches became PR incidents, they put the CEO and the company in the
spotlight at an already challenging time.
• I have a rule about presenting on cybersecurity topics: If you present a problem, you must
also offer a solution.
• These are the four things you must have within your organization in order to provide oversight
and management of cybersecurity risks.
• These will enable board-level visibility, actively manage risk, and enable your organization to act in
a trustworthy way that protects your brand in the event of a breach.
• Impact Assessment
• Identify and articulate the ways that a cybersecurity incident could negatively impact your
• This is not an IT-only exercise, and should include input from Risk, Finance, and Marketing
• Cyber Risk Management
• Create (or better yet, use an existing) risk assessment framework.
• Update it regularly
• Use quantitative scoring of risks to create metrics and priority
• Priority drives an action plan, which begets funding and project requests to address top
• Cybersecurity Monitoring
• You need the technology and the people necessary to identify and respond to attacks
• Attacks are a daily occurrence.
• Focus not only on real-time detection and response, but also on the ability to retain
evidence so you can search it later when you learn something new
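To make the “retain evidence so you can search it later” point concrete, here is an added example (not from the talk, and not any vendor’s product) that models a small evidence store with a retention window. It ingests constructed proxy-style log lines, alerts in real time on the one indicator known at ingest, and then searches the retained events for an indicator learned only later, such as the staging address a law-enforcement notification might name. The host names, timestamps and the 203.0.113.45 / example.org indicators are all constructed for illustration.

```python
"""Retain telemetry so that indicators learned later can be searched retroactively.

Added example, not from the original talk. Every log line and indicator
below is constructed (203.0.113.0/24 and example.* are documentation
ranges/names and belong to no real attacker).
"""
from collections import namedtuple
from datetime import datetime, timedelta

LogEvent = namedtuple("LogEvent", "ts host dest")

# Constructed proxy/firewall-style log: "<ISO timestamp> <source host> <destination>"
SAMPLE_LOGS = """\
2014-11-20T09:12:03 pos-0117 updates.vendor.example.net
2014-11-21T22:41:10 hvac-gw-02 203.0.113.45
2014-11-27T03:15:44 pos-0117 203.0.113.45
2014-11-29T14:02:08 pos-0342 dropzone.example.org
2014-12-02T08:55:19 pos-0117 dropzone.example.org
"""


def parse_logs(text):
    """Turn raw lines into LogEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        events.append(LogEvent(datetime.fromisoformat(ts), host, dest))
    return events


class EvidenceStore:
    """In-memory stand-in for a log archive with a fixed retention window."""

    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)
        self.events = []

    def ingest(self, event, watchlist):
        """Real-time path: keep the event, return True if it matches an
        indicator that was already known when the event arrived."""
        self.events.append(event)
        return event.dest in watchlist

    def prune(self, now):
        """Age out events that fall outside the retention window."""
        cutoff = now - self.retention
        self.events = [e for e in self.events if e.ts >= cutoff]

    def search(self, indicators):
        """Retrospective path: search whatever is still retained for
        indicators learned after the events were recorded."""
        return [e for e in self.events if e.dest in indicators]


def run_scenario(retention_days, now_iso):
    """Ingest the sample log with the indicators known at the time, then apply
    a later-learned indicator against what survived retention.
    Returns (realtime_alert_count, [(host, date), ...] retrospective hits)."""
    store = EvidenceStore(retention_days)
    known_at_ingest = {"dropzone.example.org"}
    realtime = [e for e in parse_logs(SAMPLE_LOGS)
                if store.ingest(e, known_at_ingest)]

    # Later, an outside notification names a staging address nobody was
    # watching for. Only retained evidence can show when contact began.
    learned_later = {"203.0.113.45"}
    store.prune(datetime.fromisoformat(now_iso))
    retro = store.search(learned_later)
    return len(realtime), [(e.host, e.ts.date().isoformat()) for e in retro]


if __name__ == "__main__":
    print("90-day retention:", run_scenario(90, "2014-12-05T00:00:00"))
    print("10-day retention:", run_scenario(10, "2014-12-05T00:00:00"))
```

With 90 days of retention the retrospective search surfaces the vendor gateway’s first contact on 11-21, a week before the point-of-sale host reached the same address; with 10 days of retention the point-of-sale hit survives but the initial foothold is gone, which is exactly the evidence an incident responder needs to establish scope and entry point. Real-time alerting alone would have produced the same two alerts in both cases.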
• Incident Response Planning
• The organization needs a plan for how it will respond to a breach if one occurs
• Large list of stakeholders, they all need to be involved
• Prepare and practice the plan
• Example: Time to spin up credit monitoring