
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to Manage Cyber Risk

Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, presented on this topic at the 2020 Northwestern State University's Fall Continuing Legal Education Conference on November 18, 2020.

Slide 1: Spencer Fane LLP | spencerfane.com
CYBERSECURITY IS A TEAM SPORT
Why Teams, Strategies, and Processes are Essential for Managing Cyber Risk
Shawn E. Tuma, Co-Chair, Data Privacy & Cybersecurity Practice, Spencer Fane LLP

Slide 2: You must take the poll to get credit for the CLE!

Slide 3: (image) Credit: NASA's Goddard Space Flight Center/Jeremy Schnittman

Slide 4: Cybersecurity is a legal issue
• Types
  – Security
  – Privacy
  – Unauthorized Access
• International Laws
  – GDPR
  – Privacy Shield
  – China's Cybersecurity Law
• Federal Laws and Regs
  – FTC, SEC, HIPAA
• State Laws
  – All 50 States
  – Privacy (50) + security (25+)
  – CCPA, NYDFS, Colo FinServ
• Industry Groups
  – PCI
  – FINRA
• Contracts
  – 3rd Party Bus. Assoc.
  – Privacy / Data Security / Cybersecurity Addendum

Slide 5: Common business objections
1. We have an "IT Guy"
2. We have an "IT Company"
3. We are "compliant"
4. We have cyber insurance
5. We are not a large company (or, "tech" company)
6. Our data is not that valuable

Slides 6–11: (image slides, no text)

Slide 12: Takeaway: Cybersecurity is no longer just an IT issue – it is an overall business risk issue – indeed, the ONE risk...

Slide 13: Since cyber is an overall business risk issue, who is on the team?

Slide 14: Who is on the cyber risk team, and when?
Internal team
• CISO
• IT
• Information Security
• Business
• Risk
• Legal
• Privacy
• CFO
• COO
• HR
• Audit
• Marketing
External team
• Legal
• MSP / MSSP
• Security Firm
• Forensics Firm
• Insurance
  – Cyber, etc.
  – Broker
  – Carrier
• PR Firm
• Notification Vendor
• Law Enforcement

Slide 15: Team considerations
Questions to consider
• Do you have a "cyber risk committee"?
• Who is the "head coach"?
• Who are the "coordinators"? i.e., who takes the lead on and "owns":
  – Proactive risk management
  – Incident response
  – Chain of command
• Have you considered the team members' personalities, experience, and other intangibles vis-à-vis the role they play?
Planning considerations
• Who is on the field during which situation?
• Do the players know their role?
• Are the players eligible to play? i.e., pre-approval of vendors, engagements executed
• Can they communicate?
  – Understand language
  – Logistics for communicating
• How often do they practice?
• Do you play scrimmages?

Slide 16: Takeaway: It takes a team of many different stakeholders within and outside of the organization, working together as a team, to effectively manage cyber risk.

Slide 17: What does the team do?

Slide 18: Common cybersecurity best practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
   – Social engineering, password, security questions.
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature-based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services provider (MSSP).
17. Really top-notch, battle-tested CISO.
18. Cyber risk insurance.

Slide 19: Canary in the coal mine
• What is your role?
• How does your company (or others) handle:
  – P&P + Training
  – MFA
  – Phishing
  – Backups
  – IRP & IR Team
  – Cyber Insurance

Slide 20: (image slide, no text)

Slide 21: How mature is the company's cyber risk management program?
• "GMR Transcription Services, Inc. . . . Shall . . . establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers." In re GMR Transcription Svcs, Inc., Consent Order (Aug. 14, 2014)
• "We believe disclosures regarding a company's cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area." SEC Statement and Guidance (Feb. 21, 2018)
• "Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity's Information Systems." NYDFS Cybersecurity Regulations § 500.02
• "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including …" GDPR, Art. 32
• "A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business." – Ken Paxton

Slide 22: What is reasonable cybersecurity?
• Too little – "just check the box"
• Too much – "boiling the ocean"

Slide 23: Reasonable cybersecurity is a process, not a definition

Slide 24: Takeaway: Reasonable cybersecurity is a process, not a definition: it includes understanding your risks, prioritizing your efforts, and executing your priorities in a systematic manner.

Slide 25: Once you have your team in place and understand what the risks are that you are trying to manage, what do you do?

Slide 26: What do you think?
What do you think is the most glaring thing missing when I look at substantial incidents and data breaches I have handled over the past 20 years?
1. Lack of hardware, services, gadgets, and gizmos?
2. Lack of support from management?
3. Lack of funding?
4. Lack of talent?
5. Lack of skills and knowledge?
6. Lack of strategy?

Slides 27–28: (image slides, no text)

Slide 29: Strategic leadership and planning
"Strategy without tactics is the slowest route to victory, tactics without strategy is the noise before defeat." – Sun Tzu
What does strategy consider?
• Risk analysis – present and future
• Resources – present and future
• Who is on your team?
• For different situations, understand team capabilities – internal and external
• How is your team executing?
• Don't forget 3rd and Nth party risk!
• Prioritize and execute for evolving threats
• Objectives – what is a "win"?

Slide 30: What is a "win"?

Slide 31: Takeaway: Winning is withstanding the attacks so your company can stay focused on its primary mission. Winning comes from preparation, resilience, and continuously learning and adapting.

Slide 32: Shawn Tuma, Co-Chair, Cybersecurity & Data Privacy, Spencer Fane LLP, 972.324.0317, stuma@spencerfane.com
• 20+ Years of Cyber Law Experience
• Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
• Council Member, Southern Methodist University Cybersecurity Advisory
• Board of Advisors, North Texas Cyber Forensics Lab
• Policy Council, National Technology Security Coalition
• Board of Advisors, Cyber Future Foundation
• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
• SuperLawyers Top 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-20
• Best Lawyers in Dallas 2014-20, D Magazine
• Chair-Elect, Computer & Technology Section, State Bar of Texas
• Privacy and Data Security Committee of the State Bar of Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Conference
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee & Infragard (FBI)
• International Association of Privacy Professionals (IAPP)