1) Cybersecurity has become a major concern for boardrooms as data breaches are increasingly common and costly. The FBI has warned that data breaches increased 400% in recent years.
2) Effective cybersecurity requires a company-wide effort overseen by leadership. It is no longer just an IT issue but a business risk that must be addressed from the top down.
3) To properly advise CEOs and boards, cybersecurity experts must understand the true threats including nation-state attacks and opportunistic hackers, and recommend risk-reducing strategies in business terms palatable to non-technical leadership.
Managing Cyber Risk: Are Companies Safeguarding Their Assets? (EMC)
This white paper summarizes the results of a survey done by RSA, NYSE Governance Series, and Corporate Board Member, in association with Ernst & Young, with 200 audit committee members responding on a variety of issues regarding their cyber risk oversight program.
White paper cyber risk appetite defining and understanding risk in the moder... (balejandre)
Managing risk is a balancing act for organizations of all sizes and disciplines. While some organizations take on too much risk, others arguably do not take on enough. Complicating this equation is the emergence of cyber as one of the most impactful sources of risk in the modern enterprise.
Improving Cyber Security Literacy in Boards & Executives (Tripwire)
In response to the rapidly evolving threat landscape, Boards of Directors (BoDs) and executives are now more aware of today’s cyber threats and how they might adversely affect their business. However, most executives are nonetheless limited in their knowledge of security and do not know what to ask their security teams.
It is therefore up to security professionals to help their executives become more cyber security literate and thereby assist in framing security considerations as an integral part of any risk/opportunity discussion, as well as a wider enterprise risk management strategy.
Acknowledging this responsibility on the part of information security personnel, Tripwire has asked a number of prominent experts in the field how security teams can improve their executives’ cyber security literacy.
A Russell Reynolds Associates study on cybersecurity that explores the importance of the relationship between the Chief Information Security Officer and the Board of Directors.
RSA 2019 was held March 4-8 at the Moscone Center in San Francisco. The conference is one of the largest conferences for information security globally and hosted 42,500+ attendees.
Talking To The Board: How To Improve Your Board's Cyber Security Literacy – U... (Tripwire)
Boards of Directors have an inescapable legal responsibility to protect their organisation’s assets and shareholder value against risks. Where does cybersecurity fit in the agenda? Many boards lack the knowledge, awareness and confidence to connect security to the business.
In this webcast, moderator Paul Edon, Director of Customer Services at Tripwire, will provide a variety of perspectives from experienced professionals in the industry — including Amar Singh UK CISO for Elsevier, Ray Stanton EVP Professional Services at BT and Advisory Board Member of ISF, and Gary Cheetham, CISO at NFU Mutual.
The Security Director's Practical Guide to Cyber Security (Kevin Duffey)
Presented at the annual UK Security Expo in London, to help traditional Security Directors understand and feel confident about the practical ways in which their role should extend to cyber security issues. This presentation was followed by a simple cyber attack simulation (not shown here).
Presented by Barrie Millett and Kevin Duffey of Cyber Rescue.
RSA Security Brief: Taking Charge of Security in a Hyperconnected World (EMC)
The new RSA Security Brief highlights that basic security lapses still contribute to most security incidents. The report identifies top areas for improvement and provides practical guidance on measures that deliver the greatest impact on organizations' ability to respond to cyber attacks and data breaches.
About RSA Security Brief:
RSA Security Briefs provide security leaders and risk management executives with essential guidance on today's most pressing information security threats and opportunities. Each Brief is created by a select team of experts who connect experiences across organizations to share specialized knowledge on a critical security topic. Offering both big-picture insight and practical technology guidance, RSA Security Briefs are vital reading for today's forward-thinking security and risk management practitioners.
Read more via http://tatainteractive.com/ - A comprehensive cybersecurity training program in an organization needs to be multi-tiered and nuanced to be effective. Tata Interactive Systems' cybersecurity training curriculum leverages games and simulations to improve the profile of your business. It is also ideal for students who are currently working full-time and aspire to become cybersecurity professionals. To learn more about how TIS can help, please visit the site.
1. How often do you see non-sanctioned cloud services in use?
2. Are we protecting ourselves against insider threats?
3. Do we have a cyber security task force in place?
4. Is our BYOD policy secure?
5. Do you feel limited by your security budget or staff size?
We are living in a world where cyber security is a top priority for... (.pdf, galagirishp)
We are living in a world where cyber security is a top priority for all governments and businesses. In fact, last week the United States announced cyber security as its biggest. James Clapper, the Director of National Intelligence, says that “the world is applying digital technologies faster than our ability to understand the security implications and mitigate potential risks.” Hackers are able to get ahead of governments because they are applying technology faster than many can understand it. (http://ca.reuters.com/article/technologyNews/idCABRE92B0LS20130312)
These attackers are persistent, and it is important to be aware of the methods used by hackers, as this is an important step towards defending sensitive company data.
When a hacker strikes, the cost to a company could potentially be millions of dollars. Not only will it affect the bottom line, but hard-earned reputations can be compromised or destroyed.
It is important to recognize the differences between the different kinds of cyber threats: external and internal. An external, or outsider, threat is much trickier to pinpoint. It can be “from someone that does not have authorized access to the data and has no formal relationship to the company.” It could come from someone who is actively targeting the company, or accidentally from someone who found a lost mobile device.
Internal threats are likely to come from an authorized individual who has easy access to sensitive corporate data as part of their day-to-day duties. This could be anyone working within the company or acting as a third-party representative. The Global Knowledge Blog states that insiders have a much greater advantage because they have means, motive, and opportunity, whereas outsiders most often only have a motive. (http://globalknowledgeblog.com/technology/security/hacking-cybercrime/insider-vs-outsider-threats/)
When focusing on internal threats, we have made a digital security checklist:
• Implement an Intrusion Detection System (IDS). These systems act like security cameras watching a network. They react to suspicious activity by logging off suspect users, or in some cases, they might reprogram firewalls to snag a possible intrusion.
• Implement a log management platform that will centralize all the logs and correlate them to find threats and alert on them.
• Stay proactive with Identity Management systems that will monitor high-risk or suspicious user activity by detecting and correcting situations that are out of compliance or present a security risk.
• Be aware of who has keys and access codes to vulnerable information. Monitor the activity when these spaces are accessed, authorized or not.
• Create safety policies for when employees with these security privileges leave the company or are terminated. This will reduce the risk of theft due to careless behaviour, or break-ins from disgruntled employees.
• Get employees involved with the security procedures of the company. As a team, you can work to strengthen your digital security pr.
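Two of the checklist items above (monitoring who accesses sensitive data, and making sure departed employees lose their access) can be turned into a concrete review over access logs. The script below is an added example, not code from this document or from any of the listed papers; every log line, user name, entitlement and date in it is constructed for illustration.

```python
"""Offboarding and privileged-access review over constructed sample logs.

Added example (not from the original page): implements two checklist items
as detection logic -- flag access by accounts whose owner has already left,
and flag access to a guarded resource by anyone outside its authorized list.
All log lines, names, entitlements and dates below are constructed.
"""
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed access log: ISO timestamp (UTC), user, resource, action
SAMPLE_LOG = """\
2015-06-01T08:02:11Z alice  hr-db       READ
2015-06-01T09:15:40Z bob    finance-db  READ
2015-06-03T18:47:03Z bob    finance-db  EXPORT
2015-06-04T07:30:00Z carol  finance-db  READ
2015-06-05T22:10:55Z dave   hr-db       READ
"""

# Constructed HR feed: user -> last working day; absent means still employed
DEPARTURES: Dict[str, str] = {"bob": "2015-06-02"}

# Constructed entitlement list: resource -> users authorized to access it
AUTHORIZED: Dict[str, Set[str]] = {
    "hr-db": {"alice"},
    "finance-db": {"bob", "carol"},
}

Event = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse whitespace-separated log lines; skip blank or malformed ones."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2], parts[3]))
    return events


def post_departure_access(events: List[Event], departures: Dict[str, str]):
    """Access by an account after its owner's last working day.

    Any hit means the offboarding process did not revoke access in time.
    """
    hits = []
    for ts, user, resource, action in events:
        last_day = departures.get(user)
        if last_day and ts.date() > datetime.strptime(last_day, "%Y-%m-%d").date():
            hits.append((user, resource, action, ts.isoformat()))
    return hits


def unauthorized_access(events: List[Event], authorized: Dict[str, Set[str]]):
    """Access to a guarded resource by a user not on its entitlement list."""
    return [
        (user, resource, action, ts.isoformat())
        for ts, user, resource, action in events
        if resource in authorized and user not in authorized[resource]
    ]


def review(log_text=SAMPLE_LOG, departures=DEPARTURES, authorized=AUTHORIZED):
    """Run both checks and return the findings keyed by check name."""
    events = parse_log(log_text)
    return {
        "post_departure": post_departure_access(events, departures),
        "unauthorized": unauthorized_access(events, authorized),
    }


if __name__ == "__main__":
    for finding, rows in review().items():
        print(finding, rows)
```

On the constructed data the review flags bob's export the day after his last working day and dave's read of hr-db, which he is not entitled to; the same two functions run unchanged over a real export once the log, HR feed and entitlement list are substituted.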
Digital has increased businesses’ cybersecurity risk – and yet few have elevated security to a senior leadership concern, according to our recent research. Here’s what businesses are thinking about cybersecurity, and a framework for strengthening their security strategies.
To implement data-centric security, while simultaneously empowering your business to compete and win in today’s nano-second world, you need to understand your data flows and your business needs from your data. Begin by answering some important questions:
• What does your organization need from your data in order to extract the maximum business value and gain a competitive advantage?
• What opportunities might be leveraged by improving the security posture of the data?
• What risks exist based upon your current security posture? What would the impact of a data breach be on the organization? Be specific!
• Have you clearly defined which data (both structured and unstructured) residing across your extended enterprise is most important to your business? Where is it?
• What people, processes and technology are currently employed to protect your business sensitive information?
• Who in your organization requires access to data and for what specific purposes?
• What time constraints exist upon the organization that might affect the technical infrastructure?
• What must you do to comply with the myriad government and industry regulations relevant to your business?
Finally, ask yourself what a successful data-centric protection program should look like in your organization. What’s most appropriate for your organization?
The answers to these and other related questions would provide you with a clearer picture of your enterprise’s “data attack surface,” which in turn will provide you with a well-documented risk profile. By answering these questions and thinking holistically about where your data is, how it’s being used and by whom, you’ll be well positioned to design and implement a robust, business-enabling data-centric protection plan that is tailored to the unique requirements of your organization.
Security intelligence maturity model CISO whitepaper (CMR WORLD TECH)
A Time of Great Risk: The Time Between Compromise and Mitigation
In most organizations today, threat detection is based on various security sensors that attempt to look for anomalous behavior or for known signatures of malicious activity. These sensors include firewalls, intrusion detection/prevention systems (IDS/IPS), application gateways, anti-virus/anti-malware, endpoint protection, and more. They operate at and provide visibility into all layers of the IT stack.
This Frost & Sullivan analyst report reveals how the legal and threat environment, combined with BYOD and cost factors, make multi-factor, risk-based authentication the logical approach to solving the security challenges posed by threat actors.
How to Increase Your CEO and Board’s Cybersecurity Literacy
T. Casey Fleming, CEO, BLACKOPS Partners Corporation
Anthony M. Chapa, Director, BLACKOPS Partners Corporation; Former Assistant Director and Chief Technology Officer, U.S. Secret Service
Current State
As 2015 unfolds, cybersecurity is the hot topic in boardrooms today. According to Forbes, 2014 was the year of the data breach, and we would be wise to brace for more in 2015.[1] FireEye CEO Dave DeWalt stated, “The trend of massive data breaches are now the new norm as 97% of companies are currently being hacked.”[2] The FBI warned that data breaches are up 400%, and a doubling or tripling of the available workforce to counter them may be required.[3] Looking into the near future, Corporate Counsel recently stated that if the current trend continued, breaches were on track to cost companies $2.1 trillion.[4] This trend illustrates the fact that the CEO and board of every U.S. company needs an immediate new cybersecurity game plan, beginning from the top down.
United States Cybersecurity Magazine | www.uscybersecurity.net62
Company-Wide Effort
The board’s role in cybersecurity is defined as active oversight. Directors, officers, and CEOs can be held personally liable for failing to appropriately monitor and supervise the enterprise, including the protection of sensitive data. According to a recent article by Chief Executive, “While the mechanics of identifying and remediating attacks may reside with the IT team, cybersecurity has become a company-wide effort that the leadership team must oversee.”[5]
As a result of recent breaches, boards have realized that cybersecurity is no longer just an IT problem; it is a business risk problem that must be approached from the top. When the castle walls continue to be regularly breached, it’s not time to continue to build higher walls and deeper moats. A redesigned company-wide approach that includes all departments, partners, suppliers, and attention to insider threat is long overdue.
Become a Resource
To become an effective resource against today’s threats, it’s important to understand the true threat behind data breaches, the scale and motivations involved. This is only accomplished through active, on-going intelligence and counterintelligence.
There are two classes of threats: nation-state and “privateers.” Each type is very different in intent, approach, means, and scope. Nation-state attacks are government-based, well planned, massive, decades long, and designed to steal innovation and trade secrets on a grand scale. This eliminates the requirements of time and funding for research and development. Secrecy and plausible deniability are the primary components of nation-state threats. Research and experience prove that 99% of nation-state breaches go unreported or, worse, undetected.[6]
The second class of threat is the “privateer.” This is usually a lone wolf or small group of hackers who are opportunistic and have the intent to steal private data for immediate sale on the DarkNet. These breaches typically involve personally identifiable information (PII). In a recent experiment by Bitglass, “stolen” data was viewed more than 1000 times and downloaded 47 times by people in 22 countries on five continents.[7] BLACKOPS Partners intelligence also shows stolen data is typically parsed and resold an average of five times. For example, this equates to 10 million stolen records having the effective damage of 50 million. Most of these breaches are exposed when they are listed on the DarkNet for sale and reported as required by regulators.
You Don’t Know What You Don’t Know
To add real value for CEOs and Boards, an effective cybersecurity strategy must incorporate a 180 degree departure from our expired defensive strategy. The cybersecurity industry has traditionally been built upon a collection of software and hardware products requiring patches and updates. Many of the products currently in use have become obsolete in this fast-moving threat environment. Defending the “castle wall” became obsolete years ago. The old way of thinking must make way for a new thought process. Changing nothing risks everything.
To effectively defend against a nation-state, privateer hacker, or insider threat, we must begin to think like our adversary on a fluid security model. It is this core transformation that truly yields the breakthrough protection companies desperately require today. This is also the point where we become valuable to the CEO and board. Mike Tyson said it best: “Everyone has a plan ‘till they get punched in the mouth.”
Understand the Board’s Role
In their role of active oversight, the board does not need to know specific technological details. However, they require enough detail to review and make effective decisions on where to place focus, resources, and funding. Data breaches are a new and increasingly massive business risk that CEOs and boards must learn to manage effectively.
Speak Their Language
CEOs and boards rarely come from cybersecurity or technology backgrounds. They are focused on business risk and the business impact of data breaches, their total cost over time, potential revenue hit, and damage to the company’s reputation over time.
Provide context and comparisons in terms of data breach specifics by listing and quantifying the business risks the breached companies incurred. Include a cost/benefit analysis in support of your recommendations to manage and reduce business risk.
Answer Key Questions
Now that data breaches have become the norm, directors must handle the cybersecurity curve quickly. CEOs and boards have little training in cybersecurity but have the fiduciary responsibility to actively oversee it. In many cases, they don’t know the correct questions to ask. The following questions are an excellent opportunity to begin a next-level relationship with your board. Be sure you have solid answers to each question before you sit down.
1. Where is our sensitive data stored?
2. Who has access to it? How is access managed?
3. Where is our sensitive data going?
4. What can we do to limit it?
5. How do we limit damage to our reputation?
6. How do we protect our reputation?
Get Them Involved
The most effective way to increase your CEO and board’s cybersecurity literacy is to schedule them “hands-on” with a cyber breach exercise facilitated by a highly experienced third party. Include all key executives and document the process. Repeat it twice per year or annually, at a minimum. When directors walk through the process, it becomes enlightening for everyone involved. Each participant gains understanding and appreciation for each other’s role in the exercise. A shared breach exercise with officers and directors is the cornerstone to next-level cybersecurity literacy and a productive relationship going forward.
Sources
[1] Fisher, Daniel: “If 2014 Was The Year Of The Data Breach, Brace For More.” Forbes.com, January 2015. <http://www.forbes.com/sites/danielfisher/2015/01/02/if-2014-was-the-year-of-the-data-breach-brace-for-more/>
[2] Storm, Darlene: “FireEye suspects FIN4 hackers are Americans after insider info to game stock market.” Computerworld.com, December 2014. <http://www.computerworld.com/article/2853697/fireeye-suspects-fin4-hackers-are-americans-after-insider-info-to-game-stock-market.html>
[3] Viebeck, Elise: “FBI: Data breaches ‘increasing substantially’.” TheHill.com, May 2015. <http://thehill.com/policy/cybersecurity/242110-fbi-official-data-breaches-increasing-substantially>
[4] Reisinger, Sue: “Data Breaches on Track to Cost Companies $2.1 Trillion.” Corpcounsel.com, May 2015. <http://www.corpcounsel.com/id=1202726318756/Data-Breaches-on-Track-to-Cost-Companies-3621-Trillion?slreturn=20150515184638>
[5] “Cybersecurity Lessons for the C Suite.” Chiefexecutive.net, May 2015. <http://chiefexecutive.net/cybersecurity-lessons-for-the-c-suite/>
[6] BLACKOPS Partners intelligence.
[7] “Experiment Shows Speed at Which Stolen Data Travels.” Wallstreetjournal.com, April 2015. <http://blogs.wsj.com/riskandcompliance/2015/04/15/experiment-shows-speed-at-which-stolen-data-travels/>
About the Authors:
T. Casey Fleming serves as Chairman and Chief Executive Officer of BLACKOPS Partners Corporation, the leading management advisors consisting of America’s elite executive thought leaders from intelligence, technology, federal law enforcement, information security, and management consulting. Mr. Fleming is a leading expert in risk reduction and the advanced protection of innovation, trade secrets, and competitive advantage for Fortune 500 companies, U.S. government agencies, universities, and research facilities. Mr. Fleming is an innovative information security and management consulting executive who directed organizations for Good Technology, Deloitte Consulting, and was a founding executive of IBM’s Cyber division. Mr. Fleming earned his Bachelor of Science from Texas A&M University.
Anthony M. Chapa serves on the Board of Directors for BLACKOPS Partners Corporation. Mr. Chapa is the CEO of Chapa Concepts, which provides threat and technology assessment for leading advanced technology and public sector organizations. In addition, Chapa Concepts provides strategy and operational support to biometric access, security technology, and communication firms. Mr. Chapa retired from the United States Secret Service (USSS), Department of Homeland Security after a highly successful career, including as Assistant Director at USSS Headquarters and Deputy Assistant Director and Chief Technology Officer responsible for the Technical Security Division. Mr. Chapa also served as the Special Agent in Charge of the Los Angeles field office including leadership over the nation’s premier USSS Electronic Crimes Task Force (ECTF). Mr. Chapa earned his Bachelor of Arts and Master of Arts in Political Science from St. Mary’s University.