2. Agenda
§ Introductions
§ Cyber Incident Response
– The process
– Tips for getting it right
§ Today’s reality with breaches – CSO versus CPO
§ Q&A
3. Introductions: Today’s Speakers
§ Gant Redmon, GC and VP Business Development, Co3
– Former CPO of Arbor Networks, Inc.
– General Counsel for 12 years
§ Ellen Giblin, Privacy Counsel, Ashcroft Law Firm
– Internationally-recognized expert in privacy, data breach, data
protection, cyber security, and information management
– Privacy Counsel at Littler Mendelson P.C.
– Privacy Officer for Citizens Financial Group
5. Cyber Incident Response Plans
§ Every company should develop a written cyber incident response
plan
– Not only is it a good idea, some regulations require it
§ The plan should document cyber attack scenarios and define
appropriate responses
§ The plan should include:
– Response team
– Reporting
– Initial response
– Investigation
– Recovery and follow-up
– Public relations
– Law enforcement
6. Cyber Incident Response Team
The response team should:
• Identify and classify cyber attack scenarios
• Determine the tools and technology used to detect attacks
• Develop a checklist for handling initial investigations of cyber
attacks
• Determine the scope of an internal investigation once an attack
has occurred
• Conduct any investigations within the determined scope
• Address data breach issues, including notification requirements
• Conduct follow-up reviews on the effectiveness of the company's
response to an actual attack
7. Discovery and Reporting of Cyber Incidents
§ Define procedures for cyber attack discovery and reporting,
including:
– Team members who monitor industry practices to ensure that:
• information systems are appropriately updated; and
• information systems are instrumented to allow for early
discovery of attacks
– A database to track all reported incidents
– A risk rating to classify all reported incidents (e.g. low,
medium, or high) and facilitate the appropriate response
8. Initial Response to a Cyber Attack
• Conduct a preliminary investigation to determine whether a cyber
attack has occurred
• Follow the investigation checklist set out in the cyber incident
response plan
• The initial response varies depending on the type of attack and level
of seriousness. However, the response team should aim to:
• Stop the cyber intrusions from spreading further into the
company's computer systems
• Appropriately document the investigation
9. Investigating a Cyber Attack
§ A formal internal investigation may be required depending on:
– the level of intrusion
– its impact on critical business functions
§ An internal investigation allows the company to:
– Fully understand the intrusion
– Improve its chances of identifying the attacker
– Detect previously-unknown security vulnerabilities
– Identify required improvements to IT systems
§ If the company's response team or IT department lacks the
capacity or expertise to conduct an internal investigation, the
company may wish to retain:
• Legal counsel
• A cyber security consultant
10. Common Cyber Attack Scenarios
• Cyber attacks often fall into one or more common scenarios
• Anticipate and prepare for these common scenarios in advance and
provide preliminary investigatory questions for each
• Obtaining fast and accurate answers to these questions helps shape
and expedite the investigation
11. Recovery and Follow-Up After a Cyber Attack
§ Address the recovery of IT systems by both:
– Eliminating the vulnerabilities exploited by the attacker and
any other identified vulnerabilities
– Bringing the repaired systems back online
§ Once systems are restored:
– Determine what improvements are needed to prevent similar
incidents from reoccurring
– Evaluate how the response team executed the response plan
12. The Role of the CPO in a Breach
§ Understand the efforts underway by security staff to ‘plug the
gaps’ and restore integrity
§ Realize that there may be a conflict of interest
§ Know how to align and satisfy all of your organization’s requirements
13. Suggestions
§ Working with Security in advance is vital; knowing where the
tensions are, and what you’ll do to resolve them, is key to success
§ Early triage is critical to determining if PI has been exposed
§ Establish Executive support in advance of a breach for anything
that may look contentious
§ Have a clear process that coordinates activities across multiple
groups to ensure an efficient organizational response
§ Conduct dry runs, simulations or tabletops – it will illuminate
where there are potential issues – make sure to test out multiple
scenarios
14. Security and Privacy – the Yin and the Yang
[Diagram: two overlapping circles, Cyber Incidents and PII Exposed]
• Cyber Incidents (cyber breach, DDoS, malware, etc.) → CISO-Driven Response
• PII Exposed → CPO-Driven Response
• Where the two overlap → Combined Response
§ IT/Security: protect the integrity and continuity of business operations
§ Privacy: protect customers and employees
§ Aligning objectives
15. 5 Rules for Working With Your CSO
§ Rule #1: Know Your History
– The modern day CSO has been around about the same amount
of time as the CPO
– The CPO title came about in the mid to late 90s with the
advent of GLB and HIPAA
– The CSO title (as opposed to the CISO title) arose after 9/11
with the increased focus on security
– The CPO role weakened following 9/11 but has strengthened as
personal information becomes the basis of corporate value
16. 5 Rules for Working With Your CSO
§ Rule #2 Accept Your Co-Dependence
– Privacy and Security are intertwined. You can have security
without privacy, but you can’t have privacy without security
– You can promise not to share information, but that doesn’t do
much good if any hacker can just steal it
– There’s no responding to a data breach if you don’t know about
it or you can’t identify what information has been accessed
– IT is generally the real first responder. They are the ER triage
of data breach response
17. 5 Rules for Working With Your CSO
§ Rule #3 Empathize with Your CSO
– CSOs stockpile data. CPOs are minimalists. Show your CSO the
advantages of cleaning house
• Data retention policy compliance
• eDiscovery advantages
• Less exposure if a breach occurs if there is less sensitive data available
– Follow the Data
• The CSO knows the flow of data within the organization. You need to work with the CSO
to understand this flow and do your job
• Once you understand the flow of data, you can compare it to the business process
that drives that flow
• With an understanding of the flow of data and the business process, you can make
suggestions that take into consideration the value proposition of the use of customer
data
• Many companies see the role of CPO as driving internal process improvement
– Privacy can be an unnatural act for the CSO
• The CSO is charged with protecting the perimeter
• The CPO may be asking the CSO for “holes below the waterline” in the perimeter for
purposes of information owner inspection and verification
18. 5 Rules for Working With Your CSO
§ Rule #4 Stop Talking “Privacy”
– Privacy is a loaded word. It’s like saying “conservative” or
“liberal.” Use a word your CSO and others can rally around.
– Call it “Information Governance”
• Information governance encompasses information management, security,
use, and data strategy
• Information governance can refer to a lifecycle: how we create
information, how we keep it safe and secure and accessible during its
lifecycle, and how we thoughtfully dispose of it
– Information governance rings true with the legal department
• Can refer to data retention and eDiscovery
• Positions you as a bridge between the GC and CSO
• GCs didn’t go to law school because of their engineering prowess. Give
them a hand
19. 5 Rules for Working With Your CSO
§ Rule #5 Keep Your Head Out of the Boat
– A CSO’s role is largely inward looking. They must protect corporate assets and
keep the system running
– The CPO’s role is outward facing because they act as the customers' and
employees' advocate within the company
– Customer/Client advocacy translates to corporate revenue. Ask yourself what
other department uses this argument to drive change within your organization
– The CPO must be business savvy and navigate conflicting interests of business
needs, customer expectation and legal requirements
– If the CPO can prove himself or herself to be an ally of management in the
balancing of concerns, then that CPO will be embraced by those above
– If the CPO is embraced by the management team, the CPO is more likely to
have a good working relationship with the CSO
20. 5 Rules for Working With Your CSO
§ Bonus Rule #6 Embrace Technology to Improve Processes and
Efficiency
– CSOs make their career out of using software to improve
process – conversations will go well if you speak their language
– CSOs can use software as “breach triage” as well as for
escalating events to the CPO
– Using software to diagnose an event makes the outcome and
action plan both objective and quantifiable. These are traits
valued by both the GC and CSO
– Build a dashboard. CSOs love them as a way to stay in the loop
and remain part of an incident response
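The incident tracking database and low/medium/high risk rating from slide 7, the CISO-driven / CPO-driven / combined split from slide 14, and the "breach triage" software and dashboard suggested on this slide can be tied together in a small register. The code below is an added illustration written for this page, not Co3's product or anything from the deck; the rating thresholds (PI exposure or critical-function impact is high, multi-system spread is medium) and the three sample incidents are assumptions chosen for the example.

```python
"""Incident register with risk rating and response routing (added example,
not the deck's or Co3's code; rating thresholds are assumptions)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Risk(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class ResponsePath(Enum):
    CISO_DRIVEN = "CISO-driven"   # cyber incident, no PII exposed
    CPO_DRIVEN = "CPO-driven"     # PII exposed without a cyber intrusion
    COMBINED = "combined"         # cyber incident that exposed PII


# Scenarios the deck lists as cyber incidents; anything else is treated as a
# non-cyber privacy incident (e.g. a misdirected email).
CYBER_SCENARIOS = {"cyber breach", "ddos", "malware"}


@dataclass
class Incident:
    incident_id: str
    scenario: str               # free text, matched case-insensitively
    systems_affected: int       # systems touched, from the initial response
    pii_exposed: bool           # early-triage finding: was PI exposed?
    business_critical: bool     # impact on a critical business function?
    reported_at: datetime
    risk: Risk = field(init=False)
    path: ResponsePath = field(init=False)

    def __post_init__(self):
        self.risk = rate_risk(self)
        self.path = route_response(self)


def rate_risk(inc: Incident) -> Risk:
    """Assumed rule: PI exposure or critical-function impact is HIGH,
    spread beyond one system is MEDIUM, a contained single system is LOW."""
    if inc.pii_exposed or inc.business_critical:
        return Risk.HIGH
    if inc.systems_affected > 1:
        return Risk.MEDIUM
    return Risk.LOW


def route_response(inc: Incident) -> ResponsePath:
    """PII exposure brings in the CPO, a cyber scenario brings in the CISO,
    and both together need a combined response."""
    is_cyber = inc.scenario.strip().lower() in CYBER_SCENARIOS
    if is_cyber and inc.pii_exposed:
        return ResponsePath.COMBINED
    if inc.pii_exposed:
        return ResponsePath.CPO_DRIVEN
    return ResponsePath.CISO_DRIVEN


class IncidentRegister:
    """In-memory stand-in for the incident tracking database."""

    def __init__(self):
        self._rows: dict[str, Incident] = {}

    def report(self, inc: Incident) -> Incident:
        if inc.incident_id in self._rows:
            raise ValueError(f"duplicate incident id {inc.incident_id}")
        self._rows[inc.incident_id] = inc
        return inc

    def cpo_escalations(self) -> list[str]:
        """Ids the CPO must be told about: every incident with PI exposed."""
        return sorted(i.incident_id for i in self._rows.values() if i.pii_exposed)

    def dashboard(self) -> dict[str, int]:
        """Counts per risk level and response path for a simple dashboard."""
        counts: dict[str, int] = {}
        for inc in self._rows.values():
            counts[inc.risk.name] = counts.get(inc.risk.name, 0) + 1
            counts[inc.path.value] = counts.get(inc.path.value, 0) + 1
        return counts


def build_sample_register() -> IncidentRegister:
    """Three constructed incidents (sample data, not real events)."""
    now = datetime(2013, 6, 1, tzinfo=timezone.utc)
    reg = IncidentRegister()
    reg.report(Incident("INC-001", "malware", 1, False, False, now))
    reg.report(Incident("INC-002", "cyber breach", 4, True, True, now))
    reg.report(Incident("INC-003", "misdirected email", 0, True, False, now))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print(reg.dashboard())
    print("escalate to CPO:", reg.cpo_escalations())
```

The point of computing the rating and the response path at report time is that the escalation to the CPO becomes a property of the record rather than a judgement call made under pressure: any incident flagged as exposing PI appears in `cpo_escalations()` regardless of whether Security considers it a cyber incident, and the dashboard counts give both the CSO and the CPO the same view of what is open.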
22. Thanks!
Co3: 1 Alewife Center, Suite 450, Cambridge, MA 02140; ph: 617.206.3900; e: info@co3sys.com; www.co3sys.com
Ashcroft Law Firm: 1100 Main Street, Suite 2710, Kansas City, MO 64105; ph: 816.285.7600; e: info@ashcroftlawfirm.com; www.ashcroftgroupllc.com/law/
Gartner: “Co3 …define(s) what software packages for privacy look like.”