Cyber Resilience across Subsidiaries and Suppliers
1. Measuring Cyber Resilience
across Subsidiaries & Suppliers
because what gets measured gets managed
Executive Briefing, 12th March 2019
Kevin Duffey
Kevin.Duffey@CyberRescue.co.uk
5-6. What is Resilience?
Resilience is the ability to:
• anticipate (Intelligence)
• absorb and (Strength-In-Depth)
• adapt (Honesty)
to challenges.
Source: Resilience First
11-16. Who do you trust with sensitive data?
1) Your boss: 63% of CEOs admit to clicking links by mistake
2) Your team: 22% of staff clicked a phishing link in the last year
3) Your IT Department: 34% of those that spend > 10% of IT budget on security identified a data breach in the last 12 months; 17% of those that spend < 10% of IT budget on security identified a data breach in the last 12 months
4) Your Supplier(s): 416% annual growth in number of records breached via a supplier or other third party
17. Who do you trust with sensitive data?
It wants to be found
19. Who do you trust with sensitive data?
1) Your boss 1 1
2) Your team 1 10
3) Your IT Department 1 100
4) Your Supplier(s) 100 10,000
20. Example: who does HR Dept trust?
Recruitment Agencies
Staff Vetting Agencies
Payroll Agencies
Pension provider
Private health care
Other Benefits Providers
Training Providers
Coaches & Mentors
Staff Survey Providers
Staff Unions
Legal Experts
Outplacement Consultants
Etc.
31. Regulators say Contract not Enough
GDPR (Article 32) requires you to implement a process for regularly
testing, assessing and evaluating technical and organisational
measures for security of processing at suppliers.
Banks operating in the USA must now conform to finance
regulation 23 NYCRR 500 which requires continuous monitoring or
periodic penetration tests of key suppliers.
The European Banking Authority issued Guidelines for all banks to
monitor the level of security at Suppliers.
32-33. How best to review suppliers?
Attestation: 60 questions completed each year by 1 person at supplier
Awareness: 1 hour online compliance training & assessment by all staff
Certification: 8 hour audit completed every three years by external reviewer
Discussion: 1 hour meeting where supplier explains security governance
Cyber Range: 8 hour competition for IT staff, with scores & feedback
Pen Testing: 10 days of probing each year, of 10% of the applications in use
ScoreCard: 365 days of monitoring and assessment, with scores & feedback on all external systems
Simulation: 2 hour simulation of executive decisions during a breach
48. The most important question
What will you do by 12 April to help your key suppliers keep your secrets safe?
49. Censored
The live demonstration of how to measure cyber resilience, given to delegates on 12 March, is censored from this public version of the slides.