Cybersecurity has escalated to a major board-level concern and corporate governance issue. Boards of directors now play an important oversight role in ensuring organizations have adequate cybersecurity measures, response plans, and roadmaps to address growing threats. Management is responsible for executing specific security steps, while the board provides advisory and monitoring functions. These include assessing security readiness, stress testing response plans, conducting independent reviews, and establishing long-term strategies. With continued board guidance, organizations can better mitigate risks and adapt to changing cyber threats.
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions (Shawn Tuma)
Everyone should now understand that no bank or financial institution is immune from cyber risk. Many are now ready to move forward with improving their cyber risk posture but do not know what to do next or how to prioritize their resources. Recognizing that cybersecurity is an overall business risk issue that must be properly managed to comply with many laws and regulations governing banks and financial institutions, this presentation will provide a strategy for how to better understand and manage such risks by:
(1) Providing an overview of the legal and regulatory framework;
(2) Examining the most likely real-world risks; and
(3) Providing strategies for how to manage such risks, including cyber insurance and the development and implementation of an appropriate cyber risk management program (which is not as difficult as it sounds).
Shawn E. Tuma, cybersecurity and data privacy attorney at Spencer Fane, LLP, delivered the presentation titled Cybersecurity: Cyber Risk Management for Banks & Financial Institutions (and Attorneys Who Represent Them) at the Southwest Association of Bank Counsel (formerly the Texas Association of Bank Counsel) 42nd Annual Convention on September 20, 2018.
Secrets to managing your Duty of Care in an ever-changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for cybersecurity attacks sits with executives and board members, who may not have the right level of technical security knowledge. This session will outline the practical steps executives can take to implement a cybersecurity roadmap that is aligned with the organisation's strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Frameworks" will help you understand why and how organizations use a cybersecurity framework to Identify, Protect and Recover from cyber attacks.
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain how to transform organizational security to strengthen defenses and integrate cybersecurity with the overall approach to security governance, risk management and compliance.
Cybersecurity Governance for Boards of Directors (Paul Feldman)
This paper discusses the emerging issue of Board of Directors governance and cybersecurity. It was originally presented to the Boards of Directors of the IRC (http://www.isorto.org/Pages/Home) in May 2014. The paper is under continuous improvement, with the goal of becoming a resource for Boards of Directors in the energy (electricity and natural gas) industry. Suggested updates and improvements are welcome at PaulFeldman@Gmail.com. The current copy is always at http://www.EnergyCollection.us/456.pdf
Insight offers a security operations center (SOC) as a service, intended to reduce advanced threats and security risk across your company and to protect your network infrastructure across the organization. https://insightmsp.co.in/soc-as-service.php
Information Security between Best Practices and ISO Standards (PECB)
Main points covered:
• Information Security best practices (ESA, COBIT, ITIL, Resilia)
• NIST security publications (NIST 800-53)
• ISO standards for information security (ISO 20000 and ISO 27000 series)
- Information Security Management in ISO 20000
- ISO 27001, ISO 27002 and ISO 27005
• What is best for me: Information Security Best Practices or ISO standards?
Presenter:
This webinar was presented by Mohamed Gohar. Mr. Gohar has more than 10 years of experience in ISM/ITSM training and consultation. He is one of the expert reviewers of the CISA Review Manual, 26th edition (2016), and ISM Senior Trainer/Consultant at EGYBYTE.
Link of the recorded session published on YouTube: https://youtu.be/eKYR2BG_MYU
• Understand and apply concepts of confidentiality, integrity and availability
• Apply security governance principles
• Understand legal and regulatory issues that pertain to information security in a global context
• Develop and implement documented security policy, standards, procedures, and guidelines
• Understand business continuity requirements
• Contribute to personnel security policies
• Understand and apply risk management concepts
• Understand and apply threat modeling
• Integrate security risk considerations into acquisition strategy and practice
• Establish and manage information security education, training, and awareness
Introduction to Risk Management via the NIST Cyber Security Framework (PECB)
The cyber security profession has established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Applying the CSF within cyber security is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlights opportunities for expanded application to cyber, physical, and personnel security risks. The NIST CSF can help practitioners build a cross-pollinated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
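The CSF "current" and "target" profiles mentioned above (and the framework referenced in the Edureka tutorial earlier on this page) become actionable once the two profiles are compared category by category and the gaps are ranked. The following Python example is added here to show one way of doing that; it is not code from the PECB webinar or from NIST. The Function and Category identifiers (ID.AM, PR.AC, ...) are the CSF 1.1 Core's; scoring each Category on the 1-4 Implementation Tier scale, the business-priority weights, and the sample profiles are this example's own assumptions, and the profile data is constructed for illustration.

```python
"""NIST CSF profile gap analysis (added example, not NIST's or PECB's code).

Assumption: each CSF Category is scored 1 (Partial) .. 4 (Adaptive) in both
the Current Profile and the Target Profile, and each carries a business
priority weight. The framework applies Implementation Tiers to the
organisation as a whole; reusing the scale per Category is a simplification.
"""
from dataclasses import dataclass
from typing import Dict, List

# CSF 1.1 Function identifiers (the prefix of every Category ID).
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# CSF Implementation Tier names, used here as the per-Category scale.
LEVELS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class CategoryGap:
    category: str   # e.g. "PR.AC" (Identity Management and Access Control)
    current: int    # level recorded in the Current Profile
    target: int     # level wanted in the Target Profile
    weight: int     # business priority, 1 (low) .. 5 (critical); assumed scale

    @property
    def function(self) -> str:
        return FUNCTIONS[self.category.split(".", 1)[0]]

    @property
    def gap(self) -> int:
        # A Category already above its target has no gap; over-investment is
        # reported separately rather than as a negative gap.
        return max(self.target - self.current, 0)

    @property
    def score(self) -> int:
        return self.gap * self.weight


def _check_level(category: str, level: int) -> int:
    if level not in LEVELS:
        raise ValueError(f"{category}: level {level} not in {sorted(LEVELS)}")
    return level


def gap_analysis(current: Dict[str, int], target: Dict[str, int],
                 weights: Dict[str, int]) -> List[CategoryGap]:
    """Compare a Current Profile against a Target Profile.

    Every Category in the target must have a current level (a missing one is
    an assessment gap, not a zero). Categories the target omits are ignored.
    The result is sorted most urgent first: largest weighted score, then
    largest raw gap, then Category ID for a stable order.
    """
    missing = sorted(set(target) - set(current))
    if missing:
        raise KeyError(f"no current level recorded for {missing}")
    gaps = []
    for cat, tgt in target.items():
        if cat.split(".", 1)[0] not in FUNCTIONS:
            raise ValueError(f"{cat}: unknown CSF Function prefix")
        gaps.append(CategoryGap(cat, _check_level(cat, current[cat]),
                                _check_level(cat, tgt), weights.get(cat, 1)))
    return sorted(gaps, key=lambda g: (-g.score, -g.gap, g.category))


def function_summary(gaps: List[CategoryGap]) -> Dict[str, int]:
    """Total weighted gap per CSF Function: the board-level roll-up."""
    totals = {name: 0 for name in FUNCTIONS.values()}
    for g in gaps:
        totals[g.function] += g.score
    return totals


def over_target(gaps: List[CategoryGap]) -> List[str]:
    """Categories whose current level exceeds target (candidates for re-allocation)."""
    return [g.category for g in gaps if g.current > g.target]


# Constructed sample profiles for illustration, not real assessment data.
CURRENT_PROFILE = {"ID.AM": 2, "PR.AC": 1, "PR.DS": 2, "DE.CM": 1, "RS.RP": 2, "RC.RP": 3}
TARGET_PROFILE = {"ID.AM": 3, "PR.AC": 3, "PR.DS": 3, "DE.CM": 3, "RS.RP": 3, "RC.RP": 2}
WEIGHTS = {"ID.AM": 3, "PR.AC": 5, "PR.DS": 4, "DE.CM": 4, "RS.RP": 3, "RC.RP": 2}

if __name__ == "__main__":
    result = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, WEIGHTS)
    for g in result:
        print(f"{g.category:6} {g.function:8} {LEVELS[g.current]:>13} -> "
              f"{LEVELS[g.target]:<13} gap={g.gap} weight={g.weight} score={g.score}")
    print("per function:", function_summary(result))
    print("above target:", over_target(result))
```

With the sample data, PR.AC (gap of two levels, highest weight) ranks first and DE.CM second, while RC.RP shows up only in the over-target list; the per-Function totals are what a non-technical audience would see on a dashboard, while the ranked Category list is the work queue for the security team.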
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, security systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the FBI's InfraGard program. David holds the Certified Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Specializing in Homeland Security, Andrea draws on her experience managing projects for various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel at the tactical, operational and strategic levels. Andrea applies analytical tradecraft and consistent, repeatable and defensible methodologies to risk and its elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
The cyber security job is everyone's business, including the Board of Directors, even without a cyber security degree. Recent cyber security news proves that. According to several studies, Boards are getting it wrong and are leaving cyber awareness and risk management in the hands of the CEO, CISO, CTOs and cyber security companies. In a sense they are abdicating their responsibility to the shareholders. This slideshare proposes 7 questions every board should be asking their company executives about IT security. They are not necessarily all-encompassing and do not take the place of real cybersecurity training, but they will drive the discussion toward a better and more complete understanding of strategic risk. The questions cover the basics of cyber security training, cyber policies, and who briefs the board and when at board meetings.
Enterprise Security Architecture was initially targeted at two problems:
1- System complexity
2- Inadequate business alignment
Together these result in more cost and less value.
Here is an easy-to-use checklist for ISO 27001.
If you require any advice please call CAW Consultancy Business Solutions on 01772 932058 or our 24 hour hotline 07427535662
WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW
BEFORE, DURING AND AFTER AN ATTACK
View the webinar:
https://www2.fireeye.com/The_Board_and_CyberSecurity_webinar_EMEA.html?utm_source=SS
Download the full report:
https://www2.fireeye.com/WEB-2015-The-Cyber-Security-Playbook.html?utm_source=SS
In today’s business environment, organizations have a responsibility to their employees, clients, and customers to ensure the confidentiality, integrity and availability of the critical data entrusted to them. Every network is vulnerable to some form of attack. However, it is not enough to simply confirm that a technical vulnerability exists and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. During this webinar, David Hammarberg, Principal, IT Director, and leader of McKonly & Asbury’s Cybersecurity Practice, will be joined by Partner Michael Hoffner to lead a discussion on a Cybersecurity Risk Management Program, including what it is and how it can prepare your organization for the future.
On average organizations spend $10M+ responding to third-party security breaches each year. Third-Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your organization by outsourcing to third-party service providers (TPSP). TPSP relationships can introduce strategic, financial, operational, regulatory, and reputational risks.
For example, some TPSPs are involved in the storage, processing, and/or transmission of cardholder data (CHD), while others are involved in securing cardholder data, or securing the cardholder data environment (CDE).
Digital relationships with third-party providers increase opportunities for growth, but they also increase opportunities for cyberattacks — a recent study found that 61% of U.S. companies said they had experienced a data breach caused by one of their third-party providers (up 12% since 2016).
Learn more about:
• TPSP lifecycle,
• The effects of due diligence,
• The five critical control objectives, and
• How to build an effective risk assessment questionnaire.
To learn more, visit: https://bit.ly/3vQ4DjC
Talking about the Next-Gen Security Operation Center for IDNIC+APJII as a representative of IDSECCONF. A people-centric SOC requires a lot of investment in people, in terms of both quantity and quality; unfortunately, (good) IT security people are getting rare these days. Organisations need to put more of their investment into technology, as in Industry 4.0 machines are getting more advanced at supporting humans with continuous and repetitive tasks.
Moving from a “traditional” to a next-gen SOC requires a proper plan; that is what this talk was about.
Advanced Cybersecurity Risk Management: How to successfully address your Cybe... (PECB)
Main points covered:
• Understanding the inverted economics of cyber security, the incentives for cyber crime and its effect on the growing threat
• Inefficiencies with the traditional approaches to cyber risk assessment and why we are not making more progress in enhancing cyber defenses
• Resetting roles and responsibilities regarding cyber security within organizations
• Developing empirical, cost-effective cyber risk assessments to meet the evolving threat
Our presenter for this webinar is Larry Clinton, the president of the Internet Security Alliance (ISA), a multi-sector association focused on cybersecurity thought leadership, policy advocacy, and best practices. Mr. Clinton advises both industry and governments around the world. He has twice been listed on the Corporate 100 list of the most influential people in corporate governance. He is the author of The Cyber Risk Handbook for Corporate Boards. PwC has found that use of this Handbook improves cyber budgeting and cyber risk management and helps create a culture of security. The Handbook has been published in the US, Germany, the UK and Latin America. He is currently working on a version for the European Confederation of Directors Associations as well as versions for Japan and India. Mr. Clinton also leads ISA's public policy work, built around its publication “The Cyber Security Social Contract”, on which the NATO Cooperative Cyber Defence Centre of Excellence in Estonia requested a briefing.
Recorded Webinar: https://www.youtube.com/watch?v=8qVtoqi37X8
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ... (Shawn Tuma)
This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, at the January 27, 2017 meeting of (ISC)² Dallas Fort Worth Chapter.
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great a threat as regulatory enforcement by agencies such as the FTC and SEC, or shareholder derivative claims for officer and director liability; and
(5) The odds are that every company will be breached, but preparation and diligence can help keep such a breach from becoming a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk businesses face of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. Because of this crisis environment, it then addresses the need for leadership in keeping the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events and legal counsel is the natural leader that should fulfill this role and how they can do so. It will then discuss the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from such an incident and failing to properly respond to the incident. This section includes a discussion of the cybersecurity lawsuit landscape, cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom (IBM Security)
View on-demand: http://bit.ly/1OLCGgd
Cybersecurity incidents have significant impact beyond the IT organization, representing a significant risk to ongoing business continuity and reputation and requiring heightened engagement across the entire executive team. Common wisdom is that security leaders need to speak in ways the business will understand, but what does that really mean? And how does the business side of an organization view security? To answer these questions, IBM conducted a survey of over 700 C-Suite executives (excluding the CISO) from 28 countries, across 18 industries, to understand any patterns as well as any differing or aligning attitudes on cybersecurity. 60 percent of respondents are located in mature markets and 40 percent in emerging markets. Participants spanned traditional C-Suite roles, from CEOs and Board members to CFOs, Chief Risk Officers, CMOs, COOs, Human Resource executives, Chief Compliance Officers and Legal Counsel.
View this webinar to hear Diana Kelley, Executive Security Advisor in IBM Security, and Carl Nordman, Functional Research Lead for CFO and Cybersecurity in the IBM Institute for Business Value, discuss findings from the 2015 C-Suite Cybersecurity Study "Securing the C-Suite - Cybersecurity Perspectives from the Boardroom and C-Suite."
This webinar will cover an overview of the study findings, including:
C-Suite views of the risks and actors - Is the C-Suite view aligned with security reality?
IT and business alignment / collaboration – Who's engaged and who's not?
The tone from the top on external collaboration and sharing of incident information
Characteristics of more "Cyber-Secure" companies based on C-Suite responses to what their organization has accomplished
Sans 20 CSC: Connecting Security to the Business Mission, by Tripwire
You know the old break-up line, “it’s not you, it’s me….”? As a CISO, what if when you get your few minutes to discuss security with the C-suite, board of directors or mission leadership, it really turns out to be you not them who failed in the communication?
Lack of success in communicating with your C-suite could lead to a breakup sooner or later. I’ve had hundreds of conversations with and about CISOs communicating on topics ranging from security breach information, status, performance metrics, risk, visualizations, or overall security posture with their executive leadership.
And largely, it turns out to be no surprise that communicating security information is incredibly difficult, especially with non-technical, disinterested, or time-constrained C-suite executives.
Success with SANS
The initial UMASS Security Program was based on the ISO/IEC 27002 controls framework; then, starting in 2011, the SANS 20 CSC were added. Today’s program includes both. The ISO controls focus on program management, compliance, and process from an IT auditor’s perspective, while the SANS controls focus on technology, which means they are better aligned with IT operations.
Prior to 2011, Wilson was having difficulty communicating with executive management (CIOs and others) – it was difficult to translate the purchase and implementation issues surrounding firewalls, anti-virus, and vulnerability scanning into easily familiar business terms and concepts relevant to management and process.
However, when he ditched trying to explain the ISO/IEC 27002 security controls framework in favor of using the SANS 20 CSC, he was able to communicate much more effectively with his C-suite for the first time in a way they could absorb and support.
In addition, he and his team have been able to map out a measurable and actionable security program based on SANS that he regularly succeeds in communicating to his executive team.
Here are my slides on "Board and Cyber Security" that I presented at the Just People Information Security breakfast this morning. Thanks Adam for arranging the session and those who attended.
What CIOs Need To Tell Their Boards About Cyber Security, by Karyl Scott
Companies are under increasing risks of breaches, theft of intellectual property and erosion of customer trust. CIOs and CISOs need to be able to explain to executive management what's being done to shore up their company's security strategy and defenses.
Most boards of directors don't have someone that understands cyber security issues. As a consequence, they can't provide the proper oversight over the companies they are responsible for. This presentation will cover the issues boards of directors need to understand, what questions board members need to ask and how to communicate with them.
Presentation to (ISC)2 Omaha-Lincoln Chapter meeting on March 15th, 2017. This presentation looks at managing compliance with multiple cybersecurity laws and regulations across different industries using the NIST Risk Management Framework.
Cybersecurity Risk Management for Financial Institutions, by Sarah Cirelli
The New York State Department of Financial Services has been closely monitoring this ever-growing threat and has proposed regulations that would require financial services companies to adopt a cybersecurity program to protect their customers, employees, data and operations. Its proposed changes are expected to take effect on March 1, 2017. Financial services companies would have until Feb. 15, 2018, to submit a certificate of compliance with the program. Components of New York's proposed cybersecurity program are outlined in this article.
Presentation given at the International East-West Security Conference in Rome - November 2016. The presentation begins with a review of Models of the Internet and CyberSpace such as those based upon IP Hilbert Space. We then discuss the transformation from 20thC Physical Threats (Speed of Sound) to the 21stC Cyber Threats (Speed of Light) such as CyberCrime, CyberTerror, CyberEspionage and CyberWar from sources such as the UN/ITU and the World Economic Forum. The core presentation explores Cyber Scenarios for 2018 (Integrated Security), 2020 (Adaptive Security), 2025 (Intelligent Security) and 2040 (Neural Security). We consider the New Generation of Tools based upon Machine Learning & Artificial Intelligence that use Self-Learning & Self-Organisation. We consider the application of these tools for the effective defence of Critical National Infrastructure and also to enhance Cybersecurity for the Internet of Things. We review some of the latest Cyber Ventures that provide Security Solutions based upon Machine Learning. Finally, we provide a suggested TOP 10 Actions for your Business to upgrade Cybersecurity & Mitigate Future Attacks!
While boards of directors may understand the importance of cybersecurity, many lack crucial knowledge and visibility into issues and risks, which breeds a lack of trust between the board and IT security professionals. On this site, you’ll find a variety of resources to help bridge those gaps and bring the two groups together so organizations can better defend against advanced threats.
Cybersecurity is a constant, and, by all accounts growing, challenge. Although software products are gradually becoming more secure and novel approaches to cybersecurity are being developed, hackers are becoming more adept, their tools are better, and their markets are flourishing. The rising tide of network intrusions has focused organizations' attention on how to protect themselves better. This report, the second in a multiphase study on the future of cybersecurity, reveals perspectives and perceptions from chief information security officers; examines the development of network defense measures — and the countermeasures that attackers create to subvert those measures; and explores the role of software vulnerabilities and inherent weaknesses. A heuristic model was developed to demonstrate the various cybersecurity levers that organizations can control, as well as exogenous factors that organizations cannot control. Among the report's findings were that cybersecurity experts are at least as focused on preserving their organizations' reputations as protecting actual property. Researchers also found that organizational size and software quality play significant roles in the strategies that defenders may adopt. Finally, those who secure networks will have to pay increasing attention to the role that smart devices might otherwise play in allowing hackers in. Organizations could benefit from better understanding their risk posture from various actors (threats), protection needs (vulnerabilities), and assets (impact). Policy recommendations include better defining the role of government, and exploring information sharing responsibilities.
For Corporate Boards, a Cyber Security Top 10, by David X Martin
Corporate boards of directors have a fiduciary duty to understand and oversee cyber security. For most effective oversight, boards should approach cyber security from a good management-practices perspective rather than a technical perspective.
White paper cyber risk appetite defining and understanding risk in the moder..., by balejandre
Managing risk is a balancing act for organizations of all sizes and disciplines. While some organizations take on too much risk, others arguably do not take on enough. Complicating this equation is the emergence of cyber as one of the most impactful sources of risk in the modern enterprise.
In January-February 2016, the EIU surveyed 1,100 senior executives on data security practices within their firms. The survey’s primary objective was to analyse the differences, if any, between the C-suite and senior IT executives on data security.
The survey sample was recruited from companies with between $500 million and $10 billion in revenues, and is equally representative of the Americas, Asia-Pacific and European regions. The panel came from 20 industries, with no single industry accounting for more than 14% of the total.
This was a survey of senior executives. The C-suite segment, sometimes referred to herein as senior management or corporate leadership, consisted exclusively of C-suite executives (eg CEOs, CFO, COOs). The security segment, sometimes referred to herein as the security executives, consisted of the CIO and those who identified themselves as Chief Data Officers or Chief Information Security Officers (CISOs).
Each panel was asked an identical set of 20 questions, and the results have been reviewed for insight and commentary by a panel of independent experts.
Current enterprise information security measures continue to fail us. Why is ..., by Livingstone Advisory
Conventional information security measures continue to fail our businesses in today’s rapidly changing world of cyber-risk. Adverse cyber-events manifest themselves as the usual suspects including data breaches, information theft, ransom- and malware, viruses, payment card fraud, DDOS attacks or physical loss – to name but a few.
Problem is, the tally of adverse events keeps mounting up. While headline adverse cyber incidents are now reported in the media with regularity, this represents the tip of the cyber-risk iceberg. Most known events are either unreported or hidden from public disclosure. Not helping is the industry analysis suggesting that, on average, nearly half of all adverse cyber-risk events impacting organisations are self-inflicted and avoidable. No industry is untouched.
Delivered at the CIO Summit in Melbourne, Australia in November 2016, in this presentation, Rob offers valuable strategic insights into the problem and why it continues to be a problem.
He outlines some practical steps that will be helpful for CIOs and CISOs in reshaping their own organisation’s approach in building a more effective and resilient information security capability.
Booz Allen's U.S. Commercial Leader and Executive Vice President, Bill Phelps, recently released his list of 10 Cyber Priorities for Boards of Directors. As we peer into how business, technology, regulatory, and cyber threat realities are evolving in the coming year, here is a reference guide for board members to use in validating their company's cybersecurity approach.
State of Security Operations 2016 report of capabilities and maturity of cybe..., by at MicroFocus Italy
As businesses continue to adopt new cloud and mobile functionality rapidly, we find the edges of the network even more blurred, and our definitions of data ownership and breach responsibility continue to evolve. Staffing and training continue to be the foremost challenge of the modern SOC. This is paving the way to hybrid staffing models and hybrid infrastructures that require less in-house expertise. As a result, highly skilled security team members can then be utilized for more specialized hunt and analytics-focused work.
There is no question this year has been both an exciting and challenging time to be in the field of cyber security. On one hand, it is disheartening to see the continued decline in the maturity and effectiveness of security operations, while, on the other, I know that we are in the middle of an exciting and transformative change in our field. You can feel it. We must go where the data leads us, and we believe that is to widen our definition of security operations to leverage analytics, data science, Big Data, and shared intelligence to become more effective in protecting today’s digital enterprise.
How to Connect Your Server Room to the Board Room – Before a Data Breach Occurs, by SurfWatch Labs
With the board room increasingly being held accountable for data breaches, it's crucial that they know and understand the cyber risks facing their organization.
The Science and Art of Cyber Incident Response (with Case Studies), by Kroll
In this joint presentation for the ISSA-LA Summit X in Los Angeles, Jennifer Rathburn, a cybersecurity and data privacy law expert at Foley & Lardner LLP and William Dixon, Associate Managing Director in Kroll's Cyber Risk practice, highlight three incident response scenarios and tips on breach preparation and response.
To learn more, contact Jennifer or William at:
Jennifer Rathburn, Foley & Lardner LLP
jrathburn@foley.com; 414-297-5864
William Dixon, Kroll, a Division of Duff & Phelps
william.dixon@kroll.com; 213-247-3973
UiPath Test Automation using UiPath Test Suite series, part 4, by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova..., by Ramesh Iyer
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Key Trends Shaping the Future of Infrastructure.pdf, by Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality, by Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
UiPath Test Automation using UiPath Test Suite series, part 3, by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
State of ICS and IoT Cyber Threat Landscape Report 2024 preview, by Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities, spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Neuro-symbolic is not enough, we need neuro-*semantic*, by Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024, by Tobias Schneck
As AI technology pushes into IT, I was wondering, as an “infrastructure container kubernetes guy”, how this fancy AI technology gets managed from an infrastructure operational view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies that could be beneficial for, or limiting to, your AI use cases in an enterprise environment. An interactive demo will give you some insights into the approaches I already have working for real.
Epistemic Interaction - tuning interfaces to provide information for AI support, by Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
GraphRAG is All You need? LLM & Knowledge Graph, by Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do..., by UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
Andras Palfi, Senior Product Manager, UiPath
Lenka Dulovicova, Product Program Manager, UiPath
Cybersecurity in the Boardroom
Technology Risk E-Book
Audit | Tax | Advisory | Risk | Performance
Cybersecurity in the Boardroom: A Briefing Guide for C-Level Executives to Threats, Tactics, and Strategies
• Six Critical Questions to Assess Cybersecurity Readiness
• Ten Principles of Corporate Governance for Management and the Board
• Five Steps to Establish and Maintain a Cybersecurity Road Map
• Plus: Seven Crowe Insights to Share on LinkedIn
www.crowehorwath.com
Introduction
Boards of directors have extremely limited capacity for taking on new areas of oversight. Given that constraint, it is noteworthy that cybersecurity has escalated to a board-level concern and could become one of the decade’s major corporate governance trends.
Company executives and top management used to be responsible for meeting the ongoing strategic challenges in their industries. For example, being an oil executive was sufficient experience for running an oil company, being a retail executive was sufficient for running a retail firm, and so on.
The demands on management have changed with the times. The digital age has brought about a convergence such that no matter the industry, executives now struggle with a set of common concerns related to technology strategy and information security. Across widespread, globalized supply chains, organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent. This digital convergence opens profitable opportunities and markets but brings with it additional risks and exposures.
CEOs and other high-level executives need a starting point for understanding and responding to growing board-level concerns about cybersecurity. To help with this objective, Crowe Horwath LLP examines why the subject has escalated to the board level and how executives should guide their board members in thinking about cybersecurity issues.
Crowe Insight: Organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent – opening up profitable opportunities but also additional risks and exposures.
Cybersecurity Readiness: Is Your Organization Prepared?
According to The Institute of Internal Auditors Research Foundation (IIARF), the critical questions to consider when assessing the cybersecurity readiness of a board of directors are:[1]
• Does the organization use a security framework?
• What are the top five risks the organization has related to cybersecurity?
• How are employees made aware of their roles related to cybersecurity?
• Are external and internal threats considered when planning cybersecurity program activities?
• How is security governance managed in the organization?
• In the event of a serious breach, does management have a robust response protocol?
Executives have become acutely aware of their personal stakes in facilitating adequate cybersecurity by preventing incidents and responding to data breaches in an appropriate manner. Their jobs are on the line. Yet the decades of industry experience that make someone a great leader in his or her industry might not foster the knowledge or relationships needed to respond to a major cybersecurity threat.
In addition to the financial damage that ensues, a data breach causes significant exposure to reputational risk. An apt illustration is the recent Sony Entertainment Inc. hack in which executives’ reputations appeared to be among the attack’s principal targets.[2] In such a case, with management having to deal with matters of national security, the board’s input and participation become essential.
The list of companies beset by data breaches in recent years includes some of the marketplace’s highest-profile brands across a broad spectrum of industries, including The Home Depot Inc.[3] and Target Corp.[4] in retail; Domino’s Pizza[5] and P.F. Chang’s China Bistro Inc.[6] in restaurants; JPMorgan Chase & Co.[7] in banking; and Adobe Systems Inc.,[8] Apple Inc.,[9] and eBay Inc.[10] in the technology sector. Even being a relatively low-profile organization provides no assurance of safety, as seen by breaches at the Montana Department of Public Health and Human Services,[11] Community Health Systems Inc.,[12] and Goodwill Industries International Inc.[13]
In fact, data breaches have become extremely common, with an estimated 43 percent of companies experiencing one in the past year.[14] In 2014, just counting those confirmed by media sources or subject to notification through state governmental agencies, there were a record-high 783 data breaches in the U.S.,[15] which, due to patchwork reporting regulation and systemic underreporting, understates the problem.
Yet not all data breaches are motivated by criminal gain or malicious intent. For most, some sort of glitch or human error is the cause.[16] In fact, employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or acting as a contributing factor to a cyberattack.[17] Human errors take the forms of misconfiguration, a lack of patching, and “social engineering” in which an attacker convinces an employee to provide sensitive information. These avenues enable attackers to deploy point-of-sale malware, botnets, and viruses; exploit zero-day vulnerabilities; or make use of stolen or out-of-date credentials.
Crowe Insight: The list of companies beset by data breaches includes some of the marketplace’s highest-profile brands across a broad spectrum of industries, including retail, banking, and the technology sector.
A data breach of any type can cause severe financial repercussions. According to IBM Corp.’s eight-factor model, breaches cost an average of $145 per record lost.[18]
In the event of a breach – especially one that becomes public knowledge – an organization has to handle a diverse, exhausting set of demands from multiple constituencies:
• Technical remediation involving internal IT and external consultants
• Media and public relations – an even more difficult task when coping with a high-profile “branded” attack, such as one that involved the Heartbleed bug
• Liaisons with government officials at the federal, state, and local levels in accordance with differing breach notification and consumer protection statutes
• Customer communications, including outbound messages about notifications and remediation and inbound response teams to handle the volume of status inquiries
As such, the responsibility falls on boards of directors to provide an additional layer of external oversight to confirm that their organizational leadership is prepared adequately with incident response plans, evaluated regularly through independent cybersecurity assessments, and guided by cybersecurity road maps designed to address long-term threats.
Crowe Insight: Cybersecurity assessments include identifying critical data, mapping data stores, performing a controls risk analysis, rating the maturity of security controls, and building remediation plans.
Despite cybersecurity’s immense challenge, the general principles of corporate governance remain intact. In dividing the responsibility, management has full charge for executing the specific steps required to mitigate risk while the board of directors acts largely in an oversight and advisory role.
Principal responsibilities for management:
1. Perform a cybersecurity assessment. The Crowe approach, which combines input from the leading industry frameworks with Crowe professionals’ extensive experience, provides a highly practical, comprehensive approach to assessing cybersecurity risks, exposures, and vulnerabilities. Cybersecurity assessments include the following steps:
   • Identify critical data.
   • Map data stores and flows.
   • Perform a controls risk analysis.
   • Rate the maturity of security controls.
   • Build short- and long-term remediation plans.
2. Perform an ecosystem assessment. Verify that vendors and outsourcing providers also have adequate cybersecurity controls.
3. Facilitate global review. Evaluate data protection laws and breach disclosure requirements in each country or state in which the organization does business.
4. Follow frameworks. Meet the appropriate requirements of the NIST cybersecurity framework, ISO 27001 standards, and industry-specific frameworks and/or standards – for example, PCI for retailers, SEC for public companies and financial regulators. Efforts taken to meet the requirements of multiple security frameworks and/or standards can be rationalized using the Unified Compliance Framework, a tool that includes a regulations database for centralized compliance.
5. Form a mitigation plan. Establish an internal risk management framework supported with adequate staffing and a budget for achieving compliance.
Principal responsibilities for the board of directors [19]:
1. Revise the agenda. Cybersecurity once was viewed as an IT issue, but given cyberattacks’ present frequency and intensity, the topic now is considered an enterprisewide, operational risk management issue to be monitored closely by the board.
2. Facilitate legal review. Depending on the region and industry, cybersecurity will have varying legal implications pertaining to board responsibilities, and these implications should be reviewed by counsel and monitored for changes.
3. Enhance expertise. The challenge’s technical nature requires boards to have access to cybersecurity expertise, through either the election of specialists in the field or use of external consultants.
4. Set expectations. In addition to or in conjunction with existing goals and responsibilities, management should be monitored, measured, and compensated based on its ability to establish and enforce an enterprisewide risk management framework that can lower the risk of cybersecurity breaches.
5. Maintain frameworks. The adoption of a cybersecurity framework is not a one-time affair; rather, security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources. The board needs to set the parameters of frameworks’ evolution.
Crowe Insight
Security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources.
The Board of Directors: Achieving Cybersecurity Excellence
Crowe Insight
Whether a cybersecurity-related incident causes damage or not, it offers a valuable opportunity to evaluate what went wrong and right.
In meeting these responsibilities, a board of directors should take steps to provide effective oversight of cybersecurity risk mitigation along with sound advice to executive management.

Learn from recent breaches and breach attempts. Every cybersecurity-related incident, whether or not it causes damage, offers a valuable opportunity to evaluate what went wrong and right.
• If the organization has been affected by a breach, ask, “How did we react? What did we tell our customers?”
• If not affected, ask, “What prevented the breach? What would have happened if we had been breached?”

Stress test the incident response plan. Similar to a disaster recovery plan, the specifics of an incident response plan have to be carefully planned and tested.
• Board members should understand their personal roles in the response plan and have access to resources to fulfill their responsibilities as outlined in the plan.
• Board members should be aware of the expected reactions to a breach from regulators, law enforcement, customers, and other stakeholders.
• Following an attack on the company or broader industry, the board should convene to review the company’s response.
Perform an independent cybersecurity assessment. For a cybersecurity assessment, as with any other type of evaluation, the board of directors should not rely entirely on information from management to assess management’s own performance. Accordingly, it is essential to receive an independent evaluation of how the organization is meeting the requirements of the various cybersecurity frameworks. An effective, independent cybersecurity assessment will evaluate:
• Qualifications and capabilities of the cybersecurity team
• The state of the organization’s IT and cybergovernance
• Reporting relationships among the CEO, CIO, chief information security officer, chief audit executive, and other relevant executives
• Preventive controls and security awareness training
• Other organizations in the industry or organizations of similar size in other industries, as a basis for comparison
Establish and maintain a cybersecurity road map. Much like a technology road map, a cybersecurity road map provides a consensus-driven framework for achieving realistic short- and long-term objectives. A cybersecurity road map not only defines the extent to which an organization intends to protect itself against data breaches but moderates risk tolerances in different areas to employ the optimal alignment of people, processes, and technology. A cybersecurity road map should include the following elements:
• Annual health checks. Establish the capability to review the performance of the cybersecurity response team through interviews and independent data reviews.
• Year-by-year milestones. Set expectations for annual improvements in incident rate, incident response time, employee training hours, and levels of compliance with cybersecurity frameworks.
• Risk tolerances. For each type of risk faced by an organization, identify the risk tolerance – which risks to avoid, which to accept, which to mitigate through an operational response, and which to transfer through insurance.
• Cybersecurity insurance. Insurance’s cost is expected to vary greatly in coming years. Price increases will be affected by the threat level and virulence of attack vectors, with decreases driven by the extent to which technology solutions succeed at improving cybersecurity’s efficacy. Given the attention and investment in the cybersecurity sector, as well as interest in the category by the insurance industry, it’s quite possible or even likely that an organization that currently self-insures against cybersecurity risks will find cybersecurity insurance a much more attractive proposition in the years to come. The board of directors should have a sense of the right price for coverage at the organization and, based on a set of planning assumptions, incorporate those expectations into the road map.
• Long-term remediation plans. The cybersecurity road map and the broader technology road map can converge to rework business processes with the aim of reducing exposure to cybersecurity threats. Given that the human element in the form of employee negligence plays a contributing role in the majority of data breaches, it follows that an approach that supplements human labor with artificial intelligence potentially would reduce the overall risk of operations from a cybersecurity standpoint. These and other long-term considerations should be incorporated into the cybersecurity road map for annual review.

43% of companies experienced a data breach in the past year.

Crowe Insight
Perform an independent cybersecurity assessment to determine if the organization is meeting the requirements of the various cybersecurity frameworks.
In the next several years, boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats. Even as technology enables powerful new business models that still are being explored, IT infrastructures remain relatively immature from a cybersecurity perspective. Until the security model catches up with the business model, organizations will be exposed to malicious and criminal actions.

Through their cross-industry exposure, high-level perspective, and influence, board members can guide management toward proper cybersecurity planning and mitigation, quickening the process of adaptation to the present threat environment.

Given the participation of well-funded adversaries, it’s unlikely the cybersecurity threat ever will go away. But it’s certainly within the grasp of any organization to stop making simple mistakes, improve overall awareness, and establish a solid course toward a safer computing environment that’s ready to do business in the 21st century.
Crowe Insight
Cross-industry exposure allows board members to guide management toward proper cybersecurity planning and mitigation more quickly.
Boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats.
Sources

1. Sajay Rai, “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, Aug. 2014, pp. 14-15.
2. “Sony’s hacked e-mails expose spats, director calling Angelina Jolie a ‘brat,’” The Washington Post, Dec. 11, 2014, http://www.washingtonpost.com/business/economy/sonys-hacked-e-mails-expose-spats-director-calling-angelina-jolie-a-brat/2014/12/10/a799e8a0-809c-11e4-8882-03cf08410beb_story.html
3. “Home Depot: 56M Cards Impacted, Malware Contained,” Krebs on Security, Sept. 18, 2014, http://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted-malware-contained
4. “Target’s Data Breach Gets Worse: 70 Million Customers Had Info Stolen, Including Names, Emails and Phones,” TechCrunch, Jan. 10, 2014, http://techcrunch.com/2014/01/10/targets-data-breach-gets-worse-70-million-customers-had-info-stolen-including-names-emails-and-phones
5. “The €30k data takeaway: Domino’s Pizza faces ransom demand after hack,” The Guardian, June 16, 2014, http://www.theguardian.com/technology/2014/jun/16/dominos-pizza-ransom-hack-data
6. “Banks: Credit Card Breach at P.F. Chang’s,” Krebs on Security, June 10, 2014, http://krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs
7. “Neglected Server Provided Entry for JPMorgan Hackers,” The New York Times DealBook, Dec. 22, 2014, http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/?_r=0
8. “Over 150 million breached records from Adobe hack have surfaced online,” The Verge, Nov. 7, 2013, http://www.theverge.com/2013/11/7/5078560/over-150-million-breached-records-from-adobe-hack-surface-online
9. “Apple Developer site hack: Turkish security researcher claims responsibility,” The Guardian, July 22, 2013, http://www.theguardian.com/technology/2013/jul/22/apple-developer-site-hacked
10. “EBay client information stolen in hacking attack,” Reuters, May 21, 2014, http://articles.chicagotribune.com/2014-05-21/business/chi-ebay-passwords-20140521_1_ebay-shares-ebay-users-u-s-company
11. “Montana Health Department Hacked,” InformationWeek, June 25, 2014, http://www.informationweek.com/healthcare/security-and-privacy/montana-health-department-hacked/d/d-id/1278872
12. “Community Health says data stolen in cyber attack from China,” Reuters, Aug. 18, 2014, http://www.reuters.com/article/2014/08/18/us-community-health-cybersecurity-idUSKBN0GI16N20140818
13. “Breach at Goodwill Vendor Lasted 18 Months,” Krebs on Security, Sept. 16, 2014, http://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months
14. “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197
15. “Identity Theft Resource Center Breach Report Hits Record High in 2014,” Identity Theft Resource Center, Jan. 12, 2015, http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html
16. “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf
17. “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197
18. “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf
19. Based on principles established by the National Association of Corporate Directors, as listed in “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, http://www.theiia.org/bookstore/product/cyber-security-what-the-board-of-directors-needs-to-ask-download-pdf-1852.cfm