Marc Brawner, a principal at Kroll with over 23 years of experience in IT and cyber security, oversees endpoint threat monitoring and complex incident investigations. Kroll provides global risk and investigative services, focusing on helping clients manage and mitigate cyber security risks through a diverse team of experts. The document emphasizes the importance of strong governance, the evolving role of cybersecurity within organizations, and the necessity of a proactive approach to risk management by engaging dedicated resources and third-party expertise.

1. Who has the ball in
[Cyber | IT | Information] Security?
Marc Brawner
Principal
Cyber Security and Investigations
Nashville, TN

2. Proprietary and Confidential — External Use Only2
Marc Brawner
With over 23 years of experience in information technology, including 18 years focused on cyber security, Marc is
a true expert in cyber risk management, incident response, and forensic investigations. He brings an
extraordinary level of experience and knowledge, having led or participated in hundreds of cyber security matters
at organizations around the USA and abroad.
Today, Marc oversees the practice's endpoint threat monitoring and analysis team, while also leading and
supporting complex incident investigations, and providing guidance on a range of technology and cyber security
matters to Kroll colleagues and clients worldwide.
Marc returned to Kroll in 2013 after spending seven years at Marsh & McLennan Companies, a Fortune 200 firm,
where he led its global information security incident response and risk assessment teams. Earlier in his career at
Kroll, Marc implemented and managed a variety of technology and security solutions, developed and implemented
policy and regulatory compliance programs, and managed information technology teams.
Marc is a Tennessee native and holds a bachelor’s degree in Computer Science from Lipscomb University, along
with several industry certifications, including: Core PCI Forensic Investigator and Qualified Security Assessor, PCI
Security Standards Council (PFI/QSA); Certified Information Systems Security Professional (CISSP); Certified in
Risk and Information Systems Control (CRISC).
Principal
Cyber Security & Investigations
mbrawner@kroll.com

3. Proprietary and Confidential — External Use Only3
Who we are
Kroll is the leading global provider of risk and investigative services,
helping clients anticipate, detect, mitigate, and respond to risk.
TRUSTEDPARTNER
+40
• Help clients make confident risk
management decisions about:
people, assets, operations and security
• Provide an unparalleled range
of services and solutions
77% DIVERSE
years
EXPERTISEFORTUNE100
• Regularly work on the most complex and
highest profile matters in the world
• Extensive global network allows us to
efficiently and effectively address
challenging situations
Former members of law enforcement
agencies including the FBI, US Secret
Service, Dept. of Homeland Security, Dept.
of Defense, Dept. of Justice, Ministry of
Defense. Other expertise includes:
computer forensic analysts, forensic
accountants, information security analysts,
former prosecutors, business intelligence
analysts, and investigative journalists.

4. Proprietary and Confidential — External Use Only4
Global, expert team
Kroll has offices in 20 countries and
more than 30 cities
Language fluency includes:
Arabic, Bengali, Chinese, English, French, German,
Hindi, Japanese, Portuguese, Punjabi, Russian, and Spanish
Expertise includes:
Cyber Risk Management, Due Diligence & Compliance Management, Business
Intelligence & Investigations, Security Risk Management
Licenses / Certifications include:
Payment Card Industry Data Security Standard (PCI DSS), Qualified Security
Assessor (QSA), Certified Information Systems Security Professional (CISSP),
Certified Business Continuity Professional (CBCP)

5. Proprietary and Confidential — External Use Only5
Best Cyber Security
Provider
2017 National Law Journal Reader
Choice Survey
“[Kroll] is capable of being a one-
stop shop for multiple services
relating to breach response,
from forensic investigations to
support for clients in litigation
issues.
THE FORRESTER WAVE™: CUSTOMER DATA BREACH NOTIFICATION AND
RESPONSE SERVICES, Q4 2017
Best Litigation Dispute
Advisory Services
Consultant
2017 National Law Journal
Reader Choice Survey
Cyber security solutions
Some recent awards and recognitions
Best Corporate
Investigations
Provider
2017 National Law Journal Reader
Choice Survey
“Leader” in Customer
Data Breach and
Notification
THE FORRESTER WAVE™: CUSTOMER DATA
BREACH NOTIFICATION AND RESPONSE
SERVICES, Q4 2017

6. Proprietary and Confidential — External Use Only6
 Why does your institution need an information technology program?
 Why does your institution need an information security program?
 Understand key differences between Information Technology and
Cyber/Information Security
 Review roles and responsibilities
 Review industry guidance and trends
 Review board level considerations
 Discuss modern threats and defenses
Session Agenda

7. Proprietary and Confidential — External Use Only7
Why do
we need
IT?

8. Proprietary and Confidential — External Use Only8
Information Technology
 Design, implement and operate critical business technology
 Servers
 Workstations
 Networks
 Telephony and communication tools
 Business applications
 Manage electronic data and information storage
 Develop strategic technology plans and objectives consistent with business
needs

9. Proprietary and Confidential — External Use Only9
Why do
we need
Security?

10. Proprietary and Confidential — External Use Only10
Information Security
 Security
 Resilience from harm
 Information Security
 Program, process, and activities designed to protect
the confidentiality, integrity, and availability of
information.
 Cyber Security
 Focus on digital information and systems

11. Proprietary and Confidential — External Use Only11
Information Security Triad
Confidentiality
IntegrityAvailability

12. Proprietary and Confidential — External Use Only12
 Information security
 …is the process by which a financial institution protects the creation, collection,
storage, use, transmission, and disposal of sensitive information, including the
protection of hardware and infrastructure used to store and transmit such
information.
 …promotes the commonly accepted objectives of confidentiality, integrity, and
availability of information and is essential to the overall safety and soundness of
an institution.
FFIEC Guidance

13. Proprietary and Confidential — External Use Only13
 Information security exists to provide protection from malicious and non-
malicious actions that increase the risk of adverse effects on earnings,
capital, or enterprise value.
 The potential adverse effects can arise from the following:
 Disclosure of information to unauthorized individuals.
 Unavailability or degradation of services.
 Misappropriation or theft of information or services.
 Modification or destruction of systems or information.
 Records that are not timely, accurate, complete, or consistent.
Source: FFIEC IT Examination Handbook (2016)
FFIEC Guidance

14. Proprietary and Confidential — External Use Only14
IT
Operations
• Store
• Process
• Transmit
• Access
Information
Security
• Understand
Risk
• Appropriately
Secure
• Monitor
Information Security and IT Ops

15. Proprietary and Confidential — External Use Only15
IT Operations
IT
Security/Risk
Management
Confidentiality
Integrity
Delivery
Availability
Balancing Act

16. Proprietary and Confidential — External Use Only16
 Develop and implement IT strategy
 Oversee IT budget
 IT acquisition, development, training
 IT architecture
 Planning
 Supporting lines of business strategy
Roles and Responsibilities – CIO/CTO/IT Manager

17. Proprietary and Confidential — External Use Only17
 Management and mitigation of information security risks
 Implementing information security strategy
 Address current and emerging risks
 Work with business on information flows, risks, and protection
 Championing security awareness and training
Roles and Responsibilities – CISO/ISO/Risk Mgr

18. Proprietary and Confidential — External Use Only18
Roles and Responsibilities
 Develop and implement IT strategy
 Oversee IT budget
 IT acquisition, development, training
 IT architecture
 Planning
 Supporting lines of business strategy
 Management and mitigation of
information security risks
 Implementing information security
strategy
 Address current and emerging risks
 Work with business on information
flows, risks, and protection
 Championing security awareness
and training
 Building external relationships
 IR Planning
CIO/CTO/IT Manager CISO/CSO/Risk Manager

19. Proprietary and Confidential — External Use Only19
 “While in the past, the office of the CISO was considered a technology
function, the role has become a strategic and integral part of the business
management team.”
 “The CISO should be an enterprise-wide risk manager, rather than a
production resource devoted to IT operations.”
Why?
CISO Evolution

20. Infosec Theory Evolution
Perimeter
Defense In
Depth
Assumption
of Breach

21. Proprietary and Confidential — External Use Only21
Tool Based Strategy?
Technical
Controls
Operations Governance
Most Data Breaches Occur When This Strategy Is Used!

22. Proprietary and Confidential — External Use Only22
Most Effective Strategy to Mitigate Risk!
Governance Operations
Technical
Controls

23. Proprietary and Confidential — External Use Only23
 Information security officers should report directly to the board or senior
management
 NOT IT operations management
 Ensures appropriate segregation of duties
 Information security officers should be responsible for responding to security
events by ordering emergency actions to protect the institution and its
customers from imminent loss of information; managing the negative effects
on the confidentiality, integrity, availability, or value of information; and
minimizing the disruption or degradation of critical services.
FFIEC: Reporting Structure

24. Proprietary and Confidential — External Use Only24
 Frequent conflicts of interest
 Too many ‘hats’ for one person, team, or role
 Increased complexity of technology
 Increased complexity of threats and vulnerabilities
 Different skills, education and training paths
 Often follows tool-based strategy
 Often minimizes or misses subtle clues of exposure
 Incident management
 What happens during a crisis?
Pitfalls of IT driven information security

25. Proprietary and Confidential — External Use Only25
 The board, or designated board committee,
should be responsible for:
 overseeing the development, implementation, and
maintenance of the institution’s information
security program;
 holding senior management accountable for its
actions.
FFIEC: Role of the Board of Directors

26. Proprietary and Confidential — External Use Only26
 Consider prior evolution of board to address and validate financial statement
accuracy
 Proliferation of cybersecurity risks now trumps financial accounting risks
Increasing Board Oversight

27. Proprietary and Confidential — External Use Only27
 Cybersecurity risks pose grave threats to investors, our capital markets, and
our country…
 Regulation S-K ... Require a company to disclose the extent of its board of
directors’ role in the risk oversight of the company…
 “To the extent cybersecurity risks are material to a company’s business,
we believe this discussion should include the nature of the board’s role in
overseeing the management of that risk.”
 “We believe disclosures regarding a company’s cybersecurity risk
management program and how the board of directors engages with
management on cybersecurity issues allow investors to assess how a board of
directors is discharging its risk oversight responsibility…”
https://www.sec.gov/rules/interp/2018/33-10459.pdf
Recent SEC Guidance – February 26, 2018

28. Proprietary and Confidential — External Use Only28
 A key question in 2018 is not, “Do we have a security
program”
 Rather, “Is our program actually working to reduce risk as
intended?”
Board Oversight

29. Proprietary and Confidential — External Use Only29
 Create a cyber security committee (similar to audit
committee)
 Add cyber expertise to board
 Engage third party to conduct annual review (similar to
accounting audit) and participate in strategy
 Require management reporting and feedback
Board Modernization
https://corpgov.law.harvard.edu/2018/03/31/cybersecurity-the-secs-wake-up-
call-to-corporate-directors/

30. Proprietary and Confidential — External Use Only30
 Absolutely! 
 Leading security advisory and incident response firms offer
 Exposure to ongoing threats, real-world incidents, and what works (or
doesn’t)
 Neutral understanding of business risk without politics
 Articulate effective risk management priorities and practices based on
experience
 Can’t fully shift responsibility, however.
What about Outsourcing?

31. Proprietary and Confidential — External Use Only31
Information Security Funding?

32. Proprietary and Confidential — External Use Only32
Where is your sensitive/ regulated data?
Creation
Transmission
Reproduction
Physical
Transport
Storage
Disposal
Intellectual
Property

33. Proprietary and Confidential — External Use Only33
20 CSC is Minimum Standard
The 20 Critical Security Controls “identify a minimum
level of information security that all organizations that
collect or maintain personal information should meet.
The failure to implement all the Controls that
apply to an organization’s environment constitutes a
lack of reasonable security.
California Data Breach Report (Feb 2016) Attorney Gen. Kamala D. Harris

34. Cyber Threat Landscape
THREATS
• Criminals / criminal
organizations
• Terrorists / non-
government
organizations
• Hacktivists
• Foreign governments
• Employees
• Regulatory penalties
• Reputational damage
• Financial loss
TARGETED
ASSETS
• Customer
• Personal
information
• Health Data
• Account data
• Financial system
functions- AR & AP
• Financial assets
• Employee PII
• Intellectual property
• Network bandwidth
ATTACK
METHODS
• Spearphishing
• Web site attacks
• Social engineering
• DDoS
• Data destruction
• Data alteration

35. TRADITIONAL
TOOLS
• Antivirus
• Network Firewall
• IDS
• Helpdesk
• Policies
• SOC
MODERN
TOOLS
• Endpoint Monitoring
• Threat Hunting
• Managed Detection/IR
• Application firewall
• User Behavior Analytics
Modern Cyber Tools
Building a higher level cyber security program

36. Proprietary and Confidential — External Use Only36
What is Your Narrative?
 Reasonable Measures Implemented
 Attacker Used Extraordinary Methods
 Able to Rapidly Detect and Respond Effectively
Assumption of Breach

37. Proprietary and Confidential — External Use Only37
Narrative
 Have a narrative before an incident
 Choose and implement a cybersecurity framework
 Use governance structures to operationalize the
framework
 Fund appropriately based on risk tolerance
 Infosec Maturity = detect and respond capability

38. Proprietary and Confidential — External Use Only38
Summary
 Cybersecurity today is a board-level issue, more than ever
 IT is not the primary stakeholder for managing
cybersecurity risk
 Dedicated resources are required
 Leverage independent third party expertise to right-size
program and validate effectiveness
 Modern tools are essential, but governance comes first
 Assume breach – have a response plan and defensible
narrative

39. Proprietary and Confidential — External Use Only39
Additional Kroll Resources
https://www.kroll.com/en-us/intelligence-center

40. Kroll.com
Marc Brawner
Principal
Cyber Security Investigations
mbrawner@kroll.com