
Cyber Security. Phillip Davies, Head of Content, Cyber and Investigations.




1 Cyber Security. Phillip Davies, Head of Content, Cyber and Investigations

2 Business Leaders Urged to Step Up Response to Cyber Threats

The UK’s most senior business leaders are getting new advice on how to better tackle the growing cyber threats to their companies. Currently, too few company chief executives and chairs take a direct interest in protecting their businesses from cyber threats. So now, for the first time, the Government and intelligence agencies are directly targeting the most senior levels in the UK’s largest companies and providing them with advice on how to safeguard their most valuable assets, such as personal data, online services and intellectual property. Today, the Government is launching Cyber Security Guidance for Business at an event attended by FTSE 100 CEOs and Chairs, Ministers from the Department for Business, Innovation and Skills (BIS), the Foreign Office, the Cabinet Office and the Home Office, and senior figures from the intelligence agencies.

3 Key questions for CEOs and boards

1. How confident are we that our company’s most important information is being properly managed, and is safe from cyber threats?
2. Are we clear that the board are likely to be key targets?
3. Do we have a full and accurate picture of:
   – the impact on our company’s reputation, share price or existence if sensitive information held by the company were to be lost or stolen?
   – the impact on the business if our online services were disrupted for a short or sustained period?
4. Do we receive regular intelligence from the Chief Information Officer / Head of Security on who may be targeting our company, their methods and motivations?
5. Do we encourage our technical staff to enter into information sharing exchanges with other companies in our sector and/or across the economy in order to benchmark, learn from others and help identify emerging threats?
6. Are we confident that:
   – we have identified our key information assets and thoroughly assessed their vulnerability to attack?
   – responsibility for the cyber risk has been allocated appropriately? Is it on the risk register?
   – we have a written information security policy in place, which is championed and supported through regular staff training?
   – the entire workforce understands and follows it?

4 Agenda

Implementing a cyber security risk strategy beyond IT. Four potential steps:
– Establishing the enterprise risk and ensuring visibility
– Intelligence and information: updating the risk profile
– The coordinated security response
– Security awareness beyond the business

5 Strategy

Intelligence
– Awareness, then coordination of hooks
– Feeds into a single system
– Continual update of risk profiles
– Benchmarking and industry awareness
– Law enforcement

Risk
– Group risk registers
– Ownership and management buy-in and support
– Risks identified, with inherent and residual risks quantified
– Importance of consistency
– Controls and action plans
– Reviews
– Benchmarking

Security
– Enterprise incident response
– Security CIRT
– Protocols aligned to risk profiles
– Regular meetings and reviews: incident debriefs, proactive work streams, lessons learned, reporting on security to the Executive, Board and Audit Committee

Communications
– Security awareness programmes
– Our consumers

6 So what ‘Risk’ are we seeking to capture?

Define our scope. Cyber Crime is defined as any ‘crime’ that is likely or intended to impact any of our businesses or any of our customers, that takes place online or with the aid of Information Technology, and can include attacks on networks, our IT infrastructure, our voice network and call facilities, and our exposure and our customers on social network and other online sites. Many of these instances will involve transnational offending, often across multiple jurisdictions.

Capture the risks within scope. How do we do this? Some issues to consider:
– Different business models and different risk profiles
– Consistency in calculating inherent and residual risk
– Who needs to know? Business decisions
– Are the action plans and controls proportionate to the risk?
– Risk appetite?

7 Information in

– External: what groups, organisations, products and reports do we have access to across the enterprise? Who owns these relationships and what do we get for them? A by-product of going through this exercise is £ savings.
– How do we capture this information and put it into context with our risk profiles?
– Enterprise internal: IT and IS systems (DLP, IDS, IPS, eDiscovery, logging, …)
– Resourcing our information evaluation: systems and people?
– Reporting mechanisms and stakeholder groups
– Re-assess the risk
– Benchmarking

8 Security Responses

– Do we have a Security Computer Incident Response Team or similar? How is this resourced? How is it coordinated?
– Where in the business is this drive owned? And supported?
– Where are our response plans captured? Are they tested, evaluated and reviewed?
– Do we have clear escalation procedures and clear communication to the Executive, Board and Audit Committee?
– Who might our non-technical stakeholders be?
– Benchmarking across and beyond industry sectors
– Are we clear about points of referral to Government and Law Enforcement, and across jurisdictions?
– Training and budget?
– CISO reporting lines

9 Security Awareness

Who do we tell about security?
– Our staff
– Our Board
– Our customers

What do we tell?
– Proportionate / alarmist
– Government and industry messaging and consistency

10 Other work streams?

– Responsible social network use
– Talent and senior management online profiles
– Risk diversifies as business divergence continues; importance of working with policy areas
– Data classification and data governance

