Presentation on theme: "Robert Gregg CEO ID Experts"— Presentation transcript:
1 Robert Gregg CEO ID Experts Bob.firstname.lastname@example.org
2 Overview Defining the cybersecurity problem Serious national security concernWhat does this mean for companies…particularly the CFOWhat we must do - Now
3 Picture of bad guys from uspis Oceans 11 analogyZeus malware- 240,000 variantsTargeting you and your campanyDemetri Galutav hackers-10 yrs, 400k pol office40-50K hackers active =Secret serviceFor profit, not noteriety---32% infected
5 Cybersecurity RiskConclusion of the Internet Security Alliance (ISA) , the American National Standards Institute (ANSI), and all executives who worked on the project:The single biggest risk involving cybersecurity is ignorance and misunderstanding!
6 We Need a Total Risk Management Approach The security discipline has so far been skewedtoward technology—firewalls, ID management,intrusion detection—instead of risk analysis andproactive intelligence gathering.PWC Global Cyber Security SurveyWe have to shift our focus from consideringcybersecurity as a technical-operational issueto a economic-strategic issue
7 Cybersecurity = Investment Cybersecurity has historically been looked at as a cost….. Increasingly it has to be looked at as an investmentGreater trust=Stronger brand=Higher sales
8 The Threat Source Outside Intruder (Hacker) Well meaning insider Insider with mal-intent
9 Data Breach Perfect Storm Technology AdvancementShrinking IT BudgetsHacker SophisticationRealization of the Value of DataDeclining EconomyGovernment RegulationsIncreasedOutsourcing
10 The Private SectorThe private sector owns 95% of the cyber infrastructureThe private sector must, by law, operate---not in the public interest---but to maximize shareholder valueThe private sector makes decisions based on economicsThe way to improve cybersecurity is to alter the economics of cybersecurity
11 Follow the MoneyWe have –and will continue to have- cyber attacks because of the economic incentivesAttacks are easy/cheap/very profitableDefense is hard---successful prosecution 1%Perimeter to defend is endlessExtremely hard to show ROI because enterprises don’t analyze their cyber risk correctly
12 Structural / Economic Misalignment Symantec: attacks up 500% between & doubled again betweenCyber Space Policy Review: Cost to American business = $1 TRILLIONPWC/CSIS/Forrester all report investment in information security is down in 50%-66% of American companies----and most of the security spending is for audit compliance not security
13 We are Not Cyber Structured In 95% of companies the CFO is not directly involved in information security2/3 of companies don’t have a risk plan83% of companies don’t have a cross organizational privacy/security teamLess than ½ have a formal risk management plan—1/3 of the ones who do don’t consider cyber in the plan
14 What to Do…Good News: We know a lot about how to solve this problem % can be solved by using best practices and standards—most don’t due to costFocus on Enterprise Education so companies understand total financial cyber riskGet a copy of “Financial Management of CyberRisk….A framework for CFO’s”
16 Cybersecurity Document Outlines an enterprise wide process to attack cyber security broadly and economicallyCFO strategiesHR strategiesLegal/compliance strategiesOperations/technology strategiesCommunications strategiesRisk Management/insurance strategies
17 What CFO Needs to Do Own the problem Appoint an enterprise wide cyber risk teamGet other C-Level exec buy-inDevelop an enterprise wide cyber risk management plan & budgetComplete a comprehensive breach response planEngage a breach response expertImplement the plan, analyze it regularly, test and reform
18 Human Resources Recruitment Awareness Remote Access Compensate for cyber securityDiscipline for bad behaviorManage social networkingBeware of vulnerability especially from IT and former employees
19 Legal/Compliance Cyber Issues What rules/regulations apply to us and partners?Exposure to theft of our trade secrets?Exposure to shareholder and class action suits?Are we prepared for govt. investigations?Are we prepared for suits by customers and suppliers?Are our contracts up to date and protecting us?
20 Operations/IT What are our biggest vulnerabilities? Re-evaluate? What is the maturity of our information classification systems?Are we complying with best practices/standardsHow good is our physical security?Do we have an incident response plan?How long till we are back up?---do we want that?Continuity Plan? Vendors/partners/providers plan?
21 Communications Do we have a breach plan for multiple audiences? --general public--shareholders--Govt./regulators--affected clients--employees---press
22 Insurance—Risk Management Are we covered?What can be coveredHow do we measure cyber losses?D and O exposure?Who sells cyber insurance & what does it cost?How do we evaluate insurance coverage?
23 Summary Cybersecurity is an enterprise problem….not an IT problem The risk is growing rapidlyCFO is the best person to own and manage all aspects of the riskLook at this as a very strategic investment…..because it is!