Trends in Cyber Threats

Page 1

Trends in Cyber Threats

MANAGING CYBERSECURITY GOVERNANCE

Page 2

BUSINESS.NASDAQ.COM/BOARDVANTAGE

BUSINESS.NASDAQ.COM/INTEL/DIRECTORS-DESK-BOARD-PORTAL


Boards and audit committees have developed a heightened interest in cybersecurity governance over the last three years and even more so in the past year as high-profile cyber issues have dominated the news.

Trends in Cyber Threats

Cybersecurity intelligence and reporting from the information security team are a high priority among the organization’s updates to the audit committee, says Modano. “I attend every audit committee meeting along with the CIO to report on information security within Nasdaq.”

Phishing—fraudulent emails that bait employees so hackers can gain access to the network—is a critical board-level cybersecurity concern. Organizations can also lose sensitive information through malicious insider activity, where employees access and abuse data they are entrusted with.

Trends in mitigating critical vulnerabilities, phishing, and insider threats

“It’s imperative that organizations have patch management programs to address critical vulnerabilities in their environments,” says Modano. When you are running a large technology environment, there’s a level of hygiene that the board should expect, which includes ensuring that you update and patch your systems, according to Modano.

Hackers can exploit a vulnerability that remains unpatched for an extended period, and that could severely impact an organization; that’s why the attention to vulnerabilities is so high at the board level, says Modano.

Organizations can curb phishing by using testing programs that train employees to identify real phishing attempts and reward them for improvement. Nasdaq deploys such a simulation as part of its governance program.

MANAGING CYBERSECURITY GOVERNANCE

Nasdaq Boardvantage: Enhanced governance for boards, committees, and leadership

“The number of questions we address here at Nasdaq, the interest level, and the number of presentations we share with the board have increased drastically,” says cybersecurity governance management advocate Louis Modano, CISO, Nasdaq.

Page 3

“We test our employees to see whether they will click on the fraudulent links that tend to appear in these kinds of emails,” says Modano. “Our testing allows us to measure who is reporting what appears to be an illegitimate email,” Modano adds.

Information security teams can mitigate unauthorized access and insider threats by using the Nasdaq Boardvantage board portal software solution, which uses multifactor authentication and full-strength encryption. Nasdaq Boardvantage separates content into individual repositories and protects them with unique encryption keys. “A board portal like Nasdaq Boardvantage ensures fidelity of confidential documents, automates the dissemination of sensitive material, allows you to purge documents centrally, and enables users to exchange comments and messages securely,” says Modano.

Nasdaq Boardvantage lives in a highly secure, hardened data center with no third-party access. Nasdaq Boardvantage meets SOC 2 certification requirements to ensure compliance with the highest security industry standards. “Not every board portal is created equal. There are multiple layers of security and mature security activities that must support it, too. You have to weigh that when looking at using board portals,” says Modano.

Managing cybersecurity governance

As a principal governance activity, Nasdaq has a formal program charter outlining the information security team’s responsibilities. The charter defines the authority the team has, as the line function for information security, to address cybersecurity matters as they arise. The board ensures that the information security team performs those functions.

In addition to the formal cybersecurity program and strategy document, the board supports the line functions responsible for information security team performance with the aid of the audit committee and with periodic updates and approvals by all parties. The security team initiates updated cyber reports to the chain of command. Cybersecurity updates to the audit committee carry equal weight with other business updates in today’s cyber threat environment.

The information security team tracks and reports security activities to the board via dashboards using metrics that show increases and decreases in vulnerabilities and threats, according to Modano. “The dashboard is a roll-up of metrics we follow monthly,” says Modano.

“We use the dashboard to track all the activities we are involved in to mitigate threats. We align these activities with a formal standard known as the NIST 800-53 standard,” says Modano. This is a cybersecurity controls standard published by the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce. Nasdaq also uses the dashboard to track whether it is investing more in security controls.

Tracking enables Nasdaq to warn employees who fall for phishing and then put them through formal training if it continues. “We actively report to the board on how well this is going,” says Modano.

The dashboard visualizes trends in employee behavior such as insider activity, where someone is doing something they should not.

Dashboards track the quality and effectiveness of security mitigations and controls including patches for current vulnerabilities. Dashboard metrics demonstrate the likelihood of occurrence of a security event and its impact as well as whether the organization is increasing its investment of time and resources to address those events.

Boards avail themselves of regular presentations about new vulnerabilities and threats that put threat capabilities in the proper context. The CISO, CSO, CIO, or whoever runs security risk should present vulnerabilities and threats in that context. “Context includes how often such a threat targets such an organization and transparency into the mitigations and controls in place at that institution and their effectiveness against such risks as well as the probability and cost of related security events,” says Modano.

Nasdaq Boardvantage: Award-winning software from a technology innovator

Page 4

Context is important because people can otherwise become worried when they hear about some scary new cyber threat if they don’t understand that someone must already have compromised your systems for these attacks to cause any harm. The Meltdown and Spectre vulnerabilities, which are broad and impact nearly every computing device, are good examples.

Addressing the organization’s risk appetite

To determine what the information security team will support, the board must evaluate the company’s risk appetite, i.e., the risks the organization will mitigate, avoid, transfer, or accept. The CISO’s teams, the technical risk committee, the global risk committee, and the management teams conduct thorough reviews of key risks in the organization and prioritize them together with the likelihood/probability that they will occur, and the financial impact if they do happen.

The organization baselines its environment as to the acceptable level of risk across all lines of business. The board reviews these risks annually with these teams. The audit committee tracks those risks to determine whether the organization has exceeded the threshold of the amounts and types of risk the business is willing to accept. When a risk surpasses a threshold, the audit committee and the business line involved communicate the cause and work with the board and the information security team to confirm how to address the risk more appropriately.

Future threats

The board must remain vigilant as new threats appear on the horizon. In 2018, expect to see increases in attacks intent on destroying infrastructure. Cryptojacking, using someone’s computer without their knowledge to mine cryptocurrency, will increase this year as well.

The information security team can update its awareness of vulnerabilities and threats using advanced threat intelligence from multiple vendor sources.

Cybersecurity governance can further address unforeseen vulnerabilities, threats, and attacks using third-party assessments of the maturity of the entire information security program. The third-party service looks at multiple information security domains and conducts interviews with stakeholders in search of evidence of the maturity of the program. “The third-party service looks at 13 to 20 different domains for evidence, based on interviews with stakeholders, as to the maturity of your security program,” says Modano.

The third-party provider reports its findings to the information security team, which shares them with the board. The findings demonstrate how well the organization’s information security program addresses threats in comparison with the performance of its peers.

Nasdaq Boardvantage streamlines meeting processes and accelerates decision-making

© Copyright 2018. All rights reserved. Nasdaq and Nasdaq Boardvantage are registered trademarks of Nasdaq, Inc. 1139-Q18 US Letter