AICD Directors’ Breakfast with Cyber Expert Rob Sloan

Page 1: Title

Directors’ Breakfast With International Cyber Expert Rob Sloan

Monday 20 March 2017

Proudly sponsored by:

Page 2: Build Your Resilience Against Cyber Attack

Australian Institute of Company Directors

Rob Sloan, Cybersecurity Research Director, WSJ Pro

Dow Jones & Co

Page 3: Introduction

Cybersecurity Research Director, WSJ Pro (2014 - Present)

● Working with the Wall Street Journal newsroom to produce business-focused cybersecurity reporting
● Building datasets to help cybersecurity professionals better understand the business landscape
● Writing and speaking about this incredible subject and its many, constantly-evolving aspects

Response Director, Context Information Security (2011 - 2014)

● Built and led an incident response capability in an information security consultancy
● Worked with global companies to investigate intrusions, deploy monitoring solutions and mitigate impact

Various Roles, UK Government (2002 - 2011)

● Led investigations into some of the earliest targeted attacks against government and UK critical national infrastructure, in particular Chinese and Russian espionage campaigns
● Spent time with the Ministry of Defence and the Foreign and Commonwealth Office to understand the cybersecurity landscape and how threat actors developed their capabilities
● Raised awareness with senior decision-makers in government and private sector

Page 4: Context of the Opportunity

The Threat Landscape

• Nation states operate with impunity
• Criminals are making out like bandits
• Resurgence of old threats
• Low level hacking success
• Cyber-enabled criminality

Key Growth Drivers

• Increasing levels of cybercrime
• Increasing regulation across industries
• Financial and reputational impact of data-loss events
• Senior level attention as a business risk
• Supply chain obligations

$81B: Value of cybersecurity market in 2017

$6T: Global cost of cybercrime by 2021

Page 5: Building Resilience: Five Key Questions

• What does cyber mean to the organization?
• Who are the key people responsible for cybersecurity?
• How vulnerable is the organization?
• What is the organization’s risk exposure?
• What is the long-term strategy?

Page 6: Context

What does ‘cyber’ mean to our organization?

• Confidentiality, Integrity and Availability.
• Who are the threat actors?
• What information is business critical?
• Have we been targeted / impacted in the past?
• How have our peers / competitors been affected?
• How has the organization prepared for attacks?

Every organization has a unique cybersecurity profile. There is no one-size-fits-all.

Page 7: Governance

Who are the key people responsible for cybersecurity?

• In most organizations, the lead for information security is the Chief Information Security Officer (CISO), a relatively new position.
• Overall cybersecurity responsibility should not remain with the CISO. Ideally a CxO will ‘own’ cybersecurity, and there are arguments for different positions taking the lead role.
• Long-term planning is essential. Ensure there is internal succession planning – CISOs are in high demand and recruitment and retention will be issues.

This is not an IT problem anymore. This is a business issue.

Page 8: Vulnerability

How vulnerable is the organization?

• What measures are in place to reduce the likelihood of incidents?
• Are employees adequately briefed on how to protect sensitive data? Is training ongoing?
• Are data security policies in place?
• Which third parties hold critical data?
• Has there been an external assessment of cybersecurity preparedness?

You cannot protect everything. Decide what is most important and ensure it is secure.

Page 9: Exposure

What is the organization’s risk exposure?

• How is risk being tracked? How is the board able to measure progress over time?
• Where progress is lacking, the opportunity for attackers opens.
• What is the organization’s tolerance of risk? How is cyber risk being avoided, controlled, accepted or transferred?
• Are exercises regularly carried out to test responses to cyber incidents?

Attackers only have to be successful once. Defenders have to be successful every time.

Wall Street Journal, Dec 15th 2016

Page 10: Strategy

What is the long term strategy?

• How can the cybersecurity of the organization best be controlled?
• Can enhanced cybersecurity become a business strength? Can an investment pay for itself?
• Should network monitoring be outsourced or insourced?
• A cybersecurity framework must be in place, either aligned to or compliant with recognized standards.

You can outsource the service or the data, but you cannot outsource the risk.

Page 11: Summing Up

Key points to keep in mind:

● This problem is not going away any time soon - learn to deal with it on a business-as-usual basis
● There is no guaranteed technology solution. Cybersecurity solutions come from getting the right blend of people and management
● Compromise is almost inevitable, so protect what you really need to protect, accept that the rest may go, and plan accordingly
● Practice makes perfect. The difference between a well-handled incident and a poorly handled incident can be millions of dollars. It pays to conduct table-top exercises

The day of the ball is not the time to learn how to dance.

Page 12: Contact Details & Further Resources

• [email protected]
• +1-650-471-9091
• www.linkedin.com/in/robsloan1

WSJ Pro Cybersecurity

For more details and a free trial of our daily newsletter, visit https://buy.wsj.com/wsjprocs/

An Inch Wide, A Mile Deep

WSJ Pro Cybersecurity is a new membership service designed to help executives monitor the ever-changing landscape of cybersecurity through a business lens. Our dedicated team of journalists delivers unique, actionable insight on the wide-ranging challenges of cybercrime risk.

Helping to Educate Business Leaders

The cybersecurity information marketplace is overpopulated with either vendor-driven or highly technical content. WSJ Pro Cybersecurity is the only service focusing on the topic through a dedicated business lens.