Protection Beyond Compliance: Effective Cyber Security Risk Management

Credit Union Cyber Security



Speaking with you today

Vikas Bhatia – CEO & ERA

Vikas is the founder, CEO and Executive Risk Adviser at Kalki. He has more than 18 years of experience serving local, regional and global clients in the outsourcing, consulting and regulatory domains, which enables him to enhance any organization's Information Security Management System (ISMS).

He is a Certified Chief Information Security Officer (C|CISO), Certified Information Systems Security Professional (CISSP), and Certified Information Privacy Professional (CIPP).

Risk = Likelihood x Impact

How is everything connected?

Where are we least prepared?

Finding 1: It took the Target breach to get the board’s attention.

What brings your attention to cybersecurity? What influences the way you feel about cybersecurity?

Target Attack Timeline

Finding 2: Board members may be overly confident about the effectiveness of their cybersecurity governance practices and often rate the effectiveness of these programs much higher than IT security professionals do.

Let's talk about how you feel about this finding and how it relates to you and your role within VFCU.

Perceived Effectiveness of Cybersecurity Governance Practices

Finding 3: Board members admit their knowledge about cybersecurity is limited.

How can we work to improve your understanding of cybersecurity issues and risk levels?

Perceived Knowledge about Cybersecurity

Incident Classification Patterns

Finding 4: Board members may not be receiving information and briefings about cyber attacks and data breaches affecting their organization.

Do you feel you are receiving enough information on data security and data breaches to help grow your knowledge and understanding of cyber threats?

Board Knowledge of Breaches

Breach Discovery Methods

Finding 5: IT security professionals are skeptical of their board’s understanding about cybersecurity risks.

Technology and strategic management often have trouble seeing eye-to-eye on cybersecurity readiness and needs.

How can we get everyone speaking the same language?

Board vs. IT Perceptions

Survey

Who from your organization is responsible for handling technology outages? CEO or IT Team

How confident are you in that person’s ability to respond to those outages? Somewhat - Very Confident

How confident are you in your company’s ability to recover from such an incident? Somewhat - Very Confident

Who from your organization is responsible for handling and responding to unauthorized disclosure of information or a breach? CEO

How confident are you in that person’s ability to respond to such an unauthorized disclosure? Somewhat - Very Confident

How confident are you in your company’s ability to recover from such an incident? Somewhat - Very Confident

Technology Outages

Handling a Breach

What’s important to Credit Unions?

Serving the member

Reputation Service Stability Trust

Innovation Engagement Dedication

Value Growth

Strategic Drivers

Revenue

A Credit Union's revenue is driven by the trust of its members.

The loss of even a small percentage of membership due to loss of trust would result in significant financial loss.

Operations

The day-to-day operation of branches is vital. Members expect 24x7 access to funds and rely on branches to be operational.

Operational downtime incurs significant costs, including productivity costs, the cost of restoring service or funds, and costs due to lost membership.

Reputation

Credit Unions pride themselves on their reputation among members and rely on that reputation to retain and grow their membership.

The impact of a breach on that reputation would be detrimental. A focus on SecurITy provides a key differentiator to improve member trust and build reputation.

Compliance

The NCUA compliance framework was designed in 2006; it provides very little guidance and represents a minimum standard.

Outdated compliance standards do not keep pace with current threats and are not sufficient to protect member data.

Mission: to best serve members.

What’s important to your Credit Union?

Do we walk the walk?

Area          Ranking 1   Ranking 2   Ranking 3   Ranking 4

Reputation        6           2           3           1

Revenue           1           1           2           8

Operations        2           5           4           1

Compliance        4           4           3           1

Sample priority ranking by a previous Credit Union client. Does this look familiar?

An over-focus on compliance may not support the objective of serving the member community.

What are we protecting? … Our Members!

Technical SecurITy

Physical SecurITy

Protection is not:

Chart of protection areas: SecurITy Direction, Incident Management, Business Continuity, Technical SecurITy, Compliance, Access Control, Physical SecurITy, Operations SecurITy, 3rd Party SecurITy, Organization of SecurITy, Human SecurITy, Asset Management

How do we protect it?

How are we measuring what we're doing?

The Capability Maturity Model Integration (CMMI) will be used to measure our journey.

Maturity Level, Name, Definition

Level 0, Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.

Level 1, Initial / Ad Hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

Level 2, Repeatable but Intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

Level 3, Defined Process: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

Level 4, Managed and Measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

Level 5, Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modelling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

Chart axes: Incident Management, Business Continuity, Technical SecurITy, Compliance, Access Control, Physical SecurITy, SecurITy Direction, Human SecurITy

Sample Client: What are they doing now?

Operations SecurITy

Maturity scores by area:

Incident Management (2)

Business Continuity (3)

Technical SecurITy (1)

Compliance (3)

Access Control (3)

Physical SecurITy (3)

SecurITy Policies (1)

Human SecurITy (2)

Sample Client: How well are they doing the things they are doing?

Operations SecurITy (1)

Chart axes: Incident Management, Business Continuity, Technical SecurITy, Compliance, Access Control, Physical SecurITy, SecurITy Direction, Human SecurITy

Sample Client: What’s the bigger picture?

Operations SecurITy

So What…

Scenario A: Breach

Remediation Costs

Total number of records x $154 per record*

Additional Impact

• Reputational impact

• Additional productivity impacts

• Cost of remediation

*Ponemon Institute: average cost of breach remediation is $145 per record

Example: 15,000 members x $154 per record* = $2,310,000

Cyber Insurance: Incident Response Responsibilities

Do you know which stages of the incident response process your company is responsible for handling vs. your insurance company?

Do you have a written, tested and functional incident response process in place?

Cyber Insurance: Internal Security Controls

Did you know that your insurance provider can refuse to pay out if you aren’t taking preventative measures?

Do you know all the cyber security program elements you are expected to have in place?

Cyber Insurance: Payout and Expectations

What are your policy’s max and average payouts?

Does either one of those numbers cover the cost of the breach estimated earlier?

Do you know what you are expected to provide, and when, when notifying your cyber insurer of a problem? Have you built these expectations into your company's internal processes?

$$$

Scenario B: Downtime due to system outage

Productivity Costs

$ amount per day in salary costs

Additional Impact

• Reputational impact

• Additional productivity impacts

• Cost of remediation

Scenario C: Malware outbreak

Numbers and costs are based on actual malware incidents at a 150-employee financial firm in NY.

Incident 1: Pre-SecurITy (June 2014)

100% of firm's users affected

Lost productivity totaled approx. 3,600 hours

Approx. 145 hours combined (internal IT team and vendors) spent on clean-up

Total outbreak cost: approx. $325,000

Incident 2: Mid-SecurITy Implementation (June 2015)

5% of firm's users affected

Lost productivity totaled approx. 255 hours

Approx. 96 hours combined (internal IT team and vendors) spent on clean-up

Total outbreak cost: approx. $25,000

Difference (Incident 1 vs. Incident 2)

Users affected: 95%

Lost productivity: 3,345 hours

Clean-up effort: 49 hours

Outbreak cost: $300,000

Opportunities

Where should we start?

Education: Target your weakest links ASAP!

TEST: Regularly test your employees to see how they behave! Run regular 3rd party Phishing & Social Engineering Testing to practice the real thing and see how they respond. Conduct a recurring Security Awareness Survey to measure the culture around security and gauge the level of employee knowledge.

TEACH: Provide interactive training on security that's geared toward educating even the non-technical employees at your company. Use a variety of instructor-led and digital methods. Make sure your trainers are ready to teach employees WHY they should care and how to protect both themselves and the company.

TRACK: Measure your success and adjust accordingly. Track key metrics including participation. Use the methods in the TEST section to regularly benchmark where your employees fall and measure improvements in the results. Make adjustments and improvements over time to mature your education program.

Questions?

protected@kalkiconsulting.com | www.kalkiconsulting.com | 1.855.GO.KALKI