Post on 28-Jan-2019
Matt Loeb, CGEIT, CAE, FASAE Chief Executive Officer
Collabora'onandCapabili'esasNecessaryStepsforIncreasingCyberResilience
Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org
IT’s a risk-based world: The 10 most critical uncertainties companies face
2
10
Economiccondi+onsmayrestrictgrowth
2Regulatorychangesandscru+nymayincreaseaffec+ngproductsandservices
3Organiza+onsareinsufficientlypreparedforcyberthreats
4Rapidspeedofdisrup+veinnova+onsandnewtechnologiesmayoutpaceorganiza+ons’abilitytocompeteormanagerisk
5Privacy,iden+fyandinforma+onsecurityrisksarenotbeingaddressedwithsufficientresources
6SuccessionchallengesandabilitytoaJracttoptalentmaylimitabilitytoachieveopera+onaltargets
7An+cipatedvola+lityinglobalfinancialmarkets/currenciesmaycreatesignificantchallenges
8Org.culturemaynotsufficientlyencourageiden+fica+onandescala+onofriskissues
9 Resistancetochangecouldrestrictorgsfrommakingnecessaryadjustmentstobusinessmodelandcoreopera+ons.
Sustainingcustomerloyaltyandreten+onmaybeincreasinglydifficultascustomerdemographicsandneedschange.
Source:NACD2017PublicCompanyGovernanceSurvey
HighlightedTextisinforma+onandtechnologygovernance-related
1
Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org
52% of C-suite executives think their boards are not fully knowledgeable about the risks the organization is taking and the measures that are in place.
3
Source:EY’s19thGlobalInforma'onSecuritySurvey2016-17
Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org
Who is leading digital transformation?
4
CEO
BOARD
EXECUTIVECOMMITTEE
CIO
CTO
COO
CDO
CMO
ANOTHEREXECUTIVE
NOONE
TOOMANYPEOPLE
0 10 20 30 40
SnapshotResultsofMIT/ISACASurvey,2017
Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org
“In a digital economy, the whole company is responsible for generating value from digital investments. We see three key components:”
5
STRATEGIC(e.g.howwillweoperate
inthefuturee.g.businessmodels,ecosystems,partnerships).
DEFENSIVE(e.g.cyber,privacy,regula'onetc.)
“Howgoodyouareateachofthesewillpredictyourlikelysuccessinthedigitaleconomy.”
OVERSIGHT(makingsurethemajorinvestments
andorganiza'onalchangeareontrack)
Dr.PeterWeillDirector,MITCenterforInforma'onResearch
Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org
GETTINGTHERIGHTROIFROMTECHNOLOGYINVESTMENTS
CYBER:PARTOFA
LARGERPUZZLE
10/31/17
®2017ISACA.AllRightsReserved.6
ENTERPRISE-LEVELRISKMANAGEMENT
SOLIDFOUNDATIONINTHE
GOVERNANCEOFENTERPRISE
INFORMATIONANDTECHNOLOGY
HIRINGQUALIFIEDPERSONNEL
NEEDTOASSESSCAPABILITYMATURITY
DIGITALTRANSFORMATION
Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org
87% of board members and C-level executives have said they lack confidence in their organization’s level of cybersecurity
7
Source:EY’s19thGlobalInforma'onSecuritySurvey2016-17
Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org
57% of enterprises have had a recent significant cybersecurity incident, which shows that there is still more work to do to strengthen the corporate shield.
8
Source:EY’s19thGlobalInforma'onSecuritySurvey2016-17
BOARDS/C-SUITEWANTANSWERSandASSURANCE
ELEVATING
9
DEFINING
CREATING
ESTABLISHING
CYBERSECURITYRISKTOENTERPRISERISK
CRITICALCAPABILITIESANDMATURING
SITUATIONALAWARENESS
COMMITMENT
BOARDS/C-SUITE WANT ANSWERS and ASSURANCE
Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org
Cyber security capability assessment
Benefits and impact
STANDARDIZEDMATURITY
COMPANYRISK-BASED
ROADMAPDEVELOPMENT
COMPLIANCEVIEWS
Defines maturity for people,
process and technology;
includes hygiene; enables industry benchmarking
Defines company’s risk profile and sets maturity targets
Provides risk-based prioritization of gaps in
maturity to support roadmap development
Provides views into compliance with ISO27001, NIST
CSF, CMMI Threat Kill Chain, ASD, etc.
WE PRESENT OUR RESULTS IN
BUSINESS TERMS SIMPLE GRAPHICS TO SUPPORT BOARD COMMUNICATION
OUR
COMPREHENSIVE SCOPE LEVERAGES LEADING FRAMEWORKS, STANDARDS AND CONTROLS
Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org
Is our organization hiring the right people?
Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org
Hiring the Best So…who’s the better choice?
Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org
Time Is (Not Always) On Our Side
• In cybersecurity, 90 days is a lifetime…
• …but 180 days is an eternity...
• And both time frames are unacceptable
Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org
Fewer (Qualified) Applicants • When we do get applicants, are they
qualified to safeguard our enterprise?
Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org
Performance-Based Assessment? • Computer Science
– Create an algorithm derived from a mathematical analysis of the sound properties generated by a glockenspiel, theramin, oboe, and cowbell.
– Using only two smartphones, a refurbished TRS-80, and some string, migrate the finished algorithm to at least 50 computers wirelessly.
– Make sure all necessary controls are in place, and that all computers, when shutting down, emit a loud whistling noise that only dogs can hear.
– You will find either a glockenspiel or theramin under your seat to assist you.
– You have 20 minutes.
Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org
Safeguarding Your
Enterprise
Whenchoosingthosewhowilldefendyourorganiza+on…choosewisely.
Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org
The pace of change creates the pain
• Skills gap, near-term: embrace diversity, hands-on training, and performance-based assessment.
• Enterprises must be able to self-assess to effectively maintain cyber resilience.
• We can’t “win” Cyber without good governance of enterprise information and technology
• Cyber is everybody’s business; it’s a matter of global and local economic security and public safety.