
BOARD DIRECTOR CONCERNS ABOUT CYBER AND TECHNOLOGY RISK

21 September 2017

Rob Clyde, CISM, NACD Board Leadership Fellow
Managing Director, Clyde Consulting LLC
Vice-Chair, ISACA
Executive Chair, White Cloud Security
Executive Advisor to BullGuard and HyTrust


Board of Directors’ View

Source: NACD 2016-17 Board of Directors Survey


Security Professionals’ View

Source: Cisco 2017 Security Capabilities Benchmark Study


Functions Most Likely to Be Affected by a Public Breach

Source: Cisco 2017 Annual Cyber Security Report


% of Companies Experiencing Customer Loss Due to A Breach

Source: Cisco 2017 Security Capabilities Benchmark Study


FTC Opens Probe into Equifax Data Breach

Apache Struts flaw was known to be critical and should have been addressed, security researchers say.

The US Federal Trade Commission (FTC) has launched a formal investigation into the massive data breach of Equifax, which yesterday confirmed its failure to address a previously disclosed Apache Struts vulnerability that was exploited in the attack.

Meanwhile, Equifax share prices continued to plummet this week - now 35% lower than before the breach - in an ominous sign of the breach's potential financial devastation to the credit-monitoring firm.

9/14/2017

Equifax Reports Data Breach Possibly Affecting 143 Million U.S. Consumers

Social Security numbers, birth dates, addresses and driver’s license numbers exposed

By AnnaMaria Andriotis and Ezequiel Minaya
Updated Sept. 8, 2017 9:48 a.m. ET

Equifax Data Breach


NACD Cyber-Risk Oversight Handbook for Board Directors

Five key principles for Board Directors:

1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.

3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.

4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.

5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.


Where Has the Board Allocated Most Tasks Related to Cyber Risk?

Source: NACD 2016-2017 Public Company Governance Survey


Cyber-Risk Oversight Board Practices Performed in the Last 12 Months

Source: NACD 2016-2017 Public Company Governance Survey


Which Members of Management Report to The Board About State of Cybersecurity

Source: NACD 2016-2017 Public Company Governance Survey


Guidelines for Talking to the Board

• Give summary of good and bad news right up front (don’t hold the punchline)

• Be clear and concise both in your discussion and the advance materials for board packet

• Be transparent and honest. Don’t give unfounded assurances

• If you don’t know something, say so and promise to get back to them

• Avoid low level tech speak and acronyms

• Use analogies to aid understanding for non-cyber experts

• Articulate business impact, risk, mitigations and plans

• Clearly identify anything that requires board action or consideration

• Do not surprise your CEO – brief CEO in advance


Advice in Preparing for Presenting to the Board

• Understand what the board wants to hear from you and what defines success

• What is the big goal of your presentation?

• What is the takeaway you want board members to have (feel, say, do afterwards)

• When preparing metrics, you should answer key questions:

– Are we getting better or worse? (Trends)
– Are we in good or bad shape compared to our goals and/or industry benchmarks?

• Describe regulatory or IT audit concerns, risks, and mitigations

• Less is more: what should you leave out?

• Know your subject and recent big industry and cyber-related news

• Practice with CEO or other executive and ask them for likely board questions

• If possible, get to know board members at social events or dinner before board meeting


Cyber Risk Heat Map Example (Retail Industry)

Source: NACD Cyber-Risk Oversight Director’s Handbook

Example: Executive Risk Summary Dashboard (Financial Services Industry)

Source: NACD Cyber-Risk Oversight Director’s Handbook


Example: CIS 20 Critical Security Controls Coverage Report to Board

Source: “Briefing the Board: Lessons Learned from CISOs and Directors”, RSA 2017, John Pescatore, Alan Paller; Center for Internet Security


Example: Validated metrics of software security

Source: “Briefing the Board: Lessons Learned from CISOs and Directors”, RSA 2017, John Pescatore, Alan Paller


Other Possible Board Level Metrics

• Mean-time to detect an incident

• Mean-time to respond to an incident

• Key 3 to 5 vulnerability metrics summarized over monthly or quarterly time periods

• Training and certification metrics (also show goals and trends)

– % security staff trained, % certified (CISM, CSX, CISSP, etc.)
– % IT security staff trained, % certified (CSX Fundamentals, etc.)
– % IT Audit staff trained, % certified (CISA)
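As an added example that is not part of the deck, the following Python computes the first two metrics on this slide, mean time to detect and mean time to respond, per quarter from a constructed list of incident records, and answers the two board questions from the earlier slide: are we trending better or worse, and are we within the goal the board approved. The incident data, function names and goal values are my own assumptions.

```python
"""Quarterly MTTD / MTTR for a board report (added example, constructed data)."""
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real data). Each tuple is
# (time the incident occurred, time it was detected, time it was contained).
INCIDENTS = [
    ("2017-01-10T08:00", "2017-01-14T09:30", "2017-01-16T12:00"),
    ("2017-02-03T13:15", "2017-02-05T10:00", "2017-02-06T18:00"),
    ("2017-03-21T02:00", "2017-03-22T14:00", "2017-03-23T09:00"),
    ("2017-04-08T09:00", "2017-04-09T08:00", "2017-04-09T20:00"),
    ("2017-05-17T23:00", "2017-05-18T07:30", "2017-05-18T16:00"),
    ("2017-06-29T11:00", "2017-06-29T19:00", "2017-06-30T10:00"),
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def quarter_of(ts):
    """Label such as '2017-Q1' for the quarter a timestamp falls in."""
    d = _parse(ts)
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"

def quarterly_metrics(incidents):
    """Return {quarter: {'mttd_hours', 'mttr_hours', 'incidents'}}.

    MTTD = mean(detected - occurred); MTTR = mean(contained - detected).
    Incidents are grouped by the quarter in which they occurred.
    """
    by_q = {}
    for occurred, detected, contained in incidents:
        ttd = (_parse(detected) - _parse(occurred)).total_seconds() / 3600
        ttr = (_parse(contained) - _parse(detected)).total_seconds() / 3600
        by_q.setdefault(quarter_of(occurred), []).append((ttd, ttr))
    return {q: {"mttd_hours": round(mean(t[0] for t in v), 1),
                "mttr_hours": round(mean(t[1] for t in v), 1),
                "incidents": len(v)}
            for q, v in sorted(by_q.items())}

def trend(metrics, key):
    """'improving' when the latest quarter is lower than the one before it."""
    quarters = sorted(metrics)
    if len(quarters) < 2:
        return "insufficient data"
    prev, last = metrics[quarters[-2]][key], metrics[quarters[-1]][key]
    return "improving" if last < prev else "worsening" if last > prev else "flat"

def against_goal(metrics, key, goal_hours):
    """Latest quarter's value compared with the board-approved goal (hours)."""
    last = metrics[sorted(metrics)[-1]][key]
    return "within goal" if last <= goal_hours else "above goal"
```

The same grouping works for the 3 to 5 vulnerability metrics on this slide if the tuples carry, for example, disclosure and remediation times instead.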


Ransomware Exploding


Should The Board Authorize Paying Ransoms?

• What is your policy for paying a ransom if your data or systems are held hostage by ransomware?

• Who should authorize such a policy? Board? Board delegates this to management?

• Policy could indicate if and under what conditions a ransom might be paid and who should authorize it

• What are the ethical, reputational, and regulatory issues?


NACD Handbook on Basic Cybersecurity Controls

Four basic cybersecurity controls effective in preventing 85% of cyber intrusions

1. Restricting user installation of applications (“whitelisting”)

2. Ensuring that the operating system receives current updates

3. Ensuring software apps are regularly updated

4. Restricting administrative privileges

Source: NACD Cyber-Risk Oversight Director’s Handbook

Application control is recommended as the #1 mitigation strategy


Impact of Technologies

• Board may not be aware of opportunity and risk for new technologies

• Don’t just focus on security risk

• Opportunity and competitive risk of not adopting new technology may be even more significant

• Discuss how to mitigate security risks and safely adopt new technologies


Let’s explore some technologies and how we might discuss the opportunities and risks at the board level….

Internet of Things

Artificial Intelligence

Quantum Computing


Internet of Things (or sensors or everything)


Source: BullGuard 2016 IoT Survey, www.bullguard.com/blog/2016/03/the-internet-of-things-consummer-security-and-privacy-concerns.html

Gartner predicts 26 Billion IoT Devices by 2020

8 Billion IoT Devices Today


Smart TVs as Spies?

• Keep track of what is watched?

• Listen to conversations in room?

• WikiLeaks claims CIA “Weeping Angel” covertly does this

• Video the room?


Vizio to pay $2.2M for collecting and selling customer data

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”—Samsung


Connected Cars Are at Risk

Fiat Chrysler has issued a safety recall affecting 1.4m vehicles in the US, after security researchers showed that one of its cars could be hacked.

On Tuesday, tech magazine Wired reported that hackers had taken control of a Jeep Cherokee via its internet-connected entertainment system.


FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras

Device-maker’s alleged failures to reasonably secure software created malware risks and other vulnerabilities

FOR RELEASE January 5, 2017

The Federal Trade Commission filed a complaint against Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary, alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk.


IoT data as evidence?

• Fitness devices indicate you are asleep and level of activity

• Smart thermostat detects when you leave home

• Smart home security detects when doors are unlocked and relocked

• Automotive telemetry used to detect when, where and how fast you drove

• Smart autos may record conversations in car

• Alexa and similar devices hear conversations


How Might You Discuss The Internet of Things with The Board?


What are AI and Machine learning?


Source: Symantec, RSA 2017, “Combatting Advanced Cybersecurity Threats with AI and Machine Learning”


Example


AI: A self-driving car
Machine Learning: Pedestrian detection

Source: Symantec, RSA 2017, “Combatting Advanced Cybersecurity Threats with AI and Machine Learning”, ISACA 2016 State of Cybersecurity Survey

62% of IT and cybersecurity professionals think AI will increase security risk


How Might You Discuss AI and Machine Learning with The Board?


Quantum Computing May Break Today’s Encryption


Sources: D-Wave Systems; IBM


U.S. NIST Post-Quantum Crypto project

At risk from Quantum attack:

• Public key

• Block chain

• Digital signature creation and validation

Project to develop quantum-resistant cryptography

Also see:

• http://csrc.nist.gov/groups/ST/post-quantum-crypto/

• https://openquantumsafe.org


How Might You Discuss Quantum Computing with The Board?


Conclusion

• Realize that most boards:

– are very concerned about cybersecurity
– are not very confident about their organization’s cyber risk

• Make sure you understand the business

• Learn how to talk about cyber risks and security at board level

• Understand that opportunity or competitive risk may be bigger than cyber risk

– Learn about new technologies and their potential impact
– Avoid just saying “no” or becoming a roadblock that slows growth and progress
– Enable safely adopting new technologies and processes


Questions?


Rob Clyde, CISM, NACD Board Leadership Fellow
Vice-Chair, ISACA International
Executive Chair, Board of Directors, White Cloud Security
Managing Director, Clyde Consulting LLC
Executive Advisor to BullGuard and HyTrust


Email: [email protected] Site: www.isaca.org