BOARD DIRECTOR CONCERNS ABOUT CYBER AND TECHNOLOGY RISK
21 September 2017
Rob Clyde, CISM, NACD Board Leadership Fellow
Managing Director, Clyde Consulting LLC
Vice-Chair, ISACA
Executive Chair, White Cloud Security
Executive Advisor to BullGuard and HyTrust
Functions Most Likely to Be Affected by a Public Breach
Source: Cisco 2017 Annual Cyber Security Report
% of Companies Experiencing Customer Loss Due to A Breach
Source: Cisco 2017 Security Capabilities Benchmark Study
FTC Opens Probe into Equifax Data Breach
Apache Struts flaw was known to be critical and should have been addressed, security researchers say.
The US Federal Trade Commission (FTC) has launched a formal investigation into the massive data breach of Equifax, which yesterday confirmed its failure to address a previously disclosed Apache Struts vulnerability that was exploited in the attack.
Meanwhile, Equifax share prices continued to plummet this week - now 35% lower than before the breach - in an ominous sign of the breach's potential financial devastation to the credit-monitoring firm.
9/14/2017
Equifax Reports Data Breach Possibly Affecting 143 Million U.S. Consumers
Social Security numbers, birth dates, addresses and driver’s license numbers exposed
By AnnaMaria Andriotis and Ezequiel Minaya
Updated Sept. 8, 2017 9:48 a.m. ET
Equifax Data Breach
NACD Cyber-Risk Oversight Handbook for Board Directors
Five key principles for Board Directors:
1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
Where Has the Board Allocated Most Tasks Related to Cyber Risk?
Source: NACD 2016-2017 Public Company Governance Survey
Cyber Risk Oversights Board Practices Performed In Last 12 Months
Source: NACD 2016-2017 Public Company Governance Survey
Which Members of Management Report to The Board About State of Cybersecurity
Source: NACD 2016-2017 Public Company Governance Survey
Guidelines for Talking to the Board
• Give summary of good and bad news right up front (don’t hold the punchline)
• Be clear and concise both in your discussion and the advance materials for board packet
• Be transparent and honest. Don’t give unfounded assurances
• If you don’t know something, say so and promise to get back to them
• Avoid low level tech speak and acronyms
• Use analogies to aid understanding for non-cyber experts
• Articulate business impact, risk, mitigations and plans
• Clearly identify anything that requires board action or consideration
• Do not surprise your CEO – brief CEO in advance
Advice in Preparing for Presenting to the Board
• Understand what the board wants to hear from you and what defines success
• What is the big goal of your presentation?
• What is the takeaway you want board members to have (feel, say, do afterwards)
• When preparing metrics, you should answer key questions:
– Are we getting better or worse? Trends
– Are we in good or bad shape compared to our goals and/or industry benchmarks?
• Describe regulatory or IT audit concerns, risks, and mitigations
• Less is more: what should you leave out?
• Know your subject and recent big industry and cyber-related news
• Practice with CEO or other executive and ask them for likely board questions
• If possible, get to know board members at social events or dinner before board meeting
Cyber Risk Heat Map Example (Retail Industry)
Source: NACD Cyber-Risk Oversight Director’s Handbook
Source: NACD Cyber-Risk Oversight Director’s Handbook
Example: Executive Risk Summary Dashboard (Financial Services Industry)
Example: CIS 20 Critical Security Controls Coverage Report to Board
Source: “Briefing the Board: Lessons Learned from CISOs and Directors”, RSA 2017, John Pescatore, Alan Paller; Center for Internet Security
Example: Validated metrics of software security
Source: “Briefing the Board: Lessons Learned from CISOs and Directors”, RSA 2017, John Pescatore, Alan Paller
Other Possible Board Level Metrics
• Mean-time to detect an incident
• Mean-time to respond to an incident
• Key 3 to 5 vulnerability metrics summarized over monthly or quarterly time periods
• Training and certification metrics (also show goals and trends)
– % security staff trained, % certified (CISM, CSX, CISSP, etc.)
– % IT security staff trained, % certified (CSX Fundamentals, etc.)
– % IT Audit staff trained, % certified (CISA)
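As an added illustration (not part of the presentation), the detection and response metrics above, together with the "better or worse vs. goal" framing from the preparation slide, can be produced from an incident log per quarter; the incident records and the goal values below are constructed for the example.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident log: (compromise began, detected, contained).
INCIDENTS = [
    ("2017-01-03 09:00", "2017-01-20 14:00", "2017-01-22 10:00"),
    ("2017-02-11 02:00", "2017-02-25 08:00", "2017-02-27 12:00"),
    ("2017-03-15 11:00", "2017-03-18 09:00", "2017-03-19 09:00"),
    ("2017-04-02 10:00", "2017-04-09 16:00", "2017-04-11 08:00"),
    ("2017-05-20 07:00", "2017-05-23 07:00", "2017-05-23 19:00"),
    ("2017-06-09 13:00", "2017-06-11 13:00", "2017-06-12 01:00"),
]

# Assumed board-level targets, in hours (illustrative values, not benchmarks).
GOALS = {"mttd_hours": 240.0, "mttr_hours": 48.0}

def _parse(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def quarter_of(ts):
    """Label a timestamp by calendar quarter, e.g. '2017-Q1'."""
    return f"{ts.year}-Q{(ts.month - 1) // 3 + 1}"

def summarize(incidents=INCIDENTS):
    """Per quarter (by detection date): incident count, MTTD and MTTR in hours."""
    buckets = {}
    for occurred, detected, contained in incidents:
        t0, t1, t2 = map(_parse, (occurred, detected, contained))
        # Time to detect runs from compromise; time to respond from detection.
        b = buckets.setdefault(quarter_of(t1), {"detect": [], "respond": []})
        b["detect"].append((t1 - t0).total_seconds() / 3600)
        b["respond"].append((t2 - t1).total_seconds() / 3600)
    return {q: {"count": len(b["detect"]),
                "mttd_hours": round(mean(b["detect"]), 1),
                "mttr_hours": round(mean(b["respond"]), 1)}
            for q, b in sorted(buckets.items())}

def board_view(summary, goals=GOALS):
    """One line per quarter: each metric vs. goal, and trend vs. prior quarter."""
    lines, prev = [], None
    for q, m in summary.items():
        parts = [q, f"incidents={m['count']}"]
        for key in ("mttd_hours", "mttr_hours"):
            status = "meets goal" if m[key] <= goals[key] else "misses goal"
            trend = "" if prev is None else (" improving" if m[key] < prev[key] else " worsening")
            parts.append(f"{key}={m[key]} ({status}{trend})")
        lines.append("  ".join(parts))
        prev = m
    return lines
```

Bucketing by detection date keeps an incident in the quarter in which the organization learned of it, which is the number the board will have heard about.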
Should The Board Authorize Paying Ransoms?
• What is your policy for paying a Ransom if your data or systems are held hostage by Ransomware?
• Who should authorize such a policy? Board? Board delegates this to management?
• Policy could indicate if and under what conditions a ransom might be paid and who should authorize it
• What are the ethical, reputational, and regulatory issues?
NACD Handbook on Basic Cybersecurity Controls
Four basic cybersecurity controls effective in preventing 85% of cyber intrusions
1. Restricting user installation of applications (“whitelisting”)
2. Ensuring that operating system is pushed current updates
3. Ensuring software apps are regularly updated
4. Restricting administrative privileges
Source: NACD Cyber-Risk Oversight Director’s Handbook
App Control recommended as #1 Mitigation strategy
Impact of Technologies
• Board may not be aware of opportunity and risk for new technologies
• Don’t just focus on security risk
• Opportunity and competitive risk of not adopting new technology may be even more significant
• Discuss how to mitigate security risks and safely adopt new technologies
Let’s explore some technologies and how we might discuss the opportunities and risks at the board level….
Internet of Things
Artificial Intelligence
Quantum Computing
Internet of Things (or sensors or everything)
Source: BullGuard 2016 IoT Survey
www.bullguard.com/blog/2016/03/the-internet-of-things-consummer-security-and-privacy-concerns.html
Gartner predicts 26 Billion IoT Devices by 2020
8 Billion IoT Devices Today
Smart TVs as Spies?
• Keep track of what is watched?
• Listen to conversations in room?
• WikiLeaks claims CIA “Weeping Angel” covertly does this
• Video the room?
Vizio to pay $2.2M for collecting and selling customer data
“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”—Samsung
Connected Cars Are at Risk
Fiat Chrysler has issued a safety recall affecting 1.4m vehicles in the US, after security researchers showed that one of its cars could be hacked.
On Tuesday, tech magazine Wired reported that hackers had taken control of a Jeep Cherokee via its internet-connected entertainment system.
FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras
Device-maker’s alleged failures to reasonably secure software created malware risks and other vulnerabilities
FOR RELEASE January 5, 2017
The Federal Trade Commission filed a complaint against Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary, alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk.
IoT data as evidence?
• Fitness devices indicate you are asleep and level of activity
• Smart thermostat detects when you leave home
• Smart home security detects when doors are unlocked and relocked
• Automotive telemetry used to detect when, where and how fast you drove
• Smart autos may record conversations in car
• Alexa and similar devices hear conversations
What are AI and Machine learning?
Source: Symantec, RSA 2017, “Combatting Advanced Cybersecurity Threats with AI and Machine Learning”
Example
AI: A self-driving car
Machine Learning: Pedestrian Detection
Source: Symantec, RSA 2017, “Combatting Advanced Cybersecurity Threats with AI and Machine Learning”, ISACA 2016 State of Cybersecurity Survey
62% of IT and Cybersecurity professionals think AI will increase security risk
U.S. NIST Post-Quantum Crypto project
At risk from Quantum attack:
• Public key
• Block chain
• Digital signature creation and validation
Project to develop quantum-resistant cryptography
Also see:
• https://openquantumsafe.org
http://csrc.nist.gov/groups/ST/post-quantum-crypto/
Conclusion
• Realize that most boards:
– are very concerned about cybersecurity
– are not very confident about their organization’s cyber risk
• Make sure you understand the business
• Learn how to talk about cyber risks and security at board level
• Understand that opportunity of competitive risk may be bigger than cyber risk
– Learn about new technologies and their potential impact
– Avoid just saying “no” or becoming a roadblock that slows growth and progress
– Enable safely adopting new technologies and processes
Rob Clyde, CISM, NACD Board Leadership Fellow
Vice-Chair, ISACA International
Executive Chair, Board of Directors, White Cloud Security
Managing Director, Clyde Consulting LLC
Executive Advisor to BullGuard and HyTrust
Email: [email protected] Site: www.isaca.org