SlideShare une entreprise Scribd logo

Cybersecurity in the Boardroom

Marko Suswanto
Marko Suswanto

A Briefing Guide for C-Level Executives to Threats, Tactics, and Strategies.

Technologie
1  sur  17
Télécharger pour lire hors ligne
Technology Risk E-Book Audit | Tax | Advisory | Risk | Performance Cybersecurity in the Boardroom A Briefing Guide for C-Level Executives to Threats, Tactics, and Strategies nn Six Critical Questions to Assess Cybersecurity Readiness nn Ten Principles of Corporate Governance for Management and the Board nn Five Steps to Establish and Maintain a Cybersecurity Road Map nn Plus: Seven Crowe Insights to Share on LinkedIn
Cybersecurity in the Boardroom 2www.crowehorwath.com Boards of directors have extremely limited capacity for taking on new areas of oversight. Given that constraint, it is noteworthy that cybersecurity has escalated to a board-level concern and could become one of the decade’s major corporate governance trends. Company executives and top management used to be responsible for meeting the ongoing strategic challenges in their industries. For example, being an oil executive was sufficient experience for running an oil company, being a retail executive was sufficient for running a retail firm, and so on. The demands on management have changed with the times. The digital age has brought about a convergence such that no matter the industry, executives now struggle with a set of common concerns related to technology strategy and information security. Across widespread, globalized supply chains, organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent. This digital convergence opens profitable opportunities and markets but brings with it additional risks and exposures. CEOs and other high-level executives need a starting point for understanding and responding to growing board-level concerns about cybersecurity. To help with this objective, Crowe Horwath LLP examines why the subject has escalated to the board level and how executives should guide their board members in thinking about cybersecurity issues. Introduction Cybersecurity has escalated to a board-level concern and could become one of the decade’s major corporate governance trends. Crowe Insight Organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent – opening up profitable opportunities but also additional risks and exposures.
Cybersecurity in the Boardroom 3www.crowehorwath.com Cybersecurity Readiness: Is Your Organization Prepared? According to The Institute of Internal Auditors Research Foundation (IIARF), the critical questions to consider when assessing the cybersecurity readiness of a board of directors are1 : nn Does the organization use a security framework? nn What are the top five risks the organization has related to cybersecurity? nn How are employees made aware of their roles related to cybersecurity? nn Are external and internal threats considered when planning cybersecurity program activities? nn How is security governance managed in the organization? nn In the event of a serious breach, does management have a robust response protocol?
Cybersecurity Escalates to the Board Level
Cybersecurity in the Boardroom 5www.crowehorwath.com Executives have become acutely aware of their personal stakes in facilitating adequate cybersecurity by preventing incidents and responding to data breaches in an appropriate manner. Their jobs are on the line. Yet the decades of industry experience that make someone a great leader in his or her industry might not foster the knowledge or relationships needed to respond to a major cybersecurity threat. In addition to the financial damage that ensues, a data breach causes significant exposure to reputational risk. An apt illustration is the recent Sony Entertainment Inc. hack in which executives’ reputations appeared to be among the attack’s principal targets.2 In such a case, with management having to deal with matters of national security, the board’s input and participation become essential. The list of companies beset by data breaches in recent years includes some of the marketplace’s highest- profile brands across a broad spectrum of industries, including The Home Depot Inc.3 and Target Corp.4 in retail; Domino’s Pizza5 and P.F. Chang’s China Bistro Inc.6 in restaurants; JPMorgan Chase & Co.7 in banking; and Adobe Systems Inc.,8 Apple Inc.,9 and eBay Inc.10 in the technology sector. Even being a relatively low-profile organization provides no assurance of safety, as seen by breaches at the Montana Department of Public Health and Human Services,11 Community Health Systems Inc.,12 and Goodwill Industries International Inc.13 In fact, data breaches have become extremely common, with an estimated 43 percent of companies experiencing one in the past year.14 In 2014, just counting those confirmed by media sources or subject to notification through state governmental agencies, there were a record-high 783 data breaches in the U.S.,15 which, due to patchwork reporting regulation and systemic underreporting, understates the problem. Yet not all data breaches are motivated by criminal gain or malicious intent. For most, some sort of glitch or human error is the cause.16 In fact, employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or acting as a contributing factor to a cyberattack.17 Human errors take the forms of misconfiguration, a lack of patching, and “social engineering” in which an Crowe Insight The list of companies beset by data breaches includes some of the marketplace’s highest-profile brands across a broad spectrum of industries, including retail, banking, and the technology sector.
Cybersecurity in the Boardroom 6www.crowehorwath.com attacker convinces an employee to provide sensitive information. These avenues enable attackers to deploy point-of-sale malware, botnets, and viruses; exploit zero-day vulnerabilities; or make use of stolen or out- of-date credentials. A data breach of any type can cause severe financial repercussions. According to IBM Corp.’s eight-factor model, breaches cost an average of $145 per record lost.18 In the event of a breach – especially one that becomes public knowledge – an organization has to handle a diverse, exhausting set of demands from multiple constituencies: nn Technical remediation involving internal IT and external consultants nn Media and public relations – an even more difficult task when coping with a high-profile “branded” attack, such as one that involved the Heartbleed bug nn Liaisons with government officials at the federal, state, and local levels in accordance with differing breach notification and consumer protection statutes nn Customer communications, including outbound messages about notifications and remediation and inbound response teams to handle the volume of status inquiries As such, the responsibility falls on boards of directors to provide an additional layer of external oversight to confirm that their organizational leadership is prepared adequately with incident response plans, evaluated regularly through independent cybersecurity assessments, and guided by cybersecurity road maps designed to address long-term threats. Data breaches cost an average of $145 per record lost.
Assessing Responsibilities for Cybersecurity
Cybersecurity in the Boardroom 8www.crowehorwath.com Crowe Insight Cybersecurity assessments include identifying critical data, mapping data stores, performing a controls risk analysis, rating the maturity of security controls, and building remediation plans. Employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or acting as a contributing factor to a cyberattack. Despite cybersecurity’s immense challenge, the general principles of corporate governance remain intact. In dividing the responsibility, management has full charge for executing the specific steps required to mitigate risk while the board of directors acts largely in an oversight and advisory role. Principal responsibilities for management: 1. Perform a cybersecurity assessment. The Crowe approach, which combines input from the leading industry frameworks with Crowe professionals’ extensive experience, provides a highly practical, comprehensive approach to assessing cybersecurity risks, exposures, and vulnerabilities. Cybersecurity assessments include the following steps: nn Identify critical data. nn Map data stores and flows. nn Perform a controls risk analysis. nn Rate the maturity of security controls. nn Build short- and long-term remediation plans. 2. Perform an ecosystem assessment. Verify that vendors and outsourcing providers also have adequate cybersecurity controls. 3. Facilitate global review. Evaluate data protection laws and breach disclosure requirements in each country or state in which the organization does business. 4. Follow frameworks. Meet the appropriate requirements of the NIST cybersecurity framework, ISO 27001 standards, and industry-specific frameworks and/or standards – for example, PCI for retailers, SEC for public companies and financial regulators. Efforts taken to meet the requirements of multiple security frameworks and/or standards can be rationalized using the Unified Compliance Framework, a tool that includes a regulations database for centralized compliance. 5. Form a mitigation plan. Establish an internal risk management framework supported with adequate staffing and a budget for achieving compliance.
Cybersecurity in the Boardroom 9www.crowehorwath.com Principal responsibilities for the board of directors19 : 1. Revise the agenda. Cybersecurity once was viewed as an IT issue, but given cyberattacks’ present frequency and intensity, the topic now is considered an enterprisewide, operational risk management issue to be monitored closely by the board. 2. Facilitate legal review. Depending on the region and industry, cybersecurity will have varying legal implications pertaining to board responsibilities, and these implications should be reviewed by counsel and monitored for changes. 3. Enhance expertise. The challenge’s technical nature requires boards to have access to cybersecurity expertise, through either the election of specialists in the field or use of external consultants. 4. Set expectations. In addition to or in conjunction with existing goals and responsibilities, management should be monitored, measured, and compensated based on its ability to establish and enforce an enterprisewide risk management framework that can lower the risk of cybersecurity breaches. 5. Maintain frameworks. The adoption of a cybersecurity framework is not a one-time affair; rather, security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources. The board needs to set the parameters of frameworks’ evolution. Crowe Insight Security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources.
The Board of Directors: Achieving Cybersecurity Excellence
Cybersecurity in the Boardroom 11www.crowehorwath.com Crowe Insight Whether a cybersecurity-related incident causes damage or not, it offers a valuable opportunity to evaluate what went wrong and right. In meeting these responsibilities, a board of directors should take steps to provide effective oversight of cybersecurity risk mitigation along with sound advice to executive management. Learn from recent breaches and breach attempts. Every cybersecurity-related incident, whether or not it causes damage, offers a valuable opportunity to evaluate what went wrong and right. nn If the organization has been affected by a breach, ask, “How did we react? What did we tell our customers?” nn If not affected, ask, “What prevented the breach? What would have happened if we had been breached?” Stress test the incident response plan. Similar to a disaster recovery plan, the specifics of an incident response plan have to be carefully planned and tested. nn Board members should understand their personal roles in the response plan and have access to resources to fulfill their responsibilities as outlined in the plan. nn Board members should be aware of the expected reactions to a breach from regulators, law enforcement, customers, and other stakeholders. nn Following an attack on the company or broader industry, the board should convene to review the company’s response.
Cybersecurity in the Boardroom 12www.crowehorwath.com Perform an independent cybersecurity assessment. For a cybersecurity assessment, as with any other type of evaluation, the board of directors should not rely entirely on information from management to assess its own performance. Accordingly, it is essential to receive an independent evaluation of how the organization is meeting the requirements of the various cybersecurity frameworks. An effective, independent cybersecurity assessment will evaluate: nn Qualifications and capabilities of the cybersecurity team nn The state of the organization’s IT and cybergovernance nn Reporting relationships among the CEO, CIO, chief information security officer, chief audit executive, and other relevant executives nn Preventive controls and security awareness training nn Other organizations in the industry or organizations of similar size in other industries Establish and maintain a cybersecurity road map. Much like a technology road map, a cybersecurity road map provides a consensus-driven framework for achieving realistic short- and long- term objectives. A cybersecurity road map not only defines the extent to which an organization intends to protect itself against data breaches but moderates risk tolerances in different areas to employ the optimal alignment of people, processes, and technology. A cybersecurity road map should include the following elements: nn Annual health checks. Establish the capability to review the performance of the cybersecurity response team through interviews and independent data reviews. nn Year-by-year milestones. Set expectations for annual improvements in incident rate, incident response time, employee training hours, and levels of compliance with cybersecurity frameworks. 43% of companies experienced a data breach in the past year.
Cybersecurity in the Boardroom 13www.crowehorwath.com Crowe Insight Perform an independent cybersecurity assessment to determine if the organization is meeting the requirements of the various cybersecurity frameworks. nn Risk tolerances. For each type of risk faced by an organization, identify the risk tolerance – which risks to avoid, which to accept, which to mitigate through an operational response, and which to transfer through insurance. nn Cybersecurity insurance. Insurance’s cost is expected to vary greatly in coming years. Price increases will be affected by the threat level and virulence of attack vectors, with decreases driven by the extent to which technology solutions succeed at improving cybersecurity’s efficacy. Given the attention and investment in the cybersecurity sector, as well as interest in the category by the insurance industry, it’s quite possible or even likely that an organization that currently self-insures against cybersecurity risks will find cybersecurity insurance a much more attractive proposition in the years to come. The board of directors should have a sense of the right price for coverage at the organization and, based on a set of planning assumptions, incorporate those expectations into the road map. nn Long-term remediation plans. The cybersecurity road map and the broader technology road map can converge to rework business processes with the aim of reducing exposure to cybersecurity threats. Given that the human element in the form of employee negligence plays a contributing role in the majority of data breaches, it follows that an approach that supplements human labor with artificial intelligence potentially would reduce the overall risk of operations from a cybersecurity standpoint. These and other long-term considerations should be incorporated into the cybersecurity road map for annual review.
Looking Ahead
Cybersecurity in the Boardroom 15www.crowehorwath.com In the next several years, boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats. Even as technology enables powerful new business models that still are being explored, IT infrastructures remain relatively immature from a cybersecurity perspective. Until the security model catches up with the business model, organizations will be exposed to malicious and criminal actions. Through their cross-industry exposure, high-level perspective, and influence, board members can guide management toward proper cybersecurity planning and mitigation, quickening the process of adaptation to the present threat environment. Given the participation of well-funded adversaries, it’s unlikely the cybersecurity threat ever will go away. But it’s certainly within the grasp of any organization to stop making simple mistakes, improve overall awareness, and establish a solid course toward a safer computing environment that’s ready to do business in the 21st century. Crowe Insight Cross-industry exposure allows board members to guide management toward proper cybersecurity planning and mitigation more quickly. Boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats.
Cybersecurity in the Boardroom 16www.crowehorwath.com 1 Sajay Rai, “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, Aug. 2014, pp. 14-15. 2 “Sony’s hacked e-mails expose spats, director calling Angelina Jolie a ‘brat,’” The Washington Post, Dec. 11, 2014, http://www.washingtonpost.com/business/economy/ sonys-hacked-e-mails-expose-spats-director-calling-angelina-jolie-a-brat/2014/12/10/ a799e8a0-809c-11e4-8882-03cf08410beb_story.html 3 “Home Depot: 56M Cards Impacted, Malware Contained,” Krebs on Security, Sept. 18, 2014, http://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted- malware-contained 4 “Target’s Data Breach Gets Worse: 70 Million Customers Had Info Stolen, Including Names, Emails and Phones,” TechCrunch, Jan. 10, 2014, http://techcrunch. com/2014/01/10/targets-data-breach-gets-worse-70-million-customers-had-info-stolen- including-names-emails-and-phones 5 “The €30k data takeaway: Domino’s Pizza faces ransom demand after hack,” The Guardian, June 16, 2014, http://www.theguardian.com/technology/2014/jun/16/dominos- pizza-ransom-hack-data 6 “Banks: Credit Card Breach at P.F. Chang’s,” Krebs on Security, June 10, 2014, http:// krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs 7 “Neglected Server Provided Entry for JPMorgan Hackers,” The New York Times DealBook, Dec. 22, 2014, http://dealbook.nytimes.com/2014/12/22/entry-point-of- jpmorgan-data-breach-is-identified/?_r=0 8 “Over 150 million breached records from Adobe hack have surfaced online,” The Verge, Nov. 7, 2013, http://www.theverge.com/2013/11/7/5078560/over-150-million-breached- records-from-adobe-hack-surface-online 9 “Apple Developer site hack: Turkish security researcher claims responsibility,” The Guardian, July 22, 2013, http://www.theguardian.com/technology/2013/jul/22/apple- developer-site-hacked 10 “EBay client information stolen in hacking attack,” Reuters, May 21, 2014, http://articles. chicagotribune.com/2014-05-21/business/chi-ebay-passwords-20140521_1_ebay-shares- ebay-users-u-s-company 11 “Montana Health Department Hacked,” InformationWeek, June 25, 2014, http://www. informationweek.com/healthcare/security-and-privacy/montana-health-department- hacked/d/d-id/1278872 12 Community Health says data stolen in cyber attack from China,” Reuters, Aug. 18, 2014, http://www.reuters.com/article/2014/08/18/us-community-health-cybersecurity- idUSKBN0GI16N20140818 13 “Breach at Goodwill Vendor Lasted 18 Months,” Krebs on Security, Sept. 16, 2014, http://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months 14 “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197 15 “Identity Theft Resource Center Breach Report Hits Record High in 2014,” Identity Theft Resource Center, Jan. 12, 2015. http://www.idtheftcenter.org/ITRC-Surveys- Studies/2014databreaches.html 16 “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_ Data_Breach_Study.pdf 17 “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197 18 “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_ Data_Breach_Study.pdf 19 Based on principles established by the National Association of Corporate Directors, as listed in “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, http://www. theiia.org/bookstore/product/cyber-security-what-the-board-of-directors-needs-to-ask- download-pdf-1852.cfm Sources
www.crowehorwath.com Crowe Horwath LLP (www.crowehorwath.com) is one of the largest public accounting and consulting firms in the United States. Under its core purpose of “Building Value with Values® ,” Crowe uses its deep industry expertise to provide audit services to public and private entities while also helping clients reach their goals with tax, advisory, risk and performance services. Crowe and its subsidiaries have offices coast to coast with more than 3,000 personnel. The firm is recognized by many organizations as one of the country’s best places to work. Crowe serves clients worldwide as an independent member of Crowe Horwath International, one of the largest global accounting networks in the world, consisting of more than 150 independent accounting and advisory services firms in more than 100 countries around the world. Crowe Horwath LLP, The Unique Alternative® Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2015 Crowe Horwath LLP RISK15376 Contact Information For more information, contact Raj Chaudhary at 312.899.7008 or raj.chaudhary@crowehorwath.com.

Recommandé

Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesKrist Davood - Principal - CIO
 
Board and Cyber Security
Board and Cyber SecurityBoard and Cyber Security
Board and Cyber SecurityLeon Fouche
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)MetroStar
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligenceseadeloitte
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security programWilliam Godwin
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDPranav Shah
 

Recommandé

Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesKrist Davood - Principal - CIO
 
Board and Cyber Security
Board and Cyber SecurityBoard and Cyber Security
Board and Cyber SecurityLeon Fouche
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)MetroStar
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligenceseadeloitte
 
Business case for information security program
Business case for information security programBusiness case for information security program
Business case for information security programWilliam Godwin
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDPranav Shah
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxDinesh582831
 
Cybersecurity Employee Training
Cybersecurity Employee TrainingCybersecurity Employee Training
Cybersecurity Employee TrainingPaige Rasid
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centersBrencil Kaimba
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingWilliam Mann
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
Threat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainSuwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident ResponsePECB
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Employee Security Training[1]@
Employee Security Training[1]@Employee Security Training[1]@
Employee Security Training[1]@R_Yanus
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Compare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework TypesCompare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework TypesLearningwithRayYT
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementMaganathin Veeraragaloo
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDonald Tabone
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 Erick Kish, U.S. Commercial Service
 
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015Phil Agcaoili
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boardsPaul McGillicuddy
 

Contenu connexe

Tendances

Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxDinesh582831
 
Cybersecurity Employee Training
Cybersecurity Employee TrainingCybersecurity Employee Training
Cybersecurity Employee TrainingPaige Rasid
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centersBrencil Kaimba
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingWilliam Mann
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident ResponsePECB
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Employee Security Training[1]@
Employee Security Training[1]@Employee Security Training[1]@
Employee Security Training[1]@R_Yanus
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Compare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework TypesCompare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework TypesLearningwithRayYT
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDonald Tabone
 

Tendances (20)

Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptx
 
Cybersecurity Employee Training
Cybersecurity Employee TrainingCybersecurity Employee Training
Cybersecurity Employee Training
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
Threat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill Chain
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLC
 
Employee Security Training[1]@
Employee Security Training[1]@Employee Security Training[1]@
Employee Security Training[1]@
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Compare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework TypesCompare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework Types
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
 

En vedette

Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015Phil Agcaoili
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boardsPaul McGillicuddy
 
Cybersecurity
CybersecurityCybersecurity
CybersecurityBen Liu
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber SecurityFireEye, Inc.
 
Information security governance
Information security governanceInformation security governance
Information security governanceKoen Maris
 
Cybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsCybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsPaul Feldman
 
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Shawn Tuma
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomIBM Security
 
Sans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business MissionSans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business MissionTripwire
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
 
Bob West - Educating the Board of Directors
Bob West - Educating the Board of DirectorsBob West - Educating the Board of Directors
Bob West - Educating the Board of Directorscentralohioissa
 
Cybersecurity and The Board
Cybersecurity and The BoardCybersecurity and The Board
Cybersecurity and The BoardPaul Melson
 
Cybersecurity Law and Risk Management
Cybersecurity Law and Risk ManagementCybersecurity Law and Risk Management
Cybersecurity Law and Risk ManagementKeelan Stewart
 
Cybersecurity Risk Management for Financial Institutions
Cybersecurity Risk Management for Financial InstitutionsCybersecurity Risk Management for Financial Institutions
Cybersecurity Risk Management for Financial InstitutionsSarah Cirelli
 
CyberSecurity Vision: 2017-2027 & Beyond!
CyberSecurity Vision: 2017-2027 & Beyond!CyberSecurity Vision: 2017-2027 & Beyond!
CyberSecurity Vision: 2017-2027 & Beyond!Dr David Probert
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecuritysommerville-videos
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentationBijay Bhandari
 

En vedette (20)

Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
 
7 cyber security questions for boards
7 cyber security questions for boards7 cyber security questions for boards
7 cyber security questions for boards
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber Security
 
Information security governance
Information security governanceInformation security governance
Information security governance
 
Cybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsCybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of Directors
 
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
 
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the BoardroomSecuring the C-Suite: Cybersecurity Perspectives from the Boardroom
Securing the C-Suite: Cybersecurity Perspectives from the Boardroom
 
Sans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business MissionSans 20 CSC: Connecting Security to the Business Mission
Sans 20 CSC: Connecting Security to the Business Mission
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
Bob West - Educating the Board of Directors
Bob West - Educating the Board of DirectorsBob West - Educating the Board of Directors
Bob West - Educating the Board of Directors
 
Cybersecurity and The Board
Cybersecurity and The BoardCybersecurity and The Board
Cybersecurity and The Board
 
Cybersecurity Law and Risk Management
Cybersecurity Law and Risk ManagementCybersecurity Law and Risk Management
Cybersecurity Law and Risk Management
 
Cybersecurity Risk Management for Financial Institutions
Cybersecurity Risk Management for Financial InstitutionsCybersecurity Risk Management for Financial Institutions
Cybersecurity Risk Management for Financial Institutions
 
CyberSecurity Vision: 2017-2027 & Beyond!
CyberSecurity Vision: 2017-2027 & Beyond!CyberSecurity Vision: 2017-2027 & Beyond!
CyberSecurity Vision: 2017-2027 & Beyond!
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurity
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentation
 
Bridging the Cybersecurity Gap
Bridging the Cybersecurity GapBridging the Cybersecurity Gap
Bridging the Cybersecurity Gap
 
What every executive needs to know about information technology security
What every executive needs to know about information technology securityWhat every executive needs to know about information technology security
What every executive needs to know about information technology security
 
comesa cybersecurity
comesa cybersecuritycomesa cybersecurity
comesa cybersecurity
 

Similaire à Cybersecurity in the Boardroom

A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmDavid Sweigert
 
Module 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfModule 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfHumphrey Humphrey
 
For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10David X Martin
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Kim Jensen
 
StateOfSecOps - Final - Published
StateOfSecOps - Final - PublishedStateOfSecOps - Final - Published
StateOfSecOps - Final - PublishedJames Blake
 
Hp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaperHp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaperrickkaun
 
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...TraintechTde
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...balejandre
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The Economist Media Businesses
 
Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...Livingstone Advisory
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen Hamilton
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
 
State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016Tim Grieveson
 
How to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
How to Connect Your Server Room to the Board Room – Before a Data Breach OccursHow to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
How to Connect Your Server Room to the Board Room – Before a Data Breach OccursSurfWatch Labs
 
Training Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfTraining Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfdotco
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991Jim Romeo
 
The Science and Art of Cyber Incident Response (with Case Studies)
The Science and Art of Cyber Incident Response (with Case Studies)The Science and Art of Cyber Incident Response (with Case Studies)
The Science and Art of Cyber Incident Response (with Case Studies)Kroll
 

Similaire à Cybersecurity in the Boardroom (20)

A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firm
 
Module 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfModule 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdf
 
For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
 
StateOfSecOps - Final - Published
StateOfSecOps - Final - PublishedStateOfSecOps - Final - Published
StateOfSecOps - Final - Published
 
Hp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaperHp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaper
 
Websense
WebsenseWebsense
Websense
 
Cyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsCyber Risks - Maligec and Eskins
Cyber Risks - Maligec and Eskins
 
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
 
Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of Directors
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...
 
State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016
 
How to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
How to Connect Your Server Room to the Board Room – Before a Data Breach OccursHow to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
How to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
 
Training Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfTraining Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdf
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991
 
The Science and Art of Cyber Incident Response (with Case Studies)
The Science and Art of Cyber Incident Response (with Case Studies)The Science and Art of Cyber Incident Response (with Case Studies)
The Science and Art of Cyber Incident Response (with Case Studies)
 

Dernier

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Dernier (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

Cybersecurity in the Boardroom

  • 1. Technology Risk E-Book Audit | Tax | Advisory | Risk | Performance Cybersecurity in the Boardroom A Briefing Guide for C-Level Executives to Threats, Tactics, and Strategies nn Six Critical Questions to Assess Cybersecurity Readiness nn Ten Principles of Corporate Governance for Management and the Board nn Five Steps to Establish and Maintain a Cybersecurity Road Map nn Plus: Seven Crowe Insights to Share on LinkedIn
  • 2. Cybersecurity in the Boardroom 2www.crowehorwath.com Boards of directors have extremely limited capacity for taking on new areas of oversight. Given that constraint, it is noteworthy that cybersecurity has escalated to a board-level concern and could become one of the decade’s major corporate governance trends. Company executives and top management used to be responsible for meeting the ongoing strategic challenges in their industries. For example, being an oil executive was sufficient experience for running an oil company, being a retail executive was sufficient for running a retail firm, and so on. The demands on management have changed with the times. The digital age has brought about a convergence such that no matter the industry, executives now struggle with a set of common concerns related to technology strategy and information security. Across widespread, globalized supply chains, organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent. This digital convergence opens profitable opportunities and markets but brings with it additional risks and exposures. CEOs and other high-level executives need a starting point for understanding and responding to growing board-level concerns about cybersecurity. To help with this objective, Crowe Horwath LLP examines why the subject has escalated to the board level and how executives should guide their board members in thinking about cybersecurity issues. Introduction Cybersecurity has escalated to a board-level concern and could become one of the decade’s major corporate governance trends. Crowe Insight Organizations are diversifying beyond property, plant, and equipment to acquire assets consisting of information, algorithms, and talent – opening up profitable opportunities but also additional risks and exposures.
  • 3. Cybersecurity in the Boardroom 3www.crowehorwath.com Cybersecurity Readiness: Is Your Organization Prepared? According to The Institute of Internal Auditors Research Foundation (IIARF), the critical questions to consider when assessing the cybersecurity readiness of a board of directors are1 : nn Does the organization use a security framework? nn What are the top five risks the organization has related to cybersecurity? nn How are employees made aware of their roles related to cybersecurity? nn Are external and internal threats considered when planning cybersecurity program activities? nn How is security governance managed in the organization? nn In the event of a serious breach, does management have a robust response protocol?
  • 4. Cybersecurity Escalates to the Board Level
  • 5. Cybersecurity in the Boardroom 5www.crowehorwath.com Executives have become acutely aware of their personal stakes in facilitating adequate cybersecurity by preventing incidents and responding to data breaches in an appropriate manner. Their jobs are on the line. Yet the decades of industry experience that make someone a great leader in his or her industry might not foster the knowledge or relationships needed to respond to a major cybersecurity threat. In addition to the financial damage that ensues, a data breach causes significant exposure to reputational risk. An apt illustration is the recent Sony Entertainment Inc. hack in which executives’ reputations appeared to be among the attack’s principal targets.2 In such a case, with management having to deal with matters of national security, the board’s input and participation become essential. The list of companies beset by data breaches in recent years includes some of the marketplace’s highest- profile brands across a broad spectrum of industries, including The Home Depot Inc.3 and Target Corp.4 in retail; Domino’s Pizza5 and P.F. Chang’s China Bistro Inc.6 in restaurants; JPMorgan Chase & Co.7 in banking; and Adobe Systems Inc.,8 Apple Inc.,9 and eBay Inc.10 in the technology sector. Even being a relatively low-profile organization provides no assurance of safety, as seen by breaches at the Montana Department of Public Health and Human Services,11 Community Health Systems Inc.,12 and Goodwill Industries International Inc.13 In fact, data breaches have become extremely common, with an estimated 43 percent of companies experiencing one in the past year.14 In 2014, just counting those confirmed by media sources or subject to notification through state governmental agencies, there were a record-high 783 data breaches in the U.S.,15 which, due to patchwork reporting regulation and systemic underreporting, understates the problem. Yet not all data breaches are motivated by criminal gain or malicious intent. For most, some sort of glitch or human error is the cause.16 In fact, employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or acting as a contributing factor to a cyberattack.17 Human errors take the forms of misconfiguration, a lack of patching, and “social engineering” in which an Crowe Insight The list of companies beset by data breaches includes some of the marketplace’s highest-profile brands across a broad spectrum of industries, including retail, banking, and the technology sector.
  • 6. Cybersecurity in the Boardroom 6www.crowehorwath.com attacker convinces an employee to provide sensitive information. These avenues enable attackers to deploy point-of-sale malware, botnets, and viruses; exploit zero-day vulnerabilities; or make use of stolen or out- of-date credentials. A data breach of any type can cause severe financial repercussions. According to IBM Corp.’s eight-factor model, breaches cost an average of $145 per record lost.18 In the event of a breach – especially one that becomes public knowledge – an organization has to handle a diverse, exhausting set of demands from multiple constituencies: nn Technical remediation involving internal IT and external consultants nn Media and public relations – an even more difficult task when coping with a high-profile “branded” attack, such as one that involved the Heartbleed bug nn Liaisons with government officials at the federal, state, and local levels in accordance with differing breach notification and consumer protection statutes nn Customer communications, including outbound messages about notifications and remediation and inbound response teams to handle the volume of status inquiries As such, the responsibility falls on boards of directors to provide an additional layer of external oversight to confirm that their organizational leadership is prepared adequately with incident response plans, evaluated regularly through independent cybersecurity assessments, and guided by cybersecurity road maps designed to address long-term threats. Data breaches cost an average of $145 per record lost.
  • 8. Cybersecurity in the Boardroom 8www.crowehorwath.com Crowe Insight Cybersecurity assessments include identifying critical data, mapping data stores, performing a controls risk analysis, rating the maturity of security controls, and building remediation plans. Employee negligence plays a role in more than 80 percent of breaches, whether as the sole cause or acting as a contributing factor to a cyberattack. Despite cybersecurity’s immense challenge, the general principles of corporate governance remain intact. In dividing the responsibility, management has full charge for executing the specific steps required to mitigate risk while the board of directors acts largely in an oversight and advisory role. Principal responsibilities for management: 1. Perform a cybersecurity assessment. The Crowe approach, which combines input from the leading industry frameworks with Crowe professionals’ extensive experience, provides a highly practical, comprehensive approach to assessing cybersecurity risks, exposures, and vulnerabilities. Cybersecurity assessments include the following steps: nn Identify critical data. nn Map data stores and flows. nn Perform a controls risk analysis. nn Rate the maturity of security controls. nn Build short- and long-term remediation plans. 2. Perform an ecosystem assessment. Verify that vendors and outsourcing providers also have adequate cybersecurity controls. 3. Facilitate global review. Evaluate data protection laws and breach disclosure requirements in each country or state in which the organization does business. 4. Follow frameworks. Meet the appropriate requirements of the NIST cybersecurity framework, ISO 27001 standards, and industry-specific frameworks and/or standards – for example, PCI for retailers, SEC for public companies and financial regulators. Efforts taken to meet the requirements of multiple security frameworks and/or standards can be rationalized using the Unified Compliance Framework, a tool that includes a regulations database for centralized compliance. 5. Form a mitigation plan. Establish an internal risk management framework supported with adequate staffing and a budget for achieving compliance.
  • 9. Cybersecurity in the Boardroom 9www.crowehorwath.com Principal responsibilities for the board of directors19 : 1. Revise the agenda. Cybersecurity once was viewed as an IT issue, but given cyberattacks’ present frequency and intensity, the topic now is considered an enterprisewide, operational risk management issue to be monitored closely by the board. 2. Facilitate legal review. Depending on the region and industry, cybersecurity will have varying legal implications pertaining to board responsibilities, and these implications should be reviewed by counsel and monitored for changes. 3. Enhance expertise. The challenge’s technical nature requires boards to have access to cybersecurity expertise, through either the election of specialists in the field or use of external consultants. 4. Set expectations. In addition to or in conjunction with existing goals and responsibilities, management should be monitored, measured, and compensated based on its ability to establish and enforce an enterprisewide risk management framework that can lower the risk of cybersecurity breaches. 5. Maintain frameworks. The adoption of a cybersecurity framework is not a one-time affair; rather, security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources. The board needs to set the parameters of frameworks’ evolution. Crowe Insight Security frameworks are meant to evolve based on threat levels, risk appetites, industry profiles, and available capabilities in terms of technical, financial, and organizational resources.
  • 10. The Board of Directors: Achieving Cybersecurity Excellence
  • 11. Cybersecurity in the Boardroom 11www.crowehorwath.com Crowe Insight Whether a cybersecurity-related incident causes damage or not, it offers a valuable opportunity to evaluate what went wrong and right. In meeting these responsibilities, a board of directors should take steps to provide effective oversight of cybersecurity risk mitigation along with sound advice to executive management. Learn from recent breaches and breach attempts. Every cybersecurity-related incident, whether or not it causes damage, offers a valuable opportunity to evaluate what went wrong and right. nn If the organization has been affected by a breach, ask, “How did we react? What did we tell our customers?” nn If not affected, ask, “What prevented the breach? What would have happened if we had been breached?” Stress test the incident response plan. Similar to a disaster recovery plan, the specifics of an incident response plan have to be carefully planned and tested. nn Board members should understand their personal roles in the response plan and have access to resources to fulfill their responsibilities as outlined in the plan. nn Board members should be aware of the expected reactions to a breach from regulators, law enforcement, customers, and other stakeholders. nn Following an attack on the company or broader industry, the board should convene to review the company’s response.
  • 12. Cybersecurity in the Boardroom 12www.crowehorwath.com Perform an independent cybersecurity assessment. For a cybersecurity assessment, as with any other type of evaluation, the board of directors should not rely entirely on information from management to assess its own performance. Accordingly, it is essential to receive an independent evaluation of how the organization is meeting the requirements of the various cybersecurity frameworks. An effective, independent cybersecurity assessment will evaluate: nn Qualifications and capabilities of the cybersecurity team nn The state of the organization’s IT and cybergovernance nn Reporting relationships among the CEO, CIO, chief information security officer, chief audit executive, and other relevant executives nn Preventive controls and security awareness training nn Other organizations in the industry or organizations of similar size in other industries Establish and maintain a cybersecurity road map. Much like a technology road map, a cybersecurity road map provides a consensus-driven framework for achieving realistic short- and long- term objectives. A cybersecurity road map not only defines the extent to which an organization intends to protect itself against data breaches but moderates risk tolerances in different areas to employ the optimal alignment of people, processes, and technology. A cybersecurity road map should include the following elements: nn Annual health checks. Establish the capability to review the performance of the cybersecurity response team through interviews and independent data reviews. nn Year-by-year milestones. Set expectations for annual improvements in incident rate, incident response time, employee training hours, and levels of compliance with cybersecurity frameworks. 43% of companies experienced a data breach in the past year.
  • 13. Cybersecurity in the Boardroom 13www.crowehorwath.com Crowe Insight Perform an independent cybersecurity assessment to determine if the organization is meeting the requirements of the various cybersecurity frameworks. nn Risk tolerances. For each type of risk faced by an organization, identify the risk tolerance – which risks to avoid, which to accept, which to mitigate through an operational response, and which to transfer through insurance. nn Cybersecurity insurance. Insurance’s cost is expected to vary greatly in coming years. Price increases will be affected by the threat level and virulence of attack vectors, with decreases driven by the extent to which technology solutions succeed at improving cybersecurity’s efficacy. Given the attention and investment in the cybersecurity sector, as well as interest in the category by the insurance industry, it’s quite possible or even likely that an organization that currently self-insures against cybersecurity risks will find cybersecurity insurance a much more attractive proposition in the years to come. The board of directors should have a sense of the right price for coverage at the organization and, based on a set of planning assumptions, incorporate those expectations into the road map. nn Long-term remediation plans. The cybersecurity road map and the broader technology road map can converge to rework business processes with the aim of reducing exposure to cybersecurity threats. Given that the human element in the form of employee negligence plays a contributing role in the majority of data breaches, it follows that an approach that supplements human labor with artificial intelligence potentially would reduce the overall risk of operations from a cybersecurity standpoint. These and other long-term considerations should be incorporated into the cybersecurity road map for annual review.
  • 15. Cybersecurity in the Boardroom 15www.crowehorwath.com In the next several years, boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats. Even as technology enables powerful new business models that still are being explored, IT infrastructures remain relatively immature from a cybersecurity perspective. Until the security model catches up with the business model, organizations will be exposed to malicious and criminal actions. Through their cross-industry exposure, high-level perspective, and influence, board members can guide management toward proper cybersecurity planning and mitigation, quickening the process of adaptation to the present threat environment. Given the participation of well-funded adversaries, it’s unlikely the cybersecurity threat ever will go away. But it’s certainly within the grasp of any organization to stop making simple mistakes, improve overall awareness, and establish a solid course toward a safer computing environment that’s ready to do business in the 21st century. Crowe Insight Cross-industry exposure allows board members to guide management toward proper cybersecurity planning and mitigation more quickly. Boards of directors have the opportunity to play an important role in the global economy by guiding organizations through the present phase of challenging cybersecurity threats.
  • 16. Cybersecurity in the Boardroom 16www.crowehorwath.com 1 Sajay Rai, “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, Aug. 2014, pp. 14-15. 2 “Sony’s hacked e-mails expose spats, director calling Angelina Jolie a ‘brat,’” The Washington Post, Dec. 11, 2014, http://www.washingtonpost.com/business/economy/ sonys-hacked-e-mails-expose-spats-director-calling-angelina-jolie-a-brat/2014/12/10/ a799e8a0-809c-11e4-8882-03cf08410beb_story.html 3 “Home Depot: 56M Cards Impacted, Malware Contained,” Krebs on Security, Sept. 18, 2014, http://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted- malware-contained 4 “Target’s Data Breach Gets Worse: 70 Million Customers Had Info Stolen, Including Names, Emails and Phones,” TechCrunch, Jan. 10, 2014, http://techcrunch. com/2014/01/10/targets-data-breach-gets-worse-70-million-customers-had-info-stolen- including-names-emails-and-phones 5 “The €30k data takeaway: Domino’s Pizza faces ransom demand after hack,” The Guardian, June 16, 2014, http://www.theguardian.com/technology/2014/jun/16/dominos- pizza-ransom-hack-data 6 “Banks: Credit Card Breach at P.F. Chang’s,” Krebs on Security, June 10, 2014, http:// krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs 7 “Neglected Server Provided Entry for JPMorgan Hackers,” The New York Times DealBook, Dec. 22, 2014, http://dealbook.nytimes.com/2014/12/22/entry-point-of- jpmorgan-data-breach-is-identified/?_r=0 8 “Over 150 million breached records from Adobe hack have surfaced online,” The Verge, Nov. 7, 2013, http://www.theverge.com/2013/11/7/5078560/over-150-million-breached- records-from-adobe-hack-surface-online 9 “Apple Developer site hack: Turkish security researcher claims responsibility,” The Guardian, July 22, 2013, http://www.theguardian.com/technology/2013/jul/22/apple- developer-site-hacked 10 “EBay client information stolen in hacking attack,” Reuters, May 21, 2014, http://articles. chicagotribune.com/2014-05-21/business/chi-ebay-passwords-20140521_1_ebay-shares- ebay-users-u-s-company 11 “Montana Health Department Hacked,” InformationWeek, June 25, 2014, http://www. informationweek.com/healthcare/security-and-privacy/montana-health-department- hacked/d/d-id/1278872 12 Community Health says data stolen in cyber attack from China,” Reuters, Aug. 18, 2014, http://www.reuters.com/article/2014/08/18/us-community-health-cybersecurity- idUSKBN0GI16N20140818 13 “Breach at Goodwill Vendor Lasted 18 Months,” Krebs on Security, Sept. 16, 2014, http://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months 14 “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197 15 “Identity Theft Resource Center Breach Report Hits Record High in 2014,” Identity Theft Resource Center, Jan. 12, 2015. http://www.idtheftcenter.org/ITRC-Surveys- Studies/2014databreaches.html 16 “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_ Data_Breach_Study.pdf 17 “43% of companies had a data breach in the past year,” USA Today, Sept. 24, 2014, http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197 18 “2014 Cost of Data Breach Study: Global Analysis,” Ponemon Institute LLC, May 2014, http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_ Data_Breach_Study.pdf 19 Based on principles established by the National Association of Corporate Directors, as listed in “Cybersecurity: What the Board of Directors Needs to Ask,” IIARF, http://www. theiia.org/bookstore/product/cyber-security-what-the-board-of-directors-needs-to-ask- download-pdf-1852.cfm Sources
  • 17. www.crowehorwath.com Crowe Horwath LLP (www.crowehorwath.com) is one of the largest public accounting and consulting firms in the United States. Under its core purpose of “Building Value with Values® ,” Crowe uses its deep industry expertise to provide audit services to public and private entities while also helping clients reach their goals with tax, advisory, risk and performance services. Crowe and its subsidiaries have offices coast to coast with more than 3,000 personnel. The firm is recognized by many organizations as one of the country’s best places to work. Crowe serves clients worldwide as an independent member of Crowe Horwath International, one of the largest global accounting networks in the world, consisting of more than 150 independent accounting and advisory services firms in more than 100 countries around the world. Crowe Horwath LLP, The Unique Alternative® Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2015 Crowe Horwath LLP RISK15376 Contact Information For more information, contact Raj Chaudhary at 312.899.7008 or raj.chaudhary@crowehorwath.com.