SlideShare une entreprise Scribd logo

Advanced Cybersecurity Risk Management: How to successfully address your Cyber-threats?

Télécharger en tant que PPTX, PDF
PECB
PECB

Main points covered: • Understanding the inverted economics of cyber security, the incentives for cyber crime and its effect on the growing threat • Inefficiencies with the traditional approaches to cyber risk assessment and why we are not making more progress in enhancing cyber defenses • Resetting roles and responsibilities regarding cyber security within organizations • Developing empirical, cost-effective cyber risk assessments to meet the evolving threat Our presenter for this webinar is Larry Clinton, the president of the Internet Security Alliance (ISA), a multi-sector association focused on Cybersecurity thought leadership, policy advocacy, and best practices. Mr. Clinton advises both industry and governments around the world. He has twice been listed on the Corporate 100 list of the most influential people in corporate governance. He is the author of The Cyber Risk Handbook for Corporate Boards. PWC has found the use of this Handbook improves cyber budgeting, cyber risk management and helps create a culture of security. The Handbook has been published in the US, Germany, the UK and Latin America. He is currently working on a version for the European Conference of Directors Associations as well as versions for Japan and India. Mr. Clinton also leads ISA, public policy work built around their publication “The Cyber Security Social Contract” which the NATO Center of Cyber Excellence in Estonia asked for a briefing on. Recorded Webinar: https://www.youtube.com/watch?v=8qVtoqi37X8

Formation
1  sur  46
1
• Understanding the inverted economics of cyber security and the incentives for cyber crime – how bad are things? (really bad) • Understanding the Inefficiencies of traditional cyber risk assessment and risk management – why we are not making more progress? • Becoming Digitally structured -- Resetting the roles and responsibilities regarding cyber security in the organization • Developing empirical, economics based cyber risk assessment techniques – what you need to be providing to the board What We Will Cover Today 2
Cyber Crime: The numbers • Costs of cyber criminal activity vary between hundreds of billions to a trillion dollars a year or more – between 1-2% Global GDP • One major ISP reports it sees 80 billion malicious scans a day • 300 million new malicious viruses are created every day • There were 4.8 billion records lost due to data breaches in 2016 • There are 4000 Ransomware attacks every day • We spend $200,000 per minute on regulations and audits-- costs projected to go up 2X by 2020 & several hundred times by 2030 3
4 “Cyber criminals are technologically as sophisticated as the most advanced IT companies and like them have moved quickly to adopt AI, cloud, software- as a service (cybercrime-as-a service) and encryption.” Symantec 2018 Cyber Crime Report How Good Are the Bad Guys?
Put Succinctly….. “Cybercrime is relentless, undiminished and unlikely to stop. It’s just too easy, rewarding and the chances of getting caught are far too low. Cyber crime also leads on a risk to payoff rate. It is a low risk crime with high profits. A smart cyber criminal can easily make millions without fear of being caught.” McAfee 2018 Cyber Crime Report 5
What is the Real Problem? • Marcus Aurelius: Of each thing demand to know what is its essence • The essence of the cyber security problem ? • Selfish Companies? • Bad Technology? • Is it the economy? • The essence of the cyber security problem is that we have an inherently insecure system guarding incredibly valuable data 6
Is it the Technology or the Incentives? “We find that misplaced incentives are as important as technical design…security failure is caused as least as often by bad incentives as by bad technological design” Anderson and Moore “The Economics of Information Security” 7
Why Don’t We have Better Tech? • We don’t teach secure coding? – because we don’t want to pay for security. • Personally, we really can’t be bothered (seriously) • Government’s point fingers but they are to blame too? • Maybe technological success has come too fast for us to manage it 8
Digital innovation is profitable … and risky • “Firms are increasingly competing at different points in the value chain to take advantage of unmet customer needs, less efficient structures, high capital usage and attractive returns. These changes can bring enormous benefits including improved customer experience, greater efficiency & new value creators. HOWEVER, tech driven innovations are expanding the amount of cyber risk and enabling more sophisticated attacks.” World Economic Forum Report on Cyber Security 2018 9
Historically, Tech Innovation is good for business – bad for Security • VOIP • Cloud computing • BYOD • International supply chains • You can increase the security of these technologies and practices but it comes at a cost – you are looking for a balance between profitability and security – How do you find it? 10
• Offence: Attacks are cheap • Offence: Attacks are easy to launch • Offence: Profits from attacks are enormous • Offence: GREAT business model (“resell” same service) • Defense: Perimeter to defend is unlimited • Defense: Is compromised – hard to show ROI • Defense: Usually a generation behind the attacker • Defense: Prosecution is difficult and rare Cyber Economic Equation: Incentives Favors Attackers 11
The Systems are hard to defend “The military’s computer networks can be compromised by low to middling skilled attacks. Military systems do not have a sufficiently robust security posture to repel sustained attacks. The development of advanced cyber techniques makes it likely that a determined adversary can acquire a foothold in most DOD systems and be in a position to degrade DOD missions when and if they choose.” Pentagon Annual Report. 12
Digital economics are not obvious “Economists have long known that liability should be assigned to the entity that can manage risk. Yet everywhere we look we see online risk allocated poorly…people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code” Anderson and Moore “Economics of Information Security” 13
Won’t the Market Self-Correct? No. • Target up 40% six months after breach • Sony up 30% six months after breach • Home Depot (65 million accounts)---20% increase • JP Morgan stock price stable at first then up 7 % • Sears (Kmart) initially down 18%-- then up 34% • E-bay initially down 6%, then up 15% • On average after initial dip stocks rebound and are up 7% following incidents. 14
The real cyber challenge is the economics “The challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices, demonstrating the value in implementing them and encouraging individuals and organizations to adopt them.” The Information Systems Audit and Control Association (ISACA)- March 2011 15
We Need to put Cyber Risk in Economic terms to manage it • “Overall, cost was most frequently cited as “the biggest obstacle to ensuring the security of critical networks.” -- PWC • “Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solutions.” -- McAfee • “The number one barrier is the security folks who haven’t been able to communicate the urgency well enough and they haven’t actually been able to persuade the decision makers of the reality of the threat in business terms.” -- CSIS 16
Traditional vs Leading Edge Cyber Risk Management. • Checking boxes --- the more you check the more mature you are and hence the more secure, right? • Which unchecked box do we focus on? • How much risk reduction do we get from checking one box over the other? • What’s the difference between yellow and green? (3 and 4?) … garbage in … garbage out • We need prioritization, cost based, empirical 17
Problems with Traditional Cyber Risk Assessment • People (even “experts”) have different meanings for terms like “likely” “probable” “unlikely” “extremely unlikely” • Things like heat maps imply certainty but can’t tell you: • How much money you will lose ? • How probable the scenario is ? • What is the adequate risk reduction cost ? 18
Problems with Traditional Cyber Risk Assessment – It doesn’t work “There is not a single study indicating that the use of such methods actually reduces risk.” Doug Hubbard How to Measure Anything in Cyber Security 19
Start at the beginning: What is a Risk? • Insiders? • Supply Chain? • Mobile Technology? 20
How much risk is there? A little None A lot 21
A little None A lot How much risk is there? 22
How much risk is there? A little None A lot 23
What Is Risk • Risk is best conceptualized as a quantity. It is a measure of future loss from a given scenario representing how much money an organization might lose from a given scenario over time 24
25
NACD Handbook Approach to Cyber • Guidelines from the NACD advise that Boards should view cyber-risks from an enterprise-wide standpoint and understand the potential legal impacts. They should discuss cybersecurity risks and preparedness with management, and consider cyber threats in the context of the organization’s overall tolerance for risk. -- PWC 2016 Global Information Security Survey 26
Boards are now using the NACD Handbook • Boards appear to be listening to this advice. This year we saw a double-digit uptick in Board participation in most aspects of information security. Deepening Board involvement has improved cybersecurity practices in numerous ways. As more Boards participate in cybersecurity budget discussions, we saw a 24% boost in security spending. -- PWC 2016 Global Information Security Survey 27
NACD Yields Actual Security Improvements • Notable outcomes cited by survey respondents include identification of key risks, fostering an organizational culture of security and better alignment of cybersecurity with overall risk management and business goals. Perhaps more than anything, Board participation opened the lines of communication between the cybersecurity function and top executives and directors -- PWC 2016 Global Information Security Survey 28
Orgs Endorsing Cyber Risk Handbooks Globally • US Department of Homeland Security • US Department of Justice • German Government Cyber Security Divisions (BSI) • Organization of American States • National Association of Corporate Directors • European Confederation of Director Associations • Japanese Federation of Businesses • International Auditing Association 29
NACD Principles • Cyber is not an IT issue • Bds need to understand their unique legal obligations • Bds need to access adequate cyber security expertise • MANAGEMENT needs to provide a cyber security framework (tech and structural) • MANAGEMENT must do risk assessment 30
Economics Discussion between Management and Board • Principle #4 Management needs to provide Board with a Framework for enterprise wide cyber risk • Management be structured for enterprise wide enterprise wide cyber risk assessments (not just IT) • Principle #5 Management must provide board with analysis of risks to avoid, accept, mitigate or transfer via insurance. • Management present the board with an economics based cyber risk assessment tying cyber risk to the business 31
NACD P 4 Having a Framework Hygiene & Cost Effective Hygiene • Basic Models – NIST - ISO - PCIS • Restricting User installation of applications (whitelisting) • Ensuring operational systems is patched with current updates • Ensuring software applications have current updates • Restricting administrative privileges 32
NACD P 4: Having a Management Framework for the Digital Age • Traditional view of board involvement in cyber security • NACD approach • Developing Cyber policy from the top down • Industrial Age structures don’t fit the digital age issues – like cyber • Cyber Security is “just like” legal and finance 33
Principle 4: Knowledge & Skills for Cyber Risk Management • Critical thinking • Understanding of probability • Training in calibrated estimation • Comfort with numbers • Familiarity decision methods • Familiarity with the business • Proper Cyber Risk Management uses a systematic, ideally empirical, enterprise wide risk assessment and management framework 34
Principle 4. Management must provide a Framework 35
ANSI-ISA Program • Recommends an enterprise wide cyber risk team that meets regularly and has its own budget • CFO strategies • HR strategies • Legal/compliance strategies • Operations/technology strategies • Communications strategies • Risk Management/insurance strategies 36
Three Lines of Cyber Defense --- (3LoD) • Line 1 – operates the business, owns the risk designs and implements operations • Line 2 – defines policy statements & defines RM framework. provides a credible challenge to the first line & responsible for evaluating risk exposure for board to determine risk appetite • Line 3 – commonly internal audit responsible for independent evaluation of the first and second lines 37
The first line of defense • Provide through exam—is the business doing enough? (not one size fits all). Each business line defines the cyber risk they face & weave cyber risk and self assessment into fraud, crisis management and resiliency process. • Business lines need to actively monitor existing and future exposures, vuls threats and assess what impact cber risk has on new tech deployment, client relationships, and business strategies 38
The second line of defense • Should be walled off as a separate independent function. Manages enterprise cyber risk appetite and RM framework within overall enterprise risk –challenges the first line. Determines how to appropriately measure cyber risk and integrates into a risk tolerance statement for the firm • Focus of first and second tiers needs to be on effectively managing risk – not regulatory compliance – although can integrate compliance 39
Third Line of defense • Provides independent objective assessment of firms process across lines one and two with focus on operational effectiveness and efficiency. Traditionally I audit relied on frameworks (NIST) but firms will likely need to develop their own to adapt to enhanced threats • IA perform assessments validate tech infrastructure and third party risks, do independent Pen testing and must stay abreast of threat intel 40
Principle 5 Principle in Modern Cyber Risk Management • Focus not on attacks but impacts • Clear terms, better scoping, no bogus math • Place cyber events in quantitative economic terms • Prioritize cyber risk to the business • Do you need to keep spending on this ____? • Are these risks, really risks, or just innovations? • A new – better – direction for Govt. and Industry -- See Hubbard, FAIR, X-Analytics Models 41
Basic Cyber Risk Assessment Economics Methodology • Using best available data make probabilistic assessment of possible scenarios – looking for accuracy not precision • Focus on scenarios that are probable and have enough expected loss to matter • Calculate best case, worst case, most likely case and what degree of loss is acceptable (risk appetite) • Determine investment required to mitigate to an acceptable level • Option: run multiple scenarios (Monte Carlo simulations) 42
Government Industry Collaboration • We are all on the same side • Is blaming the Victims the right strategy? • Calls for Accountability go both ways – we need more than accountability , we need collaboration • Government and Industry – Legitimately --Assess Cyber Risk Differently from an Economic perspective • Traditional Models and Assumptions Wont Work • The History of the Social Contract 43
The Cyber Security Social Contract • Rethink Industry and Government Roles and Responsibilities • Create Market Incentives to rebalance the economic incentives for cyber security • This will take a lot of work, can it be done? 44
ISO/IEC 27032 Training Courses • ISO/IEC 27032 Introduction 1 Day Course • ISO/IEC 27032 Foundation 2 Days Course • ISO/IEC 27032 Lead Cybersecurity Manager 5 Days Course Exam and certification fees are included in the training price. www.pecb.com/en/education-and-certification-for-individuals/iso-iec-27032 www.pecb.com/events
THANK YOU ? lclinton@isalliance.org linkedin.com/in/larry-clinton-20237b4 https://isalliance.org

Recommandé

NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessmentCAS
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesKrist Davood - Principal - CIO
 
Cybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesCybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesAlex Rudie
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 

Recommandé

NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessmentCAS
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesKrist Davood - Principal - CIO
 
Cybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesCybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesAlex Rudie
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationMcKonly & Asbury, LLP
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Radar Cyber Security
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesSlideTeam
 
Cyber security analysis presentation
Cyber security analysis presentationCyber security analysis presentation
Cyber security analysis presentationVaibhav R
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk ManagementSam Bowne
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxChandanChandu928137
 
Information Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsInformation Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsVidyalankar Institute of Technology
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling EverythingAnne Oikarinen
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesSlideTeam
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityStephen Lahanas
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
 
PPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxPPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxRSAArcher
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Cybersecurity
CybersecurityCybersecurity
CybersecurityANGIEPAEZ304
 
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopLife Cycle Engineering
 
4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon BradyStarttech Ventures
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts finalDaren Dunkel
 

Contenu connexe

Tendances

Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationMcKonly & Asbury, LLP
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Radar Cyber Security
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesSlideTeam
 
Cyber security analysis presentation
Cyber security analysis presentationCyber security analysis presentation
Cyber security analysis presentationVaibhav R
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk ManagementSam Bowne
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling EverythingAnne Oikarinen
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesSlideTeam
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityStephen Lahanas
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
 
PPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxPPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxRSAArcher
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopLife Cycle Engineering
 

Tendances (20)

Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
 
Cyber security analysis presentation
Cyber security analysis presentationCyber security analysis presentation
Cyber security analysis presentation
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptx
 
Information Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsInformation Serurity Risk Assessment Basics
Information Serurity Risk Assessment Basics
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling Everything
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation Slides
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
 
PPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxPPT-Security-for-Management.pptx
PPT-Security-for-Management.pptx
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy Workshop
 

Similaire à Advanced Cybersecurity Risk Management: How to successfully address your Cyber-threats?

4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon BradyStarttech Ventures
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts finalDaren Dunkel
 
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...Jay Kesan
 
20101012 isa larry_clinton
20101012 isa larry_clinton20101012 isa larry_clinton
20101012 isa larry_clintonCIONET
 
Cyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptxCyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptxRambilashTudu
 
Cyber Resilience: Managing Cyber Shocks
Cyber Resilience: Managing Cyber ShocksCyber Resilience: Managing Cyber Shocks
Cyber Resilience: Managing Cyber ShocksPhil Huggins FBCS CITP
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsUlf Mattsson
 
Treating Security Like a Product
Treating Security Like a ProductTreating Security Like a Product
Treating Security Like a ProductVMware Tanzu
 
Cyber Security: Threat and Prevention
Cyber Security: Threat and PreventionCyber Security: Threat and Prevention
Cyber Security: Threat and Preventionfmi_igf
 
Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...Livingstone Advisory
 
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016FERMA
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)Sarah Jarvis
 
Understanding the black hat hacker eco system
Understanding the black hat hacker eco systemUnderstanding the black hat hacker eco system
Understanding the black hat hacker eco systemDavid Sweigert
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmDavid Sweigert
 
Francis Kaitano Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Francis Kaitano Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015Francis Kaitano Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Francis Kaitano Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015CSO_Presentations
 
Norman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondNorman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondLydia Shepherd
 
Credit Unions Caught in the Cybercrime Cross Hairs: How to Get Ahead of the C...
Credit Unions Caught in the Cybercrime Cross Hairs: How to Get Ahead of the C...Credit Unions Caught in the Cybercrime Cross Hairs: How to Get Ahead of the C...
Credit Unions Caught in the Cybercrime Cross Hairs: How to Get Ahead of the C...SurfWatch Labs
 
Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Don Grauel
 
BIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special EditionBIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special EditionCBIZ, Inc.
 

Similaire à Advanced Cybersecurity Risk Management: How to successfully address your Cyber-threats? (20)

4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts final
 
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
 
20101012 isa larry_clinton
20101012 isa larry_clinton20101012 isa larry_clinton
20101012 isa larry_clinton
 
Cyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptxCyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptx
 
Cyber Resilience: Managing Cyber Shocks
Cyber Resilience: Managing Cyber ShocksCyber Resilience: Managing Cyber Shocks
Cyber Resilience: Managing Cyber Shocks
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
Treating Security Like a Product
Treating Security Like a ProductTreating Security Like a Product
Treating Security Like a Product
 
Cyber Security: Threat and Prevention
Cyber Security: Threat and PreventionCyber Security: Threat and Prevention
Cyber Security: Threat and Prevention
 
Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...Current enterprise information security measures continue to fail us. Why is ...
Current enterprise information security measures continue to fail us. Why is ...
 
Security, Audit and Compliance: course overview
Security, Audit and Compliance: course overviewSecurity, Audit and Compliance: course overview
Security, Audit and Compliance: course overview
 
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
Cybersecurity mitigation strategies webinar AIG ecoDa FERMA 24 March 2016
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
 
Understanding the black hat hacker eco system
Understanding the black hat hacker eco systemUnderstanding the black hat hacker eco system
Understanding the black hat hacker eco system
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firm
 
Francis Kaitano Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Francis Kaitano Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015Francis Kaitano Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Francis Kaitano Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
 
Norman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondNorman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respond
 
Credit Unions Caught in the Cybercrime Cross Hairs: How to Get Ahead of the C...
Credit Unions Caught in the Cybercrime Cross Hairs: How to Get Ahead of the C...Credit Unions Caught in the Cybercrime Cross Hairs: How to Get Ahead of the C...
Credit Unions Caught in the Cybercrime Cross Hairs: How to Get Ahead of the C...
 
Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012
 
BIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special EditionBIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special Edition
 

Plus de PECB

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityPECB
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernancePECB
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...PECB
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...PECB
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyPECB
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...PECB
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationPECB
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsPECB
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?PECB
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...PECB
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...PECB
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC PECB
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...PECB
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...PECB
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA PECB
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?PECB
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptxPECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxPECB
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemPECB
 

Plus de PECB (20)

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 
ISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management systemISO 28000:2022 – Reduce risks and improve the security management system
ISO 28000:2022 – Reduce risks and improve the security management system
 

Dernier

Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 

Dernier (20)

Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application )
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 

Advanced Cybersecurity Risk Management: How to successfully address your Cyber-threats?

  • 1. 1
  • 2. • Understanding the inverted economics of cyber security and the incentives for cyber crime – how bad are things? (really bad) • Understanding the Inefficiencies of traditional cyber risk assessment and risk management – why we are not making more progress? • Becoming Digitally structured -- Resetting the roles and responsibilities regarding cyber security in the organization • Developing empirical, economics based cyber risk assessment techniques – what you need to be providing to the board What We Will Cover Today 2
  • 3. Cyber Crime: The numbers • Costs of cyber criminal activity vary between hundreds of billions to a trillion dollars a year or more – between 1-2% Global GDP • One major ISP reports it sees 80 billion malicious scans a day • 300 million new malicious viruses are created every day • There were 4.8 billion records lost due to data breaches in 2016 • There are 4000 Ransomware attacks every day • We spend $200,000 per minute on regulations and audits-- costs projected to go up 2X by 2020 & several hundred times by 2030 3
  • 4. 4 “Cyber criminals are technologically as sophisticated as the most advanced IT companies and like them have moved quickly to adopt AI, cloud, software- as a service (cybercrime-as-a service) and encryption.” Symantec 2018 Cyber Crime Report How Good Are the Bad Guys?
  • 5. Put Succinctly….. “Cybercrime is relentless, undiminished and unlikely to stop. It’s just too easy, rewarding and the chances of getting caught are far too low. Cyber crime also leads on a risk to payoff rate. It is a low risk crime with high profits. A smart cyber criminal can easily make millions without fear of being caught.” McAfee 2018 Cyber Crime Report 5
  • 6. What is the Real Problem? • Marcus Aurelius: Of each thing demand to know what is its essence • The essence of the cyber security problem ? • Selfish Companies? • Bad Technology? • Is it the economy? • The essence of the cyber security problem is that we have an inherently insecure system guarding incredibly valuable data 6
  • 7. Is it the Technology or the Incentives? “We find that misplaced incentives are as important as technical design…security failure is caused as least as often by bad incentives as by bad technological design” Anderson and Moore “The Economics of Information Security” 7
  • 8. Why Don’t We have Better Tech? • We don’t teach secure coding? – because we don’t want to pay for security. • Personally, we really can’t be bothered (seriously) • Government’s point fingers but they are to blame too? • Maybe technological success has come too fast for us to manage it 8
  • 9. Digital innovation is profitable … and risky • “Firms are increasingly competing at different points in the value chain to take advantage of unmet customer needs, less efficient structures, high capital usage and attractive returns. These changes can bring enormous benefits including improved customer experience, greater efficiency & new value creators. HOWEVER, tech driven innovations are expanding the amount of cyber risk and enabling more sophisticated attacks.” World Economic Forum Report on Cyber Security 2018 9
  • 10. Historically, Tech Innovation is good for business – bad for Security • VOIP • Cloud computing • BYOD • International supply chains • You can increase the security of these technologies and practices but it comes at a cost – you are looking for a balance between profitability and security – How do you find it? 10
  • 11. • Offence: Attacks are cheap • Offence: Attacks are easy to launch • Offence: Profits from attacks are enormous • Offence: GREAT business model (“resell” same service) • Defense: Perimeter to defend is unlimited • Defense: Is compromised – hard to show ROI • Defense: Usually a generation behind the attacker • Defense: Prosecution is difficult and rare Cyber Economic Equation: Incentives Favors Attackers 11
  • 12. The Systems are hard to defend “The military’s computer networks can be compromised by low to middling skilled attacks. Military systems do not have a sufficiently robust security posture to repel sustained attacks. The development of advanced cyber techniques makes it likely that a determined adversary can acquire a foothold in most DOD systems and be in a position to degrade DOD missions when and if they choose.” Pentagon Annual Report. 12
  • 13. Digital economics are not obvious “Economists have long known that liability should be assigned to the entity that can manage risk. Yet everywhere we look we see online risk allocated poorly…people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code” Anderson and Moore “Economics of Information Security” 13
  • 14. Won’t the Market Self-Correct? No. • Target up 40% six months after breach • Sony up 30% six months after breach • Home Depot (65 million accounts)---20% increase • JP Morgan stock price stable at first then up 7 % • Sears (Kmart) initially down 18%-- then up 34% • E-bay initially down 6%, then up 15% • On average after initial dip stocks rebound and are up 7% following incidents. 14
  • 15. The real cyber challenge is the economics “The challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices, demonstrating the value in implementing them and encouraging individuals and organizations to adopt them.” The Information Systems Audit and Control Association (ISACA)- March 2011 15
  • 16. We Need to put Cyber Risk in Economic terms to manage it • “Overall, cost was most frequently cited as “the biggest obstacle to ensuring the security of critical networks.” -- PWC • “Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solutions.” -- McAfee • “The number one barrier is the security folks who haven’t been able to communicate the urgency well enough and they haven’t actually been able to persuade the decision makers of the reality of the threat in business terms.” -- CSIS 16
  • 17. Traditional vs Leading Edge Cyber Risk Management. • Checking boxes --- the more you check the more mature you are and hence the more secure, right? • Which unchecked box do we focus on? • How much risk reduction do we get from checking one box over the other? • What’s the difference between yellow and green? (3 and 4?) … garbage in … garbage out • We need prioritization, cost based, empirical 17
  • 18. Problems with Traditional Cyber Risk Assessment • People (even “experts”) have different meanings for terms like “likely” “probable” “unlikely” “extremely unlikely” • Things like heat maps imply certainty but can’t tell you: • How much money you will lose ? • How probable the scenario is ? • What is the adequate risk reduction cost ? 18
  • 19. Problems with Traditional Cyber Risk Assessment – It doesn’t work “There is not a single study indicating that the use of such methods actually reduces risk.” Doug Hubbard How to Measure Anything in Cyber Security 19
  • 20. Start at the beginning: What is a Risk? • Insiders? • Supply Chain? • Mobile Technology? 20
  • 21. How much risk is there? A little None A lot 21
  • 22. A little None A lot How much risk is there? 22
  • 23. How much risk is there? A little None A lot 23
  • 24. What Is Risk • Risk is best conceptualized as a quantity. It is a measure of future loss from a given scenario representing how much money an organization might lose from a given scenario over time 24
  • 25. 25
  • 26. NACD Handbook Approach to Cyber • Guidelines from the NACD advise that Boards should view cyber-risks from an enterprise-wide standpoint and understand the potential legal impacts. They should discuss cybersecurity risks and preparedness with management, and consider cyber threats in the context of the organization’s overall tolerance for risk. -- PWC 2016 Global Information Security Survey 26
  • 27. Boards are now using the NACD Handbook • Boards appear to be listening to this advice. This year we saw a double-digit uptick in Board participation in most aspects of information security. Deepening Board involvement has improved cybersecurity practices in numerous ways. As more Boards participate in cybersecurity budget discussions, we saw a 24% boost in security spending. -- PWC 2016 Global Information Security Survey 27
  • 28. NACD Yields Actual Security Improvements • Notable outcomes cited by survey respondents include identification of key risks, fostering an organizational culture of security and better alignment of cybersecurity with overall risk management and business goals. Perhaps more than anything, Board participation opened the lines of communication between the cybersecurity function and top executives and directors -- PWC 2016 Global Information Security Survey 28
  • 29. Orgs Endorsing Cyber Risk Handbooks Globally • US Department of Homeland Security • US Department of Justice • German Government Cyber Security Divisions (BSI) • Organization of American States • National Association of Corporate Directors • European Confederation of Director Associations • Japanese Federation of Businesses • International Auditing Association 29
  • 30. NACD Principles • Cyber is not an IT issue • Bds need to understand their unique legal obligations • Bds need to access adequate cyber security expertise • MANAGEMENT needs to provide a cyber security framework (tech and structural) • MANAGEMENT must do risk assessment 30
  • 31. Economics Discussion between Management and Board • Principle #4 Management needs to provide Board with a Framework for enterprise wide cyber risk • Management be structured for enterprise wide enterprise wide cyber risk assessments (not just IT) • Principle #5 Management must provide board with analysis of risks to avoid, accept, mitigate or transfer via insurance. • Management present the board with an economics based cyber risk assessment tying cyber risk to the business 31
  • 32. NACD P 4 Having a Framework Hygiene & Cost Effective Hygiene • Basic Models – NIST - ISO - PCIS • Restricting User installation of applications (whitelisting) • Ensuring operational systems is patched with current updates • Ensuring software applications have current updates • Restricting administrative privileges 32
  • 33. NACD P 4: Having a Management Framework for the Digital Age • Traditional view of board involvement in cyber security • NACD approach • Developing Cyber policy from the top down • Industrial Age structures don’t fit the digital age issues – like cyber • Cyber Security is “just like” legal and finance 33
  • 34. Principle 4: Knowledge & Skills for Cyber Risk Management • Critical thinking • Understanding of probability • Training in calibrated estimation • Comfort with numbers • Familiarity decision methods • Familiarity with the business • Proper Cyber Risk Management uses a systematic, ideally empirical, enterprise wide risk assessment and management framework 34
  • 35. Principle 4. Management must provide a Framework 35
  • 36. ANSI-ISA Program • Recommends an enterprise wide cyber risk team that meets regularly and has its own budget • CFO strategies • HR strategies • Legal/compliance strategies • Operations/technology strategies • Communications strategies • Risk Management/insurance strategies 36
  • 37. Three Lines of Cyber Defense --- (3LoD) • Line 1 – operates the business, owns the risk designs and implements operations • Line 2 – defines policy statements & defines RM framework. provides a credible challenge to the first line & responsible for evaluating risk exposure for board to determine risk appetite • Line 3 – commonly internal audit responsible for independent evaluation of the first and second lines 37
  • 38. The first line of defense • Provide through exam—is the business doing enough? (not one size fits all). Each business line defines the cyber risk they face & weave cyber risk and self assessment into fraud, crisis management and resiliency process. • Business lines need to actively monitor existing and future exposures, vuls threats and assess what impact cber risk has on new tech deployment, client relationships, and business strategies 38
  • 39. The second line of defense • Should be walled off as a separate independent function. Manages enterprise cyber risk appetite and RM framework within overall enterprise risk –challenges the first line. Determines how to appropriately measure cyber risk and integrates into a risk tolerance statement for the firm • Focus of first and second tiers needs to be on effectively managing risk – not regulatory compliance – although can integrate compliance 39
  • 40. Third Line of defense • Provides independent objective assessment of firms process across lines one and two with focus on operational effectiveness and efficiency. Traditionally I audit relied on frameworks (NIST) but firms will likely need to develop their own to adapt to enhanced threats • IA perform assessments validate tech infrastructure and third party risks, do independent Pen testing and must stay abreast of threat intel 40
  • 41. Principle 5 Principle in Modern Cyber Risk Management • Focus not on attacks but impacts • Clear terms, better scoping, no bogus math • Place cyber events in quantitative economic terms • Prioritize cyber risk to the business • Do you need to keep spending on this ____? • Are these risks, really risks, or just innovations? • A new – better – direction for Govt. and Industry -- See Hubbard, FAIR, X-Analytics Models 41
  • 42. Basic Cyber Risk Assessment Economics Methodology • Using best available data make probabilistic assessment of possible scenarios – looking for accuracy not precision • Focus on scenarios that are probable and have enough expected loss to matter • Calculate best case, worst case, most likely case and what degree of loss is acceptable (risk appetite) • Determine investment required to mitigate to an acceptable level • Option: run multiple scenarios (Monte Carlo simulations) 42
  • 43. Government Industry Collaboration • We are all on the same side • Is blaming the Victims the right strategy? • Calls for Accountability go both ways – we need more than accountability , we need collaboration • Government and Industry – Legitimately --Assess Cyber Risk Differently from an Economic perspective • Traditional Models and Assumptions Wont Work • The History of the Social Contract 43
  • 44. The Cyber Security Social Contract • Rethink Industry and Government Roles and Responsibilities • Create Market Incentives to rebalance the economic incentives for cyber security • This will take a lot of work, can it be done? 44
  • 45. ISO/IEC 27032 Training Courses • ISO/IEC 27032 Introduction 1 Day Course • ISO/IEC 27032 Foundation 2 Days Course • ISO/IEC 27032 Lead Cybersecurity Manager 5 Days Course Exam and certification fees are included in the training price. www.pecb.com/en/education-and-certification-for-individuals/iso-iec-27032 www.pecb.com/events

Notes de l'éditeur

  1. Global Voices Campaign – July 24, 2019
  2. Imagine you have a tire so bald, you can barely tell if there was ever any tread there.
  3. Imagine you have a tire so bald, you can barely tell if there was ever any tread there.