SlideShare une entreprise Scribd logo

White paper cyber risk appetite defining and understanding risk in the modern enterprise

B
balejandre

Managing risk is a balancing act for organizations of all sizes and disciplines. While some organizations take on too much risk, others arguably do not take on enough. Complicating this equation is the emergence of cyber as one of the most impactful sources of risk in the modern enterprise

Technologie
1  sur  4
Télécharger pour lire hors ligne
RSA WHITE PAPER CYBER RISK APPETITE: Defining and Understanding Risk in the Modern Enterprise Managing risk is a balancing act for organizations of all sizes and disciplines. While some organizations take on too much risk, others arguably do not take on enough. Complicating this equation is the emergence of cyber as one of the most impactful sources of risk in the modern enterprise. In fact, cyber security is now increasingly reviewed by corporate boards of directors and often discussed with financial analysts who see cyber security risk as an imminent and paramount business risk. Because the consequences of cyber security failures can be damaging to business revenues and brand reputation, CEOs have lost their positions as a result of data breaches and inept preparation and planning. According to Deloitte Advisory Cyber Risk Services “the fundamental things that organizations undertake in order to drive performance and execute on their business strategies happen to also be the things that actually create cyber risk. This includes globalization, mergers and acquisitions, extension of third-party networks and relationships, outsourcing, adoption of new technologies, movement to the cloud, or mobility. And they are not going to stop doing these things any time soon. Cyber risk is an issue that exists at the intersection of business risk, regulation, and technology. Executive decision-makers should understand the nature and magnitude of those risks, consider them against the benefits a strategic shift would deliver and then make more informed decisions.” Accordingly, organizations must now factor cyber into their risk appetite and explicitly define the level of cyber risk that they are willing to accept in context of their overall risk appetite. This paper will provide a foundation for organizations looking to better understand cyber risk including; a systematic process for defining and comprehensively categorizing sources of cyber risk, a description of key stakeholders and risk owners within the organization, and finally, outline the basics of how to think about calculating cyber risk appetite. Defining Cyber Risk Cyber risk is commonly defined as exposure to harm or loss resulting from breaches of or attacks on information systems. However, this definition must be broadened. A better, more encompassing definition is “the potential of loss or harm related to technical infrastructure or the use of technology within an organization.” Events covered by this more comprehensive definition can be categorized in multiple ways. One is intent. Events may be the result of deliberately malicious acts, such as a hacker carrying out an attack with the aim of compromising sensitive information, but they may also be unintentional, such as user error that makes a system temporarily unavailable. Risk events may come from sources outside the organization, such as cybercriminals or supply chain partners, or sources inside the organization such as employees or contractors. Combining these two dimensions leads us to a practical framework for inventorying and categorizing cyber risks:  Internal Malicious: Deliberate acts of sabotage, theft or other malfeasance committed by employees and other insiders. For example, a disgruntled employee deleting key information before they leave the organization.  Internal Unintentional: Acts leading to damage or loss stemming from human error committed by employees and other insiders. For example, in 2013, NASDAQ experienced internal technology issues that caused backup systems to fail.1  External Malicious: The most publicized cyber risk; pre-meditated attacks from outside parties, including criminal syndicates, hacktivists and nation states. Examples include network infiltration and extraction of intellectual property, and denial-of-service (DoS) attacks that cause system availability issues, business interruptions, or interfere with the proper performance of connected devices such as medical devices or industrial systems.  External Unintentional: Similar to the internal unintentional, these cause loss or damage to business, but are not deliberate. For example, a third party partner experiencing technical issues can impact system availability, as can natural disasters. 1. http://www.reuters.com/article/us-nasdaq-halt-glitch-idUSBRE97S11420130829
Over the past 15 years, we’ve systematically connected our economy and our society in some really powerful, compelling ways, but we’ve done this using technologies that were largely designed for sharing information and making it available – not for protecting that information. Very few organizations are taking into consideration what they, themselves, are doing to unintentionally magnify or create new risk. According to Deloitte Advisory Cyber Risk Services, organizations need to think of the broad swath of things that can potentially happen, but to think about what is likely to happen in their organizations given the specific things they’re doing from an operational and information perspective. Managing Cyber Risk: Who Has a Seat at the Table? It is not just the legacy definitions of cybersecurity and cyber risk that are incomplete. The list of those responsible for securing physical and digital assets rarely extended beyond IT and physical plant management into the business, which is short-sighted given today’s IT-driven, digital businesses. Chief Information Security Officers (CISOs) emerged about a decade ago, but it was not until recently that they have had regular interaction outside of IT management with executive leadership and boards of directors. Everyone is a source of cyber risk. Public failures become personal. Personal failures become public. Even seemingly small lapses in judgment or policy oversight can have dire consequences. Over sharing on social media can reveal critical personal information that threat actors can use. Not logging out of a system at the end of the day is a wide open door to information thieves. Underscoring that there are no unaffected parties when it comes to cyber security and managing cyber risk, stakeholders who need to shape policy include unexpected job titles. For example, software engineers and developers must ensure that new releases ship without errors that could be exploited. HR teams use Human Capital Management (HCM) software, often cloud-based, that contains employees’ personal information such as social security numbers, home addresses, medical claims and other sensitive information. An enterprise’s supply chain, distribution channel, partner network and similar third-parties that routinely have access systems and are often integrated, can inadvertently be a vector for cyber security failures. Here is a starting point to identify cyber security and cyber risk influencers in the organization: Each group needs to part of the risk management conversation and understand how they influence and impact the organizations’ cyber risk posture.
Key Questions for Stakeholders: Cybersecurity is at the top of the board room agenda today because it is well understood that cyber stakes have never been higher. The innovations and strategic advances that organizations make will continue to raise the stakes. It is not a problem that can be solved; cyber risk cannot be completely eradicated, but it can be managed to facilitate the success of a company’s drive forward. Decisions about cyber risk appetite need to be made with the business and communicated throughout the organization. It’s important to understand the culture of the company and how the key stakeholders answer the following questions:  What losses would be catastrophic?  What can we live without and for how long?  What information absolutely cannot fall into the wrong hands or be made public?  What could cause personal harm to employees, customers, partners, visitors? Creating a common risk management taxonomy and language is essential for an organization to understand cyber risk in the context of its overall objectives. Areas of Impact from Cyber Events The price of some cybersecurity failures can be measured in monetary units. Hard currency costs include fines, legal fees, lost productivity and mitigation, remediation, and incident response. These hard costs also include fines from lack of compliance. Other costs are more difficult to quantify. They are qualitative and long-lasting. These include diminished brand equity, reduced goodwill, and the loss of intellectual property, all leading to a weaker market position or, in some cases, complete elimination of competitive advantage. There are third party impacts in both directions. It’s possible that a third party experiences a loss event, and while unintentional, this could impact deadlines or worse reveal proprietary information. These costs that are more difficult to quantify still have large, negative impact on the business and must be accounted for. “The notion of how to show value for cyber risk investment is one that the industry struggles with because success is invisible – it’s the absence of a cyber event, or the ability to show that an event had a lesser impact than it might have had. It is difficult to show return on investment for cyber risk programs. Organizations need to develop the ability to demonstrate that the investments they are making are aligned with the actual risks they face. They have to ask if they are making the appropriate investments in security, vigilance, and resilience, and whether those decisions are based on a realistic understanding of the specific risks their organization faces – and the magnitude of impact that a cyberattack could have. Managing cyber risk is not just a cost to the business, but a positive investment to enable the success of strategic growth and performance initiatives,” contributes Deloitte Advisory Cyber Risk Services. Prioritization Given the myriad sources of cyber risk, with each event having different levels of potential impact, prioritization is critical. Determining how and where to allocate human, financial, and technology resources is a complicated calculus. The formula includes both intangible and tangible assets, is subjective, and includes variables based on institutional comfort, priorities and governance, risk and compliance policies, regulatory obligations, and legal commitments. A good first step is identifying and classifying applications, databases, systems, and information. A practical classification scheme (in descending order of importance) is: 1. Mission and Business Critical Systems. In aggregate, these are the vital organs of the business where the most sensitive information resides, including intellectual property, information about physical assets, and systems required to run the business. This includes information that can also impact life or death. 2. Core infrastructure, extended ecosystem. Common examples include supply chain management (SCM) applications and partner portals. 3. External, public-facing systems and points of interaction. Common examples include web servers and systems with IP addresses accessible through the internet. While it may be counter-intuitive to prioritize internal systems as the critical area of focus, it is important to prioritize what could cause the most damage if risk is not appropriately managed. If the focus is solely on what is public and customer-facing, then the organization’s most important information or critical systems are being overlooked. These mission critical and business critical systems, if affected, could halt the business entirely, which would have the same implications of a human receiving a jolt to the chest. Deloitte Advisory Cyber Risk Services adds, “For many organizations, becoming truly resilient to cyberattacks requires more than incremental improvements. It requires organizational transformation that broadens the scope of involvement at the top of the organization and instills focus on business risk, rather than technology controls. It requires the ability to focus investments on mitigating likely outcomes, based on a broad understanding of attacker motives and the ability to anticipate high-impact scenarios.”
Cyber Risk Appetite Risk appetite is the level of tolerance that an organization has for risk. One aspect of the definition is understanding how much risk an organization is willing to tolerate, and the other is thinking about how much an organization is willing to invest or spend to manage the risk. Risk appetite sets the boundaries for prioritizing which risks need to be treated. Cyber risk appetite should be set by the CEO, CISO and CRO and then shared throughout the organization. Calculating cyber risk through ongoing assessment using defined and proven methodologies and both quantitative metrics and qualitative risk elements is critical to an organization determining how much risk they are willing to accept to achieve specific business goals or objectives. Further, determining cyber risk appetite cannot be a point-in-time exercise. It must become an ongoing process involving constant evaluation and re-evaluation. While it seems like setting cyber risk appetite may be just technical, there is more to it than that. There are conversations that need to include non-technical functions. Cyber risk appetite ties together operational risk, cyber risk, and enterprise risk in cross- functional conversations. The strategic conversation is about the risk that the organization is willing to take on and what controls it puts in place to prioritize cyber risk management. Setting the appetite is critical to managing the business effectively and efficiently to help an organization know where to invest time and resources. Conclusion The ability to quantify cyber risk and make informed decisions about cyber risk appetite will often be the difference between success and failure for modern enterprises. Those who do so effectively will be better positioned to enable continued growth, those who do not will expose their organization to risks with potential calamitous implications. Organizations must take a comprehensive inventory of potential cyber risks, quantify their potential impact, and prioritize them effectively. This process must involve stakeholders across the organization to gain perspective and consensus. It must be an ongoing process involving constant evaluation and re-evaluation. And, this up-to-date understanding must feed into the organizations view of operational and enterprise risk. This is just the beginning of the discussion, and now that cyber risk appetite has been defined and the key players within an organization have been identified, prioritization of systems and assets is the next step. Cyber Risk Appetite is not just theoretical, but rather it is something that can be modeled and calculated by an organization. This calculus will be explored in our next paper. About Deloitte Advisory Cyber Risk Services As part of the market-leading Advisory practice, Deloitte Advisory’s cyber risk services help complex organizations more confidently leverage advanced technologies to achieve their strategic growth, innovation and performance objectives through proactive management of the associated cyber risks. With deep experience across a broad range of industries, Deloitte Advisory’s more than 3,000 cyber risk services practitioners provide advisory and implementation services, spanning executive and technical functions, to help transform legacy IT security programs into proactive, secure, vigilant and resilient cyber risk programs. Deloitte Advisory Cyber Risk Services works with our clients worldwide to better align cybersecurity investments with strategic business priorities, establish improved threat awareness and visibility, and strengthen the ability of organizations to thrive in the face of cyber incidents About RSA RSA provides more than 30,000 customers around the world with the essential capabilities to protect their most valuable assets from cyber risks and threats. With RSA’s award-winning products, organizations effectively detect, investigate, and respond to advanced attacks; assure and manage identities; implement governance, risk, and compliance processes; and ultimately, reduce IP theft, fraud, and cybercrime. For more information, go to www.rsa.com. EMC 2 , EMC, the EMC logo, RSA, the RSA logo, are registered trademarks or trademarks of EMC Corporation in the United States and other countries. VMware is a registered trademark or trademark of VMware, Inc., in the United States and other jurisdictions. © Copyright 2016 EMC Corporation. All rights reserved. Published in the USA. 05/16 Whitepaper H15150 RSA believes the information in this document is accurate as of its publication date. The information is subject to change without notice. www.RSA.com

Recommandé

The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmDavid Sweigert
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The Economist Media Businesses
 
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsTo Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsElizabeth Dimit
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015John Budriss
 
Norman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondNorman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondLydia Shepherd
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015Scott Smith
 
NACD Directorship Article - Cyber July:Aug 2015 published
NACD Directorship Article - Cyber July:Aug 2015 publishedNACD Directorship Article - Cyber July:Aug 2015 published
NACD Directorship Article - Cyber July:Aug 2015 publishedPrista Corporation
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 

Recommandé

The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmDavid Sweigert
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The Economist Media Businesses
 
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsTo Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsElizabeth Dimit
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015John Budriss
 
Norman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondNorman Broadbent Cybersecurity Report - How should boards respond
Norman Broadbent Cybersecurity Report - How should boards respondLydia Shepherd
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015Scott Smith
 
NACD Directorship Article - Cyber July:Aug 2015 published
NACD Directorship Article - Cyber July:Aug 2015 publishedNACD Directorship Article - Cyber July:Aug 2015 published
NACD Directorship Article - Cyber July:Aug 2015 publishedPrista Corporation
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 
Cybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsCybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsAbdul-Hakeem Ajijola
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Sarah Nirschl
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityShareDocView.com
 
7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-MaligecChristine Maligec, CRM-E, CRIS
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionThe Economist Media Businesses
 
In the news
In the newsIn the news
In the newsRob Wilson
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic SecurityChad Korosec
 
cybersecurity-in-the-c-suite-a-matt
cybersecurity-in-the-c-suite-a-mattcybersecurity-in-the-c-suite-a-matt
cybersecurity-in-the-c-suite-a-mattYigal Behar
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?EMC
 
Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Bala Guntipalli ♦ MBA
 
Outsourcing
OutsourcingOutsourcing
Outsourcingkarlhennessy
 
Cyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsCyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsChristine Maligec, CRM-E, CRIS
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
Cybersecurity and The Board
Cybersecurity and The BoardCybersecurity and The Board
Cybersecurity and The BoardPaul Melson
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Niren Thanky
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks- Mark - Fullbright
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeErnst & Young
 
Executive Summary on the Cyber Risk Webinar
Executive Summary on the Cyber Risk WebinarExecutive Summary on the Cyber Risk Webinar
Executive Summary on the Cyber Risk WebinarFERMA
 
Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Dawn Yankeelov
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousEthan S. Burger
 
Provide a MEMO.docx
Provide a MEMO.docxProvide a MEMO.docx
Provide a MEMO.docxwrite30
 
Corporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious GameCorporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious GameTatainteractive1
 

Contenu connexe

Tendances

Cybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsCybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsAbdul-Hakeem Ajijola
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Sarah Nirschl
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityShareDocView.com
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionThe Economist Media Businesses
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic SecurityChad Korosec
 
cybersecurity-in-the-c-suite-a-matt
cybersecurity-in-the-c-suite-a-mattcybersecurity-in-the-c-suite-a-matt
cybersecurity-in-the-c-suite-a-mattYigal Behar
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?EMC
 
Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Bala Guntipalli ♦ MBA
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
Cybersecurity and The Board
Cybersecurity and The BoardCybersecurity and The Board
Cybersecurity and The BoardPaul Melson
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Niren Thanky
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks- Mark - Fullbright
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeErnst & Young
 
Executive Summary on the Cyber Risk Webinar
Executive Summary on the Cyber Risk WebinarExecutive Summary on the Cyber Risk Webinar
Executive Summary on the Cyber Risk WebinarFERMA
 
Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Dawn Yankeelov
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousEthan S. Burger
 

Tendances (20)

Cybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsCybersecurity & the Board of Directors
Cybersecurity & the Board of Directors
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for Cybersecurity
 
7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimension
 
In the news
In the newsIn the news
In the news
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic Security
 
cybersecurity-in-the-c-suite-a-matt
cybersecurity-in-the-c-suite-a-mattcybersecurity-in-the-c-suite-a-matt
cybersecurity-in-the-c-suite-a-matt
 
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?Managing Cyber Risk: Are Companies Safeguarding Their Assets?
Managing Cyber Risk: Are Companies Safeguarding Their Assets?
 
Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...
 
Outsourcing
OutsourcingOutsourcing
Outsourcing
 
Cyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsCyber Risks - Maligec and Eskins
Cyber Risks - Maligec and Eskins
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
Cybersecurity and The Board
Cybersecurity and The BoardCybersecurity and The Board
Cybersecurity and The Board
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Executive Summary on the Cyber Risk Webinar
Executive Summary on the Cyber Risk WebinarExecutive Summary on the Cyber Risk Webinar
Executive Summary on the Cyber Risk Webinar
 
Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
 

Similaire à White paper cyber risk appetite defining and understanding risk in the modern enterprise

Provide a MEMO.docx
Provide a MEMO.docxProvide a MEMO.docx
Provide a MEMO.docxwrite30
 
Corporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious GameCorporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious GameTatainteractive1
 
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Accenture Technology
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015CBIZ, Inc.
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeNishantSisodiya
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen Hamilton
 
eCrime-report-2011-accessible
eCrime-report-2011-accessibleeCrime-report-2011-accessible
eCrime-report-2011-accessibleCharmaine Servado
 
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023incmagazineseo
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991Jim Romeo
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber securityWGroup
 
We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfgalagirishp
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
 
BIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special EditionBIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special EditionCBIZ, Inc.
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)Sarah Jarvis
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts finalDaren Dunkel
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity EssayMichael Solomon
 
Countering Advanced Persistent Threats
Countering Advanced Persistent ThreatsCountering Advanced Persistent Threats
Countering Advanced Persistent ThreatsBooz Allen Hamilton
 
What is cyber security
What is cyber securityWhat is cyber security
What is cyber securitySAHANAHK
 

Similaire à White paper cyber risk appetite defining and understanding risk in the modern enterprise (20)

Provide a MEMO.docx
Provide a MEMO.docxProvide a MEMO.docx
Provide a MEMO.docx
 
Corporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious GameCorporate Cybersecurity: A Serious Game
Corporate Cybersecurity: A Serious Game
 
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of Directors
 
eCrime-report-2011-accessible
eCrime-report-2011-accessibleeCrime-report-2011-accessible
eCrime-report-2011-accessible
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber security
 
We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdf
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
BIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special EditionBIZGrowth Strategies - Cybersecurity Special Edition
BIZGrowth Strategies - Cybersecurity Special Edition
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts final
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
 
Countering Advanced Persistent Threats
Countering Advanced Persistent ThreatsCountering Advanced Persistent Threats
Countering Advanced Persistent Threats
 
What is cyber security
What is cyber securityWhat is cyber security
What is cyber security
 

Plus de balejandre

A Data-driven Maturity Model for Modernized, Automated, and Transformed IT
A Data-driven Maturity Model for Modernized, Automated, and Transformed ITA Data-driven Maturity Model for Modernized, Automated, and Transformed IT
A Data-driven Maturity Model for Modernized, Automated, and Transformed ITbalejandre
 
Ataques de seguridad y GRC
Ataques de seguridad y GRCAtaques de seguridad y GRC
Ataques de seguridad y GRCbalejandre
 
Achieving high-fidelity security
Achieving high-fidelity securityAchieving high-fidelity security
Achieving high-fidelity securitybalejandre
 
Viii congreso isaca 2015 grc
Viii congreso isaca 2015 grcViii congreso isaca 2015 grc
Viii congreso isaca 2015 grcbalejandre
 
Nuevo Enfoque de la Auditoría Empresarial a través de GRC
Nuevo Enfoque de la Auditoría Empresarial a través de GRCNuevo Enfoque de la Auditoría Empresarial a través de GRC
Nuevo Enfoque de la Auditoría Empresarial a través de GRCbalejandre
 
Itss bc my grc 2013 v1
Itss bc my grc 2013 v1Itss bc my grc 2013 v1
Itss bc my grc 2013 v1balejandre
 
Grc y seguridad
Grc y seguridadGrc y seguridad
Grc y seguridadbalejandre
 
11479 Ponemon Report Egrc Ar
11479 Ponemon Report Egrc Ar11479 Ponemon Report Egrc Ar
11479 Ponemon Report Egrc Arbalejandre
 

Plus de balejandre (8)

A Data-driven Maturity Model for Modernized, Automated, and Transformed IT
A Data-driven Maturity Model for Modernized, Automated, and Transformed ITA Data-driven Maturity Model for Modernized, Automated, and Transformed IT
A Data-driven Maturity Model for Modernized, Automated, and Transformed IT
 
Ataques de seguridad y GRC
Ataques de seguridad y GRCAtaques de seguridad y GRC
Ataques de seguridad y GRC
 
Achieving high-fidelity security
Achieving high-fidelity securityAchieving high-fidelity security
Achieving high-fidelity security
 
Viii congreso isaca 2015 grc
Viii congreso isaca 2015 grcViii congreso isaca 2015 grc
Viii congreso isaca 2015 grc
 
Nuevo Enfoque de la Auditoría Empresarial a través de GRC
Nuevo Enfoque de la Auditoría Empresarial a través de GRCNuevo Enfoque de la Auditoría Empresarial a través de GRC
Nuevo Enfoque de la Auditoría Empresarial a través de GRC
 
Itss bc my grc 2013 v1
Itss bc my grc 2013 v1Itss bc my grc 2013 v1
Itss bc my grc 2013 v1
 
Grc y seguridad
Grc y seguridadGrc y seguridad
Grc y seguridad
 
11479 Ponemon Report Egrc Ar
11479 Ponemon Report Egrc Ar11479 Ponemon Report Egrc Ar
11479 Ponemon Report Egrc Ar
 

Dernier

Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 

Dernier (20)

Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 

White paper cyber risk appetite defining and understanding risk in the modern enterprise

  • 1. RSA WHITE PAPER CYBER RISK APPETITE: Defining and Understanding Risk in the Modern Enterprise Managing risk is a balancing act for organizations of all sizes and disciplines. While some organizations take on too much risk, others arguably do not take on enough. Complicating this equation is the emergence of cyber as one of the most impactful sources of risk in the modern enterprise. In fact, cyber security is now increasingly reviewed by corporate boards of directors and often discussed with financial analysts who see cyber security risk as an imminent and paramount business risk. Because the consequences of cyber security failures can be damaging to business revenues and brand reputation, CEOs have lost their positions as a result of data breaches and inept preparation and planning. According to Deloitte Advisory Cyber Risk Services “the fundamental things that organizations undertake in order to drive performance and execute on their business strategies happen to also be the things that actually create cyber risk. This includes globalization, mergers and acquisitions, extension of third-party networks and relationships, outsourcing, adoption of new technologies, movement to the cloud, or mobility. And they are not going to stop doing these things any time soon. Cyber risk is an issue that exists at the intersection of business risk, regulation, and technology. Executive decision-makers should understand the nature and magnitude of those risks, consider them against the benefits a strategic shift would deliver and then make more informed decisions.” Accordingly, organizations must now factor cyber into their risk appetite and explicitly define the level of cyber risk that they are willing to accept in context of their overall risk appetite. This paper will provide a foundation for organizations looking to better understand cyber risk including; a systematic process for defining and comprehensively categorizing sources of cyber risk, a description of key stakeholders and risk owners within the organization, and finally, outline the basics of how to think about calculating cyber risk appetite. Defining Cyber Risk Cyber risk is commonly defined as exposure to harm or loss resulting from breaches of or attacks on information systems. However, this definition must be broadened. A better, more encompassing definition is “the potential of loss or harm related to technical infrastructure or the use of technology within an organization.” Events covered by this more comprehensive definition can be categorized in multiple ways. One is intent. Events may be the result of deliberately malicious acts, such as a hacker carrying out an attack with the aim of compromising sensitive information, but they may also be unintentional, such as user error that makes a system temporarily unavailable. Risk events may come from sources outside the organization, such as cybercriminals or supply chain partners, or sources inside the organization such as employees or contractors. Combining these two dimensions leads us to a practical framework for inventorying and categorizing cyber risks:  Internal Malicious: Deliberate acts of sabotage, theft or other malfeasance committed by employees and other insiders. For example, a disgruntled employee deleting key information before they leave the organization.  Internal Unintentional: Acts leading to damage or loss stemming from human error committed by employees and other insiders. For example, in 2013, NASDAQ experienced internal technology issues that caused backup systems to fail.1  External Malicious: The most publicized cyber risk; pre-meditated attacks from outside parties, including criminal syndicates, hacktivists and nation states. Examples include network infiltration and extraction of intellectual property, and denial-of-service (DoS) attacks that cause system availability issues, business interruptions, or interfere with the proper performance of connected devices such as medical devices or industrial systems.  External Unintentional: Similar to the internal unintentional, these cause loss or damage to business, but are not deliberate. For example, a third party partner experiencing technical issues can impact system availability, as can natural disasters. 1. http://www.reuters.com/article/us-nasdaq-halt-glitch-idUSBRE97S11420130829
  • 2. Over the past 15 years, we’ve systematically connected our economy and our society in some really powerful, compelling ways, but we’ve done this using technologies that were largely designed for sharing information and making it available – not for protecting that information. Very few organizations are taking into consideration what they, themselves, are doing to unintentionally magnify or create new risk. According to Deloitte Advisory Cyber Risk Services, organizations need to think of the broad swath of things that can potentially happen, but to think about what is likely to happen in their organizations given the specific things they’re doing from an operational and information perspective. Managing Cyber Risk: Who Has a Seat at the Table? It is not just the legacy definitions of cybersecurity and cyber risk that are incomplete. The list of those responsible for securing physical and digital assets rarely extended beyond IT and physical plant management into the business, which is short-sighted given today’s IT-driven, digital businesses. Chief Information Security Officers (CISOs) emerged about a decade ago, but it was not until recently that they have had regular interaction outside of IT management with executive leadership and boards of directors. Everyone is a source of cyber risk. Public failures become personal. Personal failures become public. Even seemingly small lapses in judgment or policy oversight can have dire consequences. Over sharing on social media can reveal critical personal information that threat actors can use. Not logging out of a system at the end of the day is a wide open door to information thieves. Underscoring that there are no unaffected parties when it comes to cyber security and managing cyber risk, stakeholders who need to shape policy include unexpected job titles. For example, software engineers and developers must ensure that new releases ship without errors that could be exploited. HR teams use Human Capital Management (HCM) software, often cloud-based, that contains employees’ personal information such as social security numbers, home addresses, medical claims and other sensitive information. An enterprise’s supply chain, distribution channel, partner network and similar third-parties that routinely have access systems and are often integrated, can inadvertently be a vector for cyber security failures. Here is a starting point to identify cyber security and cyber risk influencers in the organization: Each group needs to part of the risk management conversation and understand how they influence and impact the organizations’ cyber risk posture.
  • 3. Key Questions for Stakeholders: Cybersecurity is at the top of the board room agenda today because it is well understood that cyber stakes have never been higher. The innovations and strategic advances that organizations make will continue to raise the stakes. It is not a problem that can be solved; cyber risk cannot be completely eradicated, but it can be managed to facilitate the success of a company’s drive forward. Decisions about cyber risk appetite need to be made with the business and communicated throughout the organization. It’s important to understand the culture of the company and how the key stakeholders answer the following questions:  What losses would be catastrophic?  What can we live without and for how long?  What information absolutely cannot fall into the wrong hands or be made public?  What could cause personal harm to employees, customers, partners, visitors? Creating a common risk management taxonomy and language is essential for an organization to understand cyber risk in the context of its overall objectives. Areas of Impact from Cyber Events The price of some cybersecurity failures can be measured in monetary units. Hard currency costs include fines, legal fees, lost productivity and mitigation, remediation, and incident response. These hard costs also include fines from lack of compliance. Other costs are more difficult to quantify. They are qualitative and long-lasting. These include diminished brand equity, reduced goodwill, and the loss of intellectual property, all leading to a weaker market position or, in some cases, complete elimination of competitive advantage. There are third party impacts in both directions. It’s possible that a third party experiences a loss event, and while unintentional, this could impact deadlines or worse reveal proprietary information. These costs that are more difficult to quantify still have large, negative impact on the business and must be accounted for. “The notion of how to show value for cyber risk investment is one that the industry struggles with because success is invisible – it’s the absence of a cyber event, or the ability to show that an event had a lesser impact than it might have had. It is difficult to show return on investment for cyber risk programs. Organizations need to develop the ability to demonstrate that the investments they are making are aligned with the actual risks they face. They have to ask if they are making the appropriate investments in security, vigilance, and resilience, and whether those decisions are based on a realistic understanding of the specific risks their organization faces – and the magnitude of impact that a cyberattack could have. Managing cyber risk is not just a cost to the business, but a positive investment to enable the success of strategic growth and performance initiatives,” contributes Deloitte Advisory Cyber Risk Services. Prioritization Given the myriad sources of cyber risk, with each event having different levels of potential impact, prioritization is critical. Determining how and where to allocate human, financial, and technology resources is a complicated calculus. The formula includes both intangible and tangible assets, is subjective, and includes variables based on institutional comfort, priorities and governance, risk and compliance policies, regulatory obligations, and legal commitments. A good first step is identifying and classifying applications, databases, systems, and information. A practical classification scheme (in descending order of importance) is: 1. Mission and Business Critical Systems. In aggregate, these are the vital organs of the business where the most sensitive information resides, including intellectual property, information about physical assets, and systems required to run the business. This includes information that can also impact life or death. 2. Core infrastructure, extended ecosystem. Common examples include supply chain management (SCM) applications and partner portals. 3. External, public-facing systems and points of interaction. Common examples include web servers and systems with IP addresses accessible through the internet. While it may be counter-intuitive to prioritize internal systems as the critical area of focus, it is important to prioritize what could cause the most damage if risk is not appropriately managed. If the focus is solely on what is public and customer-facing, then the organization’s most important information or critical systems are being overlooked. These mission critical and business critical systems, if affected, could halt the business entirely, which would have the same implications of a human receiving a jolt to the chest. Deloitte Advisory Cyber Risk Services adds, “For many organizations, becoming truly resilient to cyberattacks requires more than incremental improvements. It requires organizational transformation that broadens the scope of involvement at the top of the organization and instills focus on business risk, rather than technology controls. It requires the ability to focus investments on mitigating likely outcomes, based on a broad understanding of attacker motives and the ability to anticipate high-impact scenarios.”
  • 4. Cyber Risk Appetite Risk appetite is the level of tolerance that an organization has for risk. One aspect of the definition is understanding how much risk an organization is willing to tolerate, and the other is thinking about how much an organization is willing to invest or spend to manage the risk. Risk appetite sets the boundaries for prioritizing which risks need to be treated. Cyber risk appetite should be set by the CEO, CISO and CRO and then shared throughout the organization. Calculating cyber risk through ongoing assessment using defined and proven methodologies and both quantitative metrics and qualitative risk elements is critical to an organization determining how much risk they are willing to accept to achieve specific business goals or objectives. Further, determining cyber risk appetite cannot be a point-in-time exercise. It must become an ongoing process involving constant evaluation and re-evaluation. While it seems like setting cyber risk appetite may be just technical, there is more to it than that. There are conversations that need to include non-technical functions. Cyber risk appetite ties together operational risk, cyber risk, and enterprise risk in cross- functional conversations. The strategic conversation is about the risk that the organization is willing to take on and what controls it puts in place to prioritize cyber risk management. Setting the appetite is critical to managing the business effectively and efficiently to help an organization know where to invest time and resources. Conclusion The ability to quantify cyber risk and make informed decisions about cyber risk appetite will often be the difference between success and failure for modern enterprises. Those who do so effectively will be better positioned to enable continued growth, those who do not will expose their organization to risks with potential calamitous implications. Organizations must take a comprehensive inventory of potential cyber risks, quantify their potential impact, and prioritize them effectively. This process must involve stakeholders across the organization to gain perspective and consensus. It must be an ongoing process involving constant evaluation and re-evaluation. And, this up-to-date understanding must feed into the organizations view of operational and enterprise risk. This is just the beginning of the discussion, and now that cyber risk appetite has been defined and the key players within an organization have been identified, prioritization of systems and assets is the next step. Cyber Risk Appetite is not just theoretical, but rather it is something that can be modeled and calculated by an organization. This calculus will be explored in our next paper. About Deloitte Advisory Cyber Risk Services As part of the market-leading Advisory practice, Deloitte Advisory’s cyber risk services help complex organizations more confidently leverage advanced technologies to achieve their strategic growth, innovation and performance objectives through proactive management of the associated cyber risks. With deep experience across a broad range of industries, Deloitte Advisory’s more than 3,000 cyber risk services practitioners provide advisory and implementation services, spanning executive and technical functions, to help transform legacy IT security programs into proactive, secure, vigilant and resilient cyber risk programs. Deloitte Advisory Cyber Risk Services works with our clients worldwide to better align cybersecurity investments with strategic business priorities, establish improved threat awareness and visibility, and strengthen the ability of organizations to thrive in the face of cyber incidents About RSA RSA provides more than 30,000 customers around the world with the essential capabilities to protect their most valuable assets from cyber risks and threats. With RSA’s award-winning products, organizations effectively detect, investigate, and respond to advanced attacks; assure and manage identities; implement governance, risk, and compliance processes; and ultimately, reduce IP theft, fraud, and cybercrime. For more information, go to www.rsa.com. EMC 2 , EMC, the EMC logo, RSA, the RSA logo, are registered trademarks or trademarks of EMC Corporation in the United States and other countries. VMware is a registered trademark or trademark of VMware, Inc., in the United States and other jurisdictions. © Copyright 2016 EMC Corporation. All rights reserved. Published in the USA. 05/16 Whitepaper H15150 RSA believes the information in this document is accurate as of its publication date. The information is subject to change without notice. www.RSA.com