This document summarizes a presentation on building a cybersecurity risk management program. Some key points:
- The presenter discusses the importance of understanding business impacts of cybersecurity failures and balancing compliance obligations with operational risks.
- Cybersecurity controls must be embedded in business processes to be effective.
- As an executive, one must understand the organization's risk posture relative to peers and how the organization responds to incidents.
- The presenter emphasizes communicating cybersecurity risks using common language executives can understand and prioritizing risks based on limited resources.
1. Information Classification: Public
COMPLIANCE AND SECURITY:
BUILDING A CYBERSECURITY
RISK MANAGEMENT
PROGRAM
Central Ohio Infosec Summit - 2016
Jason Harrell
Corporate Senior Information Risk Officer (CSIRO)
Investment Management
BNY Mellon
March 30, 2016
Slide 2
AUDIENCE QUESTIONS
• How many of you are Chief Information Security Officers or Chief Information Risk Officers
for your organization?
• How many of you have regularly scheduled meetings with your Chief Compliance Officers
on cybersecurity regulations?
• How many of you have regularly scheduled meetings with your Legal Counsel (internal
and/or external)?
• How many of you have regularly scheduled meetings with your Chief Operating Officer or
equivalent?
• How many of you subscribe to industry publications for the industry for which you work?
• How many of you brief your Board of Directors on cybersecurity risks for your organization?
Slide 3
KEY TAKEAWAYS
• As a Chief Information Security Officer (CISO) and Chief Information Risk Officer (CIRO),
you will be required to understand and articulate the business impacts of cybersecurity risk
failures in terms that resonate with your audience
• As executives, we will need to balance our compliance obligations for cybersecurity controls
with our business’ operational cybersecurity risks to prioritize our risk management efforts
(EXHAUSTIVE MEDIOCRITY)
• Cybersecurity controls must be embedded into the business processes to be effective (i.e.,
the business must be involved with the execution of cybersecurity controls)
• As an executive, you need to understand your risk posture/maturity relative to your peer
group
• How your organization responds to a cyber incident is equally as important as the
preventative measures taken before an incident
Slide 4
WHAT IS CYBERSECURITY RISK MANAGEMENT?
THE MANAGEMENT OF THE BUSINESS’ LEGAL, REGULATORY, OPERATIONAL,
AND CLIENT RISKS THAT MAY RESULT FROM ITS USE OF INFORMATION,
TECHNOLOGY, OR ASSOCIATED BUSINESS PROCESSES IN ORDER TO ALIGN
WITH THE BUSINESS’ RISK APPETITE.
CYBERSECURITY RISKS EXTEND BEYOND TECHNOLOGY. THE CONTROLS MUST
BE EMBEDDED INTO THE BUSINESS PROCESS TO BE EFFECTIVE!
Slide 5
CYBERSECURITY RISK MANAGEMENT EXPECTATIONS
In general, regulatory authorities want to provide businesses with a principles-based risk
approach to provide flexibility. Common guidance from the (financial) regulatory authorities
is that controls should be appropriate based on:
• The size and complexity of business operations
• The makeup of the customers and counterparties serviced
• The products and markets traded
• Access to trading venues and other industry participants (i.e., market
interconnectedness)
Depending on your sector and regional presence, your business may have more
prescriptive requirements for cybersecurity controls (e.g., OCC Third Party Risk
Management)
The NIST Framework is recommended by different regulatory authorities but is not a silver
bullet. Every organization must understand the risks relative to its business operations and
the controls that are used to manage these risks
Slide 6
BOARD AND EXECUTIVE MANAGEMENT QUESTIONS
• When do I know when I have spent enough on cybersecurity controls? (i.e., When have I
spent too much on cybersecurity?)
• How does our cybersecurity program stack up against our peers?
• Is our business in compliance with our regulatory obligations for managing cybersecurity
risks?
• What are the legal / client / fiduciary / regulatory impacts for cybersecurity failures AND do
we understand those impacts on business operations?
• Could an event like Target / Sony / Anthem / Home Depot happen at our organization?
• How do we know that we haven’t been hacked already?
• Are we prepared to manage a cybersecurity incident and, if not, how long will it take for us
to be appropriately prepared?
Slide 8
LEGAL / REGULATORY OBLIGATIONS
Every regulatory agency has a rule requiring the adoption and implementation of written
policies and procedures reasonably designed to prevent violation of federal securities laws
As the CISO or CIRO, do you know the compliance rules
relative to internal control requirements for your business?
Client Contracts and Addendums
As the CISO or CIRO, do you have visibility into
client agreements being entered into by your business areas?
Enforcement Actions
As the CISO or CIRO, do you understand how fines
and enforcement actions are being levied in your sector?
Regulatory Focus
There are a number of areas relative to cybersecurity risk management.
Do you know where the regulatory focus is on the required controls?
Slide 9
OPERATIONAL IMPACTS
Numerous cybersecurity risks are realized due to (1) the lack of demarcation between business and
technology responsibility for controls and (2) business processes that are inappropriate for managing a
changing risk environment
How does your business ensure that cybersecurity
controls extend and are embedded into associated business processes?
While many businesses have a technology incident response plan, they do not have an appropriate
business incident response plan or crisis communication plan.
Does your business have a crisis communication plan that includes engagement of external
counsel, regulatory reporting, law enforcement engagement, media relations, client
communications?
The lack of understanding of how the business operates may lead to arduous and/or
ineffective implementation of controls
How do you train the individuals in your organization to look outside of the technology
controls to those controls that are part of the business process?
The maturity of your peers' cybersecurity risk management programs will contribute to your
definition of reasonable and adequate controls.
Do you know where the cybersecurity risk management
program stacks up relative to your peer group?
Slide 10
Communicating cybersecurity risks and associated impacts in
the same common vernacular as the individuals you are trying to influence
will increase your success in gaining the support required for your
cybersecurity risk management program.
Slide 11
IMPORTANT POINTS
Remember that you are competing for a limited pool of resources (e.g., money, personnel)
with other risk and control organizations as well as the business revenue-generating
programs
You can’t fix everything at once! As an executive, you need to define and defend those risk
gaps that you are addressing and demonstrate that you understand those areas that will
also need additional focus
Technology controls without business adoption will not decrease your business risks. These
controls must be embedded into the business operational processes
Understanding where your program is relative to your peer group will assist you with
gaining executive program support and changes in the risk management posture within
your industry