STKI’s Cyber Governance initiative
"Life is like riding a bicycle. To keep your balance, you must keep moving."
— Albert Einstein
Page 1
STKI Company Confidential
It’s well known that so many companies get hacked. Yet many executives believe it will not affect them, even the largest and most prestigious ones.
Page 2
Copyright@STKI_2018 Do not remove source or attribution from any slide or graph
Cyber’s Problematic Reputation
“Cyber is holding us back from achieving all other initiatives”
Page 3
Cyber governance initiative destination
Striking a balance between the business needs and the cyber, risk & compliance needs.
Cyber, governance & compliance are crucial for the survival of organizations, but they are also holding organizations back in many ways.
Executives don’t fully comprehend the importance of cyber security and their personal responsibility.
Page 4
Cyber Governance Initiative
Page 5
Trek name:
Zero trust security: Get top management on board
• Demonstrate to the CEO and board their cyber responsibility
• Determine the business’s main cyber principles
• Allocate cyber budget, head count & org. structure
Page 6
(Chart: Number of Employees / Cyber personnel. Source: STKI staffing report)
Implement STKI’s market data & best practices to receive appropriate budgets and personnel!
Page 7
Trek name:
Design a Cyber Governance Plan
• Build a multi-year risk & cyber program
• Build a cyber resilience program
• Design a holistic cyber measurement program
• Use “Israel National Cyber Directorate” guidance and tools
Page 8
Israel National Cyber Directorate guidance will boost cyber security in Israel! Especially for non-regulated enterprises.
Non-regulated CISO:
“I don’t have enough budget and resources.”
“I can’t explain this to the CEO/Board.”
Page 9
Page 10
Organizations that want to participate in the beta program can contact tora@pmo.gov.il
Page 11
Don’t forget to secure the ENTIRE supply chain!
Page 12
STKI expects new regulation based on Israel National Cyber Directorate guidance in several industries.
Take a deep breath. We’ve only just started.
Page 13
Of boards are not trained to deal with cyber security incidents!
Source: Einat Meyron, cyber resilience consultant & The Cyber Security Source - 2017
Page 14
CEO/board member nightmare: one innocent phone call
Page 15
Leverage the similarities between BCP (Business Continuity Plan) & Cyber Resilience, and make them work together in collaboration.
Page 18
Trek name:
Adapt to changing regulations
• Keep up with existing regulations
• Watch as GDPR becomes the standard
• Implement the Privacy Protection Regulation
Page 19
GDPR Hype
GDPR is searched more than Cyber Security
(Chart: search interest, GDPR vs. Cyber Security)
Page 20
Page 21
What does GDPR mean to our business? A lot!
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
Page 22
It will also change many processes and interaction methods.
Example: the first engagement with a client and their consent to continue with the process:
Page 23
Consent Management: one of the new tools needed to maintain compliance
Page 24
Some organizations will have to appoint a DPO under GDPR law
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/
The DPO:
• Is the first point of contact for supervisory authorities and for individuals whose data is processed
• Informs and advises the organization and its employees about their obligations to comply with GDPR and other data protection laws
• Monitors compliance with GDPR and other data protection laws, including managing internal data protection activities
• Advises on data protection impact assessments
• Trains staff and conducts internal audits
Page 25
GDPR and the Israeli privacy act touch on the same areas
Source: Konfidas
Page 26
Eventually, it will come… So be prepared
Page 27
Trek name:
Cyber Security Operations
• Enforce patches, including on new device types (watches, pumps, cars, etc.)
• Embrace new technologies and prepare for new vulnerabilities
• Re-adjust the cyber security program
• Embrace DevSecOps
• Automate cyber operations and use AI/ML
Page 28
DevSecOps Manifesto:
Page 29
DevSecOps tools - Embed SDLC (Secure Development Life Cycle) tools into CI/CD:
• Static analysis tools
• Dynamic scanning (automated penetration tests)
• Combine operations data (logs, customer inputs) with security inputs
Page 30