This document outlines an agenda for a cyber security director's workshop hosted by Cyber Rescue from November 30th to December 1st 2016. The workshop will cover what CEOs need from security directors to protect against cyber threats, how directors can identify vulnerabilities missed by IT, cyber insurance, responding to attacks, and leading recovery efforts. It introduces the facilitators, Barrie Millett and Kevin Duffey, and their experience in security, crisis response, and digital transformation risks. The typical roles and responsibilities of a security director are defined. The workshop aims to help directors support CEOs in leading through a cyber attack and managing relationships during response and recovery.
2. Why are we here? Topics
www.CyberRescue.co.uk
1. What the CEO needs their Security Director to do, to protect against Cyber Threats
2. How the Security Director can spot vulnerabilities the IT team are most likely to have missed
3. What the Security Director should know about Cyber Insurance
4. Surprises your CEO may suffer during the response to a major Cyber Attack
5. Why Security Directors must be ready to lead Recovery from major Cyber Attack
Assistance@CyberRescue.co.uk
3. Who are you?
Typical Security Director Role
1. Protect assets, staff & reputation
2. Assess risk, vulnerabilities & issues
3. Define goals to mitigate risk
4. Promote security by design & security culture
5. Respond to Security Incidents
4. Who are we? Facilitators for this Workshop
Kevin Duffey – Managing Director
Expert in commercial response to major cyber attacks
• CEO Asia and UK Board Member at FTSE 100 company
• Group GM at International SOS, global crisis management firm
• Helped organisations respond to cyber attacks in 25 countries
Barrie Millett – International Advisor
Award-winning leader in risk mitigation and business continuity
• Led security teams at blue-chip firms including E.ON and GE
• Chair of Joint Risk Audit & Assurance Panel, Leicestershire Police
• Expert in resilience for National Critical Infrastructure
9. Exponential Risk to Assets
Annual growth in Cyber Threats:
• 125% Zero Day
• 71% DDoS
• 55% Spear Phish
• 29% Malware
• 21% SQLi
• 38% growth in reported crime
10. Consider Cyber Insurance
Insurance: 52% of British CEOs think their company is insured for cyber risks.
Just 2% of large businesses actually have stand-alone cyber insurance in the UK (March ‘15)
“The market for cyber insurance isn’t sustainable” (Sept ‘15)
Why businesses say they don’t have insurance (Nov ‘15): “Premiums too expensive” (52%), “Too many exclusions” (44%)
Companies with cyber insurance but not claimed = 81% (Mar ‘16)
£1m cyber policy costs £5k - 25k for “average” company (Apr ‘16)
13. Assess Risks beyond IT
Staff Risks:
• 78% of staff don't obey info policy
• 63% of breaches involve passwords
• 41% of staff install apps on work PC
• 30% of phishing messages are opened
• 12% of staff download malicious s/ware
Supply Chain Risks:
• 41% of breaches affecting healthcare are caused by Third Parties
• 17% of breaches investigated by Kroll caused by Third Parties
• AT&T, Home Depot, TalkTalk, and Target all suffered breaches via 3rd parties
16. What to focus on in 2017?
Typical Security Director Role
1. Protects cyber assets, staff & reputation
2. Assesses cyber risk, vulnerabilities & issues
3. Defines cyber goals to mitigate risk
4. Promotes cyber security culture
5. Responds to cyber Security Incidents
18. Support CEOs to lead
Teams will be unnerved
Many will never have tested a cyber attack response
Internal and external relationships will need to be managed
23. www.CyberRescue.co.uk
For similar material, follow Cyber Rescue on LinkedIn here.
Barrie Millett
Former Head of Resilience, E.ON UK
International Advisory Board Member, Cyber Rescue Alliance
Barrie.Millett@CyberRescue.co.uk
+44 7913 371249
Editor's notes
The Cyber Rescue Alliance exists to help Executives reduce harm from cyber attack.
To help organisations be resilient.
To help with commercial Recovery.
We help executives avoid turning a breach into a disaster.
We help CEOs make decisions in what is often the most stressful time in their career.
We recognise that a cyber attack is a crime.
We know that executives deserve our sympathy and support.
And we know that executives find attacks very stressful because they are often so unprepared.
So I will share some observations about how we believe Security Directors can and should help executives respond to major breaches.
Personal experiences have demonstrated that cyber and physical security need to be intrinsically linked, with business operations and external agencies also playing a significant role.
You will all have had significant personal journeys around managing crime and crisis events that you can use to great effect.
The importance of all teams understanding the dynamics of emerging threats is essential.
How actors are merging cyber and physical attacks for greater impact or just as a facilitator.
We believe that Security Directors can play a truly successful role in protecting the teams and assets by ensuring a big team approach is taken.
In many instances Security Directors already have the trust of the board, police and other agencies, local operations and business teams.
CEOs need Security Directors to use their rich experiences in other areas to enrich an organisation's response to the growing cyber threats.
Security Directors have rich learning from other areas that can and should be harnessed in the arena of cyber security, with the response required prior to, during and following terrorist attacks, a severe weather event and criminal activity.
Cyber crime is just that, a crime, a key point that should not be missed. Security departments have been leading organisational response on criminal activity for years and this experience should not be lost.
High impact events will hit the Board room, and the CEO will have to be able to respond from a position of knowledge and confidence in their team's ability to respond effectively; Security Directors have rich experience in helping executives prepare for and respond to crisis situations.
It’s the data storage system the FBI used in 1942, to hold a lot less data than fits on a modern memory stick.
Choosing pictures that tell stories is really important.
For example, some people compare a data breach to an earthquake.
There is some value in that approach, because…
This memory stick holds 1,000 Gigabytes
Who here can visualise what that looks like?
We find it helpful to show CEOs this picture, of just 600 Gigabytes
Teams will be unnerved by the pace at which cyber incidents can unfold.
Many will never have tested a cyber attack response to the degree that other response plans have been, such as building denial of access, terrorist events, severe weather etc…
Internal and external relationships will need to be managed, with these relationships built in quiet times and often forged over many years of interaction to gain their trust.
Security Directors are the grown-ups at the table, during any business crisis. You have years of experience, training and tools to call upon. Your colleagues will need your mature guidance and support, to manage the cascade of commercial consequences that follow a breach.
High impact events will hit the Board room, and the CEO will have to be able to respond from a position of knowledge and confidence in their team's ability to respond effectively; Security Directors have rich experience in helping executives prepare for and respond to crisis situations and in helping them navigate through to a successful conclusion.
Silo thinking, incomplete planning internally or externally, seriously limits your resilience capabilities, increases costs and erodes value.
The challenge cannot be effectively addressed by individual institutions, organisations and teams working in isolation – the interdependencies and responsibilities are simply too great.
We must connect our thinking, resources and activities to create a collaborative approach, building common understanding and direction that overcomes the barriers to building resilient organisations and a more resilient society.
The Physical and Cyber worlds are in my opinion intrinsically connected, and Security Directors can effectively prepare our organisations and disrupt the attacks. The price of failure is too great, and by working together we can win together and support CEOs and Boards to effectively manage high impact events. Thank you.