The Security Director's Practical Guide to Cyber Security
Download as PPT, PDF2 likes483 views
This document outlines an agenda for a cyber security director's workshop hosted by Cyber Rescue from November 30th to December 1st 2016. The workshop will cover what CEOs need from security directors to protect against cyber threats, how directors can identify vulnerabilities missed by IT, cyber insurance, responding to attacks, and leading recovery efforts. It introduces the facilitators, Barrie Millett and Kevin Duffey, and their experience in security, crisis response, and digital transformation risks. The typical roles and responsibilities of a security director are defined. The workshop aims to help directors support CEOs in leading through a cyber attack and managing relationships during response and recovery.
The Security Director's Practical Guide to Cyber Security
- 1. www.CyberRescue.co.uk Barrie Millett Advisory Board 30th Nov – 1st Dec 2016 Security Director’s Practical Guide to Cyber Security Barrie Millett The UK Security Expo
- 2. Why are we here? Topics www.CyberRescue.co.uk 1. What the CEO needs their Security Director to do, to protect against Cyber Threats 2. How the Security Director can spot vulnerabilities the IT team are most likely to have missed 3. What the Security Director should know about Cyber Insurance 4. Surprises your CEO may suffer during the response to a major Cyber Attack 5. Why Security Directors must be ready to lead Recovery from major Cyber Attack [email protected]
- 3. Who are you? Typical Security Director Role www.CyberRescue.co.uk 1. Protect assets, staff & reputation 2. Assess risk, vulnerabilities & issues 3. Define goals to mitigate risk 4. Promote security by design & security culture 5. Respond to Security Incidents [email protected]
- 4. Kevin Duffey – Managing Director Expert in commercial response to major cyber attacks •CEO Asia and UK Board Member at FTSE 100 company •Group GM at International SOS, global crisis management firm •Helped organisations respond to cyber attacks in 25 countries. Barrie Millett – International Advisor Award winning leader in risk mitigation and business continuity •Led security teams at blue-chip firms including E.ON and GE •Chair of Joint Risk Audit & Assurance Panel, Leicestershire Police •Expert in resilience for National Critical Infrastructure Who are we? Facilitators for this Workshop
- 6. Leading terrorism response Severe weather events Investigating criminal activity transferable skills
- 7. FBI data storage in 1942 = 10 million sets of fingerprints, plus 23 million paper cards = 680 Gigabytes Digital transformation of assets
- 8. Digital transformation of assets £600 storage device in 2016 a “memory stick” from HyperX, stores 1,000 Gigabytes
- 9. Exponential Risk to Assets Cyber Threats Annual Growth 125% Zero Day 71% DDoS 55% Spear Phish 29% Malware 21% SQLi 38% growth in reported crime
- 10. Insurance: 52% of British CEOs think their company is insured for cyber risks. Just 2% of large businesses actually have stand alone cyber insurance in UK (March ‘15) “The market for cyber insurance isn’t sustainable” (Sept ‘15) Why businesses say they don’t have insurance (Nov ‘15) “Premiums too expensive” (52%) “Too many exclusions” (44%) Companies with cyber insurance but not claimed = 81% (Mar ‘16) £1m cyber policy costs £5k - 25k for “average” company (Apr ‘16) Consider Cyber Insurance
- 11. Risks vary by Sector
- 12. Agree Goals with IT Director
- 13. Staff Risks: •78% of staff don't obey info policy •63% of breaches involve passwords •41% of staff install apps on work PC •30% of phishing messages are opened •12% of staff download malicious s/ware Supply Chain Risks: •41% of breaches affecting healthcare are caused by Third Parties •17% of breaches investigated by Kroll caused by Third Parties •AT&T, Home Depot, TalkTalk, and Target all suffered breaches via 3rd parties Assess Risks beyond IT
- 14. Staff Systems Suppliers Work with HR, IT & Procurement to take a Hacker’s Eye View
- 15. Example: daily Security Scorecard on vulnerabilities at key suppliers
- 16. What to focus on in 2017? Typical Security Director Role www.CyberRescue.co.uk 1. Protects cyber assets, staff & reputation 2. Assesses cyber risk, vulnerabilities & issues 3. Defines cyber goals to mitigate risk 4. Promotes cyber security culture 5. Responds to cyber Security Incidents [email protected]
- 17. What to focus on in 2017? Typical Security Director Role www.CyberRescue.co.uk 1. Protects cyber assets, staff & reputation 2. Assesses cyber risk, vulnerabilities & issues 3. Defines cyber goals to mitigate risk 4. Promotes cyber security culture 5. Responds to cyber Security Incidents [email protected]
- 18. support CEOs to lead www.CyberRescue.co.uk Teams will be unnerved Many will never have tested a cyber attack response Internal and external relationships will need to be managed
- 19. Grown-ups at the table www.CyberRescue.co.uk
- 20. Grown-ups at the table www.CyberRescue.co.uk
- 21. Why are we here? Topics www.CyberRescue.co.uk 1. What the CEO needs their Security Director to do, to protect against Cyber Threats 2. How the Security Director can spot vulnerabilities the IT team are most likely to have missed 3. What the Security Director should know about Cyber Insurance 4. Surprises your CEO may suffer during the response to a major Cyber Attack 5. Why Security Directors must be ready to lead Recovery from major Cyber Attack [email protected]
- 22. Part 2: Simulation (for attendees only): We will now simulate a Breach
- 23. www.CyberRescue.co.uk For similar material, follow Cyber Rescue on LinkedIn here. Former Head of Resilience E.ON UK International Advisory Board Member Cyber Rescue Alliance [email protected] + 44 7913 371249 Barrie Millett
Editor's Notes
- #2: The Cyber Rescue Alliance exists to help Executives reduce harm from cyber attack. To help organisations be resilient. To help with commercial Recovery. We help executives avoid turning a breach into a disaster. We help CEOs make decisions in what is often the most stressful time in their career. We recognise that a cyber attack is a crime We know that executives deserve our sympathy and support And we know that executives find attacks very stressful because they are often so unprepared. So I will share some observations about how we believe Security Directors can and should help executives respond to major breaches.
- #6: Personal experiences have demonstrated that cyber and physical security needs to be intrinsically linked. With business operations and external agencies also playing a significant role. You will all have had significant personal journeys around managing crime and crisis events that you can use to great effect. The importance of all teams understanding the dynamics of emerging threats is essential. How actors are merging cyber and physical attacks for greater impact or just as a facilitator. We believe that Security Directors can play a truly successful role in protecting the teams and asset by ensuring a big team approach is taken. In many instances Security Directors already have the trust of the board, police and other agencies, local operations and business teams. CEOs need Security Directors to use their rich experiences in other areas to enrich an organisations response to the growing cyber threats.
- #7: Security Directors have rich learning from other areas that can and should be harnessed in the arena of cyber security, with the response required prior to, during and following terrorist attacks, a severe weather event and criminal activity. Cyber crime is just that, a crime, a key point that should not be missed. Security departments have been leading organisational response on criminal activity for years and this experience should not be lost. High impact events will hit the Board room and the CEO will have to be able to respond from a position of knowledge and confidence in their teams ability to respond effectively and Security Directors have rich experience in helping executives prepare and respond to crisis situations.
- #8: It’s the data storage system the FBI used in 1942 To hold a lot less data than fits on a modern memory stick. Choosing pictures that tell stories is really important. For example, some people compare a data breach to an earthquake. There is some value in that approach, because…
- #9: This memory stick holds 1,000 Gigabytes Who here can visualise what that looks like? We find it helpful to show CEOs this picture, of just 600 Gigabytes
- #19: Teams will be unnerved by the pace at which cyber incidents can unfold. Many will never have tested a cyber attack response to the degree that other response plans such as, building denial of access, terrorist events, severe weather etc… Internal and external relationships will need to be managed with these relationships built in quiet times and ofter forged of many years of interaction to gain their trust.
- #20: Security Directors are the grown-ups at the table, during any business crisis. You have years of experience, training and tools to call upon. Your colleagues will need your mature guidance and support, to manage the cascade of commercial consequences that follow a breach. High impact events will hit the Board room and the CEO will have to be able to respond from a position of knowledge and confidence in their teams ability to respond effectively and Security Directors have rich experience in helping executives prepare and respond to crisis situations and help them to navigate through to successful conclusion.
- #24: Silo thinking, incomplete planning internally or externally, seriously limits your resilience capabilities, increases costs and erodes value. Challenge cannot be effectively addressed by individual institutions, organisations and teams working in isolation – the interdependencies and responsibilities are simply to great. We must connect our thinking, resources and activities to create a collaborative approach, building common understanding and direction that overcomes the barriers to building resilient organisations and a more resilient society. The Physical and Cyber worlds are in my opinion intrinsically connected and Security Directors can effectively prepare our organisations and disrupt the attacks. Price of failure is too great and by working together we can win together and support CEOs and Boards to effectively manage high impact events. Thank you.