Post on 12-Apr-2017
Managing Digital Earnings In an Unknowable Environment
Transformation Begins From Within
The Art of Healing
Cyber Risk Management Intelligence
Black Diamond Quantitative Cyber Risk Management Group: Mitchell Grooms, Dr. Robert Mark, Michael F. Angelo
Net Profits in an Interest Rate Cycle
[Chart: net profits plotted over an interest rate cycle, with phases labelled A, B, C and D]
Cyber Risk Management Strategy
[Chart: Net Profits against Time]
Maximize Net Profits while mitigating risks in a changing Cyber Environment
Tectonic Shifts Impact Net Profits
Credit Risk Seismic Shift 2007
• Risk Models break down
• Black Swans arrive
• Significant decline in Asset valuations
• Faulty Risk measures in stress markets
• Unprecedented market disruptions
• Funding Liquidity crisis
• Major corporate failures
• Failure to harmonize and integrate risk: uncover Unknown Unknowns
• Great Recession
Cyber RM Seismic Shift Q4 2015
• Shift in attack surface (malware to accelerated privileges) with increasing vulnerability
• Visible, high complexity attacks: scaled, staged with exponential impact
• Increasing frequency, rising severity
• Limited measures of Cyber Risk
• Corporate ecosystems under attack
• June 7th, 2016 SWIFT Alert
• Corporate Infrastructure overrun, weakest failing first
• Failure to harmonize and integrate risk: uncover Unknown Unknowns
• Breaches challenge company survivability in a stress environment, i.e. Verizon, SWIFT
Cyber Survival Cycle
[Chart: survival score (30 to 100) over time through the phases Init, Attack, Analysis, Recover, Normal, Attack, Analysis, Recovery, Attack, Will Activates, Death; cycle failure marked]
• Business Goal = 95%
• Attacks lower the score
• Analysis halts the drop
• Remediation raises the score
• Blue is the US Treasury Kill Line
• A cybersecurity event is a protracted disruption or event that severely impacts reputational risk. The Living Will initializes by the parameters above, causing orderly resolution to start (Death).
Impact on Ratings
[Chart: the same cycle phases (Init, Attack, Analysis, Recover, Normal, Attack 2, Analysis 3, Recovery, Attack 4, Will Activates, Death) against a score axis of 40 to 100, with Business Rating bands AAA, AA, A and Failure]
Cyber Risk Management Embedded Options
• Frequency: Likelihood of a successful cyber event
• Severity: Magnitude of a successful cyber event
• Choice: Mitigate vs Accept Potential Cyber Risk
• Price Insurance: Function of frequency & severity
[Chart: Likelihood (Frequency, number of years) against impact, with regions labelled Mitigate Cyber Risk, Accept Cyber Risk, Mitigate Cyber Risk; beyond the acceptable cost of risk: "You are out of business!"]
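As an added worked example (not part of the deck), the frequency/severity framing above carried into numbers: a compound-Poisson annual loss distribution, its expected loss (the pure insurance premium), the probability of crossing the ruin threshold, and the mitigate-vs-accept choice. All figures are constructed; the event frequencies, severity table, mitigation cost and ruin threshold are assumptions.

```python
import math

# Constructed example values (not from the deck): losses in $M, events per year.
SEVERITY_PMF = {1.0: 0.9, 10.0: 0.1}   # per-event loss magnitude distribution
FREQ_ACCEPT = 2.0                       # expected successful events/year if risk is accepted
FREQ_MITIGATE = 0.5                     # expected events/year after spending on mitigation
MITIGATION_COST = 1.0                   # annual cost of the control, $M
RUIN_THRESHOLD = 10.0                   # annual loss at which "you are out of business"

def poisson_pmf(k, lam):
    return math.exp(-lam) * lam ** k / math.factorial(k)

def annual_loss_distribution(freq, severity_pmf=SEVERITY_PMF, max_events=20):
    """Exact compound-Poisson distribution of total annual loss: {loss: probability}."""
    dist = {0.0: poisson_pmf(0, freq)}
    k_sum = {0.0: 1.0}                  # distribution of the sum of k event severities
    for k in range(1, max_events + 1):
        nxt = {}
        for s, p in k_sum.items():
            for sev, q in severity_pmf.items():
                nxt[s + sev] = nxt.get(s + sev, 0.0) + p * q
        k_sum = nxt
        pk = poisson_pmf(k, freq)       # P(exactly k successful events this year)
        for s, p in k_sum.items():
            dist[s] = dist.get(s, 0.0) + pk * p
    return dist

def expected_loss(dist):
    return sum(s * p for s, p in dist.items())

def exceedance_probability(dist, threshold):
    """P(annual loss >= threshold): chance of crossing the kill line this year."""
    return sum(p for s, p in dist.items() if s >= threshold)

def pure_premium(freq, severity_pmf=SEVERITY_PMF):
    """Insurance price before loading: a function of frequency and severity only."""
    return expected_loss(annual_loss_distribution(freq, severity_pmf))

def choose(freq_accept=FREQ_ACCEPT, freq_mitigate=FREQ_MITIGATE, mitigation_cost=MITIGATION_COST):
    """Mitigate vs accept on expected annual cost, with the ruin probability of each option."""
    accept = annual_loss_distribution(freq_accept)
    mitigate = annual_loss_distribution(freq_mitigate)
    cost_accept = expected_loss(accept)
    cost_mitigate = expected_loss(mitigate) + mitigation_cost
    return {
        "accept_cost": cost_accept, "mitigate_cost": cost_mitigate,
        "accept_ruin": exceedance_probability(accept, RUIN_THRESHOLD),
        "mitigate_ruin": exceedance_probability(mitigate, RUIN_THRESHOLD),
        "decision": "mitigate" if cost_mitigate < cost_accept else "accept",
    }
```

With these inputs the control costs less than the expected loss it removes and cuts the one-year ruin probability from roughly 18% to under 5%, which is the trade-off the chart's regions describe.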
Who's Testing Your Security?
We hope you are more successful than the hackers, but even with all the investment, the bad guys are still getting in!!! Why?
- We don't have what we think we have, and there are gaps even in what we do.
- The bad guys always exploit the gaps.
[Figure: You vs Hacker]
Our Solution: 3 Steps
Scoring the Personalization of Your Infrastructure; Normalizing Your Cyber Risk Database; Cyber Risk & Cyber Capital Management Program
Step 1 – Scoring, the Personalization of Your Infrastructure: Complete Cyber-Eco System Analysis; Cross Mapping to multiple standards; Risk Scoring; Attack Analysis and Risk Scoring
Step 2 – Normalizing Your Cyber Risk Database: Changing the past to wisdom
Step 3 – Cyber Risk & Cyber Capital Management Program: Mastery, Healing, Managing Net Profits
Harmonized & Integrated Digital ERM strategy
Security Risk Intelligence (Cyber Defense)
• Fighting as a strategy
• Costs directed at corporate shield
• No Scoring Metrics
• Threat Hunting
• Not aligned with business vision, goal
• Reactive
• Uncover unknown unknowns
Plus Cyber Risk Intelligence
• Risk measures plus culture
• Net profit orientation, costs directed at making risk transparent
• Scoring Metrics
• Makes Cyber Risk transparent at the infrastructure level, evolving risk metrics with increasing digitization of the business
• Aligned with business vision, goal and Risk return tradeoffs
• Proactive
• Discover the unknown unknowns
Harmonizing & Integrating Intelligence
Call to Action – Time to Show Up!
Create a Cyber Risk Management Committee: Organizationally the authority needs to be as high up as possible, ideally at the Board.
Complexity of Cyber makes it the greatest Risk challenge ever: Create Two Actionable Teams. The Teams are composed of Security and Risk Management members with the necessary capabilities and skills. How to populate the teams? Teams must create a common means of communication and harmonize and integrate Security and Risk Management into a workable, actionable Cyber Risk Management Intelligence Unit that is competitive and differentiating in nature as per the organization's corporate vision.
R&D in the quantification of Cyber Risk must be innovative: the introduction of new elements into the evolving attack surface. IoT 2020 = 50B connections; assume 10% measured.
The Future is Now, What Will You Do?
If you can't measure the Cyber Risk, you can't manage it. Can you measure your Cyber Risk?
Given everything you have done to protect your organization, you are still getting hacked. Do you know why?
Do you have an appropriate allocation of Cyber Risk with a transfer pricing mechanism across your Business Units?
Do you have a value driven Cyber Risk Capital Management program?
Do you know how to capture your orderly resolution in your Living Will in the event of a protracted business disruption and/or reputational risk impairment due to a high impact Cyber attack?
Is the primary focus of your company Security Risk Management ("fighting") or Cyber Risk Management of your net profits while mitigating risks?