Cybersecurity @ Rabobank Wim Hafkamp - CISO NBA 20 May 2016 ‘Doing nothing’ is not an option

Page 1:

Cybersecurity @ Rabobank

Wim Hafkamp - CISO NBA 20 May 2016

‘Doing nothing’ is not an option

Page 2:

Changing World

Page 3:

New Entrants
• Fintech
• Non-financials

More Regulations
• The Netherlands
• Pan-Europe
• U.S.A.

New Technologies
• New distribution channels
• Product innovations
• Social media

Customer expectations
• Expect 24/7 services
• 100% reliability
• Willing to change to other home bank

Social pressure
• Lower profit margins lead to cost focus
• Sustainability
• Breach of Trust

The financial sector is changing fast…

Intense pressure on banks

Page 4:

The Ultimate IT Challenge

New Entrants
▪ Cheap and Time-to-market solutions
▪ Joint solutions (e.g. iDEAL)
▪ Lean IT

More Regulations
▪ IRM (Integrated Risk Management)
▪ Need for more flexibility

New technologies
▪ New interaction methods (video, chat, etc.)
▪ Mobile
▪ Cloud
▪ Analytics

Customer expectations
▪ Multichannel
▪ Customized and personalized services
▪ High(er) Quality

Social pressure
▪ Green IT
▪ Outsourcing & Offshoring

…and technology is getting more important

Page 5:

Superb Customer Services

Regulatory Compliance

Innovate & ‘Disrupt’

Response to Cyber Threats

Manage priorities

Page 6:

Ambition: Rock-Solid Security

• Up-to-date security at acceptable costs

• Security explicit part of service delivery process

• Strong and robust IT infrastructure

• Capable and adequate security organisation to meet threats and requirements.

Page 7:

Use adequate language!

Page 8:

In the boardroom…

Page 9:

Questions

Where are we?

What is our inspiration?

What is needed?

When will we get there?

Which practice to choose?

Page 10:

Detailed Questions

How secure are you?
• Serious security and privacy incidents

Are you getting more or less secure?
• Key indicators

How do you set priorities and risk appetite?
• Downtime and data loss

How are you organized to manage issues?
• First vs Second line and reporting

Are you spending at the right level?
• Spending over the next years and whether it is appropriate

How do you manage third party suppliers?
• How to avoid unacceptable risk

Page 11:

Cybersecurity… more than technology

Threats
• Threat actor
• Actor capability
• Attack immediacy

Vulnerabilities
• People
• Process
• Technology

Assets
• Information assets
• Systems
• Applications

Protect and defend
• Technical controls
• Behavior controls

Respond
• Immediate incident response
• Investigations

Business drivers

Regulations

Business, Resilience and contingency

Environment

Controls and Response Capabilities

Page 12:

Different perspective (1)

• Shift from prevent to detect & respond
• Human is weakest link, unless…
• Cooperation is required: ISAC, Sector, NCSC, (IT) Partners
• How to react if you are hacked (and you will)…
• Protect your ‘crown jewels’

Page 13:

Different Perspective (2)

Protect & Defend
• Technical Controls
• Behavior Controls

Respond
• Immediate Incident response
• Investigation

Page 14:

Critical steps

Minimize exposure

1. Assess your readiness to respond / Resilience
2. Identify your critical assets
3. Select your defense
4. Boost your security awareness and education
5. Enhance monitoring & incident response

Page 15:

The role of the CISO

1. Security Compliance
2. Security Risks
3. Incident & findings
4. Security Awareness
5. Projects / Key Action Plans
6. Handshakes