How to Communicate the Actual Readiness of your IT Security Program for PCI 3.0, Omnibus HIPAA,...


This webinar was developed in response to new developments with PCI 3.0, Omnibus HIPAA, BAAs, new bank regulations and NCUA regulations. We reviewed important approaches to managing what I consider to be ground-shaking changes in IT Security processes, capabilities, communications and budgeting. The content focused on what our customers are getting from regulators and banks as the deleterious effects of IT Security events over the past 12 months start to percolate into the market.

Topics:

1. How to build process flows, checklists, reporting structures and assessment tools to score IT Security risk for the CIO, CEO and Board.
2. How to communicate risk accurately across a broad range of IT systems complexity.
3. How to use a Scoreboard tool to communicate the readiness of your IT Security Program from technical staff to the CIO, CEO and Board.
4. How to balance IT Security risk and priorities so that decision makers can understand them without getting lost in the technical weeds.
5. How to simplify and manage your security architecture and design.
6. How to make managing security easy and simple when there is overlapping functionality.
7. How to use these tools, processes and risk scoring to build your IT Security Roadmap for 2015.
8. How to build a Data Governance and Risk communication plan for your IT Security portfolio.

Transcript of How to Communicate the Actual Readiness of your IT Security Program for PCI 3.0, Omnibus HIPAA,...

Page 1: How to Communicate the Actual Readiness of your IT Security Program for PCI 3.0, Omnibus HIPAA, BAAs, New Bank Regs, NCUA

At It’s Heart today

Page 2

IT Security & Risk Management

CEO

CIO

Happy Board

Managers

Technical

Do’ers

Page 3

IT Security & Risk Management

CEO

CIO

Happy Board

Managers

Technical

Do’ers

ENTERPRISE RISK Assessments

AUDITORS Internal Audit

Page 4

IT Security & Risk Management

CEO

CIO

Happy Board

Managers

Technical

Do’ers

MSP

Partners

Vendors

Consultants

Third Parties

Cloud Providers

ENTERPRISE RISK Assessments

AUDITORS Internal Audit

Page 5

IT Security & Risk Management

CEO

CIO

Happy Board

Managers

Technical

Do’ers

Page 6

What We Are Hearing

• From You
• From Regulators

Page 7

What We Are Hearing From You

• CIO – “My Board and CEO still don’t care about IT security unless I can show them the loss if they don’t do something.” The board and CEO of this public company are concerned about supply-chain security and what would happen if the supply chain were affected.

• Director of IT – “The banks are pressing me for more IT Security details now. It used to be relatively easy to fill out, but now it is hours and hours of work. I failed one line of the questionnaire. I was certain my answer was not a big deal, but it was. I don’t want to risk my company’s business with these banks. Can you help me figure this out?” The pressure is mounting as credit card merchants and banks pass responsibility down the food chain, exposing the weakest link in the chain.

• CIO – “I really don’t have a problem talking to the CEO and board about justifying our IT Security spending, but I really do need better tools to present the IT Security Vision and Roadmap.” Essentially they trust her, but what if they could trust her and also really understand what the IT Security spending is going toward?

• CIO – “I am looking for new and innovative approaches to presenting my IT security program to the Board. Sometimes they are so focused on whether they will pass the compliance audit that they lose sight of the fact that we need great IT Technology security for a business of our size.”

Page 8

What We Are Hearing From You

• I would like your opinion so I don’t overspend on my IT Security.

• I have so many areas to secure and I have already spent quite a bit on IT Security…. What do you think about it? Should I be concerned about these overlapping functions on systems?

• Strategy and architecture – I want to go this way and I am thinking of using these technologies; what are your thoughts on my approach?

• Help me understand my current IT Security investments to see if they will pass an audit or some deep-dive inspection.

• I have three main constituents that I need to sell my approach to: Auditors, CEO and the Board. What is the best presentation approach?

Page 9

JP Morgan Chase

Page 10

Story

An interesting story – this is not the most creative slide in the world, I apologize, but I did mention that it’s a big project so we’re going to get the slides cleaned up at a different time. I was having coffee with the CEO of Unisys just recently, and he was explaining a story that he was at a security event and the ex-Mandiant CEO, or he might still be the CEO but I know that they were purchased and something’s going on with FireEye, was talking; obviously many of you have listened to, I forget his first name, Mr. Mandiant talk. He asked the CEOs, ‘what do you want from your information security program?’ and they said I want the best. I want the best, best, best, best, just a real male ego type thing; I want to have a killer IT security program. Then when he (Mandiant) explained what’s needed, the CEOs dialed back their expectations and said, I just want to make sure I don’t end up on the cover of the Wall Street Journal like the Target CEO. It’s an interesting story; the CEOs are sharing information now and it’s interesting to see that even though they want a very powerful program, there’s a reality that many of them are just concerned about their job security. There’s not only the Jamie Dimons of the world but people that I’m seeing, that I talk to just having coffee, and what they’re hearing as well. That’s what we’re hearing from you when we’re listening. What are we learning from regulators?

Page 11

What We Are Learning From Regulators

• FFIEC
• NCUA
• HIPAA / Omnibus
• BAA (new mandates from Omnibus ruling)
• PCI
• EMV

Page 12

What We Are Learning - Themes

• IT Security is a Verb and not an Event
• Risk is starting to flow downhill to the weakest link
• Don’t just manage Compliance. Must have a great IT Security program
• Weak Passwords
• Malware - APTs
• 3rd party challenges
• Manage the basics – Patching is not as easy as it might seem
• Authentication challenges
• Data Governance

Page 13

Proof Needed

• CEO and Boards and Auditors and Compliance
• Want proof
• What is your internal audit and reporting process?

Page 15

FFIEC Webinar

• FFIEC members include (http://www.ffiec.gov):

• Board of Governors of the Federal Reserve
• Consumer Financial Protection Bureau - CFPB
• Federal Deposit Insurance Corporation - FDIC
• National Credit Union Administration - NCUA
• Office of the Comptroller of the Currency - OCC
• State Liaison Committee

Page 16

What Every CEO Needs to Know about the Threats They Don’t See.

Executive Leadership of Cyber Security
Federal Financial Institutions Examination Council (FFIEC)
Cybersecurity and Critical Infrastructure Working Group

Page 17

Cyber Risk Management GOVERNANCE

Page 18

HIPAA – old rule

• http://www.hhs.gov/ohrp/sachrp/mtgings/2013%20March%20Mtg/hipaa/hitechomnibus_finalrule.pdf
• Page 13

Page 19

Omnibus HIPAA – New Rule

• http://www.hhs.gov/ohrp/sachrp/mtgings/2013%20March%20Mtg/hipaa/hitechomnibus_finalrule.pdf
• Page 14

Page 20

EMV

• New Tech Standard
• Oct 2015 deadline
• Liability for fraud will flow/shift to whichever party has the lesser technology

Page 21

NCUA

• Cost of a breach
• http://www.ncuareport.org/ncuareport/august_2014#pg4
• Top 10 things credit union auditors look for

Page 22

IT Security & Risk Management FLOW

CEO

CIO

Happy Board

Managers

Technical

Do’ers

Checklists

CIO Scoreboard

CEO/Board

Page 23

IT Security System Management Checklist

Page 24

Admin Level to CIO Level

40 Security Items

Page 25

IT Security & Risk Management FLOW

CEO

Happy Board

Security / Infrastructure / DR

By Sector/Category

40 Security Items

Investment Based on Risk

Page 26

Big Picture

What is Happening

“Roughly 170 Quadrillion computer chips wired into a mega-scale computing platform. The total number of transistors in this global network is now approximately the same as the number of neurons in the human brain.”

What Technology Wants – Kevin Kelly

Page 27

Complexity

Page 28

Interesting – The Word Privacy

Page 29

JWT – World Trends 2014 and Beyond

Page 30

JWT – World Trends 2014 and Beyond

Page 31

JWT – World Trends 2014 and Beyond

Page 32

JWT – World Trends 2014 and Beyond

Page 33

WE SIT IN THE MIDDLE AND MANAGE COMPLEXITY

Page 34

So What is a Security Leader Today?

Page 35

We Are Supposed to be Afraid Right?

Page 36

Changing the story

Adult Conversations….

Assume the Breach (page 6)

Assuming the breach requires a shift of mindset from prevention alone to containment after the breach.

Assumption of a breach requires a maturing of defenses to meet this reality and shifts the focus from ‘if’ to ‘when’.

Page 37

What about changing the story or the way we talk about IT Security?

I like words like relentlessly proactive

Versus playing back on our heels

“IT Pros lack Confidence in protecting themselves” – Computer Weekly

Page 38

Show Me The Money

• Cuba Gooding
• Tom Cruise

Page 39

Ponemon

• Cost of Loss