Wednesday, October 14, 2015

GHC15: Security from the Boardroom

What to Protect When You Can't Protect Everything?

Kelly Kitsch, Advisory Director of PwC

Unlimited funds don't come, unless you have a massive breach - and we'd all rather it not get to that.

Threats are complex and ever-changing, so we have to be able to adjust in order to protect our assets. Assets can be strategy-related, branding, in-progress patents, physical, etc.

Traditionally, people focus on perimeter security, but we need to really think about our high-impact assets.

The focus in the last few years has been on compliance - but compliance alone does not make you secure.

There is a new Economic Impact Analysis Methodology. The first phase is threat modeling; the second (related) phase is identifying your critical assets - physical and intellectual.

CIA: Confidentiality, Integrity and Availability. Use this to assess your risk.

Once you've identified the most critical assets and can justify why they are so important, it will be easier to get funding.
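As an added illustration of those two phases (this is not PwC's methodology or code from the talk), the constructed Python below scores a small asset inventory on CIA impact and threat likelihood, produces the one-line justification for each asset, and shows which controls a fixed budget can fund. The assets, scores, costs and budget are all assumed sample values.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    confidentiality: int  # impact (1-5) if the asset's secrecy is lost
    integrity: int        # impact (1-5) if the asset is tampered with
    availability: int     # impact (1-5) if the asset is unavailable
    likelihood: int       # likelihood (1-5) from the threat-modeling phase
    control_cost: int     # constructed cost (in $k) of the mitigating control


def dominant_dimension(asset: Asset) -> str:
    """Which CIA dimension drives this asset's impact (first max wins on ties)."""
    dims = {"confidentiality": asset.confidentiality,
            "integrity": asset.integrity,
            "availability": asset.availability}
    return max(dims, key=dims.get)


def risk_score(asset: Asset) -> int:
    """Impact is the worst CIA dimension; risk = impact x likelihood."""
    return max(asset.confidentiality, asset.integrity, asset.availability) * asset.likelihood


def justify(asset: Asset) -> str:
    """The sentence you take into the funding conversation."""
    impact = risk_score(asset) // asset.likelihood
    return (f"{asset.name}: risk {risk_score(asset)} = impact {impact} "
            f"({dominant_dimension(asset)}) x likelihood {asset.likelihood}")


def prioritize(assets, budget: int):
    """Rank by risk (highest first), fund each control that still fits the budget.
    Returns (funded, unfunded) lists of asset names; ties break alphabetically."""
    ranked = sorted(assets, key=lambda a: (-risk_score(a), a.name))
    funded, unfunded, remaining = [], [], budget
    for asset in ranked:
        if asset.control_cost <= remaining:
            funded.append(asset.name)
            remaining -= asset.control_cost
        else:
            unfunded.append(asset.name)
    return funded, unfunded


# Constructed inventory mixing intellectual, brand and physical assets.
INVENTORY = [
    Asset("customer PII database", 5, 4, 3, likelihood=4, control_cost=120),
    Asset("pending patent filings", 5, 3, 2, likelihood=3, control_cost=60),
    Asset("public marketing site", 1, 3, 4, likelihood=5, control_cost=30),
    Asset("office badge system", 2, 4, 3, likelihood=2, control_cost=40),
    Asset("brand social media accounts", 2, 5, 2, likelihood=4, control_cost=20),
]
```

Running `prioritize(INVENTORY, 200)` funds the three risk-20 assets and leaves the patent filings and badge system unfunded, which is exactly the trade-off the talk is about.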

Security and Privacy by Design: Moving from Concept to Implementation

Madhu Gupta, Head of Member Trust and Security Products of LinkedIn

How do we do this better when we build something from scratch? You know, for the next time we start a project.

At LinkedIn, they think of their guiding principles: Members First! The three important values are clarity, consistency and control - and most importantly: trust.

Everyone at the company must understand that they are accountable for security and privacy. Look out for new features being launched, and make sure we have the right privacy controls before they launch.

How do you do this?

  • Integrate security and privacy into product requirements
  • Hold office hours so people can ask you questions
  • Review your plans at product reviews
  • Embed security champion engineers
  • Share externally

You can further improve this by dedicating a team to review, consult, etc.

And when people do it right - make a t-shirt! Motivate and share your success.

Let the Games Begin (Cyber Security)

Linda Betz, Chief Information Security Officer of Travelers

Linda has to worry about strategic things AND worry about delivering. :-)

What's the game? Everyone wants to hack YOU. So, as CISO, it's important to minimize this and limit the damage. You need to find and resolve incidents quickly.

This is expensive - the average cost of a breach is between $3.7M and $5.5M.

What tools do your opponents use?

They could be state sponsored actors, paid to rain down malware on top of you.

It could be an insider - whether placed as an attacker or just careless.

What are they after? Personally Identifiable Information? Intellectual Property? Or perhaps simply seeing if they can do it. We also see denial of service - like a boycott, except the attacker is deciding that NOBODY can do business with you.

You have tools, too! Apply patches, use security toolkits, tripwires, etc. You need to understand what's happening on your network - use analytics, etc.

Leverage the NIST Cyber Framework to help guide you.

Make sure you and your team have all the training you need for various certifications.

When things go off the rails, you can bring in the FBI, regulators, cyber incident response companies and even lawyers.

Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!
