cyber security: understanding and mitigating the threats
TRANSCRIPT
Cyber Security: Understanding
and Mitigating the Threats
Facing Your Organization
Mike LeFever, ITC Secure Global Advisors
William Kilmer, ITC Secure
Agenda
• Introductions
• Why Cyber Security is So Bad
• A New Model for Cyber Security: Investment and Leadership
• Top Things You Can Do for Little or No Money
Introductions
William Kilmer
• Executive Chairman and CEO, ITC Secure
• CEO two prior security companies
• Author of two books
• www.william.kilmer.com
VADM Mike LeFever, USN (retired)
• ITC Global Advisors
• Chief Operating Officer for IOMAXIS, a US technology company specializing in cyber
• Member of the network of national security experts for “The Cipher Brief”
• 38 years of military service, with command at every level, including:
• Former Director for Strategic Operational Planning at the National Counter Terrorism Center (NCTC)
• Commander, Office of the Defense Representative in Pakistan, and Commander, Joint Task Force in Pakistan, leading all US Armed Forces in Pakistan from 2008 to 2011
We enable clients to react to ever-changing threats, and help to prevent brand damage that could impact their profitability
Established in 1995, ITC has capabilities in on-premises, cloud-based and hybrid security, and provides:
• Cyber advisory services
• Managed security services
• Global advisory services
• Secure network services
• Unique access to National Security-level experts
Survey
What do you think about
when you hear Cyber Security?
What keeps you awake at night
about security?
Why cyber security is so bad
• Cyber is the new battlefield
• The range of hostile actors is widening
• Financial services and government are the most targeted sectors, but not exclusively
• Issues will proliferate with digital transformation
• Leaders are not prepared to lead in a digitally transformed environment
How bad is the cyber security problem?
Nation states and criminals
• Russia, China, North Korea and Iran are active state sponsors of attacks on the West
• Similar techniques are used by nation states and criminals
Insider threats are still a problem
• Intentional or unintentional misuse of access to information accounts for a growing number of cyber incidents
• Upwards of 41% of significant cyber breaches are the result of human error or non-compliance
Examples: Snowden; the OPM breach; the Islamic State exploit of CENTCOM; the Walmart data breach
Basic attacks are still working
• Phishing costs $5 billion per year
• Ransomware accounts for 40% of cyber attacks
The cyber security skills gap is widening
• 2 million: global shortage of cyber security professionals by 2019
• 53% of organisations wait 6 months for qualified candidates
• 84% believe half or fewer applicants are qualified
• 3.5 million cyber security openings by 2021
The skills gap: average security headcount
Enterprise size (employees)   IT FTE   IT security FTE
500                            29       2.0
999                            58       3.9
Third parties: your new weakest link
• The weakest links are third-party vendors with fewer security controls
• Third parties are now involved in 65% of breaches
• Best Buy, Sears, Kmart, Delta, Applebee's, Chili's: all this year
Threat surface increasing: IoT and OT
• States are increasingly developing or buying capabilities against industrial control systems
• Nation states are targeting iconic US brands in response to sanctions
• At risk:
• Business operations continuity
• Intellectual property
• Private data
New data protection requirements
• GDPR requires more care in data handling and protection
• Some companies are adopting it as a global requirement
• Breach notifications are mandatory
• Significant penalties: up to 4% of revenue
• Boards must be aware of the risks and cannot opt out of meeting them
• The CCPA in California is the first major legislation protecting consumer data privacy
A New Model for Cyber
Security: Investment and
Leadership
Digital business is changing the perspective
• An exponential increase in the number of things that must be protected
• An increasing number of external systems, users and infrastructure
• Increasing transactional and transient business interactions
• Challenges to conventional centralized security governance models
IDC FutureScape: Worldwide Digital Transformation 2018 Predictions
By 2020, 60% of enterprises worldwide will be in the process of implementing a fully articulated, organization-wide digital transformation strategy.
Digital business increases risk
The change to an investment perspective
• A strategic vision addresses the new challenges of digital business security
• An annual security strategy planning process turns vision into action
• Security risks that impact digital business are addressed
• Monitoring and adapting must happen actively
Moving from compliance to protection
Justifying security spending to:
• Comply with data regulations
• Align with and enable business objectives
• Reduce events
• Improve the risk profile
• Enable digital business
Source: IT Security Spending Trends, SANS, 2016
Leadership in a digitally transformed environment
• No longer about building "stronger and bigger," such as firewalls and defense in depth
• Recognizes the criticality of the human factor and human ingenuity
• Requires a holistic approach to successfully navigate an ever-changing and ambiguous environment
It starts at the top
Leaders need to create the environment that integrates cyber and cyber security with culture, people, processes, business and mission.
Ten things you can do for little or no money
(Tell your CISO to do these before they spend another dollar on technology)
Define your security objectives
• What objectives do you have? Where are the gaps?
• Ensure a broad perspective
• Think in terms of marginal dollar and marginal gain
• Benefits:
• Roadmap-based direction
• No shiny objects
• Uncover larger gains for fewer dollars
Raise security awareness
• 41% of insider incidents stem from human error
• People forget
• Attack methods change
• Cyber training is essential
• Online training is very affordable
• Benefits:
• Fewer incidents
• Much lower cost than clean-up
Create security champions
• Develop a champion role
• Build and align program objectives directly with company objectives
• Across divisions and geographies
• Integrate into performance plans
• Train the trainers
• Let champions take creative liberties with the content
Leverage free material
Practice basic cyber hygiene
• Asset discovery and management
• End device software updates
• Password policies
• BYOD policy enforcement
• Vulnerability detection
• Penetration testing
• Guest WiFi network
• Regular systems patching
• Limiting access
• Backing up data
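Several of the hygiene items above (asset discovery and management, regular patching, limiting access, backing up data) can be checked automatically against an asset inventory. The script below is an added example written for this page, not code from the ITC Secure presentation; the inventory, the network-scan result, the end-of-support list and the age thresholds are all constructed assumptions chosen for illustration. It compares what a scan sees against what the inventory knows (the discovery gap) and then flags each inventoried host that is unsupported, unpatched, unbacked-up or carrying too many admin accounts.

```python
"""Basic cyber-hygiene audit over a constructed asset inventory.

Added example; not part of the ITC Secure slides. The inventory, scan
results, end-of-support list and thresholds below are all assumptions
made up for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Thresholds: assumptions chosen for the example, not figures from the slides.
MAX_PATCH_AGE_DAYS = 30
MAX_BACKUP_AGE_DAYS = 7
MAX_ADMINS_PER_HOST = 2
TODAY = date(2018, 11, 1)  # fixed "today" so the audit is reproducible

# Constructed end-of-support list; use a maintained source in practice.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}


@dataclass
class Asset:
    hostname: str
    owner: str
    os: str
    last_patched: date
    last_backup: Optional[date]
    admins: List[str]


# The asset-management side: what we think we own (constructed data).
INVENTORY = [
    Asset("fs01", "finance", "Windows Server 2016",
          date(2018, 10, 20), date(2018, 10, 31), ["itadmin"]),
    Asset("web01", "marketing", "Ubuntu 16.04",
          date(2018, 8, 1), date(2018, 10, 31), ["itadmin", "dev1", "dev2"]),
    Asset("hr-laptop-7", "hr", "Windows XP",
          date(2018, 10, 28), None, ["itadmin"]),
]

# The asset-discovery side: hostnames seen on a network scan (constructed data).
SCANNED_HOSTS = {"fs01", "web01", "hr-laptop-7", "printer-3f", "unknown-pi"}


def find_unmanaged_hosts(inventory: List[Asset], scanned: Set[str]) -> List[str]:
    """Hosts on the network that nobody has inventoried: the discovery gap."""
    known = {a.hostname for a in inventory}
    return sorted(scanned - known)


def audit_asset(asset: Asset, today: date = TODAY) -> List[str]:
    """Apply the hygiene rules to one asset and return human-readable findings."""
    findings = []
    if asset.os in UNSUPPORTED_OS:
        findings.append(f"unsupported OS: {asset.os}")
    patch_age = (today - asset.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"not patched for {patch_age} days")
    if asset.last_backup is None:
        findings.append("no backup recorded")
    else:
        backup_age = (today - asset.last_backup).days
        if backup_age > MAX_BACKUP_AGE_DAYS:
            findings.append(f"last backup {backup_age} days ago")
    if len(asset.admins) > MAX_ADMINS_PER_HOST:
        findings.append(f"{len(asset.admins)} admin accounts: {', '.join(asset.admins)}")
    return findings


def run_audit(inventory=INVENTORY, scanned=SCANNED_HOSTS, today=TODAY) -> Dict:
    """Full report: discovery gap plus per-host findings (empty list = clean)."""
    return {
        "unmanaged": find_unmanaged_hosts(inventory, scanned),
        "findings": {a.hostname: audit_asset(a, today) for a in inventory},
    }


if __name__ == "__main__":
    report = run_audit()
    for host in report["unmanaged"]:
        print(f"[discovery] {host}: on the network but not in the inventory")
    for host, findings in report["findings"].items():
        status = "; ".join(findings) if findings else "clean"
        print(f"[hygiene]   {host}: {status}")
```

On the constructed data this reports two unmanaged hosts (printer-3f and unknown-pi), a web server that has gone 92 days without patching and has three admin accounts, and an HR laptop on an unsupported OS with no backup. The point of the discovery step is that the hygiene rules can only be applied to hosts you know about; the two unmanaged hosts get no patch or backup check at all until someone inventories them.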
Go phishing
• 75% of organizations experienced phishing attacks in 2017
• 92.4% of malware is delivered by email
• 16 phishing emails per month
• Simple program:
• Train
• Notify
• Test
• Report
• Repeat
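The "report" step of the train/notify/test/report/repeat loop is where a simulation programme earns its keep: it has to show whether click rates fall round over round and who needs targeted retraining. The script below is an added example written for this page, not code from the ITC Secure presentation; the three campaigns and their results are constructed data, and in practice they would be exported from whatever phishing-test tool runs the campaigns.

```python
"""Report step of a phishing-simulation programme (train, notify, test, report, repeat).

Added example; not part of the ITC Secure slides. The campaign results
below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List

# One record per simulated campaign: who received the lure, who clicked it,
# who reported it to security. Constructed data.
CAMPAIGNS = [
    {"name": "Q1 invoice lure",
     "sent": ["ann", "bob", "cy", "dee", "eli"],
     "clicked": ["bob", "cy", "dee"],
     "reported": ["ann"]},
    {"name": "Q2 password-reset lure",
     "sent": ["ann", "bob", "cy", "dee", "eli"],
     "clicked": ["bob", "dee"],
     "reported": ["ann", "cy", "eli"]},
    {"name": "Q3 shared-document lure",
     "sent": ["ann", "bob", "cy", "dee", "eli"],
     "clicked": ["bob"],
     "reported": ["ann", "cy", "dee", "eli"]},
]


def campaign_metrics(campaign: Dict) -> Dict:
    """Click rate and report rate for a single campaign."""
    sent = len(campaign["sent"])
    return {
        "name": campaign["name"],
        "click_rate": len(campaign["clicked"]) / sent,
        "report_rate": len(campaign["reported"]) / sent,
    }


def repeat_clickers(campaigns: List[Dict], min_clicks: int = 2) -> List[str]:
    """Users who clicked in at least min_clicks campaigns: retraining candidates."""
    counts = defaultdict(int)
    for campaign in campaigns:
        for user in campaign["clicked"]:
            counts[user] += 1
    return sorted(user for user, n in counts.items() if n >= min_clicks)


def never_reported(campaigns: List[Dict]) -> List[str]:
    """Users who received every lure and never reported one: the reporting habit is not there yet."""
    recipients = set(campaigns[0]["sent"])
    reporters = set()
    for campaign in campaigns:
        recipients &= set(campaign["sent"])
        reporters |= set(campaign["reported"])
    return sorted(recipients - reporters)


def programme_report(campaigns: List[Dict] = CAMPAIGNS) -> Dict:
    """Round-by-round metrics plus the two lists that drive the next 'train' step."""
    rounds = [campaign_metrics(c) for c in campaigns]
    improving = all(rounds[i]["click_rate"] >= rounds[i + 1]["click_rate"]
                    for i in range(len(rounds) - 1))
    return {
        "rounds": rounds,
        "click_rate_improving": improving,
        "repeat_clickers": repeat_clickers(campaigns),
        "never_reported": never_reported(campaigns),
    }


if __name__ == "__main__":
    report = programme_report()
    for r in report["rounds"]:
        print(f"{r['name']}: clicked {r['click_rate']:.0%}, reported {r['report_rate']:.0%}")
    print("trend improving:", report["click_rate_improving"])
    print("retrain (repeat clickers):", report["repeat_clickers"])
    print("never reported a lure:", report["never_reported"])
```

Two figures matter more than the headline click rate: the report rate, because a user who reports a lure gives the security team warning it would not otherwise have, and the repeat-clicker list, because the "train" step of the next round should go to those individuals rather than to everyone again.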
Get an independent security assessment
This one costs money, but it's worth it
• Comprehensive, independent assessment
• You don't know what you don't know
• Covers technology, culture, governance and people
• Benefits:
• Situational awareness
• Immediate threat detection
• Identifies root causes
• Improves integrity
Shred and destroy what you have
• Hold a regular shredding day
• Delete old files and backups
• Seek out old equipment
• Ensure electronics are centrally recycled
Evaluate third parties
• Evaluation of vendor security is necessary
• NIST- and ISO-based questionnaires and auditing
• Evaluate and set third-party policies and amend contracts
• Benefits:
• Identifies issues for remediation
• Highlights ongoing monitoring needs
• Strengthens your leverage
Write your breach response and communications plan: now!
• Identify risks
• Accountability, roles, processes, decisions
• Communication procedures:
• Employees
• Media
• Regulators
• Run an exercise
Thank you.