TRANSLATING CYBERSECURITY PREPAREDNESS INTO A BUSINESS REQUIREMENT

Upload: summit-professional-networks

Post on 15-Jan-2017

Category: Business

TRANSCRIPT

/ / 1

TRANSLATING CYBERSECURITY PREPAREDNESS INTO A BUSINESS REQUIREMENT

/ / 2

THE PANEL

> JoAnn Carlton

General Counsel and Corporate Secretary, Bank of America Merchant Services

> Edward J. McAndrew

Assistant United States Attorney, Cybercrime Coordinator, U.S. Attorney’s Office

> Mercedes Tunstall

Partner, Pillsbury Winthrop Shaw Pittman LLP

> Brian Kudowitz

Commercial Product Director, IP/Privacy & Data Security/Tech & Telecom, Bloomberg BNA

/ / 3

THREAT LANDSCAPE: OVERVIEW

> Data breaches

> Enforcement and liability

> Evolving business models and dependencies

/ / 4

THREAT LANDSCAPE: INCIDENTS

> Incidents are growing in frequency and size

/ / 5

RECENT INCIDENTS AND TAKEAWAYS

> VTech

> JPMorgan/E*Trade/Scottrade/Dow Jones

> Sacred Heart

> Anthem

> Chipotle

> Kaspersky, and LastPass

> Harvard and other university breaches

/ / 6

THREAT LANDSCAPE: ENFORCEMENT & LIABILITY

> Complex regulatory and law enforcement environment:

DOJ

FTC

HHS

FCC

SEC

State AGs

Non-U.S. regulators

> New and upcoming laws and regulations

> Class action litigation

/ / 7

THREAT LANDSCAPE: BUSINESS DEPENDENCIES

> Increasing dependence on PII as part of business models:

Behavioral advertising

Mobile/Wearables/Internet of Things

E-Health

Ed-Tech

Digital currency and crowd-lending

> Inside threats

> Third-party vendor risk

> IP risk

> Brand value and damage

> Shareholder panic

/ / 8

IMPACT ON STOCK PRICE

/ / 9

Challenges

• Budget constraints

• Back-office concern v. front-office concern

• Low employee fluency

• Cultural inertia

• Business-scaling dilemma

INTEGRATING CYBERSECURITY INTO THE BUSINESS MODEL

> Drive change from the top down;

> Build privacy preparedness across the organization;

> Cybersecurity should be proactive, not reactive:

Planning and response are part of one continuous cycle.

/ / 10

CHAMPIONING CYBERSECURITY INTERNALLY

> Make the case to the corporate board by:

Understanding and conveying the threat landscape;

Connecting threats to business growth and viability;

Positioning privacy and security as a business selling point;

Monitoring changes that pose risk.

> Establish open communication across group lines.

> Education and training are essential.

> Advocate for a bottom-up approach to privacy in new products and services development.

/ / 11

PLAN/PREPARE

> Inventory data collection and flows

> Regular risk assessment

> Privacy By Design

> Establish/rehearse incident response plan

> Employee education

> Inside threat detection

> Vendor due diligence

> Engage with law enforcement and regulators

> Consult with legal counsel

> Cybersecurity insurance

> Information sharing: ISACs and ISAOs

> Build a deep and broad bench of expertise

> Invest in security and detection systems

RESPONSE

> Execute incident response plan

> Law enforcement notification

> Collaboration with outside counsel

> Brand-damage control

> Forensic assessment and evidence collection

> Breach notification

> Remediation

> Retrospective incident analysis

/ / 12

PUTTING IT ALL TOGETHER

Board Buy-in

Organizational Adoption and Communication

Proactive Implementation

Preparedness

Response

Lessons Learned

/ / 13

QUESTIONS