Business At the Speed of Cyber Understanding the CISO Dilemma ISACA Denver October Chapter Meeting Ian Bramson Siemens

RISK IS GOOD

The CISO dilemma: expanding accountability and shrinking control Senior Leadership External Operations Cross-Organizational Security Operations

Most Senior Leadership are very concerned about cyber security, but have little understanding of what it is Senior Leadership Cyber fatigue Strategic alignment Business context Executive reporting Risk reduction High Exposure, Low Understanding 85% Cybercrime will cost the world in excess of $6 trillion annually by 2021 The average cost per breach worldwide was $4 million, that figure rose to $7 million in the U.S. (Ponemon Institute) Board of Directors Focus Due care – How do boards know if they’re doing a good enough job when it comes to cybersecurity oversight? Insider threats – What has the company done to deter, detect, and remediate insider threats? Third-party risk management – How is the company reducing risks with its vendors, partners, contractors, and suppliers? How is data and access managed with third parties? What are our exposures if they get hacked? Cyber insurance – What is covered with cyber insurance? Should the company get cyber insurance? What kind of coverage? How do we minimize premiums? Information sharing – How does the company share cyber information with competitors and the government? What are the privacy laws and regulations about cyber information sharing? Mergers and acquisitions (M&A) – How does cybersecurity factor into M&A? Incident response/breach notification – Who needs to be notified, and when, during a cyber breach? 39% of board executives feel security information is too technical -- Osterman organizations failed to report Ransomware attacks to CEO or Board -- SentinelOne 35X 70% cyber security budgets have increased 35 times over the last thirteen years -- Cybersecurity Ventures of the value of publicly traded companies are “intangible assets” -- Commission on the Theft of American Intellectual Property

Cyber security attackers exploit traditional organizational stovepipes and organizational divisions Cross-Organizational The people problem Span of control and accountability Business enabler, not inhibitor Partnership with business Cyber security and IT Managing Other Executives 95% 53% of mobile professionals carry confidential company information (Ponemon) Up To 12,000 laptop computers are lost weekly and up to 600,000 are lost annually in U.S. airports (Ponemon) 69% percent of organizations have experienced attempted or successful data theft or corruption by corporate insiders during the last 12 months Ransomware increased 6,000% in 2016 - IBM Ransomware was in almost 40% of all spam messages in 2016 - IBM 70% of business victims paid the hackers to get their data back – IBM 26% of employees admitted to uploading sensitive information to cloud apps with the specific intent to share that data outside the company – Sailpoint 65% of all security incidents involve human error -- IBM of those who carry confidential information don’t protect it -- Ponemon 63% 60% of confirmed data breaches involve weak, default or stolen passwords -- Verizon of fired employees steal important corporate data -- Global HR

CISOs are struggling to address expanding cyber threats with severe talent shortages Security Operations Talent shortage Operational reporting and metrics Business impacts of technical operations Career paths Doing More with Less 3.5 Million 47% of organizations say that the number of employees dedicated to network security is inadequate - ESG 44% of organizations say that the number of networking/security staff with strong knowledge in both security and networking technology is inadequate in some, most, or all cases – ESG The demand for information security analysts will grow 37% from 2012-2022—S. Bureau of Labor Statistics  The average senior security analyst in the US makes $103,226, more than double the national average—Glassdoor.com 35%  of organizations are unable to fill open security jobs, despite the fact that 82 percent expect to be attacked this year—ISACA and RSA, “State of Cybersecurity: Implications for 2015” 52% unfilled cybersecurity jobs by 2020 -- Cybersecurity Ventures of organizations that suffered successful cyber attacks aren't making changes to their security –- Barkly 37% 41% of organizations say that the ability of the security staff to keep up with the threat landscape is inadequate -- ESG of workers will be temps, contractors or consultants by 2018 -- CyberArk

CISOs inherit the risks posed by their external partners, suppliers, and customers External Operations Elastic attack surface Supply chain cyber challenges Vendorpalooza and vendor leverage Compliance conundrum Cyber insurance Managing Risks from the Outside 90% The cyber insurance market rose to $2.5 Billion in 2016 Intel predicts there will be up to 200 Billion connected devices by 2020 Microsoft predicts that the number of connected devices will be about 50 Billion by 2020 There are 25 connected devices per 100 inhabitants in the US (Symantec Internet Security Threat Report) $120 Billion of organizations lack full confidence in their IoT security -- AT&T cyber security market in 2017 (it was $3.5 Billion in 2004) -- Wired 50X 88% increase in data volume by 2020 -- Microsoft of organizations lack full confidence in the security of their business partners’ connected devices -- AT&T

MANAGING RISK IS GOOD