Turning IT Risk Management into Business Value

Presentation transcript:

Turning IT Risk Management into Business Value
Increasing the Value and Profile of InfoSec to the Business
Case Study from a LockPath Customer

What You Will Learn
- How to tie IT operations and IT risk to business operations and business value
- How compliance and risk data needs to be messaged differently across the organization
- How efficient and effective IT risk management and InfoSec operations move from ‘checking the box’ to organizational value and increased prestige

Speaker notes: Good morning. My name is Sam Abadir. I am the Director of Product at LockPath. LockPath makes a software platform called Keylight that helps users manage Governance, Risk and Compliance, or GRC, across their enterprise. I will tell you a little more about Keylight at the end of the presentation today. What we are going to talk about today is how other infosec operations have solved the problem of effectively and efficiently communicating geek-speak metrics across the organization while effectively and more efficiently managing IT risk. We will talk about how customers are getting the attention and funding they need from business managers, from the C suite and from the board, and how infosec teams are reacting faster to their most important problems. Instead of talking about vulns, threats, configurations and SIEM alerts in techno terms, they are using GRC platforms to instantly transform and communicate that message into a message telling of specific business impacts, potential process slowdowns or stoppages, and dollars at risk, while also remediating the most important threats impacting their business. 11/13/2018

IT Risk Management And Business Value
IT risks are those within the scope and responsibility of IT, the IT department or IT dependencies that create uncertainty in daily tactical business activities, as well as IT risk events resulting from inadequate or failed internal IT processes, people or systems, or from external events.

Disparate Data Throughout the Business
Slide labels: Vuln Scanner, Threat Feed, Tactical and Strategic Activities, Business Priorities

Speaker notes: One of our customers is a large international company, which makes them a prime target for attacks on their infrastructure. As threats from threat detection feeds like iSight and vulnerability scans from tools like Qualys were coming in, the organization was having a difficult time understanding what to prioritize at the IT level, how to best manage the information at the IT level, and how to explain and justify the expense to the board. [CLICK] This customer had these two feeds to manage (they actually bring in more data feeds, but we are just focusing on these two in this example). The vulnerability feed seemed pretty straightforward to manage in Qualys: threats were critical, high, medium, or low. What they did not know was how critical the assets were that had the vulnerabilities. Additionally, they did not know if a vulnerability was new or if it had already been reported. This made it difficult to prioritize how to fix the vulnerabilities found. Trying to get ahead of threats and harden or monitor systems before breaches happened, this bank bought a threat monitoring service. Their subscription gave them hundreds if not thousands of threats a day, all in PDF form by email. Reading the threats and seeing if they were applicable to the organization was time consuming, if not impossible to do on a timely basis. IT knew why they wanted to do this: they wanted to protect their systems, keep their name out of the bad part of the news, and make sure they were meeting their service level agreements with the operational part of the business. They knew that risks to IT meant that the business could not operate, or could bring reputational harm. IT was challenged internally on how to manage vulns and threats, and challenged by their management on how to justify the high costs for data and the high costs to manage the data. They were also challenged on how to better prioritize threats to the business.

Business Operations Supported by Technology
Slide labels: Operations, Value, Operational Risks, IT Supports Business, IT Infrastructure, IT Risks

Speaker notes: In order to solve both of these issues, what the bank had to do was look at their asset base and understand which assets support which business processes, and how the business prioritized those business processes. With this information they could identify the value the process brings to the organization. They could identify the potential loss of value because of a vulnerability on a process-supporting system, and they could identify the potential loss from an imminent threat to an IT system that supports a business process. In order to solve both of these issues, what IT had to do was: [CLICK ON BULLETS]
- Identify how the operations of the company created value.
- Then identify which assets supported which operational processes. This gave them the direct tie between assets and value created.
- The business had already identified and quantified the value of operational risks.
- This mapping and risk identification by the business laid out the plan for explaining IT risks in business terms.

Risk to Value
Threats to Processes Put Value At Risk: poor execution, reputation, expensive compliance, etc.
Threats to Supporting Technology Put Value At Risk: system vulnerabilities, application vulnerabilities, inadequate security, etc.
Supporting systems named on the slide: CRM Systems, Marketing Systems, Account Management, Credit Systems, Accounting Systems, Account Systems, Trading Systems

Speaker notes: What the IT organization did was work with the business to identify the processes that the organization supported and the value of those processes. Internally they were able to map IT assets and supporting information to the processes. Therefore they were able to understand the value that each IT asset supported and how much was at stake when a threat or a vulnerability was found on a supporting asset. They could now begin to prioritize threats, and they could prioritize vulnerabilities based on business operations, not just severity.
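As an added illustration of the prioritization this slide describes (example code, not LockPath's or Keylight's), the following Python ranks constructed scanner findings by the value of the processes each supporting asset carries rather than by severity alone, flags findings not previously reported, and keeps only the threat advisories that name software actually in the inventory; every asset, process value, finding, advisory and severity weight here is constructed for the example.

```python
# Constructed sample data (not from LockPath or Keylight): annual value each process brings.
PROCESS_VALUE = {"trading": 5_000_000, "account_management": 1_200_000, "marketing": 300_000}

# Constructed asset inventory: processes each asset supports and software it runs.
ASSETS = {
    "crm-01": {"processes": ["account_management", "marketing"], "software": ["crm-suite"]},
    "trade-gw": {"processes": ["trading"], "software": ["trade-gateway", "openssl"]},
    "web-mkt": {"processes": ["marketing"], "software": ["cms"]},
}

# Assumed percentage of supported value treated as exposed at each scanner severity.
SEVERITY_WEIGHT = {"critical": 100, "high": 60, "medium": 30, "low": 10}

# Constructed scanner findings and the set already reported by an earlier scan.
FINDINGS = [
    {"asset": "crm-01", "vuln_id": "VULN-A", "severity": "critical"},
    {"asset": "trade-gw", "vuln_id": "VULN-B", "severity": "medium"},
    {"asset": "web-mkt", "vuln_id": "VULN-C", "severity": "critical"},
]
KNOWN = {("crm-01", "VULN-A")}

# Constructed threat advisories; only those naming installed software are relevant.
ADVISORIES = [
    {"id": "ADV-1", "software": "openssl"},
    {"id": "ADV-2", "software": "mainframe-db"},
    {"id": "ADV-3", "software": "crm-suite"},
]

def value_supported(asset):
    """Value of all business processes the asset supports (the asset-to-value tie)."""
    return sum(PROCESS_VALUE[p] for p in ASSETS[asset]["processes"])

def prioritize_vulns(findings, known):
    """Rank findings by value at risk (supported value x severity weight).
    Findings not seen before outrank previously reported ones of equal exposure."""
    ranked = []
    for f in findings:
        exposure = value_supported(f["asset"]) * SEVERITY_WEIGHT[f["severity"]] // 100
        is_new = (f["asset"], f["vuln_id"]) not in known
        ranked.append({**f, "value_at_risk": exposure, "new": is_new})
    ranked.sort(key=lambda r: (r["value_at_risk"], r["new"]), reverse=True)
    return ranked

def relevant_threats(advisories):
    """Keep advisories that match installed software, with the value they put at risk."""
    hits = []
    for adv in advisories:
        affected = [a for a, meta in ASSETS.items() if adv["software"] in meta["software"]]
        if affected:
            value = sum(value_supported(a) for a in affected)
            hits.append({"id": adv["id"], "assets": affected, "value_at_risk": value})
    return sorted(hits, key=lambda h: h["value_at_risk"], reverse=True)

if __name__ == "__main__":
    for r in prioritize_vulns(FINDINGS, KNOWN):
        print(f'{r["vuln_id"]:7} {r["asset"]:9} {r["severity"]:9} new={r["new"]} ${r["value_at_risk"]:,}')
    for h in relevant_threats(ADVISORIES):
        print(f'{h["id"]} affects {h["assets"]} ${h["value_at_risk"]:,}')
```

Note that the medium-severity finding on the trading gateway outranks the critical finding on the marketing web server, which is the ordering a severity-only view would invert.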

IT and Business Data Are Inputs to Risk Management
Speaker notes: Managing this data and information, and the rate of change of this data and information, however, was another logistical nightmare that could have added more cost, more time, and more uncertainty. The increased amount of data only increased the number of questions they had about their data and about their threats. That is where a Governance, Risk and Compliance, or GRC, platform [K] comes in. [K] GRC platforms take metrics and inputs from across the business, from third parties and from IT scanning tools such as Qualys, Nexpose, WhiteHat, Veracode, Tripwire, etc. GRC platforms [K] then automatically correlate this information and help users prioritize threats and vulnerabilities.

GRC Architecture
Inputs: Incidents, KPIs, Other Business Records, Vulnerability Scanners, Web App Scanners, Config Scanners, Syslog, SIEM
Platform: Risk Register, Risk Thresholds, Workflow, Reporting, Dashboards
Outputs: Staff Reports, Management Reports, Board of Director Reports

Speaker notes: Besides managing this data and the rate of change of data, [K] GRC platforms manage the messaging of information to different parts of the company, with many fewer resources. This company today is able to automatically collect and manage data from across the business. They are able to work with the business to identify risks and what metrics are used to measure the risks, and [K] GRC platforms are taking that information and presenting pertinent information to people throughout the organization.

IT Risk Management Across the Organization
Operational Reports: Which assets are most at risk according to vuln findings, scanner findings, SIEM findings, etc.? Asset prioritization: what do I fix first? Asset risk history.
Management Reports: How healthy are the assets that support the business? Who needs the most help? Is shadow IT/BYOD creating a threat? Are assets enriched with business information?
BOD/Audit Reports: How much value is at risk? Do I need to make additional investments to manage risk? Are current risk management efforts effective?

Speaker notes: Today the company we have been discussing is using [K] a GRC platform to pull in data from across the organization. That data is measured and analyzed in the platform and reported to IT operations, to IT and business management, and to the C suite, board of directors, and audit committees. Said differently, [K] GRC platforms are telling front-line IT, through live reports and dashboards, of prioritized IT threats delivered in geek speak. Front-line IT using [K] GRC platforms are now able to better prioritize vulnerabilities and incidents, in real time. [CLICK] [K] GRC platforms are telling management of the effectiveness of front-line operations. It's using scanning technology to identify new assets in the environment and correlating IT data, such as encryption levels of assets, with business data sensitivity to see if there is exposed data. It's also consuming the hundreds or thousands of daily threats that were previously delivered by email, instantly correlating that information with existing assets to see if the threats are even relevant, and then deploying resources to battle the threat. These follow-up activities have included updating mail filters to block known phishing activity, monitoring web traffic for predicted DDoS attacks, or updating configurations to block other types of attacks. Management is given the best information at the right time from sources across the enterprise to develop the right strategy to more efficiently and effectively protect the organization from IT threats. [K] GRC platforms are trending metrics and KPIs and converting techno-speak into dollars and value at risk, or other messages that senior-level management understands. Information presented this way helps IT departments quickly get budget, resources, and tools to manage risks before they become a real problem for the business. Being able to automatically use the same data to inform the right people of risks, opportunities and issues in the language they speak, using their relevant metrics, enables the business to efficiently manage risk. Coordinated and timely messaging keeps business spending focused on creating value instead of reacting to aging problems. The end result for the IT organization has been:
- Greater respect from management and senior management
- More efficient and effective IT operations
- And these have led to the business giving higher priority to IT budget and resource requests.

Summary
- GRC takes inputs from across the enterprise and even third parties to efficiently manage different areas of risk, including IT risk
- GRC automates messaging of IT risk and compliance data to stakeholders across the organization in an efficient, effective, and risk-specific manner
- GRC tools should remove the complexity of compliance and allow the business to focus on its core objectives

Speaker notes: To summarize, GRC platforms [K] help organizations effectively manage risk to the business by automatically correlating and managing data from across the enterprise, including from most of the tools you see here at Data Connectors. Organizations using GRC platforms [K] can battle risks to value tactically and strategically by sending the right messages to the right people at the right time. GRC platforms [K] create huge efficiencies in data management and in creating actionable messages. These efficiencies often allow organizations to better focus their resources on value-creating activities. And lastly, GRC platforms provide a mechanism for the entire business to agilely manage risks, whether they are IT, compliance, operational, or third party, and manage messages as business conditions, business strategies, technologies and threats change.

About Keylight
- Keylight is a fully integrated suite of seven management applications designed to manage all facets of compliance and risk programs
- It provides the most efficient and effective path to compliance and audit readiness
- Helps organizations achieve competitive advantage through confidence, trust, and effective management

Speaker notes: Keylight consists of a fully integrated suite of management applications designed to manage all facets of compliance and risk programs, including IT Risk Management, Operational Risk Management, Vendor Risk Management, Audit Management, Business Continuity Management and Corporate Compliance. Our Keylight platform is used to automate business processes, reduce enterprise risk, eliminate redundancy, and demonstrate regulatory compliance. In short, Keylight provides the most efficient path to compliance and risk management. Keylight allows an organization to house its entire list of activities, processes and information in one platform. Keylight consists of seven apps, connectors to third-party data sources and a user-friendly interface. All of this is accompanied by LockPath's award-winning support.

The Keylight Ecosystem
Speaker notes: Keylight’s seven applications work together to help users analyze data from multiple sources. You can use any combination of applications and add apps as your needs change. LockPath will work with you to understand your needs and identify the applications needed to solve enterprise issues such as:
- Compliance Management
- Risk Management
- IT Risk and Asset Management
- Third Party Risk Management
- Operational Risk Management
All configurations of Keylight include workflow, dedicated GRC reporting and dashboarding, and the advanced data management required to solve the complex risk and compliance issues organizations face.

Questions?
913-601-4800 | info@LockPath.com
LockPath Corporate Headquarters, 11880 College Boulevard #200, Overland Park, KS 66210
lockpath.com/company/contact

Speaker notes: If you have any questions, please feel free to ask. Thank you; you should be receiving a follow-up from LockPath in the next day or two which includes a link to the recording of this presentation. If you have other questions, please use the contact information here to reach out to us. Again, my name is Sam Abadir, and thank you for attending today.