Time
48 minutes
Difficulty
Advanced
CEU/CPE
1

Video Description

This lesson offers an introduction into corporate cybersecurity management and focuses on translation technical threats into business risk. Data breaches are a large issue for companies today. It is something that costs them significant money to settle. For example, Home Depot recently settled a data breach situation for the cost of $19 million. In this course participants will gain knowledge about: 1. Legal concepts relative to cybersecurity 2. TCO vs. ROI 3. How does a spoliation order impact your liability as a cyber professional? 4. Supply chain 5. Cyber implications for publicly traded companies

Video Transcription

00:04
Hello, everybody. My name is Carter Schoenberg.
00:08
Today Session cyber risk for system owners will be focusing on how to effectively translate technical threats
00:14
into business risk
00:16
For more information with regards to my background experience, if you scroll to the bottom of the page, you will see a short biography.
00:23
When we think about cyber security, what do we usually think about? A firewall?
00:28
Antivirus. Remember protection,
00:30
perhaps cyber threat, intelligence or even incident response?
00:35
You cannot pull up a trade rag,
00:37
open a newspaper, turned on the television or open of a Web browser without seeing the most recent aftermath of a data breach that's taken place that day.
00:48
Health and Human Services Office of Civil Rights is handing out penalties ranging between 1 to 1.5
00:55
$1,000,000
00:56
to organizations that failed adequately protect Elektronik health care information. But the U. S citizens
01:03
and they're handing out these fines like it's candy on Halloween.
01:06
Home Depot recently just settled a lawsuit in response to a data breach in the amount of $19 million.
01:15
And as I'm sure most of you are aware,
01:18
Target sustained a pretty large breach in the latter part of 2013
01:23
in the total value of their settlement, and spend to date
01:26
is over 200
01:29
in $56 million.
01:32
Here's what I have outlined for our agenda today.
01:36
First introduction.
01:38
I don't mean a detailed biography on Carter Schoenberg, but more importantly,
01:42
what is the current threat landscape look like? And how does it have a direct applicability to your business operations?
01:51
Next, we'll be focusing on legal concepts that are relative to cyber security.
01:56
We will also be talking about the total cost of ownership
02:00
versus return on investment.
02:02
This is a highly debated topic. As many people firmly believe that you can not show a dollar value on your return on investment
02:12
for cyber security,
02:15
we'll be evaluating
02:16
the definitions of each
02:20
their bases of fact
02:22
versus myth.
02:23
Then we'll be talking about stole e ation order exfoliation. Order is a legal instrument,
02:29
and we will show how a small e ation order could potentially impact your liability. That's a sight for a professional.
02:36
Then we'll focus on supply chain.
02:38
Many people believe that supply chains are simply
02:43
applicable to manufacturing,
02:45
where you're able to show the assembly line where you're getting your core components to make
02:51
a specific device.
02:53
Have you ever considered the fact that your business partners are in fact part of your supply chain?
02:59
And finally, we will conclude with the cyber implications for publicly traded companies.
03:05
The value of any training in awareness section is measured by the knowledge transfer from the instructor to the student.
03:12
Given this isn't the sexy ultracool penetration testing Siri's,
03:16
we want to highlight what you can expect as a result of this session. First, you should be able to understand
03:23
how to discern a cyber threat from a business risk. You should also be able to understand legal concepts as it is relative to cyber security. You should also be able to understand how your business partners directly increases your organization's risk exposure.
03:42
The culmination of all of these points
03:45
will provide greater value to the C suite or system owners that you report to
03:50
and better position you for career advancement.
03:54
For the first part of this lesson introduction,
03:58
we will spend some time on the current cyber threat landscape.
04:01
Current cyber related spending activities in our business owners traditionally operate.
04:06
There's a lot of material to cover,
04:09
and this may potentially be one of the longest intro topic sessions you have encountered within the cyber. Very Siris.
04:16
But where to start with so many fascinating areas of interest?
04:20
How about the word cyber?
04:23
When we hear the words cyber today,
04:25
it has become so meddled in terminology,
04:28
an expectation
04:30
that many of the industry believe
04:31
this word has little or no value.
04:35
However,
04:36
for the purpose of this lesson, we will define cyber
04:41
as the following
04:42
computers, smartphones, networks, cloud infrastructure or data centers and data itself.
04:50
When we look at forecast for a cyber security spending,
04:55
we see very clear upward trend.
04:58
This first graphic shows us the estimated level of spending on everything from mobile to io ti over the next five years between 2015 and 2020.
05:10
It is important to know
05:12
that while this chart is fairly new,
05:14
this upward trend in cyber security spending
05:16
has seen dramatic increases for over 10 years.
05:20
More money is being spent on cyber security today
05:24
ever has before.
05:27
With these increases, you would think our risk posture would improve proportionately to the level of spent.
05:33
But it hasn't
05:36
as seen in this next chart. You'll notice increases in what US certain reports for security incidents
05:45
and Verizon IBM insecure works are all showing similar increases.
05:53
A few years ago, while attending Black Hat,
05:55
there was a very prominent headhunter
05:58
who asked the audience who thought that they were great Ed doing pen testing in a number of hands went up.
06:04
You didn't ask
06:05
what about being a great firewall administrator.
06:09
And again more hands went up.
06:13
He finally concluded. With what about instant response and digital forensics.
06:16
More hands went up. Even still,
06:19
you shook his head and said, People, it's no longer enough
06:24
Once you get the six figure mark for conversation,
06:27
if you can't demonstrate an understanding of the business
06:30
and how your efforts in same security directly support the business,
06:35
you were in a losing proposition.
06:40
There's a great article that was posted a few years ago at C. S. O. Online.
06:46
The name of the article was titled The Four Things I Wish I Knew as a Sister.
06:51
This article featured a former chief information security officer
06:56
that took on the role of the chief operations officer within the same company.
07:01
His main point was that had he only understood then, as a c I s O
07:06
what he does now. As the chief operations officer,
07:12
he would have been significantly more successful getting buying from his peers
07:17
informal support
07:19
from his leaders.
07:21
Why?
07:23
Because he understood the business more.
07:26
So Let's look at business operations.
07:29
Would have business owners typically care about
07:32
their primary concern. Whether we want to acknowledge it or not is sales
07:38
how much money or be able to bring in.
07:40
Let's not fault them too harshly, because that's what pays our salary.
07:45
Other factors include
07:46
program or project management.
07:48
Staffing resource is
07:50
Is wells cash flow
07:54
an accounting?
07:55
When the last light we covered general business considerations,
08:01
let's look at what is generally now overlooked by the same business owners cyber risk,
08:05
legal considerations and insurance.
08:09
This is especially true with mergers and acquisitions activities.
08:15
What is interesting to note is,
08:16
yet there are clear dependencies on these three areas.
08:20
They generally are the most overlooked by business owners,
08:24
and the irony is that overlooking the convergence of these three highly specialized areas,
08:31
equates to the greatest exposure to business risk.
08:35
We will illustrate these risks in greater detail later in the session.
08:39
I'm sure a lot of the students taking this session are very familiar with vulnerably assessment tools like Nexus in Rapid seven.
08:48
When we run these tools, we get report that looks something like the graphic here.
08:54
However, when you try to explain the results from these tool sets to leadership,
09:00
you gentlemen get this expression. Inevitably,
09:03
it's simply whether we want to like it or not.
09:07
We will be faced with this one as well.
09:11
Okay, everybody. So now that we have highlighted
09:13
the traditional model on how we look at the outputs from a security tool and how we convey that to our bosses,
09:20
let's dig a little bit deeper.
09:24
Have you ever been asked to quantify your findings
09:28
if you respond? Well,
09:30
sure. Carter. The tools that gives you a score between one and 10
09:33
at wrong answer. That's never what we're looking for.
09:37
For this example, I'm using a screen capture from the tool Next Pose A, which is part of Rapid seventh Portfolio. As we review the screen capture, I would like to ask you how many critical risks
09:50
are being displayed.
09:52
It's a trick question.
09:54
Any answer other than zero is technically incorrect.
09:58
What you see before you
10:01
are threats defined by the tool not risk.
10:05
These tools are not factoring compensated controls
10:09
or the type of data that resides on the computer in question.
10:15
So here's where you can really hone your skills as a cyber professional.
10:20
Do you recall the article I mentioned earlier before things I wish I knew as the CSO
10:26
focus on how you can add value by understanding the business better
10:31
now, this particular equation, I'm sure that we have all seen
10:35
it's been around for about 15 years, if not more,
10:39
in my professional opinion, is
10:41
what a bunch of it be. Dippy baloney
10:46
couldn't have said it any better myself. The other factor within this equation is the rate of occurrence,
10:52
which I kind of got a chuckle out of because it only takes one occurrence
10:58
for the risk to manifest itself.
11:00
Okay,
11:01
so now let's get into the nitty gritty of where we can really add value by leveraging a weighted scoring system that I call the 40 2040
11:11
using the outputs from next pose A. As we saw from the last line,
11:16
we're gonna highlight
11:18
a critical vulnerability that occurred back in 2006 with Microsoft
11:26
to better. It says the actual potential risk to the business.
11:31
We look at three factors.
11:35
The tool score
11:35
with a weighted average of 40%
11:39
compensating controls with a weighted average of 20%
11:46
in the data itself,
11:48
with the weighted average of 40%.
11:52
It's important to note
11:54
if your core business operations is highly centric around health care,
11:58
top secret
12:01
or highly sensitive financial information,
12:05
the percentage that you will use for that third factor data
12:09
may very well increase
12:13
in this graphic. We have a network apology, which includes
12:16
firewalls
12:18
and I. D. S. This network has three computing assets that maintain different data types.
12:26
The first is defined as a general support system, or
12:30
GSS.
12:33
GSS is generally responsible for day to day operations. But if the system was disrupted, while would cause significant inconvenience to the business,
12:41
it may not necessarily cause her. These other assets maintained personally identifiable information
12:50
in credit cards or electronic health care records.
12:54
So under the scenario,
12:56
now, let's incorporate that Microsoft vulnerability into this sitting
13:01
as we continue to review this vulnerability in its new environment, we will need to give it a numerical value
13:07
for the purpose of this lesson. A Louis to find it's having a score between 13
13:13
a moderate 4 to 7
13:16
and high between eight and 10.
13:18
Now that we have the values to assess the weighted average for the value of the tool score,
13:24
we must now calculate the compensating controls
13:28
and the data.
13:30
Conversely, to the tool score,
13:31
the better you're compensated controls, the lower the numeric value.
13:37
As for data,
13:39
the more valuable the information, the higher the number.
13:43
Using our 40 2040 model,
13:45
we assigned that critical rate of vulnerability
13:48
with an eight.
13:50
We then will assign a score of five for having a firewall in I d. S.
13:56
Why only a five?
14:00
Well, while someone's subjective,
14:01
we need to evaluate
14:03
factors like, you know, it's great to have a fire one i d. S. But who's actually monitoring it in one of their qualifications?
14:11
What about the host based I, PS, or even the use of a security incident in the Mansion party and invent management tools or otherwise known as the SIM?
14:20
And now, finally, the data.
14:24
Because the data is not critically
14:26
important to protect either by requirement or mission sensitivity, we're going to saying that the value of four
14:33
after we complete the equation, using the 40 2040 model
14:37
we see the critical
14:39
comes in
14:41
and a 5 80
14:43
I have 1000
14:45
or a 58.
14:46
This would be to find at best
14:50
at it as a moderate risk
14:52
if we leverage the exact same networked apology. But we simply change the data.
14:56
How does that impact the score? Let's look in a scenario where we're no longer using General Support Service is,
15:03
but now a computer that has personally identifiable information on it.
15:09
The rating from the tool remains in eight.
15:13
The compensating controls have not changed either.
15:18
However,
15:18
you have hit it maximum score
15:20
for data 10 out of 10
15:24
now, only factor all of these data sets. Together,
15:28
we have a total score of an 82%.
15:31
In this specific example,
15:35
the actual rating from the tool to find it's critical
15:39
is now tracking on par with the numeric value that we have given it as a business risk.
15:46
Just to make sure the the Jeralyn chest of what we're looking to illustrate, let's run through one more scenario
15:54
again. Same topology, same configurations.
15:58
But this time we're gonna focus on the
16:02
desktop that has a credit card or electronic health care records.
16:06
We would raid that with the maximum value of 10 out of 10 just like we did for personally identifiable information.
16:12
However,
16:14
we want to be able to change the value
16:17
of the vulnerability itself. Let's say that the tool says that it is a moderate,
16:22
so now we're giving it in. Assign value of five out of 10
16:27
compensating controls remains the same, and so does the score for data.
16:32
Now, when we complete the calculation,
16:34
it gives us the score
16:37
of 70%.
16:38
Again,
16:40
the value that's being described
16:42
by the tool is tracking on par
16:45
with the actual business risk
16:48
as a moderate.

Up Next

Corporate Cybersecurity Management

Cyber risk, legal considerations and insurance are often overlooked by businesses and this sets them up for major financial devastation should an incident occur.

Instructed By

Instructor Profile Image
Carter Schoenberg
Executive VP of IPKeys Power Partners
Instructor