Building Cyber Resilience in the Digital Economy

Building Cyber Resilience in the Digital Economy

Agus Wicaksono, Chairman iCIO, 5 Oct 2016

• Lessons Learned

• Strategy & Framework

• Risks & Threats

• Growing Digital

Upload: agus-wicaksono

Post on 09-Jan-2017


Page 2: Building Cyber Resilience in the Digital Economy

About iCIO

www.ciocummunity.org

Become a premier community of IT leaders and decision makers that provides the trusted knowledge, resources and peer-to-peer collaboration to enable you to become a more effective leader, driving personal and organizational results.

Page 3: Building Cyber Resilience in the Digital Economy

Growing Digital

Efficiency vs Risk Exposures

Page 4: Building Cyber Resilience in the Digital Economy

Internet Traffic

Growing Threat

Page 5: Building Cyber Resilience in the Digital Economy

[Figure: curve plotted over Time with a marked Tipping point; stages labelled along it:]

• New trends emerge

• Innovative start-ups create disruptive business models

• Early adopters embrace the new models

• Advanced incumbents begin to adopt

• Mainstream customers adopt

• Laggard incumbents drop off

• Continual Connectivity

• Organization Velocity

• Deluge of Data

Source: McKinsey Quarterly May 2014 – Strategic principles for competing in the digital age

Drive the Digital Vision

[Chart: roles CMO, CEO, CIO, CDO, CSO; values 33%, 38%, 2%, 8%, 10%]

Source: Forrester-Accenture 2015

and address security risks

Page 7: Building Cyber Resilience in the Digital Economy

Black Markets: Underground Networks Set the Value of Information

Source: * Verizon 2014 Data Breach Investigation Report ** Oracle-Verizon 2015, Securing Information in the New Digital Economy

Variety of at-risk data within insider misuse*

[Chart: bars labelled Bank, Secrets, Internal, Payment; values 14%, 18%, 27%, 29%, 34%]

Pricelist for stolen information**

• Fresh credit card data: $20-25

• Stale credit card data: $2-7

• Medical record: $50

• Hijacked email account: $10-100

• Bank account credentials: $10-1,000

Page 8: Building Cyber Resilience in the Digital Economy

Strategic Principles

Business Model: digital footprints, revenue generators, crown jewels and risk vulnerabilities

Break or Bend: withstand and recover rapidly from disruptions

Maginot Line: you are only as strong as your weakest link

Incorporate into Crisis Management procedures

Ability to continuously deliver the intended outcome despite adverse cyber events, connecting Information Security, Business Continuity and Organization Resilience.

Page 9: Building Cyber Resilience in the Digital Economy

Process, Policy, and Governance: CIRT, CIA

Technical Controls and Audit

Common Operating Environment

Identify

Protect

Detect

Respond

Recover

The Crown Jewels Framework and Protection System

BSI PAS

DHS CRR

NIST CSF

ISO 27001

Page 10: Building Cyber Resilience in the Digital Economy

Lessons Learned

Advocate at CEO Level

Cyber Hygiene: culture and behavior, more than just technology

Periodic campaigns and socialization

Segregate systems to localize possible damage

Qualify 3rd Party Services

Manage digital debris

Page 11: Building Cyber Resilience in the Digital Economy

"There are only two types of companies: those that have been hacked, and those that will be." Robert Mueller, FBI Director, 2012

Thank You

Agus Wicaksono, @aguswicaksono, http://aguswicaksono.blogspot.com