Engaging Executives and Boards in Cybersecurity
Session 303, Feb 20, 2017
Sanjeev Sah, CISO, Texas Children’s Hospital
Jimmy Joseph, Senior Manager, Deloitte & Touche LLP
Speaker Introduction
Sanjeev Sah, Chief Information Security Officer (CISO), Texas Children's Hospital
Jimmy Joseph, CISSP, PMP, Senior Manager, Deloitte & Touche LLP
Conflict of Interest
Sanjeev Sah and Jimmy Joseph, CISSP, PMP have no real or apparent conflicts of interest to report.
Agenda
• Cyber Threat Landscape and Drivers for Cyber Risk Management
• The Need and Catalysts for Executive & Board Support
• What Hampers Executive & Board Involvement
• What Executives & Boards are Interested in
• Talking to Executives & Boards about Cyber
• Executive & Board Messaging Framework
• Case In Point – Texas Children’s Hospital
• Effective Executive & Board Engagement Measures
Learning Objectives
• Develop a cybersecurity program successfully
• Construct a successful business case for an organization's cybersecurity program
• Recognize how to obtain senior executive and board support for the cybersecurity program
• Identify how to partner for success with organizational assurance functions
• Analyze how to address legal, privacy and compliance obligations
Benefits Realized for STEPS™ Categories
• Data is a critical asset of every organization
• It is the ultimate responsibility of the Board and Executives to protect it
• Boards are accountable for breaches due to insecure electronic data
Cyber Threat Landscape
Cybersecurity and the healthcare industry – Recent trends
• 125% increase in criminal attacks on healthcare organizations over the last 5 years [1]
• 4,000+ ransomware attacks per day on average in the first quarter of 2016, a 300% increase over the 2015 per-day figure [3]
• 10x average payout for a medical identity theft compared to regular identity theft [2]
• US $209 million in monetary losses suffered by enterprises in 2016 Q1 due to ransomware [3]
References: [1] Ponemon Institute, Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, May 2015; [2] EMC2, Cybercrime and Healthcare Industry, 2015; [3] Trend Labs, The Reign of Ransomware, 2016.
Drivers for Cyber Risk Management
Changing regulatory environment
• E.g., HIPAA/HITECH, HITRUST, PCI DSS
Changing IT environment
• Consumerization of IT
• Cloud
• Mobile Apps/Computing
• Internet of Things (IoT)
• Shadow IT
Evolving threats
• Cyber Crime, Organized Crime
• Hacktivism
• State-Sponsorship
• Espionage
• Revenge, Personal Gain
The Need for Executive & Board Support
“Executives should set risk appetite and increase focus on what matters”
Catalysts for Executive and Board Support
Non-Profit Boards
Fiduciary Responsibility –
Duty of Care
Large Scale Data Breaches
Management Accountability
Heightened Cyber Awareness
What Hampers Executive & Board Involvement
Complexity of cybersecurity
• Executives & Boards do not understand the complexities and the language of cybersecurity
• Cybersecurity is believed to be the responsibility of security and technical personnel
Lack of effective messaging
• Meaningful and effective messaging about cybersecurity is not conveyed to Executives & the Board
Breach impact unawareness
• The cost and ramifications of security breaches are not fully understood
What Executives & Boards are Interested in
CISO responses to the following questions posed by Executives & Boards can make or break their cybersecurity agenda:
1. How does cybersecurity support our business priorities, such as attracting and retaining customers, maintaining or growing competitive advantage, and fostering innovation?
2. If the worst happened, could we honestly tell our customers, partners and regulators that we had done everything that was expected?
3. Are we prepared for the future?
4. How can we validate our understanding of our information risks and how they’re managed?
5. Should we as an organization or as a Board or Executives be changing our approach?
Talking to Executives & Boards about Cyber
CISOs should bring out three (3) core messages while communicating with Executives & the Board:
1. Shortlist top cyber risks
• Shortlist the top 4-6 cyber risks faced, e.g., risk of data breach, intellectual property theft
• Illustrate strengths and weaknesses of the company’s security posture
2. Identify risk trends
• Identify risk indicator trends (i.e., up, down or flat) quarter on quarter
• Explain the causes of shifts in trends, if any
3. Management of cyber risks
• Explain how cyber risks are being managed and kept within acceptable limits
Executive & Board Messaging Framework
Cyber risk program and governance
• Who might attack? Cyber criminals, hacktivists, competitors.
• What tactics might they use? Spear phishing, multi-channel attacks, stolen credentials.
• What are they after, and what are the key risks I need to mitigate? Reputation damage, business disruption, threats to health and safety.
SECURE VIGILANT RESILIENT
Measures: Data Protection, Asset Management, Threat Intelligence, Security Monitoring, Incident Response, Forensics…
Case in Point - Texas Children’s Hospital
Obtaining Executive & Board support and partnering with external entities/organizational assurance functions has helped TCH establish a successful cybersecurity program.
Cyber Evolution (our response over time):
• 1996: HIPAA
• 2009-2010: HITECH, Obamacare*
• 2014: Internal Partnerships (Audit, ITRAC, ERMEC)
• 2016-2018: External Partnerships (HITRUST, Deloitte, Accudata); Cyber Insurance
HIPAA: Health Insurance Portability and Accountability Act
HITECH: Health Information Technology for Economic and Clinical Health
* Patient Protection and Affordable Care Act (ACA)
ITRAC: Information Technology Risk Assessment Committee
ERMEC: Enterprise Risk Management Executive Committee
Effective Executive & Board Engagement Measures
• Security Framework
• Benchmarking
• Vision - structure - resources
• Strategic Hiring
• Executive & Board Sponsorship
• Transparency
• Trusted Advisors
• 3Ps - Playbook -> Plan -> Program
• Metrics & Dashboard
• Customized Message to Executives
Summary of Benefits for STEPS Categories
• Decreased risk: involved Executives & Boards lead to the appropriate measures being taken to improve security posture and reduce the risk of data breaches.
• Increased awareness: what the vulnerabilities are, and what measures are in place to minimize the potential of a breach or attack on electronic data.
Any Questions?
For any further queries you may contact:
Sanjeev Sah: [email protected], https://www.linkedin.com/in/sanjeevsah, https://twitter.com/sahsanjeev
Jimmy Joseph: [email protected], https://www.linkedin.com/in/jijoseph, https://twitter.com/cyber_Jimmy