Page 1: Engaging Executives and Boards in Cybersecurity

Session 303, Feb 20, 2017

Sanjeev Sah, CISO, Texas Children's Hospital

Jimmy Joseph, Senior Manager, Deloitte & Touche LLP

Page 2: Speaker Introduction

Sanjeev Sah, Chief Information Security Officer (CISO), Texas Children's Hospital

Jimmy Joseph, CISSP, PMP, Senior Manager, Deloitte & Touche LLP

Page 3: Conflict of Interest

Sanjeev Sah and Jimmy Joseph, CISSP, PMP have no real or apparent conflicts of interest to report.

Page 4: Agenda

• Cyber Threat Landscape and Drivers for Cyber Risk Management

• The Need and Catalysts for Executive & Board Support

• What Hampers Executive & Board Involvement

• What Executives & Boards are Interested in

• Talking to Executives & Boards about Cyber

• Executive & Board Messaging Framework

• Case in Point – Texas Children's Hospital

• Effective Executive & Board Engagement Measures

Page 5: Learning Objectives

• Develop a cybersecurity program successfully

• Construct a successful business case for an organization's cybersecurity program

• Recognize how to obtain senior executive and board support for the cybersecurity program

• Identify how to partner for success with organizational assurance functions

• Analyze how to address legal, privacy and compliance obligations

Page 6: Benefits Realized for STEPS™ Categories

• Data is a critical asset of every organization

• It is the ultimate responsibility of the Board and Executives to protect it

• Boards are accountable for breaches due to insecure electronic data

Page 7: Cybersecurity and the healthcare industry – Recent trends

Cyber Threat Landscape

• 125% increase in criminal attacks on healthcare organizations over the last 5 years [1]

• Average of 4,000+ ransomware attacks per day in the first quarter of 2016, a 300% increase over the 2015 per-day figure [3]

• 10x average payout for a medical identity theft as compared to regular identity theft [2]

• US $209 million in monetary losses suffered by enterprises in Q1 2016 due to ransomware [3]

[1] Ponemon Institute, Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, May 2015; [2] EMC2, Cybercrime and Healthcare Industry, 2015; [3] Trend Labs, The Reign of Ransomware, 2016.

Page 8: Drivers for Cyber Risk Management

Changing regulatory environment

• E.g., HIPAA/HITECH, HITRUST, PCI DSS

Changing IT environment

• Consumerization of IT

• Cloud

• Mobile Apps/Computing

• Internet of Things (IoT)

• Shadow IT

Evolving threats

• Cyber Crime, Organized Crime

• Hacktivism

• State-Sponsorship

• Espionage

• Revenge, Personal Gain

Page 9: The Need for Executive & Board Support

"Executives should set risk appetite and increase focus on what matters"

Page 10: Catalysts for Executive and Board Support

• Non-Profit Boards

• Fiduciary Responsibility – Duty of Care

• Large Scale Data Breaches

• Management Accountability

• Heightened Cyber Awareness

Page 11: What Hampers Executive & Board Involvement

Complexity of cybersecurity

• Executives & Boards do not understand the complexities and the language of cybersecurity

• Cybersecurity is believed to be the responsibility of security and technical personnel

Lack of effective messaging

• Meaningful and effective messaging about cybersecurity is not conveyed to Executives & the Board

Breach impact unawareness

• The cost and ramifications of security breaches are not fully understood

Page 12: What Executives & Boards are Interested in

CISO responses to the following questions posed by Executives & Boards can make or break their cybersecurity agenda:

1. How does cybersecurity support our business priorities, such as attracting and retaining customers, maintaining or growing competitive advantage, and fostering innovation?

2. If the worst happened, could we honestly tell our customers, partners and regulators that we had done everything that was expected?

3. Are we prepared for the future?

4. How can we validate our understanding of our information risks and how they're managed?

5. Should we as an organization, or as a Board or Executives, be changing our approach?

Page 13: Talking to Executives & Boards about Cyber

CISOs should bring out three (3) core messages while communicating with Executives & the Board:

Shortlist top cyber risks

• Shortlist the top 4-6 cyber risks faced (e.g., risk of data breach, intellectual property theft)

• Illustrate strengths and weaknesses of the company's security posture

Identify risk trends

• Identify risk indicator trends (i.e., up, down or flat) quarter on quarter

• Explain the causes of shifts in trends, if any

Management of cyber risks

• Explain how cyber risks are being managed and kept within acceptable limits

Page 14: Executive & Board Messaging Framework

Cyber risk program and governance

• Who might attack? Cyber criminals, hacktivists, competitors.

• What tactics might they use? Spear phishing, multi-channel attacks, stolen credentials.

• What are they after, and what are the key risks I need to mitigate? Reputation damage, business disruption, threats to health and safety.

SECURE – VIGILANT – RESILIENT

Measures: Data Protection, Asset Management, Threat Intelligence, Security Monitoring, Incident Response, Forensics…

Page 15: Case in Point – Texas Children's Hospital

Obtaining Executive & Board support and partnering with external entities/organizational assurance functions has helped TCH establish a successful cybersecurity program.

[Timeline figure: Cyber Evolution over Time]

• 1996 – HIPAA

• 2009-2010 – HITECH, Obamacare*

• 2014

• 2016-2018

Our response

• Internal Partnerships: Audit, ITRAC, ERMEC

• External Partnerships: HITRUST, Deloitte, Accudata

• Cyber Insurance

HIPAA: Health Insurance Portability and Accountability Act; HITECH: Health Information Technology for Economic and Clinical Health; * Patient Protection and Affordable Care Act (ACA); ITRAC: Information Technology Risk Assessment Committee; ERMEC: Enterprise Risk Management Executive Committee

Page 16: Effective Executive & Board Engagement Measures

• Security Framework

• Benchmarking

• Vision – structure – resources

• Strategic Hiring

• Executive & Board Sponsorship

• Transparency

• Trusted Advisors

• 3Ps – Playbook -> Plan -> Program

• Metrics & Dashboard

• Customized Message to Executives

Page 17: Summary of Benefits for STEPS Categories

DECREASED RISK: Involved Executives & Boards lead to the appropriate measures being taken to improve security posture and reduce the risk of data breaches.

INCREASED AWARENESS: What the vulnerabilities are, and what measures are in place to minimize the potential of a breach or attack on electronic data.

Page 18: Any Questions?

For any further queries you may contact:

Sanjeev Sah – [email protected] – https://www.linkedin.com/in/sanjeevsah – https://twitter.com/sahsanjeev

Jimmy Joseph – [email protected] – https://www.linkedin.com/in/jijoseph – https://twitter.com/cyber_Jimmy

Please complete the online session evaluation