
Cyber Security for Small Business Dr. Shawn P. Murray, C|CISO, CISSP, CRISC, FITSP-A Information & Cyber Security Risk

Upload: northrop-grumman-corporation

Post on 08-Jan-2017


Page 1: Information & Cyber Security Risk

Cyber Security for Small Business
Dr. Shawn P. Murray, C|CISO, CISSP, CRISC, FITSP-A

Page 2: Information & Cyber Security Risk

Agenda

1. Identification
2. Current Trends in Information and Cyber Risk
3. Leadership and Organizational Culture
4. Current Trends in Business Leadership
5. The Role of the CISO
6. Training and Awareness
7. Industry and Competition
8. Conclusion & Questions

Page 3: Information & Cyber Security Risk

Identification – “Cyber” is the new buzz word…

1. Identify Critical Resources

What resources are critical to keeping your business running?
• Power & Other Utilities
• Supplies
• Materials
• Production Facilities

Be sure to have alternative ways to address shortfalls.
• Tech
• Power
• Alternate supply vendors
• Futures
• Alternate transportation methods

2. Identify Critical Personnel

These people have special knowledge or skills that are crucial to your business.
• R&D Engineers
• Payroll
• Systems/Network Admins
• Different by Industry

Who can do the job if you lose someone?
• Cross train skill sets
• Alternate positions
• Have continuity artifacts
• Have primary & secondary

3. Identify Critical Data & Information

What is your business? What information keeps you competitive in your industry?
• R&D for products
• Recipes & formulas
• Metrics Data
• Production efficiencies
• Marketing strategies
• Business Intelligence

This is where you should focus most of your resources.
• Restrict access
• Protect data & information
• Do systems need to be connected to the network that is connected to the internet?

Page 4: Information & Cyber Security Risk

Current & Most Trending Information and Cyber Risks Today

1. Software Assurance

All software should be assessed:
• Commercial off the Shelf
• In house developed
• 3rd Party developed
• Open Source
• Software as a Service

What you should look at:
• Assess supply or development changes for vendors
• Assessment of product
• Read contracts and maintenance agreements
• Vulnerability management

2. Insider Threat

Malicious Insider:
• Disgruntled Employees
• Financial Hardship
• Competitors
• Want to do harm
• Want to steal for profit

Accidental Insider:
• Exhibits Bad Habits
• Phishing
• Opens malware and bad links
• Poor password practices

Addressing insider threat:
• Change Culture
• Training
• AUPs
• Assessment

Page 5: Information & Cyber Security Risk

Current & Most Trending Information and Cyber Risks Today

3. Cloud & VM

Questions to ask:
• What is being stored in the cloud?
• What does the security look like?
• Who owns the data? Who is responsible for a breach? Review contractual language and SLAs.
• VMs – How are the sessions protected?

4. Internet of Things (IoT)

Questions to ask:
• What framework are you using to manage the environment?
• What devices are connected and managed?
• Who has visibility inside and outside your business?
• Have you assessed for vulnerabilities?

NOTE: 2.8 mobile devices exist for every person on the planet! This number will double by 2020!

5. BYOD

Questions to ask:
• What is the device connection and approval process?
• Do you have a baseline configuration & security baseline?
• Do you separate the business data from the personal data?
• What are the rules for end of life and upgrades?
• What is the incident response and breach notification process for lost or stolen data or the device itself?

Page 6: Information & Cyber Security Risk

Current & Most Trending Information and Cyber Risks Today

Operations and Sustainment
• Defense in Depth (hardware, software)
• Vulnerability Management – Malware categories have increased and are very complex; patches should be tested before being deployed
• Configuration and Change Management
• Sound CERT and Incident Response capability
• System Engineering Projects
• Continuity & Disaster Recovery
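The BYOD questions on Page 5 (is there a baseline configuration and security baseline?) and the Configuration and Change Management item above both reduce to the same operational check: compare what each managed device actually reports against a written baseline and treat anything unreported as non-compliant. The Python below is an added example, not code from the deck or its author; the baseline settings, rule names, severities and device records are constructed for illustration.

```python
"""Baseline-compliance check for managed devices (added example, not from the deck)."""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Rule:
    """One baseline requirement: check(actual, expected) returns True when compliant."""
    setting: str
    expected: Any
    check: Callable[[Any, Any], bool]
    severity: str


# Constructed security baseline (hypothetical values, not from the presentation).
BASELINE = [
    Rule("approved", True, lambda a, e: a == e, "high"),               # device went through the approval process
    Rule("disk_encryption", True, lambda a, e: a == e, "high"),
    Rule("remote_admin_enabled", False, lambda a, e: a == e, "high"),
    Rule("screen_lock_timeout_sec", 300, lambda a, e: a <= e, "medium"),  # at most 5 minutes
    Rule("os_patch_level", "2017-01", lambda a, e: a >= e, "medium"),     # YYYY-MM, string order == date order
]


@dataclass(frozen=True)
class Finding:
    device_id: str
    setting: str
    expected: Any
    actual: Any
    severity: str


def check_device(device: dict) -> list[Finding]:
    """Evaluate one device record against BASELINE and return every deviation.

    A setting the device does not report is an unknown state, which is recorded as a
    finding rather than silently passed: an unmanaged device must not look compliant.
    """
    findings: list[Finding] = []
    for rule in BASELINE:
        if rule.setting not in device:
            findings.append(Finding(device["id"], rule.setting, rule.expected, None, "unknown"))
            continue
        actual = device[rule.setting]
        try:
            compliant = rule.check(actual, rule.expected)
        except TypeError:
            # Wrong data type in the report (e.g. "300" instead of 300) is also unknown state.
            compliant = False
        if not compliant:
            findings.append(Finding(device["id"], rule.setting, rule.expected, actual, rule.severity))
    return findings


def compliance_report(devices: list[dict]) -> dict[str, list[Finding]]:
    """Map device id -> findings for a whole inventory."""
    return {d["id"]: check_device(d) for d in devices}


def noncompliant_ids(devices: list[dict]) -> list[str]:
    """Sorted ids of devices with at least one finding, for the change-management queue."""
    return sorted(dev_id for dev_id, f in compliance_report(devices).items() if f)


# Constructed inventory snapshot (sample data, not real devices).
DEVICES = [
    {"id": "lt-001", "approved": True, "disk_encryption": True, "remote_admin_enabled": False,
     "screen_lock_timeout_sec": 300, "os_patch_level": "2017-01"},
    {"id": "ph-002", "approved": True, "disk_encryption": False, "remote_admin_enabled": False,
     "screen_lock_timeout_sec": 120, "os_patch_level": "2016-09"},
    {"id": "tb-003", "approved": False, "remote_admin_enabled": True,   # disk_encryption not reported
     "screen_lock_timeout_sec": 900, "os_patch_level": "2017-01"},
]

if __name__ == "__main__":
    for dev_id, findings in compliance_report(DEVICES).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{dev_id}: {status}")
        for f in findings:
            print(f"  [{f.severity}] {f.setting}: expected {f.expected!r}, got {f.actual!r}")
```

The rule table is the baseline document in executable form: adding a requirement is one line, and every device in the inventory is scored the same way, which is what makes the Page 5 question answerable and gives change management a concrete list to work from.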

Page 7: Information & Cyber Security Risk

Leadership and Organizational Culture

Information and Cyber Security Culture:
– Needs to be supported by executive leaders
– Middle managers should understand executive strategy related to security risks
– All leaders should participate and let employees see it
– All employees should understand the culture

Page 8: Information & Cyber Security Risk

Current Trends in Business Leadership

Chief Operations Officer (COO)
- Number 1 C-level position cut in large business
- Executive VPs and Business Unit Managers picking up more responsibilities

Chief Information Officer (CIO)
- Number 2 C-level position cut in large business
- Being replaced by or combined with the CSO/CISO

Page 9: Information & Cyber Security Risk

The Role of the CISO

• Responsible for Information and Cyber Security
  – Guides the organizational security culture
  – Works with all business units
  – Works with HR, Legal, Public Affairs and Physical Security
  – Advises C-level leaders and the Board of Directors
• Understands the risks based on their industry
  – Operational security risks
  – Administrative security risks
  – Communicates technical requirements in business terms
• Expected to be very knowledgeable
  – Regulatory compliance (State, Federal, International)
  – Trends and Opportunities
  – Security & Risk frameworks: ISO 27000 & 31000, COBIT 5, NIST 800-37, ITIL

Page 10: Information & Cyber Security Risk

Training and Awareness

1. Training is Geared Towards the Audience
• All employees should attend initial and periodic information & cyber security awareness training.
• All privileged users should be identified and trained in their specialty as well as their computing environment.
• All managers should attend security awareness training geared towards the organization as a whole.
• Specialty training and certification should be identified for specific roles to reduce risky behaviors.

2. Training Methods
• Face to Face
• Computer Based
• External training providers (classes, conferences, or hired training professionals)
• On the job or mentoring

3. Awareness
Develop methods to make employees aware of information and cyber security risks.
• Internal phishing campaigns
• Posters in common or public areas (change them periodically)
• Newsletters and announcements – be creative!

NOTE: It is very important to relate some of the training and awareness to real-world examples that are specific to your industry for better effectiveness.

Page 11: Information & Cyber Security Risk

Industry and Competition

• Look at procurement strategies and trusted vendor relationships.
• Communicate with other business units to ensure consistency in security risk management.
• Information and cyber security should be represented and managed in all projects.

What are your competitors doing?
Align security risks to business strategy!
Learn from someone else's mistakes!

Page 12: Information & Cyber Security Risk

Conclusion

• Information and Cyber Security has never been as important as it is today
• New technologies like IoT, Cloud Computing & VMs are driving innovation for business and adding risk
• CSOs & CISOs are steering culture and managing risk
• Training and Awareness as part of the culture
• Understand how to align & balance Information & Cyber Security with your business's overall business strategy

Page 13: Information & Cyber Security Risk

THANK YOU! Questions?