A METRICS-BASED APPROACH TO PRESENT CYBER SECURITY TO THE BOARDIntroducing our GDPR Readiness and Privacy Impact AssessmentA CISOs and Risk Managers Guide to Cyber Risk

INTRODUCTIONThe rise of attacks resulting in huge business losses have brought cyber security into the board room. Prior to the Target breach, the board of directors was not very interested in cyber security. However, things have changed, and we see more and more CISOs reporting into the CRO, CFO, or CEO and not the CIO. Additionally, in light of the new GDPR regulation that will be effective in May 2018, boards and executives need a clear line of sight into avoiding the €20m or 4% of annual turnover penalties. This guide is written with this in mind. Simply put, if you report into the board more than once or twice a year you have to be speaking their language.

Cyber breaches have impactful results at the board level. In 2015, Target’s CEO Gregg Steinhafel, a 35-year employee of the company was forced to resign in light of the recent holiday-season credit-card security breach that affected 40 million customers.

As a result, we are seeing a major shift in corporate cybersecurity policy. The board of directors is no longer interested in check box compliance. They are understanding their role much better. They are responsible to ensure that cyber controls are in place that protect business assets of the firm in alignment with their risk tolerance.

IN THIS GUIDE, WE’LL PROVIDE YOU WITH USEFUL INFORMATION TO UNDERSTAND HOW TO SPEAK THE BOARD ABOUT CYBER RISK IN THEIR LANGUAGE.

In addition to providing you best practices on what’s important to prioritize, we’ll advise on how to use these evidence-based cyber security metrics to speak to the C-suite and to the board about cyber risk and GDPR. Whether you’re a CISO, security manager, a CEO, CFO, CRO or a board member, this information is essential to understand and lower your company’s cyber risk to acceptable levels and have everyone on the same page.

WHAT DO BOARDS WANT TO KNOW?

One of the board’s primary roles is to protect the business assets. The CISO must convey information about cyber risk that identifies and demonstrates how critical assets are protected against cyber-attacks. This lets the CISO guide the conversation so that the board can make strategic decisions using evidence-based metrics.

There are many questions that senior executives must consider:

REGULATION: Are we aligned with regulatory requirements?

FIDUCIARY DUTY: Are we minimizing cyber risk?

GDPR: Are we complaint with GDPR?

M&A: Are we doing proper due diligence? Does the target defer critical upgrades and maintenance costs in order to keep their costs low and attract a buyer?

CISO: Do we have enough cyber budget?

COMPANY LIABILITY: How does cyber risk affect our business performance?

CRO: Do we have enough cyber insurance? Personal Liability: Will what happened at Target happen to me?

The bottom line is: “Do we have acceptable cyber risk in relationship to our valued business assets? If not, where should we focus to lower that risk?” In the past, CISOs spoke to the board in terms of vulnerabilities. Vulnerabilities were not tied to business assets, leading to confusion. Today, top management firms are talking about protecting assets, not plugging gaps.

With that in mind, the CISO needs to communicate in the language of the board.

HOW DO I ANSWER ALL THOSE QUESTIONS?

Telling an understandable story is critical to get the outcome that you want and support from the board. A board is strategic, and the CISO must present a strategy, allowing the board to decide what aspects of that strategy to implement so that the CISO can then execute it. Understanding key metrics in dollars and cents and baking them into your board presentation is critical to get the support you need.

CROWN JEWEL STRATEGY

If you ask 5 board members for the firm’s top 5 assets, you generally will get 25 different answers. This is the first cyber security issue from a fiduciary perspective; one that the board must answer and agree upon. Valuable information is used to compete and succeed in a global market; information assets can represent more than 80% of an organization’s total value. Mission-critical information assets – an organization’s “crown jewels” – are information assets of greatest value and would cause major business impact if compromised. These assets attract the attention of highly capable adversarial threats, all of whom are intent on exploiting this valuable information. Identifying these crown jewel assets are critical for everyone to be on the same page in terms of cyber risk. Understanding which systems process key data is equally important. Focusing on the crown jewels is a good strategy to begin cyber risk management from.

INHERENT CYBERRISK COST

That said, once these crown jewels are identified, then the risk associated

to them must be baselined and monitored. Assets are associated to business processes and a business impact analysis demonstrates this inherent risk cost without cyber controls in place. This is the worst-case scenario in terms of cyber risk. Inherent risk costs are aggregated and can be used in the cyber security strategy. Inherent cyber risk cost allows the CISO to tell the board exactly how many hundreds of thousands or millions of dollars they have in business asset risk in the event of cybergeddon.

RESIDUAL CYBER RISK COST

“What is our total cyber risk cost as it relates to the business assets with controls in place?” This is measured against the business assets and processes in terms of vulnerabilities and how they impact the risk of each system. Data from SIEM and automated vulnerability scans can be used as well as manual assessment data to show dynamic information. This is the best-case scenario in terms of cyber risk.

Crown Jewel Assets by System

Systems by Data Type

Business Impact Analysis and Risk Scores

Total cyber risk can never be completely mitigated; however, using a cyber budgeting tool that demonstrates how each asset is impacted can provide a clear line of sight into what needs to be prioritized and the costs. We will talk more about cyber budgeting shortly.

CYBER RISK TOLERANCE

In order to speak about cyber risk as it relates to business assets, the risk owners must answer the question, “What is our cyber risk tolerance?”. This question should be answered by the CRO or a senior executive who can determine how much money the organization could lose and remain operationally sound in the event of a cyber breach. This metric is used in a cyber risk equation that provides an idea of how well your cyber exposure is mitigated with controls and transferred using cyber insurance.

CYBER INSURANCE

Cyber insurance is a risk transfer tool that should be utilized by major organizations. No one can boil the ocean in cyber. Attacks will happen and will be successful. Insurance is a necessary stop gap measure to ensure the organization is protected against the financial impact of cyber exposure in alignment with the company’s risk tolerance.

CYBER RISK EXPOSURE EQUATION – CYBER STRATEGY

Organizations have been guessing at cyber insurance needs and budgeting for years and it is not working. In the case of Target, they had $100M in cyber insurance but have $250M of loss today and it is expected to be $1B by the end of 2017.

There is a relationship between exposure in terms of our cyber security program, cyber insurance, risk tolerance and cyber risk cost that allows an organization to have an effective cyber strategy. Depending upon which scenario you choose, best case, worst case or a median approach the cyber risk exposure should be equal to total cyber risk, less cyber risk tolerance, less cyber insurance. Using this scenario minimizes the financial impact if a breach occurs:

INHERENT CYBER RISK EXPOSURE = TOTAL INHERENT CYBER RISK – CYBER RISK TOLERANCE – CYBER INSURANCE

RESIDUAL CYBER RISK EXPOSURE = TOTAL RESIDUAL CYBER RISK – CYBER RISK TOLERANCE – CYBER INSURANCE

CYBER BUDGETING

Demonstrating how cyber resources and tools will reduce risk is a key ingredient to getting the needed funding for your cyber security program. When each vulnerability is associated to an system, and the systems are classified in terms of value, the prioritization becomes clear. This also provides a way for risk owners to accept risk that cannot be remediated in a certain time frame. Aligning cyber budgets to a strategy is the key to effective cyber risk management.

Cyber Strategy aligning risk tolerance, cost and insurance

Cyber budget aligned to system value, risk and vulnerabilities

Allowing the CISO to document and prioritize capital and operational expenditures associated with cyber risk in relationship to the types of systems and vulnerabilities and their risk levels is imperative to a clear cyber security strategy. Each vulnerability or finding cost is captured and aggregated into the cyber budget.

GDPR PRIVACY IMPACT (PIA) AND RISK ASSESSMENT

The new European Union General Data Protection Regulation (GDPR) is effective in May of 2018. EU 2016/679 requires a level of data privacy and security controls that are above and beyond what most organizations currently have in place. Any company that processes EU citizens’ private information must sort through the prescribed compliance measures or risk facing large penalties. InnoSec offers a number of GDPR resources that allow you to track compliance and meet the system controls necessary for GDPR compliance.

EU citizen personal data that is defined as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

Alignment with these requirements can reduce the chances of triggering a Data Protection Authority (DPA) to investigate a company’s privacy practices after the GDPR takes effect in May 2018. DPAs can impose a fine on companies of up to 4% of annual global revenues for egregious violations of the GDPR. Member states can also add to these fines. The Netherlands, for instance, has more than doubled its own fining capacity to 10% of annual revenues. European privacy advocates are pressuring DPAs to fully exercise these new powers after May 2018. To manage this risk, multinationals should have a means to demonstrate alignment with the GDPR requirements and communication of this program with DPAs that have jurisdiction over their major European operations.

There are two major categories of requirements for GDPR:

• A Privacy impact assessment (PIA) to ensure systems that process GDPR data have adequate levels of confidentiality and integrity

• Risk assessment of the technology as it relates the rights of the individual

Having visibility into each will boost a corporation’s compliance visibility with EU data-protection authorities. Alignment with these requirements can reduce the chances of triggering a EU Data Protection Authority (DPA) to investigate a company’s privacy practices after the GDPR takes effect in May 2018.

INNOSEC PRIVACY IMPACT ASSESSMENT AND RISK ASSESSMENT

A privacy impact assessment is a set of security control tests that measures the confidentiality and integrity of each system that processes GDPR data and the risk associated with it. It provides scores that need to be reviewed against thresholds to determine if remediation actions need to be taken to align the level of confidentiality and integrity to GDPR standards for each system. InnoSec has automated the PIA and Risk Assessment to ensure companies a simple way to provide DPAs the view into the system confidentiality and integrity and the risk associated with GDPR.

Additionally, InnoSec provides a GDPR management module to do a gap analysis and track each article in terms of compliance, budget and manage the work associated with GDRP.

PIA and Risk Assessment Scores

GDPR Gap Analysis

SUMMARYCyber security risk and GRPR compliance are complex topics that can be simplified with automation. Resources are scarce in cyber, and getting this data in real time, instead of in unmanageable excel spreadsheets provides an unprecedented edge.

AUTHOR: ARIEL EVANS, CEO

Isreal: +972 58 412 0028US: +1 888 311 8650info@innosec.com

The modern CISO must be able to make the case for how cybersecurity impacts their business directly – and one of the most effective ways to accomplish that is through evidence-based metrics that talk the board’s language. This is where InnoSec can help. Contact us to see how STORM, InnoSec’s Cyber Security Risk Management platform and GDRP assessment can enhance your cyber security and GDPR programs- and give you the tools you need to create compelling metrics at the click of a button, request a free demo today.