Top Five Secrets to Successfully Jumpstarting Your Cyber-Risk Program
Session GRC-W03
Chris Houlder, CISO, Autodesk, Inc. (@chrishoulder, chris.houlder@autodesk.com)
Husam Brohi, Director, Cybersecurity and Privacy, PwC LLP (@husambrohi, husam.brohi@pwc.com)

What Are We Here To Do
• Share our story and walk through the process and key considerations for taking our cyber risk program from concept to launch in under 6 months
• Discuss how risk management serves as the core of our cybersecurity program and strategy
• Share lessons learned with you and discuss the challenges we faced, hoping that the approach we took will be useful in your journey
• This is NOT a discussion on risk management methodologies or artifacts

“If you're not confused, you’re not paying attention.” ― Tom Peters, Thriving on Chaos: Handbook for a Management Revolution
“Any darn fool can make something complex; it takes a genius to make something simple.” ― Pete Seeger

Situational Context
• Autodesk undergoing a massive business transformation to a cloud subscription model
• Multiple, interrelated disciplines operating in a federated manner
• Agile and DevOps mindset viewed security, risk and governance as barriers
• Risk at the center of the Board and Senior Executive agenda
• Executives wanted more real-time, transparent reporting beyond what the Enterprise Risk Management (ERM) program was providing

Our Challenge
Problem Statement: What are our risks? What are we doing? Is it enough?
• Develop a strategic vision and program for effectively communicating our holistic risk posture and response, and move everyone towards a common direction
• Overcome a skeptical customer
• Align strategies and investments
Stakeholders: Information Security, Product Security, Data Privacy, Board, Business

Our Approach – Top 5 Secrets
#1 Take a holistic view of Cybersecurity
#2 Focus on strategy first
#3 Go Agile – build and iterate
#4 Create a risk management culture
#5 Use risk for decision making

“In union there is strength” ― Aesop, Ancient Greek Fabulist

Our Approach – Top 5 Secrets: #1 Take a holistic view of Cybersecurity

Understand That Cybersecurity is Multi-Discipline
Scope: Focus on a “big picture” view of risks, investment and maturity of capabilities – build a common platform which spans four disciplines (Data Privacy, Product Security, Information Security and Business-Led IT), each viewed through the same three lenses:
• Strategy
• Investment
• Capabilities

Unify Purpose and Approach
Business Drivers:
• Shareholder Value
• Customer Loyalty
• Brand Protection
• Legal and Regulatory Commitments
• Innovation and Agility
Information Security Program Execution:
• Security Strategy, Governance and Management
• Risk, Compliance and Policy Management
• Third Party Security Management
• Security Architecture and Operations
• Identity and Access Management
• Incident and Crisis Management
• Threat Intelligence and Vulnerability Management
• Information Privacy and Protection
• Physical and Environment Security

“The essence of strategy is choosing what not to do” ― Michael Porter, Harvard Business School Professor

Our Approach – Top 5 Secrets: #2 Focus on strategy first

Multi-Tiered Risk Assessment (strategic risks at the top, tactical risks at the bottom)
• Tier 0 – Uber Risks (ERM): Risks that could affect the achievement of business outcomes are classified as strategic and enterprise risks. Intended audience: Executives and Board level.
• Tier 1 – Security Risks (SRM): Cybersecurity risks to organization strategic initiatives and sensitive information, derived from the Uber Risks. Intended audience: Executives, Board level, Security Risk and Compliance.
• Tier 2 – Information/Asset: Asset and information level (systems, services, etc.) risks, based on the security risks. Intended audience: Business Units and System Domain Owners.

Framework-Agnostic Approach (Risks → Cyber Readiness → Risk Action)
• Risks: risk analysis/threat model; asset scoping
• Cyber Readiness: capability maturity; key security controls
• Risk Action: risk profiles; risk remediation

Risk Scenarios Tailored To Audience
Scenario structure: an Actor, with an Intent, initiates an Event (threat type) against an Attack Surface (threat target), which leads to a Consequence.
• Actor: Hacker, Employee, Third party, Customer, Competition, Nature
• Intent: Accidental, Malicious, Environmental
• Event (threat type): Malware attack, DDoS attack, Theft of data, Social engineering attack, Breach of platform, Theft of physical items/hardware
• Attack Surface (threat target): People, Customer, Facilities, Infrastructure, Information assets, Platforms
• Consequence: Loss of sensitive data, Loss of data integrity, Loss of intellectual property, System unavailability, Fraud, Legal/regulatory non-compliance

Example of Cyber Risk Scenario
• <Risk ID> Third Party accidentally breaches cloud platform resulting in loss of customer data

“Make it simple, but significant” ― Don Draper, Fictional Character from Mad Men

Our Approach – Top 5 Secrets: #3 Go Agile – build and iterate

Go Agile – Build and Iterate
Minimum Viable Product Lifecycle:
• Sprint #1 – Internal Team Development / Refinement
• Sprint #2 – Strategic Planning Process
• Sprint #3 – Pilot for Executives
Minimum Viable Product:
• Raised everything a level
• Directional quantification versus precision
• Threat modeling
• Establish a method for assessing OE (defense levels)
• Audits and assessments aligned to this process – practical use of results
• Start with proxy data
• Support strategic planning
• Board level communication within 6 months

“If you don’t get culture right, nothing else matters” ― John Taft, Former CEO of RBC Wealth Management

Our Approach – Top 5 Secrets: #4 Create a risk management culture

Design Principles
Main Objective: “Develop an efficient and effective system for enabling organizationally aligned risk decision making, risk reduction/mitigation and continuous monitoring.”
Principles:
1. Accountability and responsibility for risk oversight and ownership shall be defined and sit with the “right people”.
2. Decision making on risk treatment (funding, resources, etc.) should be consistent, efficient and effective.
3. Decisions taken shall be implemented with strategic alignment and executed to ensure proper and effective risk mitigation.
Intended Outcomes:
• Enhance stakeholder risk IQ
• Align organizational value
• Achieve stakeholder buy-in

“In real life, strategy is actually very straightforward. You pick a general direction and implement like hell.” ― Jack Welch, Former CEO of General Electric

Our Approach – Top 5 Secrets: #5 Use risk for decision making

Use Risk for Decision Making and Take Action
01 Cybersecurity investments are not revenue generating – it’s purely a risk tolerance discussion
02 Decisions on how much to invest depend on how much risk the organization is willing to tolerate
03 Quantifying the risk requires inputs from multiple frameworks, processes and skillsets
04 Defining cybersecurity risk in business context and estimating exposure is a relatively new concept
Benefits of Risk Based Decisions:
• Process Reporting and Efficiency – Evaluate the efficiency of risk controls and processes and refine the program based on measured performance over time.
• Resource Forecasting – Enable better decision making by forecasting needs for headcount and skill sets to target hiring and training efforts.
• Technology Investment – Prioritize investment decisions for technology implementation, aiming to maximize the reduction of risk per dollar spent.
The relationship between defensive capabilities and cybersecurity business risks is the key to informed investment decisions.

Closing Summary – Program Stand Up
Before:
• Focus on “What”
• Capability oriented approach
• Duplicate, disparate efforts; bottoms-up prioritization
• Difficulty including executives in technical discussions
After:
• Focus on “What” and “Why”
• Risk oriented, targeted approach
• Unified activity aligned to common risk reduction goals
• Ability to articulate investment at board level through risk data support
The five secrets:
#1 Take a holistic view of Cybersecurity
#2 Focus on strategy first
#3 Go Agile – build and iterate
#4 Create a risk management culture
#5 Use risk for decision making

Future State Vision – Articulating ROI on Risk Investments in Dollars
What’s next?
• Enrich the data-set of the tool by integrating output from our threat management capability
• Measure “OE” across the organization through controls efficacy and capability maturity assessments
• Continue to enhance the risk modelling tools to help quantify risks in dollars and measure ROI of risk investments, improving our strategy, planning and budgeting

Apply What You Have Learned Today
1. Next week you should:
• Assess how you are communicating the value and focus of your program
• Do you discuss technology without capabilities? Capabilities without risk?
• We recommend framing the discussion from Risk to Capabilities to Technology
2. In the first three months following this presentation you should:
• Begin your cultural change to risk management – assessment, ownership and reduction
3. Within six months you should be able to articulate a response to three main questions: What are our risks? What are we doing? Is it enough?