Cybersecurity in the C-Suite: A Matter of “Need to Know”

March 11, 2015, by Chris Kentouris

Source: http://finops.co/compliance/cybersecurity-in-the-c-suite-a-matter-of-need-to-know/ (FinOps Report, retrieved 3/16/2015)

Cybersecurity has been described as everything from a top-down corporate mission to a shopping list for software packages that monitor networks and systems for suspicious activity. Given the breadth and complexity of even identifying the risks, it’s no wonder that all sorts of management are discovering they’re now riding the cybersecurity bus.

Nowhere is this accumulation of corporate talent more apparent than in the C-suite, where according to industry experts, everyone is eventually involved. That means the chief executive officer, chief information officer, chief operations officer, chief technology officer, chief risk officer, chief compliance officer and let’s not forget the chief information security officer.

With regulators such as the US Securities and Exchange Commission and Financial Industry Regulatory Authority breathing down their necks, fund management shops, broker-dealers and banks need to figure out what to do, who’s in charge, and how much information to share. What was that last one? Are cybersecurity programs discussed on a need-to-know basis? Sometimes that’s the case, and that’s not the only sensitive internal issue at the top management level.

It has become a given that addressing cybersecurity risk isn’t only about spending money on technology. It is also about putting the right program in place. Defining that program can involve sorting out misunderstandings, conflicts of interest or simple ignorance. The result: a longer planning cycle than anyone expected, and in a worst case scenario an actual breach while those in charge are dithering. That breach typically means stolen investor or proprietary data, legal and public relations repercussions, and even a regulatory fine.

Who Knows What

It is logical to presume that the CEO should be the one steering the ship and barking orders at the CTO or CISO to get things done — that is, shoring up any holes before the ship sinks. Mistake One: the CEO thinking he or she understands what managing cybersecurity risk is all about. Mistake Two: the CTO imagines he or she is up to date on what cybersecurity is all about. Mistake Three: the CTO tells the CEO in detail everything that needs to be done. Mistake Four: the CEO comes out of the meeting thinking that cybersecurity risk management means checking off boxes.

In baseball, it’s three strikes and you’re out. In cybersecurity, all it takes is one. Too often, that first strike is the CEO presuming that the task of handling cybersecurity can be handed off to the CTO on the presumption he or she will do the right thing. “Surprisingly, CEOs will only ask blanket questions to CTOs or CIOs such as how is our cybersecurity risk management and do you have a handle on it,” says Eric Anderholm, chief executive of Sergeant Labs, a La Crosse, Wisconsin-headquartered firm specializing in monitoring cybersecurity risk. “Such a question could erroneously generate either a yes or no type of response and cybersecurity risk management can’t be handled with black or white answers. How about asking, what are we doing specifically to address cybersecurity risk and is it working?”

What is a bad answer? A vague response or laundry list of software that should be installed. “If the CIO or CTO can’t provide details or trends the CEO can understand, or if he or she believes that buying the right software eliminates the threat, there is a good chance the firm will have a cybersecurity problem,” says Anderholm.

Granted, buying the right technology is a good idea but understanding just what that technology does could require far more tech knowledge than a CEO would have. And it’s not even certain that every CTO would understand it either. “Most CTOs are more qualified in addressing which applications are necessary for running the operation, and what business continuity is necessary,” says Warren Finkel, chief executive of ACE IT Solutions, a New York-based cybersecurity technology firm. “The landscape of cybersecurity threats is constantly changing and the CTO can’t keep up with every scenario.” Therefore, third-party experts should come into the equation to do a more thorough analysis of what is needed after the basic questions are asked.

Covering the Bases

What are those basic questions? Here is Finkel’s list: is anti-virus installed on every system; are computers and servers being updated with security patches and updates; which employees have access to which data; is data encrypted; are employees using Dropbox or other cloud applications, and have they been trained in cybersecurity risk and social-engineering con games such as phishing?

Once the answers are in, an analysis can be done of how well the firm’s current cybersecurity risk mitigation, or lack thereof, will hold up against each of three risks — technical, financial and regulatory. Case in point: is the right infrastructure in place to prevent a loss of data and which data is the most at risk for loss? Next up: if we lose the data how much will our financial loss come to? Last but not least: will the program pass muster in an exam by either the SEC or FINRA?

With so much information and analysis in play, the program can get bogged down unless communications are limited to what people need to know to play their roles. This is true even at the highest level. Providing the CEO with too much information could short-circuit his or her ability to make any decisions. “CEOs could easily become enmeshed in the nitty-gritty of tackling individual applications or individual tasks,” says Daimon Geopfert, national leader for security and privacy services for consultancy McGladrey in Chicago. That means he or she will be distracted from taking the broad view of the overall program, which should be flexible enough to accommodate changes in the level of risk, business lines or technology advancements. A better idea for briefing a CEO: present trends in security for the overall organization rather than daily issues. Enabling the CEO to focus on the firm’s current cybersecurity baseline and tracking consistent improvement over time offers a sense of progress or indicates where resources are needed at a high level. The only specific daily issues that should draw his or her attention are “big ticket” items that present oversized risk, such as cybersecurity incidents.

Quantifying Risk

Just how big are the financial risks? The larger question is who has the data and insight to figure that out. The CEO might unthinkingly look to technology staff for dollars-and-cents, since the data assets are under their control. But financial risk management isn’t their speciality. Chief information security officers might be a better bet, but only if the firm has one. Chances are it doesn’t. Only the largest banks, broker-dealers and asset managers have such dedicated professionals. Everyone else likely relies on the CTO or CIO.

So what’s left to do? How about pooling knowledge. “Have the CTO, CIO, and risk manager in the same room to come up with the right risk metrics and explain what is necessary,” says Bryan Seely, a cybersecurity consultant based in Seattle. “Those metrics also need to take into account information provided by the CTO’s staffers, who will be able to filter out the noise from each business line, on what they want and what is realistic.”

Case in point: staff might want remote access or more access to information they shouldn’t have. The CTO can’t afford to buckle to these requests without thinking about the security risks involved, which is what some inexperienced ones do. In fact, CTOs may have a conflict of interest in monitoring cybersecurity risk for no other reason than their primary agenda being to provide access, availability and ease of use. Pursuing those goals may contradict best practices for cybersecurity. If the same person has dual roles of overseeing both availability and security, there is a risk that security will not be the winner when it comes to conflicts. “For many CTOs, the balance between availability and security is often over-weighted to the one that makes their users happy,” says Geopfert.

Of course, it will eventually all come to funding. Does the CEO want to spend the money to ensure the best cybersecurity risk mitigation program possible or will it just be the minimum? Not surprisingly, some CEOs want to save money and do the bare minimum. “What can we do to satisfy regulators, is the common question we hear, because they don’t view cybersecurity as offering a competitive advantage. They just look at the cost,” says Yigal Behar, chief executive of 2Secure, a New York-based cybersecurity technology provider.

Getting to Yes

So just what can be done to persuade a recalcitrant CEO? The fear factor, especially when the regulators are carrying a big stick, can be persuasive. But it can also backfire. Granted, explaining how the SEC or FINRA might fine a firm if it doesn’t have the correct program in place could generate some interest, but it is unlikely to move beyond the level of checking off the boxes. Even worse, the chief compliance officer might sell the CEO on the idea that earning a certification is the best way to move forward, but that will all depend on what the certification covers. “At best it is the bare minimum. It only means the firm has completed the basics and it could easily focus on only one aspect of cybersecurity or some small part of the environment, rather than the full monty,” says Geopfert.

He advises that firms think of compliance as the first mile in a marathon. It is a good start, but there is a lot left to do. Organizations need to move beyond compliance with a regulation or standard, into a process meant to improve the maturity and effectiveness of their cybersecurity program over time. A solid start is to compare the current cybersecurity governance and technical capabilities against a major standard such as ISO 27002 or NIST SP800-53, both of which have been specifically cited by the SEC to determine a firm’s strengths and weaknesses. Focus on getting an entire program on prevention, detection and correction at a basic level before trying to deploy highly advanced solutions in one area, recommends Geopfert.

One way to persuade a CEO of the need to spend on cybersecurity is to have the chief risk officer deliver the bad news alongside the chief technology director, suggests Seely. The bad news: just how expensive it can be if sensitive data is lost. Client data is often considered the most significant asset at risk, followed by trading strategy — the secret sauce of how a firm makes money. Financial forecasts of how well the firm is expected to perform are next in line. Last, but not least, bring out the numbers of how much each type of security breach will cost, with the firm’s preparedness just as it is now.

If the CEO has any doubt the firm is vulnerable, it’s time for a penetration test — an authorized hacking attempt to help illuminate security weaknesses. “Penetration testing offers the most effective way of rapidly identifying a network’s most serious security risks and prioritizing remediation efforts,” says Finkel. What’s more, it can be used to identify which current security protocols are effective, and to prove to regulators as well as investors that business systems have been tested and are secure.

Finkel recommends that penetration tests be conducted annually, and the results used to adjust investments in security personnel and technology. Naturally, technology spending will have to go alongside human engagement in the program. That translates to educating staffers on how to stay alert for any potential data breaches and what to do if one is suspected, so staff need to know who to alert and when. CEOs don’t have to be told of every attempted breach as it takes place, but they do need to know what was done to prevent any financial loss. Should an actual breach occur, staff should know what the escalation plan would be, who is to be notified and when, and what measures are in place to mitigate damage.


Not Whether but When

Given the sophistication of cybersecurity criminals, experts say that it’s not whether a breach will ultimately happen, but when. Taking preventive steps can go only so far. That’s where third-party cybersecurity liability insurance can fit into the equation. Much like health insurance, it can be used as a last resort to pay off unforeseen expenses such as claims from investors, costs of regulatory investigations, forensic investigations to locate the breach and identify how it occurred, privacy notification costs, public relations campaigns for crisis management, and business interruption.

Surprisingly, hedge funds can end up spending the least on cybersecurity liability insurance because they have less risk than their traditional fund peers or banks and brokerages, according to Richard Maloy, chief executive of Maloy Risk Services, a cybersecurity insurance broker in New York. The reason: they hold very little personally identifiable information in their systems because the data is held with fund administrators. By contrast, a registered investment advisor can have thousands of individual client accounts and family members’ social security numbers in its systems.

Having established cybersecurity insurance procedures offers the added benefit of keeping down the cost of insurance for fund managers. Policies can range from as little as US$5,000 for funds with up to US$250 million in assets under management to over US$13,500 a year for funds with over US$1 billion in assets under management, says Maloy, whose firm specializes in alternative investment funds. Insurance may be an expense a CEO would consider a bargain.

Still: word to the wise, insurance isn’t a complete panacea. Coverage may be capped at only US$1 million. Prevention is still king.
