Post on 10-Aug-2020

Getting Cyber Right – Toward a ‘Reasonable Level of Care’

ISMG EXECUTIVE ROUNDTABLE
Sponsored by Fortinet

Agenda

6:00 – 6:30 p.m. Registration, Networking

6:30 – 6:45 p.m. Introductions & Opening Remarks

• Nick Holland, Director, Banking and Payments, Information Security Media Group
• Jonathan Nguyen-Duy, Vice President, Strategy & Analytics, Fortinet

6:45 – 8:15 p.m. Roundtable Discussion

8:15 p.m. Closing Remarks

8:30 p.m. Program Concludes


Introduction

Cyberattacks and data breaches have become a standard business risk. With data breaches seeming to make daily headlines and hackers developing innovative methods to penetrate cyber defenses, businesses must contemplate what “reasonable” security posture they must implement for when, not if, a data breach occurs.

The industry still lacks a common definition of “reasonable”: one that sets an expectation of the level of protection and trust in security posture that organizations can rely on when doing business together, and that can be used to demonstrate or prove a security risk posture in a dispute, whether in a court of law or otherwise.

What does a “reasonable” security posture look like in today’s threat landscape? And what framework makes the most sense to maintain a “reasonable” degree of protection while not handicapping organizational productivity?

Today’s executive roundtable on Getting Cyber Right – Toward a ‘Reasonable Level of Care’ will provide answers to these and other important questions.

Guided by insights from Jonathan Nguyen-Duy, vice president of strategy and analytics at event sponsor Fortinet, this invitation-only event will offer exclusive insights on how organizations can prepare to meet the challenges of the inevitable data breach and its aftermath. Among the discussion topics:

• Where are organizations falling short when it comes to a “reasonable” cybersecurity posture?
• What’s the best way to implement zero trust and continuity-of-operations strategies?
• How do organizations walk the tightrope between effective cybersecurity and operational viability?

You’ll have the opportunity to discuss important issues with a handful of senior executives and market leaders in an informal, closed-door setting, from which you will emerge with new strategies and solutions you can immediately put to work.

Discussion Points

Among the questions to be presented for open discourse:

• How do you define a “reasonable” cybersecurity posture?

• Where are organizations falling short when it comes to a “reasonable” cybersecurity posture?

• How do enterprises meet the requirements of NIST, GDPR, CSF, ISO and more? Is there a viable one-size-fits-all approach?

• How do organizations walk the tightrope between effective cybersecurity and operational viability?

• Is a “zero-trust” posture realistic for today’s organizations?

• What investments are you making to maintain a “reasonable” cybersecurity posture?

About the Expert

Joining our discussion today to share the latest insights and case studies is:

Jonathan Nguyen-Duy
Vice President, Strategy & Analytics, Fortinet

Nguyen-Duy leads strategy and solutions development at Fortinet, where he focuses on using the Fortinet Security Fabric to address the most challenging cybersecurity issues. With extensive experience working with global enterprises and nation-states, Nguyen-Duy is responsible for developing innovative security solutions from the IoT edge to multicloud ecosystems.

Prior to joining Fortinet, Nguyen-Duy served as the security CTO at Verizon Enterprise Solutions, where he was responsible for strategic technology partnerships, the Verizon Cyber Intelligence Center, and the award-winning Verizon Data Breach Investigations Report. While at Verizon, he also led the defense and national security cyber practice, responsible for data analytics and continuous diagnostics and mitigation solutions.

About Fortinet

Fortinet (NASDAQ: FTNT) secures the largest enterprise, service provider, and government organizations around the world. Fortinet empowers its customers with intelligent, seamless protection across the expanding attack surface and the power to take on ever-increasing performance requirements of the borderless network – today and into the future. Only the Fortinet Security Fabric architecture can deliver security without compromise to address the most critical security challenges, whether in networked, application, cloud, or mobile environments. Fortinet ranks #1 in the most security appliances shipped worldwide, and more than 300,000 customers trust Fortinet to protect their businesses. Learn more at https://www.fortinet.com, the Fortinet Blog, or FortiGuard Labs.

About the Moderator

Leading our discussion today is:

Nick Holland
Director, Banking and Payments, Information Security Media Group

Holland, an experienced security analyst, has spent the last decade focusing on the intersection of digital banking, payments and security technologies. He has spoken at a variety of conferences and events, including Mobile World Congress, Money2020, Next Bank and SXSW, and has been quoted by The Wall Street Journal, CNN Money, MSNBC, NPR, Forbes, Fortune, BusinessWeek, Time Magazine, The Economist and the Financial Times. He holds an MSc degree in information systems management from the University of Stirling, Scotland.

About ISMG

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information security and risk management. Each of our 28 media properties provides education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Our annual global summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.


NOTE: In advance of this event, ISMG’s Nick Holland spoke to Fortinet’s Jonathan Nguyen-Duy about “reasonable” security. Following is an excerpt of that conversation.

‘Reasonable’ Security

NICK HOLLAND: How do you define a “reasonable” cybersecurity posture?

JONATHAN NGUYEN-DUY: While many standards, regulations and frameworks cite the implementation of a reasonable level of care in implementing technologies and processes to identify and mitigate risk, there’s very little in the way of a prescriptive definition of what a reasonable level of care should look like. The only guidance comes from the California Consumer Privacy Act, which cites the CIS Critical Security Controls as the basis for a reasonable level of care.

Security professionals are left to work with general counsels on applying the reasonable care standard to cyber. In essence, a reasonable level of care would be what a reasonable person would do to protect their organization given their risk posture, compliance requirements, operational requirements and threat environment.

Coming Up Short

HOLLAND: Where are today’s organizations falling short when it comes to a “reasonable” cybersecurity posture?

NGUYEN-DUY: Organizations are facing challenges due to a lack of visibility, integration and automation in their security solutions – complexity is the basis of most security challenges. Key questions to ask are:

• Is it reasonable if you don’t know what’s running in your environment or its configuration?

• Is it reasonable to protect against advanced threats with no threat intelligence feed?

• Is it reasonable to operate multiple security products with no centralized management or automation?

• Is it reasonable to not encrypt critical data?

• Is it reasonable to not have at least annual penetration tests or risk assessment?

• Is it reasonable to not implement and have third-party attestation of controls?

• Is it reasonable to focus on prevention rather than risk management?


Security Frameworks

HOLLAND: How do today’s enterprises meet the myriad requirements outlined by NIST, GDPR, CSF, ISO and more? Is there a viable one-size-fits-all approach?

NGUYEN-DUY: There’s no one standard, but the CIS Critical Security Controls and the NIST Cybersecurity Framework are a good basis. Each organization’s risk profile and tolerance is different, so CISOs must formulate appropriate risk management strategies based on a reasonable level of care.

Striking a Balance

HOLLAND: How do organizations walk the tightrope between effective cybersecurity and operational viability?

NGUYEN-DUY: That’s the central question. The key is implementing a reasonable level of care to identify and mitigate risk while ensuring the operational viability of the enterprise. That’s why balancing security with resilience is key.

For example, the need to not over-segment to the point of inhibiting productivity can be balanced by encryption of back-ups to ensure minimal disruption in the event of an incident.

Zero Trust

HOLLAND: Is a “zero-trust” posture realistic for today’s organizations?

NGUYEN-DUY: Zero trust networking principles are still relevant but need to be updated to account for new hybrid multicloud operations. Going forward, zero trust strategies should also ensure that an organization:

• Identifies, authenticates and validates every request for network access;
• Validates the need for network access (“need to know” basis);
• Logs and monitors everything;
• Encrypts data in transit and at rest;
• Backs up data for resilience.

Compliance Issues

HOLLAND: What advice do you give for organizations to keep in line with an increasingly regulated cybersecurity landscape?

NGUYEN-DUY: Absolutely maintain compliance programs but keep in mind that compliance does not mean security. The only question asked in the aftermath of a data breach is whether a reasonable level of care was implemented in the identification and mitigation of risk. The board will need to account for:

• What did you know?
• When did you know it?
• What did you do about it?

Work with legal counsel and risk managers to implement a risk management strategy that facilitates continuous assessment of risk and trust. Consider migrating to an integrated fabric-based approach to network security that features integrated devices, end-to-end visibility and detection as well as automated mitigation powered by AI-powered threat intelligence.


902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io


Contact

(800) 944-0401 • [email protected]
