Assessing Cyberscurity Risk: Are We Getting Value from the Effort?
This class is oriented towards corporate board / audit committee members, C-Level executives and accounting / legal firm managing partners. This is for 4 hours of CPE, on-site class instruction with significant class interaction.
Assist board members, enterprise & professional services leadership to better understand the different ways their organization addresses corporate cyber-risk. By assessing the overall effort, they ensure a holistic effort that generates business value & minimizes cybersecurity risk exposure. This course provides a comprehensive overview of the various approaches to cybersecurity risk assessment, how used, insight to be gained from the assessment, along with case studies, and group discussion to aid leadership judgment.
Course Background & Content
Today, there are many different approaches to assessing cybersecurity / enterprise IT risks. Everybody has an opinion on preferred vendor solutions, but what should you really be looking at? In many cases a corporation may have several different efforts underway to address risks & implement solutions, dependent upon their business function: IT, Finance, Legal, Operations, Insurance / Risk Management. Sometimes they consult with each other and sometimes not, possibly developing conflicting projects that could still leave an enterprise exposed.
- Functional approaches to assessing cybersecurity risk:
- Information Technology / Security Officer perspective: technical oriented, use software, hardware investments to mitigate threat risks; data center & security operations command center focused
- Auditor / Legal / Risk Management perspective: internal controls, governance & compliance oriented. Possibly use insurance policies to assist with financial transfer.
- Operations perspective: equipment automation / ‘Internet of Things’ oriented, using equipment vendor installed security controls to improve operational productivity.
- Finance / Tax Planning perspective: Financial budget and controls over financial statement reporting oriented; possibly use captive insurance company for tax planning, to extend corporate self-insurance.
- Brief review of cybersecurity risk assessment standards & frameworks
- Review of various frameworks, with emphasis on NIST - CSF usage by various professional groups
- Review of various risk assessment efforts, reporting & how used
- Technical security consulting efforts: Vulnerability scanning / Penetration testing, Microsoft Score, services by technical vendors -- CISCO, technical security consultants, Big 4 consultants, IT outsourced / managed service providers
- COSO Internal Control Framework: Sarbanes - Oxley Act required management certification & description of controls
- AICPA: SOC for Cybersecurity attest
- ISACA: CISA attest & reporting function, with focus on IT Governance
- ISO 27001: Standard certification & reporting
- Insurance broker tools for assessing risks & assisting underwriting efforts
- How do I ensure my company has the appropriate leadership?
- Depends on who really is driving the process; ‘Tone at the Top’ still rules. The board needs to ensure that executive leadership really has the appropriate personnel representation & training efforts
- Does your firm consider their critical customer & vendor electronic connections? Supply chain risk has become more intense as firms develop their security systems but have not really checked on their supply chain partners. [WSJ article on Department of Navy cs issues]
- Do you understand your firm's Enterprise Risk Matrix?
- How do you measure & monitor such efforts?
- Does all 'cybersecurity effort' end up with your IT Security Officer? This is only part of the solution. Leadership needs to understand limitations to technical solutions & ensure they are aligned to business objectives and not just reactive to the 'threat of the day.'
- Behavioral, cultural, organization elements can create your greatest risks
- Gaining alignment to business objectives
- Cybersecurity awareness training for everyone on staff and key vendors / business partners
- Does my cyber risk insurance policy really cover my exposure?
- Who participates in the insurance policy review process?
- Does the policy coverage align to my company's critical risk exposures that I am seeking to financially transfer?
- Why are insurance carriers willing to write cyber risk coverage? Especially given the seemingly unending threats and lack of historical data.
- Should I use my captive insurance operations for cyber risk & related customer data privacy liability exposure?
- Lack of enterprise transparency creates exposure and wasted resources
- Cross functional effort is necessary to ensure critical business risks are identified, analyzed, mitigated, transferred and understood.
- The exposure / threat is ever present; so be prepared
- Efforts can be leveraged to reduce impact from incidents and improve value from cyber-risk insurance policies.
- Open question & class discussion
Primary Instructor - Pete Nassos, CPA, CISSP, CPCU, CITP, SOC for Cybersecurity: Pete brings a broad and deep business experience to this course, with over 38 years corporate experience at DuPont, KPMG, Dell Services and enterprise software firms. He has worked with many large corporate clients developing process & control improvement projects, along with outsourced, managed services engagements. Pete is AICPA certified to provide cybersecurity risk assessments and attest reports. He is also a licensed insurance agent and advises clients on procuring appropriate insurance policy terms, with focus on professional liability & cyber-risk.