TRANSCRIPT
Information Security: What Boards Need to Know for Reputation Management
Dave Fachetti, EVP of Strategy & Board Member, BitSight
Reputational Risk Is a Strategic Business Risk
On average, 25 percent of a company’s value is directly tied to its reputation.
87 percent of executives rate reputational risk as more important than other strategic risks.
*Deloitte, Global Survey on Reputation Risk 2015
Reputational risk is influenced by every major strategic business risk:
● Legal/Regulatory Fines & Penalties ($$$)
● Financial Performance Perception
● Product/Service Failure
● Ethical Concerns (Scandal)
The Nature of Business Expands Reputation Exposure
Diagram: your organization at the center, surrounded by Tier 1-N suppliers and the fourth parties behind them. Functions and partners shown include Inventory Planning, Shipping, Labs, Licensing, Sales Agents, Distributors, Loyalty Partners, Call Center, Warranty Processing, Office Products, Waste Disposal, Cleaning, Recruiting, Benefits Providers, Payroll Processing, Advertising Agency, Hardware Lease, Licensed Vendor Solutions, Disaster Recovery, Hosted Vendor Solutions, Infrastructure & Application Support, Contract Manufacturing, Brokers/Agents, Legal, Insurance, Marketing, Human Resources, Facilities, Contracts, Sourcing, Logistics, R&D, Franchise, Certification Bodies, Joint Ventures, Distribution & Sales, Customer, Customer Support, Media Ad Sales and Technology.
70% of organizations have “moderate” to “high” dependency on external organizations.1
83% of organizations have experienced a third-party incident in the last three years.2
Companies continue to expand their digital ecosystem, which poses new risks to the business.
1 Results from 2019 Deloitte survey
2 Deloitte — EERM 2019 Survey
Breaches Dominate the Headlines
Many are the result of third-party exposures.
They Have Real Economic Impacts
Governments, Regulators & Industry Groups Are Acting
Laws/Regulations:
● NIST SP 800-171: security requirements in response to DFARS cyber security requirements.
● GDPR: affects all organizations doing business in the EU.
● HIPAA
Recommended Guidance:
● Civil Aviation Cybersecurity Industry Assessment & Recommendations: “[Suppliers should] develop a capability to monitor, assess and communicate product cyber security related incidents and concerns to assess all potential risks to aerospace systems and aircraft operations. These capabilities are key to ensuring that organizations are prepared to effectively respond in the event of a cybersecurity related incident.”
So What About Cyber Reputation?
*A commissioned study conducted by Forrester Consulting on behalf of BitSight: Better Security and Business Outcomes With Security Performance Management.
Cyber risk is directly tied to company reputation:
● 82 percent of respondents agreed that the way partners and customers perceive information security is important to critical business decisions.
● 48 percent of C-suite respondents indicated that attracting new clients was more difficult following a cyber security incident.
● 38 percent of organizations polled indicated they had lost business due to a real or perceived lack of security.
Direct relationship between cyber risk perception and business outcomes.
It’s Not Just Your Customers That Care
Diagram: your company at the center, with the stakeholders who care about its cyber reputation: Investors & Shareholders, Strategic Customers/Partners, Insurers, and National Government & Regulators.
Metrics to Demonstrate Cyber Reputation
Performance Metrics Used by Organizations
Creating consistent, understandable and measurable performance metrics enables you to show progress to key stakeholders:
● 63 percent of organizations have adopted standardized performance metrics.
How do you measure security performance today?
● 50% — Percentage of malware incidents blocked.
● 50% — Percentage of intrusions blocked by firewall/network security.
● 45% — Percentage of cybersecurity risk ratings.
● 45% — Percentage of phishing/malicious emails filtered.
● 50% — Percentage of data loss prevention (DLP) incidents generated.
Metrics Drive Better Outcomes
Companies With Formalized Security Metrics Reap Benefits
Resources: Companies with formal security performance metrics are more likely to have seen a budget increase of 10 percent or more over last year.
Behaviors: Companies with formalized metrics are more likely to take action to address gaps, including implementing new technologies, updating policies and procedures, and increased security training.
Business Outcomes: Business leaders believe that increasing security performance drives benefits:
● 74 percent of the C-suite say increased security performance would improve company financial performance.
● 81 percent indicated it would improve the company’s overall reputation.
● 82 percent noted it would strengthen business continuity.
Translating Metrics to Board-Level Context
Boards are being increasingly exposed to cyber security information. But many board members don’t know how to interpret and act on information provided by management.
72% of board members say they have been more involved in cyber security over the past 12 months.*
91% of board members cannot interpret their organizations’ cyber security reports.*
*Sources: 2018 BDO Cyber Governance Survey; Nasdaq: The Accountability Gap: Cybersecurity and Building a Culture of Responsibility
Why Is There a Disconnect With the Board?
Three causes: Focus on Operational Performance; Lack of Cyber Security Expertise; Lack of Comparability.
“Management still reports on cybersecurity with… highly technical data that are out of step with the metric-based reporting that is common for other enterprise reporting disciplines.” - James Lam and Jack Jones (article)
“Management can and should deliver reports that are benchmarked, so directors can see metrics in context to peer companies or the industry.” - James Lam and Jack Jones (blog)
“Most boards have only one director serving as a tech or cyber expert.” - Catherine Allen, Board Member Synovus Financial and El Paso Electric (blog)
Example Board Reporting
Sample board report with two panels, My Organization and Critical Supply Chain/Vendors, each scored on Operational Excellence:
● Incidents: system compromises and data exposure.
● Diligence: configuration, patching and hardening.
● Program Maturity (Identify, Protect, Detect, Respond): situational awareness of assets and policies; defensive controls and procedures; automated and manual analysis of data; mitigation of technical and brand damage.
Figure values shown: ratings 710 and 790; program maturity scores 2.9 and 2.7.
Executive Summary (My Organization):
● Prior to June 2018, at top of industry range.
● Eighty-point drop due to configuration of external systems.
● Can recover all points quickly.
Executive Summary (Critical Supply Chain/Vendors):
● Vendors range from 480 to 760.
● One public compromise, Acme PII exposed.
● Reassess three vendors (partial/contextual).
Other Impactful Metrics
Performance Benchmarking: How are we doing in comparison to others in our industry?
Vendor Management Workflow stages: Selection, Onboarding, Assessment, Monitoring, Incident Response, Remediation, Board Reporting, Collaboration.
Vendor Management Workflow — Key Questions
● Are we evaluating new and existing suppliers for cyber risk exposure?
● Do we have continuous monitoring of critical vendors across key business risks?
● What compliance standards have downstream effects on my suppliers? Is this a part of our assessment process?
Are We Evaluating Important Cyber Risk Exposures?
● Active Infections/Incident Response
● Email Security
● Vulnerability Management and Asset Management
● Encryption
● Employee Behavior
● Breaches and Incidents
● External Exposures
● Headquarters: Boston, MA
● 450+ employees
● $150 million+ capital raised from blue chip investors
● Experienced leadership team with record of growing successful companies
● Global offices in Singapore, Lisbon and Raleigh
● Founded 2011
The Largest, Most Engaged Ecosystem
Figures shown: 1,800+, 25,000+, 20,000+, 350,000+, 105,000+ and 15M+, labelled customers worldwide, users, ecosystem comments & tags, rated organizations, pieces of user-generated content and domains.
BitSight Security Ratings
• Data-driven rating of security performance.
• Non-intrusive SaaS platform.
• Continuous monitoring.
• Objective, quantitative measurement.
Security Ratings — Actionable Metric for Board Reporting
BitSight aims to bring market efficiency to cyber risk interactions through a standard metric.
Diagram (A Standard Metric): a standard metric at the center, shared by IT/Security, Insurance, Investor/M&A, TPRM, Government/Regulatory and Supply Chain.
A common metric creates greater market efficiency, fostering broader and more substantive participation in the ratings system.
Broad Market Adoption: Global Blue Chip Customer Base
● 4 of the top five investment banks use BitSight for vendor risk management.
● 25% of Fortune 500 companies use BitSight.
● 40+ government agencies, including U.S. and global financial regulators, use BitSight.
● 50% of the world’s cyber insurance premiums are underwritten by BitSight customers.
● 4 of the big four accounting firms use BitSight.
Key Takeaways for Board Members: Oversight, Accountability, Education
● Use new technologies to get an independent, comparable view of cyber security performance to track reputational risk.
● Understand the performance metrics that can help drive decision-making and effective allocation to achieve goals.
● Ensure that cyber security roles and responsibilities are clear across the board and management.
● Don’t delegate cyber reputation to a subcommittee — make it a frequent board topic.
● Invest in learning about the cyber risk landscape, the regulatory environment and how this dynamic risk can impact your business.
Questions?
Strong, Validated Correlation to Data Breach
BitSight provides a measurable range of risk and is the only ratings solution with a third-party verified correlation to breaches.
Likelihood of Suffering a Data Breach, by security rating band (relative to organizations rated above 700):
● <400: 5x
● 400-500: 4x
● 500-600: 3x
● 600-700: 2x
● >700: reference group
● 5x if the security rating drops below 400 as compared to an organization with a rating of 700 or higher.*
● 3x if 50 percent of computers run outdated operating system versions.**
● 2x if the Botnet Grade is B or lower,*** or the File Sharing grade is B or lower, or the Open Ports grade is F.
*AIR Worldwide reviewed and approved our data and analyses. **A Growing Risk Ignored: Critical Updates. ***Beware the Botnets: Botnets correlated to a higher likelihood of a significant breach.
Third-Party Monitoring Produces Measurable Results at Scale for
Goal: Monitor the information security disposition of critical third-party service providers.
Actions by BitSight:
● Monitor thousands of third parties.
● Evaluate risk rating for each provider.
● Determine risk areas for action.
Results: 6X expansion of third-party coverage with the same full-time employees.
Impactful Results From Vendor Collaboration
Onboarded 496 suppliers and engaged with BitSight Security Ratings as part of this process.*
276 suppliers (56%) saw a rating increase.
50: average points increased across this group.
*Suppliers onboarded between May 1 and October 31. Ratings compared between May 1 and December 4.
© Assent Compliance 2019
Q&A: Questions?
#Insight19
THANK YOU!