The Differences in CISOs’ and
Risk Managers’ Views
John (Jack) Hampton
This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other
authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied,
distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates.
© 2010 Gartner, Inc. and/or its affiliates. All rights reserved.
Overview
Goal: Examine cybersecurity through the different questions
asked by chief information security officers and corporate
risk managers.
Setting: A cyber-attack on the computer system of
a trans-continental trucking company.
Outcome: Understanding of an aspect of joint
decision-making in cybersecurity management.
Starting Point
If we ask the wrong questions, we will get which of
the following?
• The right answer.
• The wrong answer.
• An accurate answer that is useful.
• An accurate answer that is useless.
Question
Is it worth spending $10 million to avoid a $1 million
cyber loss?
What Damage can be Done?
• Theft of data.
• Asset damage.
• Business disruption.
• The wider risk register: proprietary information, competitive
information, business interruption, supply chain risk, natural
catastrophes, fire, explosion, changes in legislation and
regulation, market stagnation or decline, loss of reputation or
brand value, intensified competition, cyber crime, IT failures,
espionage, theft, fraud, corruption, quality deficiencies,
serial defects.
Who Briefs the Board?
• Chief Information Security Officer?
• Risk Manager?
• Chief Financial Officer?
• CEO?
What is the Message?
• Chief Information Security Officer.
• Risk Manager.
• Chief Financial Officer.
• CEO.
View of Risk Manager
Internal Environment: What is the internal philosophy and
culture?
Objective Setting: What are we trying to accomplish?
Event Identification: What could stop us from accomplishing it?
Risk Assessment: How bad are these events? Will they really
happen?
Risk Response: What are our options to stop those things from
happening?
Control Activities: How do we make sure they don't happen?
Information and Communication: How [and from/with whom] will
we obtain information and communicate?
Monitoring: How will we know that we've achieved what we
wanted to accomplish?
Source: Committee of Sponsoring Organizations of the Treadway
Commission, www.coso.org. Used with permission.
What is Being Protected?
• 800 business risks, consolidated into 20 categories.
• 2,100 common risks: Group-wide exposures.
Network and Communication Structure
[Group-wide risk map: business risks in the external environment,
operational processes, and internal environment]
External environment:
• Country-specific risks
• Natural disasters
• Laws and regulations
• Business partners: technical partners, subcontractors, suppliers
• Customers and competitors
• Delayed technological development
• Increasing competition due to competitors' products
• Falling market prices
• Dependence on specific business partners
• Inadequate business partner handling
Operational processes:
• Manufacturing: lack of differential technology; delayed
production; PL and quality issues; cost increases (increasing
inventory, soaring material costs, declining yield)
• R&D: failures to respond to changing customer needs
• Marketing & Sales: failures of sales channel strategies;
failures of sales promotion
• Delayed collaboration due to insufficient linkage between
divisions
Internal environment:
• Information
• Organization: internal infrastructure and organization
operations; structural reform-related issues
• Human resources: staff allocation and development
• Insufficient manufacturing reforms and IT innovations
Business Structure
[Organization chart: Global and Group Head Office over the
business domain companies and group companies (* marks group
companies), grouped by segment]
• AVC Networks: Panasonic AVC Networks Company (AVC); Panasonic
Communications Co., Ltd.* (fixed-line communications); Panasonic
Mobile Communications Co., Ltd.* (mobile communications);
Panasonic System Solutions Company (systems); Panasonic Shikoku
Electronics Co., Ltd.*
• Home Appliances: Matsushita Home Appliances Company and
Matsushita Refrigeration Company* (home appliances, household
equipment, healthcare systems); Healthcare Business Company;
Lighting Company (lighting); Matsushita Ecology Systems Co.,
Ltd.* (environmental systems)
• Components and Devices: Semiconductor Company (semiconductors,
display devices); Matsushita Battery Industrial Co., Ltd.*
(batteries); Panasonic Electronic Devices Co., Ltd.* (electronic
components); Motor Company (motors); Panasonic Automotive Systems
Company (automotive electronics)
• Solutions and CISC
• Head Office: Panasonic Design Company; R&D divisions; FA,
Corporate eNet Business Division; sales division; overseas
divisions
• Others: Panasonic Factory Solutions Co., Ltd.*, and others
• MEW and PanaHome: Matsushita Electric Works, Ltd.*, PanaHome
Corporation*
• JVC: Victor Company of Japan, Ltd.*
Linkages and Control
(2) Establish a G&G Risk Management Committee to address the
current problems
After the Committee's establishment:
Roles of the Committee:
[1] Establishing and improving the Group-wide RM system
[2] Conducting Group-wide risk assessment
[3] Reporting to the President and Board of Corporate Auditors
[4] Studying possible measures to prepare for major risks;
suggesting such measures to the President and Corporate
Functional Divisions
[5] Improving Group-wide support systems against emergencies
[Diagram: the G&G RM Committee, through its Secretariat,
collects risk information from across the Group (Domains,
Subsidiaries, Corporate Regional Management Divisions / Regional
HQs) and instructs risk assessment; Corporate Functional
Divisions A, B and C each run their own committee and provide
support; results of the Group-wide risk assessment flow back to
the G&G RM Committee.]
Clarify Cyber Risk Management
[Table: major risks and the responsible corporate division]
1. Disasters and accidents
• Earthquakes, typhoons, tsunamis, floods, and other natural
disasters: General Affairs Group, Overseas Security Management
Office
• Fires, explosions, airplane crashes, terrorist attacks, and
other major destructive or violent events: General Affairs Group,
Corporate Personnel Group, Overseas Security Management Office
2. Politics, economy, and society
• Wars, civil wars, conflicts, etc.: General Affairs Group,
Overseas Security Management Office
• Corporate threats, abduction, and violent civil unrest: General
Affairs Group, Overseas Security Management Office
3. Operations
(1) Quality, CS, and intellectual property
• PL and recall issues, other quality problems: Corporate Quality
Administration Division
• Failure in complaint-handling: Corporate CS Division
• Intellectual property right infringements: Corporate
Intellectual Property Division
(2) Sales and procurement
• Violation of antitrust (competition laws): Corporate Legal
Affairs Division
• Bribery: Corporate Legal Affairs Division
• Violation of Subcontractors Act: Corporate Procurement Division
• Soaring raw material prices and unavailability: Corporate
Procurement Division
(3) Information
• Information security incidents related to products and
services: Corporate Information Security Division
• Trade secret leakage: Corporate Information Security Division
• Private data leakage and violation of privacy: Corporate
Information Security Division
(4) Information systems
• Shutdown or malfunction of information systems and
communication networks: General Affairs Group, Corporate
Information Security Division
• Unauthorized use of information systems: General Affairs Group,
Corporate Information Security Division
• Inadequate security measures related to information systems:
General Affairs Group, Corporate Information Security Division
(5) Environment
• Environmental pollution: Corporate Environmental Affairs Group
• Waste treatment: Corporate Environmental Affairs Group
• Environmental regulations: Corporate Environmental Affairs Group
(6) International relations
• Violation of security export control: Corporate Legal Affairs
Division
• Trade issues: Corporate Legal Affairs Division
(7) Finance
• Bad loans and business partner bankruptcy: Corporate Accounting
Group
• Tax and accounting system changes: Corporate Accounting Group
• Impairment of long-term assets and deferred tax assets:
Corporate Accounting Group
• Exchange rate fluctuations: Corporate Finance & IR Group
• Interest fluctuations: Corporate Finance & IR Group
• Stock price fluctuations: Corporate Finance & IR Group
(8) Labor issues
• Human rights issues, including sexual harassment: Industrial
Relations Group, Corporate Personnel Group, Overseas Security
Management Office
• Employment: Corporate Personnel Group, Industrial Relations
Group
• Industrial accidents: Industrial Relations Group
• Insider trading: General Affairs Group
• Health issues such as infectious diseases: Industrial Relations
Group, Overseas Security Management Office
Cyber Walls
What cybersecurity do we get from building a 30-foot wall?
What are we keeping out?
• Web application attacks.
• Point-of-sale intrusions.
• Insider and privilege misuse.
• Miscellaneous errors.
• Physical theft and loss.
• Crimeware.
• Payment card skimmers.
• Cyber-espionage.
• Denial of service attacks.
A Payment Process
[Diagram: Supplier, Computer, Electronic Check, Electronic
Invoice, Trucking Company, Bank Account, Electronic Records,
Offsite Backup]
Where are the Walls?
[Same diagram; the Computer box is now labelled Virus]
The Walls?
[Same diagram, with the Virus in place of the Computer]
Huh?
[Same diagram; the Virus remains, and an X is marked between
Electronic Records and the Offsite Backup]
Question
• A worker was told she would lose her one day off
a week for persistent lateness.
• She responded by overturning a table and
damaging a computer on it.
• Security intervened, pinned her arms behind her
back, and dragged her out of the room.
• A few weeks later she posted on Facebook that
she felt hopeless and alone.
• Should this person have access to your computer
network?
Answer
Maybe not.
• The incident happened on December 20, 2009.
• In January 2010, she gave WikiLeaks 500,000
electronic documents known as the Iraq and
Afghan War logs.
• Operating managers were not talking to IT
managers.
Questions to Ask
Do we have too much IQ? – Walls.
Do we have too little EQ? – Doorways.
Lesson Learned
OK to Ask: “How high is the Wall?”
Also Ask: “Who has the keys?”