This panel at the NetDiligence® Cyber Risk Summit provided insight into the practical concerns Chief Information Security Officers (CISOs) face and the decisions they make in meeting their overall risk-management obligations.
Tom Gallo, Vice President, AllClear ID
Anahi Santiago, Chief Information Security Officer, Christiana Care Health Care System
Mary Chaney, Attorney, The Law Offices of Mary N. Chaney, P.L.L.C.
Todd Bearman, Vice President, Chief Information Security Officer, TE Information Systems
What is important to do post breach?
There is much at stake after a breach. In the aftermath, it is important to communicate properly with your stakeholders and to put them at the forefront of everything you do. The records in your information systems belong to people; it is important to remember the people aspect.
The aftermath is an opportunity. It is an opportunity to increase your security posture by evaluating what happened and what you can do better in the future. That is the learning opportunity.
How do you help the C-suite understand the ROI of a cyber security budget?
Cyber security is a principal risk for every organization, and most executives understand that. It is critical, though, that you help them understand the scenarios that worry us most. They also need to understand the return on the budget they provide to mitigate the risk: the less budget CISOs have, the worse the outcome when a breach occurs.
There is great risk in doing nothing, and you need to help senior management understand that. Share various cost scenarios. For instance, the difference in the cost of identity theft arising from stolen credit card records versus stolen hospital records is vast. Once executives know the cost, funding security becomes a business decision.
How do you deal with an emerging business appetite for innovation and, thus, risk?
It is our job to find emerging risks, but we cannot do it alone. Start by assessing risk by product line, then identify the people who will be responsible for the risk of each product. Try to instill a 'you build it, you own it' mentality in the brain trust behind each product. You have to build this culture.
Transparency and communication with all departments are critical. The challenge has always been to gain their trust, so that they come to you to evaluate the risk before they embark on new projects. You have to break down the silos.
Now that you have identified the unknown, how do you prepare?
You have to prepare by making the necessary connections now with the contacts you will need if an incident occurs. You have to know whom to call and what to do. The best way to do this is to create a formal response plan. This includes vendors, but also internal IT, Human Resources and Communications.
Forecast the breach, identify where you are not ready, and practice, practice, practice. If you are not testing your plans, you will not be ready.