Managing Cyber Risk
(is your business)

One-hour informal gathering to review course objectives, learning approach, and environment, and most importantly, get to know each other!

Cybercrime has evolved from the work of isolated hackers to include that of states and organized groups. Its focus now is less on individual exploits aimed at stealing customer data or trade secrets and more on systemic campaigns with broad impact. We will:

• Survey the landscape of cybercriminals. Who are they and who they are becoming?
• Consider the range of cyber targets from high-profile individuals to organizations, nation states, and even economic systems.
• Explore their motivations. What are they after – confidential information, disruption, ransom?
• Drill into two case studies: the very recent SolarWinds Orion exploit as well as the Notpetya attack, the most impactful cyber event on record.

Governments play an important role in regulating and responding to cyber risk. They can, depending on circumstance, be both ally and adversary. We will:

• Demystify the complex regulatory and statutory context for cyber risk. What is my organization obligated to do and why?
• Evaluate government’s role as partner in monitoring cyber risk and detecting cyber incidents.
• Learn what various authorities do after an event. What will they do to catch the bad actors? Will they come after us?

Large organizations are under constant attack from cyber criminals. A working knowledge of both the principal types of attack and of the methods (vectors) used by attackers is a prerequisite to managing cyber risk. We will:

• Survey the principal types of attack considering similarities and differences between data breach, denial of service, malware/wiper, and ransomware events.
• Explore attack vectors including social engineering, phishing, software and network vulnerability exploit, and supply chain injections.
• Consider in depth the specific challenges of ransomware and the unique dilemmas it poses to enterprises and public authorities.

You are only as strong as your weakest link. Complex supply chains which extend far beyond the organizational firewall bring with them both significant cyber risks and responsibilities.  We will:

• Evaluate how cyber risk cascades through networks of partners and providers, creating complex mutual obligations to protect and defend.
• Explore both commercial and legal implications of these obligations with a particular focus on legal trends regarding liability and indemnification.
• Consider cross-national differences and jurisdictional hotspots and their influence on an organization’s cyber risk posture.
• Gain hands on experience with tools to measure and evaluation your supply chain partners.

Exercise - With Friends Like These: Real Time Analysis of Your Supply Chain Partners

Managing Cyber Risk requires behavioral change across the organization. Several groups and government bodies have built models and frameworks to codify and institutionalize best practices and processes to protect organizations from cyber criminals. We will:

• Explore the concept and operation of cyber control frameworks and their relation to broader approaches to quality (ISO) and audit (SOC) protocols.
• Compare and contrast 4 general principal control frameworks (NIST, CIS, ISO and COBIT) along with specific industry extensions like HITRUST for Healthcare and PCI for payments.
• Identify key weaknesses across the frameworks and discuss strategies to address them.

Cyber risk is a moving target. The evolving nature of the threat, the diversity of its targets, and the complexity of supply chains, including critical infrastructure, through which attacks often happen makes risk quantification both challenging and error prone. We will:

• Survey several case studies to categorize the types of costs organizations face when they are attacked looking specifically at the impact of data loss, system restoration and remediation, business interruption, legal and regulatory consequences, and ransom.
• Evaluate frameworks for quantifying your organizations cyber risk.
• Develop an approach to quantifying and justifying investments in cyber protection and risk mitigation.
• Simulate the impact of cyber events of varying likelihood and severity.

Exercise - How Bad Can It Be: Simulating Likely, Unlikely, and Worst-Case Scenario

Cybersecurity is the fastest growing segment of the enterprise technology market. According to Gartner, the information security market will reach $170.4B by 2022. We will:

• Develop a working knowledge of the principal types of security technology (Authentication/authorization; endpoint protection; network segmentation; SIEM) and their role in protecting organizations from cyber criminals.
• Consider the impact of the race to the cloud and how providers like Amazon, Microsoft, and Google impact your organizations cyber risk posture both positively and negatively.
• Learn what security teams in your organization do on a daily basis through a simulation that takes you inside a security operations center.

Exercise - The Room where It Happens: Inside the SOC as an incident emerges

Cyber Insurance is the fastest growing form of insurance in the market. The scale of recent cyber events, however, have led many to doubt both its effectiveness and viability. We will:

• Learn what cyber insurance typically covers and what it doesn’t.
• Evaluate its role as part of a holistic cyber risk management strategy.
• Consider its uncertain future as well as the role that government may be called to play as backstop in insuring against catastrophic cyber events.

It’s a question of when, not if. Organizations need a holistic approach to manage cyber events across the business to mitigate their impact and maintain the confidence of customers and partners.  We will:

• Explore the cyber “kill chain” and how it works to respond to the full lifecycle of a cyber event and limit damage.
• Consider approaches to the restoration of key systems and business processes, the remediation of vulnerabilities, and management of economic and reputational business consequences.
• Drill into forensic methods to identify and prosecute offenders.
• Simulate a breach event in a live table-top exercise.

Exercise - Putting the Toothpaste Back in the Tube: Table-Top Exercise after a mock Breach

You are now ready for the Board Conversation. What should you say?  We will:

• Drill into the elements that should be part of your organization’s cyber risk plan and create a template suitable for senior executive review.
• Discuss your role as a leader in protecting your organization from cyber criminals.
• Revisit the two case studies to evaluate what might have been done differently to have reduced their impact and cost.