Page 1: Cybersecurity and The Board

1

Page 2: Cybersecurity and The Board

• The SEC, NACD, and all of the “Big 4” firms have issued guidance in the last 2 years on boards needing visibility in order to manage cybersecurity risks.

• I just want to acknowledge how surreal this is. A very complex, extremely technical, adversary-driven set of problems is a topic of conversation at the highest levels of your organization. Or, if it’s not a conversation at those levels, that puts your organization in a fast-shrinking minority.

• How did we get here? What changed?

• As technology and business professionals – or simply as people that read newspapers and watch TV – we are aware that cybersecurity threats have achieved fever pitch. However, we also know that cybersecurity risks have been around since our organizations went online 15-20 years ago.

• There is a combination of forces and events that got us here. Understanding them is a key to solving the puzzle within our own organizations.

• Let’s start with the board – in 2009, following the financial crisis, the SEC amended its rules to require companies to disclose the board’s role in risk oversight.

• This rule change creates the backdrop for our story. And it is against this backdrop that three interrelated forces come together to shape the rest of the dialogue.

Page 3: Cybersecurity and The Board

• The first force is that 7-8 years ago, the sophistication of attackers began to outpace available security controls.

• This sophistication is both technical and operational:

1. A market for stolen data is built. Intrusions for profit are now a thing.

2. Malware becomes available for sale in these same underground markets. You can now go into business as a hacker without ever writing a single line of code.

3. Technology that obfuscates malicious code becomes commonplace, allowing attackers to reuse code even after anti-virus signatures can detect it, keeping the cost to attackers low and allowing malware authors to maintain profit.

• Compare this to the disruptive network worms and website defacements we faced only a decade ago.

• Also realize that the firewall and anti-virus technology you have today is largely the same thing you had 10 years ago.

Page 4: Cybersecurity and The Board

• The second force is the impact regulatory changes have had in driving “sunshine” into the environment around data breaches.

1. Since 2003, when California enacted SB 1386, the first law to require companies to notify victims in the event of their personal information being stolen, 46 other states have passed breach notification laws. Michigan’s law went into effect in April of 2010.

2. In 2009, HIPAA’s HITECH amendment required healthcare entities to disclose publicly any time 500+ individuals are affected.

Page 5: Cybersecurity and The Board

• So we have highly motivated, well-equipped attackers operating in an environment where victims are required to publicly disclose data breaches.

• This has led to a seemingly endless stream of news stories and reporting on cybersecurity intrusions over the last 3-4 years.

Page 6: Cybersecurity and The Board

• Now here we are in 2014. This pair of forces now figures centrally in the discussion between the board and the CIO.

• At this point, you may be wondering if this set of circumstances hasn’t created some sort of a widespread misconstruction about .

• Have we achieved a level of hysterics that is causing boards to manage risk by headlines?

• That is a completely legitimate question, and one I won’t directly attempt to answer here today.

• Instead, let’s seek to understand the role cybersecurity incidents play in the larger context of our organizations.

Page 7: Cybersecurity and The Board

• The Ponemon Institute, for its 2014 report on the cost of data breaches, surveyed 314 organizations worldwide that had experienced a data breach of some kind.

• (The fact alone that they surveyed 314 companies that had a data breach in 2013 is interesting – do you feel relieved or alarmed?)

• Surveyed organizations reported breach costs that ranged from $135K to $23M.

• The data also showed, not surprisingly, that the number of records exposed correlates to the cost of the breach.

Page 8: Cybersecurity and The Board

• However, per capita costs – meaning the cost per breached record – were also widely variable, ranging from a few dollars to as much as $459 per record.

• Also not a surprise, especially in light of the regulatory environment we spoke of earlier, is the fact that the US per capita cost is the highest, with an average of $201 per record.

• From a purely financial perspective, a single data breach event may or may not be significant within an organization. And since we understand that the cost of a breach scales with the size of a breach – which logically would also scale with the size of a business – we can assume that it would take more than a single data breach to bankrupt most companies.

Page 9: Cybersecurity and The Board

• In January 2007, TJX – the company behind TJ Maxx, Marshalls, and several other retail chains – went public with the news that it had been the victim of hackers who had stolen over 45M credit card numbers and another 450K social security numbers.

• At the time, this was the largest data breach in US history. That record has been broken several times since then.

• The company paid fines to banks, provided customers with credit monitoring, spent money to improve its technology security, and in September of that year settled a class-action lawsuit for a reported $10M.

• However, as we look at the company’s stock performance over the last decade, it’s clear that not only was the breach not devastating to the company’s quarterly performance while it was happening, it has not had a lasting impact on TJX or its brands.

Page 10: Cybersecurity and The Board

• Why in the midst of these awesome graphs and stats would I show you pictures of jets?

• “Because jets are cooler than bar charts?”

• If I told you that the top picture is the F-35 Lightning joint strike fighter developed by Lockheed Martin and flown for the first time in 2006?

• …and that the bottom picture is the Chinese J-18 stealth fighter, believed to have first flown in early 2013?

• Now if I told you that both planes have vertical take-off & landing (VTOL) capabilities based on similar thrust vectoring designs?

• Not all data breaches are of private customer data.

• In May of 2011, Lockheed Martin confirmed that, along with RSA’s SecurID secret keys, they had been hacked. The suspect was a group referred to as “APT18.”

• Two years later, in May of 2013, Lockheed confirmed that hackers believed to be operating at the direction of the Chinese government had been targeting the joint strike fighter.

• In September of 2013, the first picture of the J-18 shown here surfaced in Western media.

Page 11: Cybersecurity and The Board

• At the start of 2011, Sony and its Sony Computer Entertainment America (SCEA) division are locked in a battle with Microsoft for online gaming territory.

• Sony has launched the PlayStation Network, signed exclusives for the PS3 console, which sold well during the preceding Christmas season, and is preparing to dominate the online gaming market.

• They double down on the PlayStation Network investment, quietly preparing to launch Qriocity, a service to stream music and movies to PS3 and other consumer devices to compete with iTunes and Netflix.

• Then, in February, the Fukushima earthquake and subsequent tsunami strike Japan. This knocks the Nikkei on its butt, and takes electronics factories offline for months while they retool and recalibrate.

• As if that wasn’t enough, Sony has just signed a $650M deal to acquire a facility in Nagasaki owned by rival Toshiba, which also closed as a result of the earthquake.

Page 12: Cybersecurity and The Board

• We come into the spring of 2011 with Sony in a precarious position – manufacturing is down, capital is overextended with no clear sign of return. The revenue stream that could save them, their big bet, is SCEA and the PlayStation Network.

• Which is then hacked. A lot. So much that Sony gets sued.

• George Hotz story, Anonymous, LulzSec

Page 13: Cybersecurity and The Board

Page 14: Cybersecurity and The Board

• And then, a year after the nightmare begins, Howard Stringer resigns. Sony’s stock is at half of its share price from prior to the earthquake.

• Even now, its 52-week high is only $20 a share. Sony still has not recovered from 2011.

• By all accounts, Stringer was well liked by Sony’s board, as evidenced by its accepting his recommendation of successor, Kaz Hirai.

Page 15: Cybersecurity and The Board

• In 2013, Target is facing flat growth at a time when retail overall is recovering from the recession.

• Target has invested $4.4B in an expansion plan to open 124 stores in Canada. In FY13, this expansion netted a loss of $169M for Target.

Page 16: Cybersecurity and The Board

• Target goes public with the fact that they were compromised, and credit card numbers were stolen from their payment system.

• There was a lot of blaming and shaming done in the press in the early days. Losing 70M customer credit card numbers is a huge problem.

• But I am here to tell you that Target did a great job. We’ve known their incident response team for years through conferences and a product advisory board both companies sat on. They were well-staffed, well-trained, and well-equipped. The vulnerability in the network design of their stores that let the hackers pivot from the HVAC vendor to the payment network was known. (Like TJX’s wireless, it was deemed too expensive to fix.)

• The fact that they were hacked the week before Thanksgiving, were alerted, detected, responded, and recovered from the breach in a little over two weeks’ time is phenomenal. Don’t believe me? Here’s how other companies that suffered similar breaches did:

• Neiman Marcus (2 months)

• Kmart (2 months)

• Dairy Queen (at least 3 months – they still don’t know)

• Jimmy John’s (4 months)

• Michaels (5 months)

• Home Depot (6 months)

• Goodwill (18 months)

Page 17: Cybersecurity and The Board

• Jan 9 – Target releases a single statement to the public about the total size (70M) of its data breach and its 4th quarter performance, where they predict an $800M loss, mostly from the failed Canadian expansion plan.

• Was this an intentional move to conflate the two issues and give the board a new story about firing Steinhafel?

• The stock trades even lower on news of layoffs of 475 people from Target’s corporate HQ.

• In early May, Steinhafel resigns.

Page 18: Cybersecurity and The Board

• Neither Steinhafel nor Stringer was fired solely because their company suffered a breach.

• But where turmoil and performance issues loomed, the breaches served to erode all of the margin these executives had.

• Because the breaches became PR incidents, they put the CEO and the company in the spotlight at an already challenging time.

Page 19: Cybersecurity and The Board

• I have a rule about presenting on cybersecurity topics: if you present a problem, you must also offer a solution.

Page 20: Cybersecurity and The Board

• These are the four things you must have within your organization in order to provide oversight and management of cybersecurity risks.

• These will enable board-level visibility, actively manage risk, and enable your organization to act in a trustworthy way that protects your brand in the event of a breach.

• Impact Assessment
  • Identify and articulate the ways that a cybersecurity incident could negatively impact your organization
  • This is not an IT-only exercise, and should include input from Risk, Finance, and Marketing

• Cyber Risk Management
  • Create (or better yet, use an existing) risk assessment framework
  • Update it regularly
  • Use quantitative scoring of risks to create metrics and priority
  • Priority drives an action plan, which begets funding and project requests to address top risks

• Cybersecurity Monitoring
  • You need the technology and the people necessary to identify and respond to attacks
  • Attacks are a daily occurrence
  • Focus not only on real-time detection and response, but also on the ability to retain evidence so you can search it later when you learn something new

• Incident Response Planning
  • The organization needs a plan for how it will respond to a breach if one occurs
  • Large list of stakeholders; they all need to be involved
  • Prepare and practice the plan

• Example: time to spin up credit monitoring

Page 21: Cybersecurity and The Board
