#RSAC SESSION ID: GRC-T11
Speakers: Terry Ragsdale, CFO, LSQ Funding Group; Dr. Christopher Pierson, CSO and GC, Viewpost (@DrChrisPierson)

Partnership with a CFO: On the Front Line of Cybersecurity

Apr 15, 2017

Priyanka Aash
Transcript
Page 1: Partnership with a CFO: On the Front Line of Cybersecurity

#RSAC

SESSION ID: GRC-T11

Terry Ragsdale
CFO, LSQ Funding Group

Dr. Christopher Pierson
CSO and GC, Viewpost
@DrChrisPierson

Page 2

Setting the Stage

Page 3

Setting the Stage

Ernst & Young: Americas March 2014 CFO: need to know insights for CFOs

PwC's 2015 Annual Corporate Directors Survey

enRaged?enRaged?

Page 4

Setting the Stage

Ernst & Young: Partnering for performance Part 3: the CFO and the CIO

Page 5

Setting the Stage

4 Key Areas: Understanding Drivers; Educating Partners; Compelling Arguments; Governance & Team

Page 6

Understanding Drivers

Page 7

Understanding the Drivers

CFO Goals: Business Opportunities; Generate Profit; Business Predictability; Board & Investor Relations; Funding/Capital Raises

CSO/CISO Goals: Not in the News; Reduce Risk/Keep Safe; Business Enabler

Page 8

Understanding the Drivers

Execution: Trusting the Numbers; Making them Confess

Enablement: House in Order; Funding the Strategy

Development: Defining the Strategy; Telling the Story

EY-CFO-need-to-know-Insights-for-CFOs

Page 9

Understanding the Drivers

Risk Reduction: Frequency; Severity; Likelihood

Metrics to Illustrate

Customer Trust

Ignoring the 0.1% Risks

Page 10

Educating Partners

Page 11

Educating Partners: News

Cybersecurity Incidents: Your Sector; Nationwide

Risk Management Data

Risk Data from Insurers

Financial/GAAP Publications

Target CFO Testifying before Congress in 2015

Page 12

Educating Partners: Technology

Focus on Consumer Tech

Focus on Impact not Tech; Risk not Security (directly); Bring back to Business

Transition to Company

Page 13

Educating Partners: Board/Executives

Intense Board Attention

Reputational Impact Differs

Credibility is a Business Value

SEC Oversight

Shareholder Derivative Suits

KPMG: Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom

Page 14

Compelling Arguments

Page 15

Compelling Arguments: What works?

Financial Arguments? Cost Savings; Risk Details

Security Studies/Risk Studies? Breach Costs; Cybercrime Costs; Litigation Costs

Evidence of Current/Past Issues? Tied to Past Control Costs

Page 16

Compelling Arguments: What works?

Tying Controls to Business Goals?

Shifting CapEx to OpEx (from Balance Sheet)?

Streamlining Efficiencies?

Current News?

Fear Mongering?

Page 17

Compelling Arguments: What works?

Page 18

Compelling Arguments: Hypothetical

MDM Management & Encryption

Average Cost of Data Breach in U.S. $154 yr./record

Average Number of Records on Devices – 1,000

Cost of Encryption and MDM is $250/yr. per device

Page 19

Governance & Team

Page 20

Governance & Team: Risks, Options

How do you Communicate the Risk?

Tracking Results

Ensuring Controls and Budget Solve for Meaningful Business

Tie Business Wins to Team Efforts

Page 21

Now What? Application

Page 22

Start Now | Weeks & Months Ahead | Within One Year

Collecting Newsworthy Articles

Business Goals, Priorities, and Opportunities for Cyber through Business Evolution

Tie budget to true risks that have surfaced recently – especially among competitors

Reviewing Consulting, Board, GAAP, NACD, and Financial Guidance Materials (KPMG, EY, PwC, and Deloitte)

Review and Track Monetary Research (Ponemon, Gartner, Data Breach)

Transition budget from CapEx to OpEx models where possible and show 3-5 yr. cost savings

Personal technologies to latch onto in terms of risk or business advantage

Options for Enterprise Risk Management partnerships or committees

Getting Board and Executive Management Interest and create business value

Research your CFO, Board members, other Execs

Meet with the CFO when you do not need anything

Seek financial learning opportunities; help CFO

Time to Apply!

Page 23

Thanks & Contact

Dr. Christopher Pierson, Chief Security Officer & [email protected]

Terry Ragsdale, Chief Financial Officer, LSQ Funding [email protected]