Meeting the Board's Demands for Security, Compliance, and Audit

Milt Rosberg
Global VP, Vanguard Integrity Professionals
CAU01

The Pressure Is On

Board Assurance & Stakeholders

Concerns:
• Meet Regulations
• Avoid Penalties
• Reputational Risk
• Improve Operations

Stakeholders – Silos are changing

• Responsibilities
• Organizationally

Mainframe and Open Systems Responsibilities

All Hands on Deck

Cybersecurity Leadership & Teamwork

Leadership Teams Fighting Cybersecurity Risks

• CIO
• CISO
• CTO
• CSO
• CCO
• CHRO

Managing External and Internal Risks

Government Intervention is Growing

Separating Operations from Compliance
Soooooo Many Rules!!

Managing Audit Demands & $$$

• Internal Auditors
• Outside Audit Firms
• State Requirements
• Federal Requirements
• Industry Requirements
• International Requirements
• Home Grown Compliance

The Breach? $$$$ go up over time

Time it takes
• 206 Days to Discover
• 314 Days to Contain
• $740,000 to notify
• Lawsuits

New Challenges – Big Risk

The Internet is Everywhere
Office Borders - Gone
Employees on multiple devices
54% of Organizations say Employee
Threats Everywhere
Result: Need a Wide-Range Security Strategy

Global Cybersecurity Spending Big Increase

• 2004 $3.5 Billion
• 2018 $114 Billion
• 2019 $124 Billion
• 2022 $170.4 Billion
• 2025 over 1 Trillion

Connecting The Risks – Where To Spend The $$$

• Integrity of Systems
• Documented Security Policies
• Security Ops & Procedures
• Mitigate Previously Discovered

Risk Responsibility Belongs To Whom?

• Bigger Walls Don't Work
• All Business Digitized
• Security = Active Combat
• Data Fraud/theft
• Cyberattacks

IT Functions vs Threats - Important Biz Risk

CISO leadership

• Viewed as Equal Partners
• Collaboration w/CIO
• Security Across IT
• Digitized Environment

CISO Understanding the Insider threat risk

• 2,500 Breaches Daily
• More than 34% of Biz
• 66% expect insider vs external
• Over 70% not reported
• Trusted biz partner – 15–25%
• 55% privileged user threat risk
• 85% Actual Damage?
• Fraud, $$$, & IP

Insider Threats – The Wolf in Sheep's Clothing

Only 0% is acceptable
Average 35% of all corporate hacks were from known users from inside the company.
Only need 1 exfiltration
Internal and External Access
Control and secure access to the entire IT infrastructure

Bigger and Taller Walls?

(Diagram: Security Server, Database)
• Insider Threat
• Many Angles of Attack

Insider Espionage, Know Your Surroundings

A Russian man was arrested and accused of trying to recruit an employee of a Tesla factory in Nevada to put malware on the company's computer network, extract data and extort ransom money from the company.

The malware would first appear to be an external attack, getting the attention of company security and hiding the second attack which would ultimately extract data. The final result would be a ransom.

Insider Threat Best Practices

• Prioritize related intelligence
• Insider threat management programs
• Balance privacy vs. security
• Understand root causes
• Measure key statistics
• Be vigilant
• Involve Legal and HR

2018 to 2020 31% Cost Increase

Since 2018 insider threats have increased by 47%
The CISO team Concerns
• Corporate Liability
• Financial Risk
• Bottom Line Impact

Risk Appetite & Tolerance $$$$

1. Business Values
2. Cyber Perspective
3. Risk Intelligence
4. Operational Data

1) What matters?
2) How do we protect it?
3) What is the risk?
4) How can we validate?
5) How much?

Basic Steps – Answering the “How Much”?

Develop a plan
Gather Information
Discover Vulnerabilities
  o Scans - Pen Test
  o Current controls?
  o “Open Doors”
Comprehensive Report

Step One - Planning

• Define & Document
• Assessment Objectives
• Project Scope
• Rules of Engagement

Step Two - Gathering Information

• Collect Target Information
• Examining Key Information
• Review Systems Infrastructure
• Validate Anticipated Opportunities

Step 3 - Discover Vulnerabilities

• Leverage Automated Tools
• Utilize SME Knowledge
• Find and Document Discoveries
• Validate Findings and Severity

System “Knobs” Set Correctly?

• Authorized Libraries
• ESM Controls
• z/OS and Unix Services
• Excess Access

Locate all the “Back Doors” & “Open Doors”

• Code Scanning
• Pen-Testing
• Vulnerability Scans
• Surveillance

Delivering the Comprehensive Report

Step 4 – Stakeholders Comprehensive Report

Risk Analysis from Policies, Procedures & Systems
Detected Vulnerabilities Ranked

Remediation Options
• Leverage In-house Skills
• Use Industry SME
• Integrate Managed Services

Results
• Deploy Options Combinations
• Meet External Regulations
• Exceed Internal Audit Demands

Data Loss Effects 3.5 Billion Where did it go?

Lock Your Systems Down

Questions

How to Contact Us
Vanguard Integrity Professionals
6625 South Eastern Ave., Suite 100
Las Vegas, NV 89119-3930

Direct/International: (702) 794-0014
Toll Free: (877) 794-0014
info@go2vanguard.com

Session Evaluation

Be sure to rate your experience using the VSC2020 app.

Your opinion helps us bring you the best experience. Please let us know your thoughts.

Legal Notice

Copyright
©2020 Copyright by Vanguard Integrity Professionals, Inc. All rights reserved. Unauthorized reproduction, modification, publication, display, or distribution of this work in any form is not permitted. Criminal copyright infringement may be punishable by fines and/or incarceration. Recording of live or online presentations is not permitted. The use of session, event, staff, or presenter images is not authorized including but not limited to posting images on social media. With respect to presentation materials such as hand-outs or slide decks, registered participants are permitted to reproduce, distribute, and display such materials internally within their organizations for non-commercial educational purposes only. All other uses must be expressly granted in writing by Vanguard Integrity Professionals, Inc.

Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:

Vanguard Administrator, Vanguard IAM, Vanguard ez/Token
Vanguard Advisor, Vanguard GRC, Vanguard Tokenless Authenticator
Vanguard Analyzer, Vanguard QuickGen, Vanguard ez/PIV Card Authenticator
Vanguard SecurityCenter, Vanguard Active Alerts, Vanguard ez/Integrator
Vanguard Offline, Vanguard Compliance Manager, Vanguard ez/SignOn
Vanguard Cleanup, Vanguard Configuration Manager, Vanguard ez/Password Synchronization
Vanguard PasswordReset, Vanguard Policy Manager, Vanguard Security Solutions
Vanguard Authenticator, Vanguard Enforcer, Vanguard Security & Compliance
Vanguard inCompliance, Vanguard Alert Connector, Vanguard zSecurity University

Trademarks
The following are trademarks or registered trademarks of the International Business Machines Corporation:

CICS, IMS, S/390, z9
CICSPlex, MQSeries, System z, z10
DB2, MVS, System z9, z13
eServer, NetView, System z10, z14
IBM, OS/390, System/390, z/Architecture
IBM z, Parallel Sysplex, VTAM, z/OS
IBM z Systems, RACF, WebSphere, z/VM
IBM z14, RMF, z Systems, zEnterprise

Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation in the United
States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.

Content sources: World Economic Forum Global Risk Report (GRR), IDG Tecktalks (CIO.com), Security Boulevard, Ponemon Institute