
in the game as a cyber risk management subject matter expert he's got different vertical from the health Industries private companies education and he'll be speaking to you so I'll turn over to Mr Hernandez thank you forgot Financial Services F which is basically what the talk is about today um any lawyers in the room really okay awesome um so we have our disclaimer right um you know I won't go into the fine frint of reading each and everything that you see on the screen But ultimately uh most importantly my thoughts are solely my own uh and not represent any of those here you know as far as representing our employers from present and yester year and of course
bides right and obviously I'm not a lawyer like I mentioned nor did I sleep at a Holiday last we know so some regulatory history from the historical perspective on compliance and regulations we have the star staring Ox act obviously we all know how that one came about uh with the financial situation there in with Enron and you know a lot of the bad uh business dealings happening at that point in time and then obviously in October 2011 the SEC came up with the division of corporate financing publishing some uh disclosure topics and Regulatory uh you know statutes and then obviously in the February 2018 the commission uh on statement on guidance of public security disclosures kind of came about and this
for where we stand today right to talk about materiality cyber security risk reporting those in the timely flashion warning around tra tra and cber security incidents are happening and then materiality which we're going to get into this in that's more the historical perspective so nydfs right um nydfs is the New York Financial Department of Services for cyber cyber security regulatory uh enhancement and oversight uh it's called 23 nycrr part 500 um basically you know this law has been enacted has been in place for years now they just really made their last changes for the Second Amendment this past year in November uh basically the main takeaways as you reading everything on the screen is focusing on incident response doubling
down on intern response from that perspective uh Gap assessment in all the areas that are covered right they run from 500.1 all the way to 50016 17 all the areas uh in that so I won't you know this won't be a new test to actually de dive into the regulation um because I don't want everyone fall asleep with it uh on this topic but at the same time it's good to know the regulation understand the areas that it covers um basically the new requirements on certification is all about risk assessment the nyd calls a risk assessment the Harden drivers what does that tell you like the regulatory agency is telling you that that's a Harden
driver you might want to you know put you know put attention to that and use that and that actually drives the regulatory uh Cadence right normally Cadence are yearly or annually now it's based on any material changes on your risk assessment and your risk profile so keep that in mind the SEC right the SEC materiality rule that's been that's been a top of mind for a lot of folks um basically started uh in the Depression years in 1933 um passed in the security exchange Act of 1934 two main purposes right uh you know public must tell the truth about the business uh securi that they're selling the risk involved obviously you know you you'll see that a
big uh iterative approach on this is being honest being transparent talking to the truth right uh those who selling trade Securities Brokers dealers and exchanges must treat invest fairly and honestly it's so about protecting the end user the investor especially the publicly traded out that's basically the main game of SEC so the new s c security rule took effect in 2023 um you know basically the big one about this one is dis closing materiality disclosures 4 days after the business has determined that there's a material security incident or event happening um you know the the changes happened in September 4th 2023 2023 so they're actually happening now uh and we as we go through the presentation I'm
G I just got you know some news that happened two days ago which is really interesting but at the same time it's not surprising right based on the SEC materiality role uh you have to report those in your 8 so you're familiar with 8K forms 10K forms based on you know the processes identification of risk everything that's happening from a cyber security perspective they're written you know from the SEC perspective to report those in the 4-day threshold that they have to report right so describing the management role in assessing the risk R and managing those Cy security risks It ultimately falls down on leadership right so there's got to be accountability on the leadership from
the top down to make sure that there's insight into C security plan the program how that's being enforced how's that's being adjudicated how controls are actually helping you reduce risk burn down risk in your organization to ultimately like I mentioned protect the investor protect the end user um as actually the mandates are around you they've been around for a long time you know uh disclosure materiality security incidents have been around for a long time time uh obviously we heard of gvpr the 72h hour uh rule for notification Hippa those in healthcare right probably no for in and out high-tech uh pcss with the new pcss uh you know uh you know regulation that's coming out um a lot of people are
getting prep for that right I think a big a big new driver of pcss is risk assessment as well you know surpris right I mean they want to really uh you know double down on risk assessment and having really good regulatory uh you know compliance oversight your controls and tie those into pcss protecting car data and all those different things right and then cersa uh the government is really getting involved and doubling down helping with private sector and working together to help down uh reduce uh risk obviously they're seeing a little bit more from the infrastructure ceral infrastructure water oil and gas but you know that's a mandate from the government talking to you know three
three business days to report those incidents from a critical infrastructure and partnership perspective right the new SEC rules require registered public companies both us and foreign uh to disclose these describ risk management practices like I mentioned within the four days uh in your 8K so that's a really important thing to keep note of uh and ultimately you know there's a lot more you know uh fires right that are happening based on the regulatory rules that are in place U ultimately comes down to materiality right uh a materiality is meant to be you know uh perceived in different lights uh By Nature the regulatory mthods um what materiality actually means is bed by Nature right so you have to Reon of that
uh if you ask if you ask what materiality is too many times you're probably doing it wrong right you're probably not having the right approach uh information material if there's a substantial likelihood that a reasonable shareholder would consider it important making an investment decision or it would have to Neally alter the total mix of information made available right it's also important to know that a series of individual IM immat immature IM material items if you kind of snowball them and bring them together it's considered material right so you know you want to PE you don't want to PEC meil different threats and different vulnerabilities because ultimately they might come back and compound and make the material into
them so complying C uh and Regulatory cover your bases right um obviously adapt adapting you know and identify the root CA when you're doing um you know I've been I've been a s secury auditor for a major Financial organization Global Financial organization and obviously you want to look at the root cost right when you look at your uh your assessments your controls planning and managing those operations so it's basically adapting anticipating protecting responding right so you know basically the main one the main takeaways on this slide is assessing the materiality recovery time objectives from an inter response I mentioned that was probably the biggest driver for the NFS and SEC uh you know cyber security
disclosure rules and then patch the vulnerabilities right not patch all the things because it's basically impossible to patch all things but you get the you get you get the G right you understand that based on the criticality uh and ultimately you know I'm not talking about it here but how do you drive what needs to be patched you need to have an accurate asset inventory right and ultimately that's a pain point for a lot of people right U to understand what assets are out there kind of like the Glazer you know you see everything that's on top but you don't see anything that's on the bottom API for all technology for all and then obviously
shadow shadow it is a big deal and it happens uh and I've been in I've been in organizations where you know people go around the normal procurement processes right to acquire technology and that introduces a lot of risk and and danger for an organization um any questions on this slide this one a big one right adapting protecting responding uh you know and understanding that assessing and materiality comes from all those different functions that you're doing from second where do you start on this wheel where do you start on the wheel I mean that's a great question um I mean literally uh I I think asset inventory is probably the way that you want to start to understand what you have in
your environment what you can what's Crown UL what's what's important for the organization and then take it from there so that's a you know I I know it's a lot to take in but yeah you have to start somewhere that's a great question thank you so I had a sh shed a tear moment from the 2023 Texas cyber Summit that happened last year in Austin uh so you know the most hacker person you can see you know like hoodie and black hat and stickers and you know they go to Decon they go to all the all the different security conferen you can talk and you know red team 100% you know offensive person right and he was given a
presentation and he was talking about Sim Sor EDR xdr Crow strike everything that they're working with but then he started talking about a risk register and I'm like I just started I just kind of I perked up when he said that and you know a little tear CL on my face because you know it's not every day when you have an offensive security and attacker and hackers talk about reporting uh to Senor leadership through a risk register documenting the risk looking at the control working with your second line those are familiar with the three lines of the defense model first line operational second line risk and oversight and then third your audit threads right printed audit right so you
know it's interesting right so more and more there there's more and more information more and more you know aware Ness out there that you have to work with those areas and those lines of buiness to you know reduce the threat understand the risk and basically you know better your risk posture and better your controlling life so that was a a a come to Jesus woman for me because obviously I've been in this space I've been operational I've been an offensive person I've been the firewall guy you know just one person I remember I ran security team it was just myself for three years um so the firewall guy the GRC guy the defensive guy you name it I
did right so having those different things in place and having those that team effort is going to get you to a really good place so understanding the nuances of what the red team does the blue team and your GC controlling monitoring you name it right that's all part of it um to talk to go down to materiality right this is a a materiality rle I got from a you know really really important uh Source szo that's out there that that you know has a lot of uh you know me and a lot of experience in this you want to look at the the the brand right reputational damage is huge uh focus on protecting others the way I see it you
want to look at it three levels right you know what's going to be catastrophic if something were to happen what's going to you know completely take us out of out of the out of the loop you know shut that shut it down for good and then take it to the next level right uh you know is it something that's going to really hurt us but we we will survive we we will still continue and then all the lwh hanging towards everything else right so focusing from that perspective you have the availability confidentiality Integrity we all heard the C Tri but put it on the materiality terms and risk what's going to impact your uh reputation what's going to impact your
your governance your risk your management because that's what you know leadership and what that's what Regulators want to see right so it's a different way of seeing the CIA Tri an example but different ways to actually acknowledge that and have that Comm measured assistance for all the areas and what actually what's going to get to you know hopefully get the CEO and everyone to approve and get on board because you know nydfs one of the new requirements is not only the C signs off and then the CEO has to sign off and it's a double thing they put their name to that right so there's something that happen and we all see what happened with
the solar wind CEO right uh and that situation that's happening uh so it's really important right to double down on the accountability and the transparency and that nine box of C security materiality is going to kind of help you understand from a brand perspective from a representational perspective what's going to be most important for those areas to really you know lock down and keep those things in if you find what's materially important to you you advantageous materially you're going to probably find the bad things that are actually happening too as well from the materiality perspective so go after the good you find the bad and vice versa regulatory work flow right never said it and forget it you know it's it's
not as easy as just you know doing it once and that's it it's continuous right it's a continuous life cycle having those influences what regulations are are calling on the your bucket you might work with HIPPA you might work with PCI you might work with gova your financial institutions if you're state government T 202 right I was in state government I understand what that is uh so the depending on those influences and those regulations you start looking at the controls that are applicable to those areas and how you can actually consolidate condense them and what's basically applicable to you not all the controls are going to be applicable to you what's going to be applicable to you
hold hold how those in whether through a JC platform or just you know good old spreadsheets I mean obviously you want to be automated we live in 2024 there's really no reason why we just be relying on spreadsheets over spreadsheets over spreadsheets on controls and you know government risk compliance efforts uh but yeah so that kind of shows the the path of operational execution and be defined be prescriptive are you going to be doing something quarterly are you going to be doing something monthly just to say uh you know could be doing it at this point should be doing it at this point be more precise on the timing right and the mitigation uh protocols
and risk management evidence collections continuous Improvement that's a continuous cycle it's a vicious cycle because ultimately you have this assessment happening this and then you have another team asking for this information for another assessment so it really compounds and I can see the the burn for the teams right as they're getting more and more asked about different regulatory uh assessments and you know engagements it's really good to kind of have that Consolidated to make your life easier you know offensive and security security practitioners um ncsf 2.0 show hands who's who's heard of the ncsf awesome right so NSF is obviously not to be prescriptive for you to know what you're doing but it's really good to actually
have the foundation for the protocols it really literally says it's guidance right it's not actually a regulatory mandate used by any organization regardless of it size right whether you're small medium or large organization you use it right based on the maturity the CSF is not going to tell you how to prescribe those outcomes they do have uh implementation TI this year or for for CSF 2.0 to really make a really good use case for leadership to understand how you can apply the CSF and those controls around that but it's just a really good foundational uh start to having really good suby risk uh management uh posture and risk management uh you know evading of threats and bilities that are out there
uh privacy right we can't be talking about security and regulations it's not about privacy as well right so USA is going to get it own thing too right uh you know there's happenings in Congress happenings in and you know and uh those levels of government to look at you know patchworks of different state laws that are happening we all heard CCPA uh California CPR right all these other states are you know kind of working G their own privacy legislation But ultimately comes down to you know are we going to have a unified law for the United States in privacy terms and what's actually going to what actually that means right they're going to be looking at data minimization covered
algorithms data purp purpos having actually a data PR data privacy officer like an actual leader accountable for data privacy and privacy efforts right and then obviously with targeted advertising security of data and then AI right the AI the whole AI you know monster that's there happening how that's going to impact privacy that's going to impact the the actual workflow of those environments right so think about that it's understandable that it's really important to understand what's being applicable to you but keep that in mind that that more regulation might be coming down the line in regards to privacy um so why should I care well the Hammer's dropping right look at all those um you know functions of uh you
know gdpr you know Amazon G up it might be a drop in the bucket right because they make a million a billion dollars a minute based on sales right but you know you know a lot of organizations do not have those funds and don't have the amount of Revenue and Equity to you know deal with these sorts of you know fines and penalties right so uh you know commission filed 784 enforcements obtain orders for nearly $5 billion in financial remedies and distribute nearly a billion dollars to harm investor that's a lot of money um so ultimately the hammer is coming it's dropping more and more you start seeing that and a lot of organizations kind of like waiting
they're taking a Wai and see approach of how someone's going to get Ding and how why they get D and what can do to prevent that from happening to us right um but you don't want to be that person that gets D first and then having that out there for everyone to kind of replicate what not to do and what you did wrong right so all these I'm not going to go down the line right but you know all these are companies that you heard of uh I I know you all gotten some uh I know did anyone get the AT&T letter about the uh disclosure breach I I got that one I'm sure you probably got
T-Mobile I mean it's unfortunate right and you know our data is out there uh and that's that's that's bad it's not good compliance is always different for everyone right so you know based on what's applicable to you the influences the regulations that applicable to your environment to your to your structure that's how you're going to know what actually is important to you from that perspective right so you know I'm not a lawyer but you know lawyer will tell you you need to document right if it didn't if you don't document it didn't happen that's first and foremost that's the that's a lot of the land so documenting and having those Target you know having that one year the the now you know near
future sort of approach right understanding the goals the road maps right because obviously The Regulators want to see how your information security program is now what is what is Outlook in the future for a three five year perspective and actually what you're working on to deal with some of the different things You' called out yourself right your aotter is going to call out findings are going to call out different situations that you need to work on so keep that in mind based on the industry based on your Revenue based on your allocation of resources let's face it you know usually teams don't get resources until you get popped right until you get B uh and that's
unfortunate but you want to be making the case because you know obviously information security is a cost center it's not a cost Revenue generator so okay we're going to save yourselves all this money how can we do that you show them that right uh and and ultimately you know worst case scenario catastrophic events you know you want to do do in Gloom either right but you want to be realistic and set those realist expectations with those teams as they're doing that sort of work so the compliant is the game plan for everyone right did I just not myself because I just said it was based on your Bo based on your vertical right but there's different things that everyone
can do right inventory I talked about risk risk management inventories identify all your key stakeholders all the race standards all the reviews pertinent to your uh existing policies procedures you know GRC is a really big deal having policies having standards having Sops whatever it is you do make sure it's you know done the right way way documented the right way you know implement it the right way in a JC platform or like I mentioned spreadsheets if you don't have those flexibilities to use a service now and Archer those are familiar with those uh you know platforms and then crown jewels what's going to be most important for that organization to protect what's the crown jewels right asset Vis asset
visibility gaps right control gaps in those areas of what you're protecting from that perspectives operationalize right cyber security awareness training the number one thing that all these regulations have is what everyone has to have a cyber security wear training program that's first and foremost that's basine now um so if they see that you don't have a Hy security pro program you're not doing fishing tests on on the network on the environment they're going to than you for that it's going to be a big deal because basically ultimately the end user which is people up you know working for that organization they're not getting that cyber security hygiene they're not getting their awareness hence you're going to have issues and
then comes back to that really it's like basically you know it's like having no insurance when you get in the car W and you know you you're basically responsible and it was your fault uh racing um you know races are huge right having a responsibility Matrix to understand who's accountable who's going to be informed who needs to do all these things on you know from a you know cber security posture regardless of the URC team you're in the fireball team pki team everyone needs to understand what their role is and how it actually pertains in the bigger picture of things right so reporting Cadence how you going to have that reporting cadences to your to your leaders in leadership and then
next step always implementing implementing the new Cyber R processes to be fully compliant with the regulatory obligation so that's why you work with the legal team with your compliance folks to say okay are we meeting these things how are we meeting that they're going to ask for proof and don't think of as an audit because everyone has audit as like you know it's a bad thing and you know they're going to come back and get us uh you know don't be that don't have that confrontational relationship easier said that does right depending how the Auditors uh you know conduct themselves and work but ultimately we're all working for the same organization so if we're going to lose funding or we're
going to get dang their teams are also going to get Ding and then you're going to have issues with funding you might have layoffs I mean a lot of things are happening in thech industry right now based on different things that the company's the bottom line right ultimately what's going to get them to save their money and be operational so materiality governments who decides what's material what do youall think is the CEO is the CFO is the general Council the CIO is it the board what do youall think board the Auditors legal right your lawyers right they should rign always in my honest opinion everyone else has input right so legal has to make that call I seen so many different
times when legal and you know the Cyber teams say oh we had an incident we have a breach if legal doesn't tell you to say that you don't say that right uh because you get into this whole you know song and dance like why are we calling an incident when legal and the team organization decided that it wasn't an incident so always revert to legal and always make sure they understand that everyone's on the same page but the call has to come from them and it Cas Cas down to everyone right and you start with what's already known what's material right read your financial reports if you have those talk to everyone material curiosity no one's
actually discussed that that's a new term that I heard it uh in you know different webinars and webcasts uh cook into the corporate teams right if they have business line departments um Tech MBR heard MBR like a you know a master business record they kind of get together quarterly basis uh they review different things that happening in the organization if you're plugged into all those things you're probably going to have a better idea what's material what's going to be more important for the organization to hook at that right and then work with your second line if you have Enterprise risk management teams in place and then don't forget our audit friends audits also going to be
important understand the audit plan the coverage what's what's in roll what's in plan for coverage 2024 2025 what audit you going to hit up be you be ready be up front and you have more information to be honest and transparent here here it is what do we do get better and that's the really type of relationship you want with your AIT teams so aren't you glad you live in Texas right look at all these roues right you consumer Privacy Act Colorado data Privacy Act obviously we know gdpr uh CCPA uh Connecticut right well guess what I spoke too soon right starting in July of 2024 Texas is going to get their own privacy legislation right enacted
enabled uh it's called the TDP TSA did anyone know that show hands right so be ready for that right it's going to be something like I mentioned cluster you know cluster fudge of different organizations different states are going to be looking at privacy and how that's actually going to happen and have an impact on us right um so that's a that's that's really want to look at and then in the United States is doing maybe a national one we we need to be aware of that right so you know it's it's coming right so you know be ready be understanding what compliance can help uh and understanding the rule the regulations how is it's going to impact
our business right from a consumer perspective even for us as consumers as we buy stuff I mean we all see those little banners privacy notices here click accept dog cookies all that nice stuff it's going to probably get a little bit more robust as here as we live in Texas even where you know are you know Mom and Pop shops too because they have to adhere this privacy leg ation once it's enacted so ultimately you want to have an out tal output right if you want to be the man you're going to pay the man right so you know let's do a little example right um state agency uses three influences let's say they use NSF 2.0
the 853 control family show hands is anyone familiar with that okay and T to2 so basically give or take it's around 2,000 controls that you're looking at right so let's say let's say you have an assessment happening right so you have two resources they work four ways at 320 hours just in checking Implement and document updates right and then updating the documents that's another 320 hours for those same resources and then you look at the controls you gather that evidence you can go down the line right so it starts building up right literally you have 2560 hours of fully loaded work and they say they charging $120 an hour and that's that Baseline and that can be
frugal right because I mean your big four your kpmg's your e they're probably going to charge a lot more than that right uh and that's modest right but if you really hone in and see what controls are really applicable to you you can literally reduce them by half depending on what influences you have you just sa yourself half of that 30 37k as an example as a total cost right so you save some money right compliance paid off it's sexy right they always think compliance is not sexy JC is not sexy well in this case you save money right you think that's you know doesn't get more sexier than that so just an example right obviously go in financial services
those numbers you can multiply in tfold right based on all the different things that are happening from a cost perspective but it shows that if you know how to do what you're doing you're going to save money right you might not make the company money but at least save the money and understand your control uh Effectiveness and maybe have have more res if have another days right not necess focus on an assessment at one point given time so keep that in mind somebody uh I've been teaching right I've been teaching TX security since 2012 to got my masters and then one of my students this past year told me well there's never iners in GRC and I
started thinking, like, yeah, you're right. And then I saw this, and I had to backtrack and say, now I don't believe in that so much, right? Security controls can kill. New research finds that hospitals that experienced a data breach (we've all seen that, right, with the data breach that just happened) saw the death rate among heart attack patients increase in the months and years afterward. The increased mortality rate doesn't appear to be due to the perpetrators themselves; the hackers aren't controlling the allocation of medication or doctors. Rather, the issue may lie with how the healthcare systems adjust their cyber security after an attack, according to a study. So that's pretty big. I mean, the hackers are going to get what they want, they want the money, but ultimately, you know, the collateral damage is people dying in hospitals, and literally those controls kill people at that point in time, if you think about it, right? So the issue may lie with how healthcare organizations deal with cyber security. So now it gets real. Now there's actually a tangible thing. I mean, I want to go to a hospital, I don't want to die because someone didn't do their due diligence in how they handle the control environment, the cyber security posture and all those good things, right? So after the data breaches, as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined in the new study. Heart attacks rank among the top medical emergencies in the US. So think about it: that's 36 different people that died because of, you know, bad cyber security posture, cyber hygiene, whatever you want to call it, and bad controls, right, from a cyber security perspective. That's horrible. I mean, you know, that's horrible. And we've seen this; I've seen things in the news when they have ransomware attacks at hospitals, where they make the attribution to people dying because of that ransomware attack, because systems were not online, you know, there's no life support available because that system was down due to a ransomware attack, as an example. So keep that in mind. Cyber security remediation in hospitals may be slowing down doctors, nurses and other health professionals as they offer emergency cardiac care. So, you know, they have to; they're cognizant of that, but they have to understand why it is that you're doing what you're doing.

So, statistics with regulatory impact, right? 76% have felt some sort of pressure to dilute the reality of security risk. I mean, so leaders are pressured to kind of make it seem like it's not really that big a deal. That's a big, big percentage, right? The NSAD found that 61% of corporate directors will compromise on information security for the sake of a business objective. That's a problem
because they want to be innovative, they want to, you know, turn to market, they want to do something that's going to get them more money, but at the expense of cyber security. So that's a lot, that's a lot of people. ISACA reported that 84% of business leaders were confident in their security posture; only 31% of security staff had confidence. We saw that with SolarWinds, right? Even their own SolarWinds people were coming back and saying that it had holes like Swiss cheese, or grilled cheese or something; that's what they said in the finding, right? So if the leaders are saying one thing and the people on the ground are saying another thing, that's a big problem, right? As I mentioned, you have to really be on the same page, and if you're not, you're going to have issues. We all know what happened with the former Uber security chief, found guilty of concealing the data breach. The SEC adopted the cyber security risk management, strategy, governance and disclosure rule in July 2023. And then the SEC, we all know what happened with SolarWinds: they sued the CISO and company for disclosure of control failures in their environment, right? That happened in October of 2023.

So it sounds cliché; has anyone heard this: people, process, technology? I think those of us that are in this field have probably seen this a million times over, and it's cliché, but it really does come down to hammering down on people, process and technology, right? Understanding those three areas, understanding what risk, what cyber security materiality events can come out of those three different areas, and understanding that, right? So it sounds cliché, but it really is what we have. So like I mentioned, always take a breath, think and hack, right? Think about the catastrophic-event level: what's going to completely take us out, wipe us out? Always understanding what could kill us, the extinction-level event, and then everything under that, right? You know, what can really hurt us from a reputational perspective, where we're still going to survive it, right? And those controls, and how do you deal with that? If you put yourself in that mindset, you're probably going to have more reactive and better proactive approaches to dealing with cyber security risk management as a whole.

So what can you do, what should you do? Has anyone heard BLUF? Any army folks in the house, right? Bottom line up front. I'm ex-US Army, so that's why I learned that one. Material assessment can and should inform both reporting risk, largely looking backward, right, and your strategy looking forward to manage and mitigate the risk. Where to start?
Start with the business, the financial statements, like I mentioned. Find a material benefit, what's really important for the organization; it will lead to material risk. The good will lead you to the bad, and understand how you protect those things from happening. Focus on how an information asset can be compromised. Look for direct and indirect relationships that can cause exposures, right? Go beyond the attack surface and look at the attack depth that exists: attack surface and attack depth, defense in depth, that sort of approach. And then shift to exposure management versus vulnerability management, right? Prioritize, prioritize, prioritize. Automate, automate, automate, whenever possible, right? Otherwise your time to contextualize will take too long and the complexity will be too great. It sounds easier said than done, but those are the things that we have to look at and do from that risk management perspective, in addressing regulatory oversight and addressing regulatory issues.

So at the end of the day you want to ask yourself these questions, right? How do you manage the risk? Your come-to-Jesus moment: what would Jesus do, right? Is it enough? How do you know? Like, how do you know? And I answer everything with honesty: was it driven by the data, right? It's one thing to say something, like I mentioned, but if the data says the things that you're saying and it's aligned, the data speaks to that, you're probably going to be in a better spot. If what the data is saying is pretty bad, you might want to work on that and fix those things, right? Because ultimately the data is going to come back and bite you, especially if you tell a completely different story that's not aligned and correlating with the data.

This one's a big old slide, right? But I just wanted to drop that in there at the very end. So significant efforts are happening, right? I mean, you see that; obviously we've all seen the little meme, right, "everything's fine" while you're on fire.
Looking at the forensic incident response, understanding reporting: organizations may need to report incidents while still investigating them, especially if you have four business days to report it. You're probably going to be dealing with a breach and an incident at that point in time. It's not going to be "oh, we're just going to report something after the fact"; no, you're doing it at that time, in flight. So look at addressing the assets. Like I mentioned, I'm going to double down on assets: asset inventory, asset management, 100%. Know what's happening in your environment. Have qualitative risk assessments, have quantitative risk assessments, have hybrid risk assessments. Reputational risk: I mean, a lot of people don't even include reputational risk in their risk posture, risk environment, risk profile. And if you don't have those, you're going to basically have a blind spot in regulatory reporting from a risk perspective as well. So basically, the gap between regulatory reporting, your IT teams, material impact, helping with those financial impacts, and working those together, because if you're publicly traded you have to have all your financial disclosures, all your financial statements in play: how they're aligning to the cyber security program, how they're aligning to the infosec program, how they're working together. That's one thing, right? And then like I mentioned, the number one common denominator in all the regulations that are happening in the world right now is cyber security training. If you're not training your folks in cyber security, you're doing it wrong. You're basically starting on the wrong foot and you're probably going to have a lot more issues, probably sooner rather than later. So keep that in mind.

So those that went to Mr. Rob Dodson's tabletop exercise: awesome, right? Tabletop. How do you engage that? You tabletop the hell out of it, right? Look at that supply chain attack which we just covered in the last presentation. Look at that scenario; I'm not going to go into it word for word, but look at all the questions that you're asking yourself, right? Who's going to be responsible to handle it? If your internal team, your corporate network are down, how are you going to be able to communicate with each other, right? How would you evaluate that materiality component and impact in that sort of company situation, where they have irregularities in the software patches, right, and how that organization is dealing with a supply chain attack? So you start thinking about it: you're not going to do it until you put yourself in the situation of how you would do it. Like, don't wait for that to happen; be proactive and do a tabletop, right, understanding what the situation is. If you have a lot of
cyber supply chain vendors you work with, you might want to do a tabletop around this specific area, if that makes sense.

Too close to home. This one's interesting, right? This one did happen in real life, so we'll get into it. So IOCs, right? Patient zero was the CEO, right? Basically the CEO's son: somebody took a picture, he got an email from his girlfriend, and that picture was weaponized, right? It was actually a real picture of his kid. And understanding how that input actually went from the house to the business, right? So do you have an incident response plan that specifically addresses an attack on your leadership structure, right, on their home systems? Because ultimately that came from a picture, from an email from home, of their son, right? And that picture had been weaponized and obviously infiltrated into the network at work. And understanding that, it actually takes forensics and incident response to come in, and theft and all your stuff happens, right? So how would you handle a home compromise that leads into the organization's compromise? How do you evaluate materiality in that instance, right? Who makes that call? I mean, because ultimately you're getting into more, you know, that's where legal needs to get involved, right, to understand it's a CEO that got hacked; we've got to address it appropriately, probably get his own machine, take it off the network and inspect it, do forensic analysis on it. That's probably what I would do. But it's the perfect phish, right? Because the phish came from a reputable source, his girlfriend, with a weaponized, you know, probably steganography attack on that picture file of his child, right? So it's not something that, when clicked on, would look weird or anything like that. It's not the normal phish, it's a perfect phish. So more and more situations are happening. There are a lot of companies like BlackCloak out there that handle C-suite leadership security and high-profile people, you know, your celebrities and things like that. They look at these perfect phish scenarios all the time and they cycle through them. But those in enterprise, and more organizations, don't really realize that's actually an avenue for an attack, and something that we might want to realize and keep them to account.

So last but not least, this just happened two days ago. Matthew Olsen reported that on LinkedIn. So the Assistant Attorney General for National Security stated at the Wall Street Journal's Tech Live, a cyber security conference which happened a couple of days ago, that on a number of occasions the Justice Department has delayed companies'
disclosure because making the attack public would create substantial risk and raise national security concerns. So there are a few caveats to reporting SEC materiality disclosures for cyber security. One of those is if it causes a national security concern, or it could be a national incident, they might have to delay the disclosure of that. Is anyone surprised? So now a lot of organizations might be getting hacked but we might not know about it, if you're a publicly traded company, if you're an investor in that organization, because it was supposed to be a national security threat; hence they're not reporting, they're delaying the reporting. And that just happened a couple of days ago, and I'm probably going to, you know, not be surprised to see that you're going to see a lot more of that, right? But what's the whole point of doing all this and reporting if a lot of people are not reporting and kind of throwing it under the bus, basically, based on, you know, "oh, it's national security, it's going to impact national security, it's really important"? And then once they do disclose that, what's going to be the effect of that? What's going to be the repercussions of waiting a certain amount of time, of not disclosing those cyber security incidents? So just something to keep in mind, right? We really don't think about those things when we're talking about cyber security regulation, whether it's NYDFS, SEC, HIPAA, GLBA, you name it. So it's just one of those things that are happening in the environment. And with that, thank you for my presentation. Questions? No questions? I know I covered a lot. Yes.

Can you talk about a post-ransomware attack with hospitals? Like, is that because systems are down or unavailable to the staff? I just don't know a lot about this and I'm curious why that happens.

I was direct from a hospital; I wanted to go home when I was there. Literally, their inventory was not there, so literally I had to get a script, get a scanner, and at that hospital scan each and every endpoint, whatever it is, to make sure we have visibility, right? From there we get a risk: what that data is, what it tells. And I'm guessing those didn't have any, right? So to your question, hypothetically, there's
a ring where, you know, probably the after-action item is how long systems were down and how long to come back up; that would be the number one driver. If people were to have those situations, they would need to be somewhere else; she could be sitting there with things not working and, you know, have her life at risk. So that's a really good question, but yeah, I mean, from a hospital perspective, inventory. Any other question? Yes.

Hey, this is really US-centric. I'm assuming that many of us work in multinational corporations, so what are your thoughts on compliance with regulations outside the US?

I mean, obviously, know them, right? Understanding, working with those that understand that regulation. ISO 27001, I mean, I stood up ISO 27001 ISMS programs, and obviously from a privacy perspective GDPR, the EU rule, and then more and more security happening on that side of the world, right? So understanding what those things are, how they apply to those entities, right, because a lot of us have entity types or field types, or we have field members that are outside the US normal reporting protocols. So I'd probably say do a risk assessment of all your regulatory compliance avenues that have impact on your team, and then look to see how they align with what's actually happening on the US side. Do you have a US headquarters, as an example? But yes, I mean obviously this is more US-centric, but compliance is here, in China, right; security is here, in China; it's all the same thing. Make sure you apply the right controls based on the environment that you're in.

I have a quick question. Yes, ma'am. So I think one of the biggest issues that I see is lack of data, data coming in the first place, and trying to encourage them that nothing is too small, having processes that allow for them to [inaudible] security awareness [inaudible] and reporting, right, the reporting aspect. So what have you seen in terms of best practices, how do you [inaudible]?

I've seen, you know, basically from the training: at the company we have something called Report the Phish. They have a cyber score, like an actual scorecard, that's kind of like a competition between two teams to see who's going to have the best security culture within the [inaudible] to make it a little bit more [inaudible], if you can. They get bravo points, I guess; it's an internal incentive to, you know, get things from the merch store, as an example. Like, have some sort of incentive for teams to report different things and call out different things. Organizations do it differently, but ultimately it comes down to training, and understanding and reporting those small things, because something might be small, like something material, or it can be something benign that really is a bad thing happening that would probably cause a big breach, right? So it all comes down to education, all comes down to awareness. Thank you. Any more questions? All right, well, thank you.