
IT Risk Management

Lecture 1: IT Risk Management, IT Governance, and Cyber Risk Management Overview
Topics

1. Course Overview

2. Introduction to IT Risk Management

3. IT Governance

4. Cyber Risk Management


Course Overview
Shahryar Shaghaghi
Principal, Leader of Cybersecurity and Privacy Advisory,
CohnReznick
ss5602@Columbia.edu
(917)972-9313

• 30+ years in IT, operations and risk management consulting to global organizations; led complex global cybersecurity implementations at Citigroup

• As a member of AICPA Center for Audit Quality (CAQ) and Assurance Services Executive Committee (ASEC) Cybersecurity Working Groups, developed SOC for cybersecurity service to help auditors identify cyber risk

• Develops strategy and implements programs to increase profitability, manage cost, risk and compliance

• Previously Partner at BDO, Head of Technology Advisory and Global Leader of Cybersecurity; Partner at Kurt Salmon, CIO Advisory Services; Director of Transformation and IT Risk Management at Citigroup; Technology Advisory Partner at Deloitte Consulting; Technology Integration Services Director at PWC; Senior Manager at Andersen Consulting (Accenture)

Course Overview

1. Attendance

2. Participation

3. Assignments, quizzes, projects, tests

4. Understanding of grading system

5. Interaction throughout the course


Introduction to IT Risk Management
IT Risk Management
What is IT Risk Management?

Multiple definitions exist:

IT risk management is the program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes: (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time.
Source: NIST

IT risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.
Source: ISACA

IT Risk Management
Is there a difference between the two definitions? If so, what is the
difference?

IT Governance
Enterprise Governance

What is Enterprise Governance?

Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.

Source: ISACA

Enterprise Governance
There are two key dimensions of enterprise governance:

• Conformance
• Performance

Conformance (corporate governance):
- Takes a historical view
- Compliance is subject to assurance/audit
- Well-established oversight mechanisms (Audit Committees)

Performance (business governance):
- Takes a look forward
- Focuses on strategy and value creation
- Typically does not have dedicated oversight mechanisms

Source: International Federation of Accountants, Enterprise Governance: Getting the Balance Right, USA 2003.

Enterprise Governance (figure; source: Implementing IT Governance, Dr. Gad J Selig)

IT Governance

What is IT Governance?

IT governance formalizes and clarifies oversight, accountability and decision rights for a wide array of IT strategy, resource and control activities. It is a collection of management, planning and performance review policies, practices and processes, with associated decision rights, which establish authority, controls and performance metrics over investments, plans, budgets, commitments, services, major changes, security, privacy, business continuity and compliance with laws and organizational policies.

Source: Implementing IT Governance, Dr. Gad J Selig

IT Governance

IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. IT demand governance (ITDG: what IT should work on) is the process by which organizations ensure the effective evaluation, selection, prioritization, and funding of competing IT investments; oversee their implementation; and extract (measurable) business benefits. ITDG is a business investment decision-making and oversight process, and it is a business management responsibility. IT supply-side governance (ITSG: how IT should do what it does) is concerned with ensuring that the IT organization operates in an effective, efficient and compliant fashion, and it is primarily a CIO responsibility.

Source: Gartner

IT Governance

Governance of Enterprise IT is a governance view that ensures that information and related technology support and enable the enterprise strategy and the achievement of enterprise objectives; this also includes the functional governance of IT, i.e., ensuring that IT capabilities are provided efficiently and effectively.

Source: ISACA

IT Governance
Scope of IT Governance:

• IT principles
• IT architecture
• Service-oriented architecture (SOA)
• IT infrastructure
• Business application needs: specifying the business need for purchased or internally developed IT applications
• IT investment and prioritization
• People (human capital) development
• IT governance policies, processes, mechanisms, tools and metrics

IT Governance (figure; source: Implementing IT Governance, Dr. Gad J Selig)

IT Governance (figure; source: Implementing IT Governance, Dr. Gad J Selig)

IT Governance
IT Governance Challenges:
- Total Cost of Ownership & IT Value Proposition
- On Demand Management & IT Investment
- Business Continuity and Disaster Recovery
- Business/Competitive Intelligence
- Risk, Control and Audit Oversight
- Compliance Processes
- Systems Development Lifecycle
- Architecture & Applications
- Security
- Program and Project Management
- Asset Optimization
- Vendor Management

IT Risk Management Areas:
- IT Governance Processes
- IT Strategy
- Information Systems Architecture
- IT Security
- IT Operations Management

IT Governance (figure; source: Implementing IT Governance, Dr. Gad J Selig)

IT Demand Management (figure; source: Implementing IT Governance, Dr. Gad J Selig)

IT Governance

Strategic questions: Are we doing the right thing?

Is the investment in IT:
- in line with our business vision and strategy? Are the board and/or executive operating management involved and committed?
- consistent with our business principles, plan and direction?
- contributing to our strategic objectives, sustainable competitive differentiation and business continuity support?
- providing optimum value at an acceptable level of risk?
- representing a long-term view (roadmap)?
- including an architectural roadmap, based on a detailed analysis of the current state or condition of IT?
- Does the CIO have a seat at the "C" table?

IT Governance

Value questions: Are we getting the benefits?

Is there:
- a clear and shared understanding and commitment to achieve the expected benefits? In what areas? How?
- clear accountability for achieving the benefits, which should be linked to MBOs and incentive compensation schemes, for individuals and business units, or functional areas?

IT Governance

Delivery and execution questions: Are we deploying well and effectively? How do we measure our results?

Metrics include:
- scalable, disciplined and consistent management, governance, delivery of quality processes
- appropriate and sufficient resources available with the right competencies, capabilities and attitudes
- a consistent set (of metrics) linked to critical success factors (CSFs) and realistic key performance indicators (KPIs)
- succession planning

Cyber Risk Management
Cybersecurity Risk Management
Today's cyber threat landscape

• Breaches increasing across industry
• Breaches are more sophisticated, on a larger scale and have greater impact
• Multiple incentives & types of breaches/threats
• Phishing, DDoS and Ransomware are the most common
• U.S. has the highest average cost per breach

(Figure: timeline of notable breaches, 2007-2017, including HackingTeam)

• Data breaches have serious financial consequences for organizations
• According to the Ponemon Institute's most recent annual study, the average organizational cost of a data breach in 2016 was $4 million, or $158 per compromised record

Cybersecurity Risk Management
Today's cyber threat landscape

Ransomware: One of the most common attacks in 2017 and 2018

(Figures: Negative impacts of cyber attacks; Functions most likely to be affected by a public breach)

Digital World Reality
• Digital transformation will continue and therefore the cybersecurity landscape is constantly evolving.
• Today we have 10 billion devices attached to the Internet. In 2020 we will have 50 billion devices connected to the Internet.
• Since hackers only need to be right once and those who protect the organization need to be right all the time, your cybersecurity program needs to be constantly evolving.
• In order to evolve, it is vital to understand who is after you, what motivates them and what they are after.
• Understanding the landscape is a key element in any successful cybersecurity risk management program.
2018 – The Year of the Defender
• Organizations will start managing cyber as enterprise risk
• Organizations have made small yet meaningful strides:
  - Number of days to detect a breach is down
  - Number of days to contain a breach is down
• GDPR makes cybersecurity everyone's problem
• Changing the equation: Cloud will be the integral component of our defense strategy
• Board-level topic of discussion
• Security is everyone's problem
• Lack of alignment between CIOs, CISOs, and the business is going away
• Two areas most are looking at:
  - Threat intelligence, early detection using AI and machine learning, behavioral anomaly detection
  - Incident Response planning and testing is a must and it involves all major functions of the organization
Cybersecurity Framework
Drivers

Business:
• Strategies
• Threats
• Risk tolerance

IT:
• Strategies
• Architecture
• Organization

Compliance:
• Methodology
• Data
• Standards

Enterprise Security Framework

Security Operations:
• Access management
• Directory management
• Authentication
• User administration
• Remote access
• Application security
• Pen Test / Ethical Hack
• Change management
• Vulnerability management
• Patch management
• Spam, anti-virus, & spyware
• Data protection / encryption

Governance:
• Security program
• Policies
• Standards & procedures
• Threat & risk assessment
• Risk management
• Metrics & reporting
• Asset classification
• Awareness
• Security assessments
• Remediation management
• Vulnerability alerting
• Vendor management

Incident Response:
• Incident detection
• Incident response plan
• Disaster recovery plan
• Data restoration
• System monitoring
• Log control
• Event management
• Escalation
• Enterprise response plan
• Communication plan

People/Organization:
• Roles & responsibilities
• Training
• Awareness

Risk Management:
• Third parties / vendor risk
• Risk transfer & mitigation
• Risk assessment program

Infrastructure:
• Patch levels
• Application security
• Cloud security
• Data center

We incorporate the NIST Cyber Security Framework into our methodology:
Identify, Protect, Detect, Respond, Recover

Areas of Cyber Risk Management

• Awareness & Training
• Access Controls and Credential Management
• Anti-virus & Malware
• Categorize Data
• Policies & Procedures
• Business Continuity Planning
• Macro Scripts Configuration
• Application/System Inventory
• Cyber Insurance
• Spam Filters
• Software Restriction Policies
• Security Operations Center
• Incident Response
• E-mail Detection
• App Whitelisting
• Software Patching
• Third-Party Vendors
• People
Most businesses will be hacked because it is easy

• Have not fully assessed their cyber risks
• Have not classified their data
• Don't have basic security controls in place
• Many use social media to market their products and services
• No budget or limited spending on security
• Lack of internal security talent
• Use unencrypted devices and insecure email for sensitive data
• Depend on third parties for various functions
• Most concerned about losing their customer data and bank account
What should they do to minimize impact of attack?

• Start by assessing your cyber risks: what is core to your business; asset valuation
• Understand the motives of the bad guys
• Evaluate internal capabilities and talent
• Outsource to MSSPs and hire consultants
• Treat this as a cost of running your business
• Determine who has access to what
• Classify and segment your critical data
• Perform backups and patch management
• Conduct ongoing security awareness training and social engineering testing
• Have a tested Incident Response Plan



Available Resources
• NIST Framework: Identify, Protect, Detect, Respond, Recover
• SSDs for encrypted backups
• Windows 10 BitLocker (hard drives and USBs); Podio by Citrix for secure portal; SSL/VPNs
• SBA: cybersecurity-related guides and links
• CIS: Center for Internet Security
• DOD: security awareness videos
• Verizon: cybersecurity report
• DHS: Stop.Think.Connect. Toolkit
• InfraGard and FBI partnership


Potential roadblocks

"We have cyber already covered by our IT department."

"We do an annual penetration test. We're covered."

"We don't have a budget for this."

"We have a robust intrusion detection and effective cyber program already."

"We don't have sensitive data so we don't need a cyber risk management program."

"Our management and board don't fully understand or support a cybersecurity program."
Case in Point

Discussion:

Does Blockchain Tech Solve Security Problems or Cause New Ones?, Penny Crossman, American Banker, August 18, 2016

https://www.americanbanker.com/news/does-blockchain-tech-solve-security-problems-or-cause-new-ones

You are on the Board of Directors of a Financial Services company, which you have been informed is investing in Blockchain technology. What are the questions that you would pose to the company's C-level executives? How would you classify this type of investment? How would you measure its value?