Join Ilan Abadi, Chief Information Security Officer at Teva Pharmaceuticals, as he describes effective real-world strategies for presenting OT Risk to the Board of Directors.
A key goal of the BoDs of most enterprises is to maintain an appropriate balance between protecting the security of the enterprise, preserving its ability to function, and controlling financial outlays from losses. The Board cares about business outcomes as opposed to technical details. When addressing the Board of Directors, learn to anticipate and answer these five key questions:
- When is cybersecurity not an IT issue?
- What are the legal implications of OT risk?
- How can the BoD get and maintain adequate access to cybersecurity expertise?
- What is an adequate risk management framework and budget?
- Which risks can be avoided, which can be accepted, which can be mitigated through technology and which can be transferred through insurance?
Daniel Shugrue, Senior Director of Industrial Cybersecurity, will also discuss how a modern OT cybersecurity platform can provide a spectrum of mitigation and protection options for reducing key risks to your company's most critical functions.
Ilan Abadi is the VP and CISO at Teva Pharmaceutical, a 19b USD multinational pharmaceutical company. He has 19 years' experience in security at global firms, where his responsibilities have included management of cyber incident response in heavily regulated OT environments. Ilan's previous positions include a stint as CISO for an Israeli satellite broadcaster and a role in the cybercrime unit of the Israeli National Police. Ilan is currently pursuing a degree in Art History at Tel Aviv University.
Daniel Shugrue is Director of Industrial Cybersecurity at CyberX, an ICS Security provider. He has 20 years of experience working in software and security technology. Prior to working at CyberX, he directed Security Product Marketing at Akamai Technologies and worked in Product Marketing at RSA, the security division of EMC. Daniel lives in Boston, MA, USA with his two sons.
CyberX delivers the only industrial cybersecurity platform built by blue-team cyber experts with a proven track record defending critical national infrastructure. That difference is the foundation for the most widely deployed platform for continuously reducing ICS risk and preventing costly production outages, safety failures, and environmental incidents.
Thank you very much, Carol, and welcome, listeners around the world, and thank you for logging on and joining Ilan and me today. I'm very happy to have Ilan on the webinar today. Ilan Abadi is the vice president and CISO at Teva Pharmaceutical Industries Incorporated, which is a $19 billion multinational pharmaceutical company. He has 19 years of experience in security at global firms where his responsibilities included management of cyber incident response in heavily regulated OT industries. And his previous positions include being the CISO for the national Israeli police and the CISO for a leading satellite broadcast firm. Welcome, Ilan, to the webinar.
Thank you very much, Dan. Welcome to you also, and to all, of course.
Thank you. So, to just jump right in, we're going to cover today why present to the board of directors, what to present to the board, including establishing the scope of risk, tying risk to business value, introducing a framework for thinking about cyber security, enlisting board support, establishing metrics, and then finally some tips and tricks on how to present to the board.
I want to jump in with the why with a proverb from one of my favorite management consultants, Peter Drucker, who used to say that… used to quote a Danish proverb that said essentially, "Never go to the prince until he asks for you twice." So basically, if you can do your job without asking for support from management, or the prince, just go ahead and do it. Having said that, there are several advantages to having an opportunity to go before the board. And so there are reasons why you might even want to ask to see the prince, in other words, and those are: you can get visibility for your own efforts; you can, probably most importantly, get budget; but budget isn't always the limiting factor in security, sometimes it's getting time from coworkers or from other departments and getting cooperation from those departments.
So those are three reasons why you might actually want to go to the prince, or the board. But then the other reason is you present to the board because the board wants you to, especially in recent years with more and more media attention to attacks and vulnerabilities.
The board is likely going to ask you to present whether you want to or not, and in fact, Gartner said in 2018 that by 2020, which is just next year, 100% of large enterprises will be asked to report to the board of directors on cyber security and technology risk at least annually, which is up from 40% now. And actually I wanted to ask Ilan to chime in and just to get his experience at Teva over the years: how often does the board ask you to speak, and has that shifted over the years?
Thank you, Dan, for the questions. So I first want to say that I liked the prince, that he needs to ask you twice. But I think when the board is asking you to come, it's an offer that you cannot refuse, like you have in the Godfather; you cannot refuse, they need to ask you only once to come.
So, I think it's about, I mean how many times – I think most of the time it's once a quarter, and sometimes there is a very tight schedule for the board, so it can be three times, and sometimes you do five, six times because there is some big event, a cyber event is happening, like WannaCry, and this puts all the members of the board in kind of an anxiety.
And then they ask you to come and to see whether there was any exposure to the risk for the organization, for the business, and how we are dealing with that and whether we are in control of that. So it can be from three times in a year to five, six times. And I think that if there is a big event that impacts the business, you probably will go to the board, not in a nice way, but it's between three and six, seven times a year, depending on the year.
That makes sense. So, sometimes you’re reporting proactively on metrics that you’ve set up, other times you’re going to react to news if I understand you correctly?
Yeah. Has there been an evolution in terms of to whom you are reporting, like sometimes you report to the board itself and does the board also have committees set up?
So it depends on how the company is considering the cyber risk. If the cyber risk is one of the risks that's managed by the board or by the risk office, you probably will need to go to the audit committee of the board for that, and they are managing the risk of the company that you're working in. And then they are responsible for working with internal audit in front of you. They are responsible for the whole day at the chart and all the reports that you have. And they are also providing that to the much wider board. So it can depend on how the company is managing it; it could be the board themselves, it could be the audit committee of the board.
Okay. That makes sense, thank you. So, either reporting directly to the board in your case or to the audit committee, which actually, what we'll get to, we're actually going to talk a little bit about establishing frameworks and answering to regulatory bodies. It makes sense that the audit committee would be the committee, in many corporate structures or models of governance, that would have oversight over security.
So I wanted to talk about… So, that's sort of the why. If we get right into the how, the first step in the how is to establish with the board the scope of risk. And from the customers in general with whom I've spoken, there's a fine line between convincing the board of the risk we're talking about and spreading fear, uncertainty and doubt.
But I think it can be useful to talk about why the risk is growing or what are the drivers for the risk. And in this case, I’ll often point or customers will point out that the rise of bitcoin has been a big factor. So in other words, anonymous currency makes payoff in ransomware for cyber criminals easier.
The other reason, or driver, is industrialization. So cyber weapons are more widely available for purchase so that the hackers no longer need skills. They really only need motives. You don’t have to know how to code. They just need to know how to use the tools. In some cases, even the services that are for hire.
And then the third driver is the nationalization of threats, and that's the difference between a group of pranksters in their parents' basement and a group that is actually funded with GDP levels of budget and resources, and that makes an attack like Triton likely to have an effect of not just monetary loss but even potentially loss of human life.
Are there other points, Ilan, when you’re establishing the scope of the risk? In other words, in the proactive meetings with the board or the audit committee that you’ll refer to or use?
So, thanks Dan, I can tell you that… I'm going to talk about the current situation with the board. I think most of them, the board members, are fully aware of the cyber risk; they can hear the news, the media that you have every day. So they'll have kind of an anxiety.
We need also to understand that they have kind of a lack of technical knowledge; some of them have some technical skills or knowledge from a previous work or job or position, but they're in a kind of anxiety. And then you need to manage that, so they should think it all over from the beginning.
And then you have to put in order what you think, as CISO, you are exposed to in the risk, and this is really gentle work; when you focus on that you also need to understand there are very smart people on the board.
You cannot just tell tales and things like that. So you need to relate it to the business. And as you mentioned in your slide, and we can see that, you can see that in this slide, these are the three vectors, but some industries have other vectors, like for example some groups, activist groups, that are really an actor in this game.
And it's independent of which industry you are in, which country you are working for, this company is working for or is recognized in, so you have other vectors and it's very specific to each manufacturing industry. Thank you, Dan.
That makes sense. So, I mean, one example from recent news is, if we have listeners who are in the manufacturing industry, they're probably familiar with the ransomware attack on Norsk Hydro on March 19th of this year. And it's really… It's a sobering lesson in terms of just how much damage a ransomware attack can do. So I have a quote here from the Norsk Hydro CFO, and by the way, Norsk Hydro was really admirably transparent in discussing what happened at Norsk Hydro.
And I think the industry can learn both from the facts that they shared and also how they shared them, in terms of just being as transparent as they were. But it's sobering because you see the plants were shut down worldwide; the screenshot on the right is an actual paper notice that was put on the doors of the manufacturing plants at Norsk Hydro. They couldn't send messages over email because the computers were down. So they actually had to put physical pieces of paper up to tell people not to connect to the network.
And so, if you're showing or talking to the board, either reactively or proactively about this, it's a good opportunity to tie cyber risk to business value, right? When you're talking about risk of downtime, you're essentially talking about lost revenue; you're talking about safety incidents; you're talking about the detrimental effect on brand value. And when you're talking about environmental damage, you could be talking about regulatory fines or also brand damage. And then there's the possibility of IP theft, which can lead to loss of competitive edge.
So the business values, or the terms that the board is more used to thinking about and dealing with, are on the right here, and you could even give a real-world example, like this picture that was again supplied by Norsk Hydro of their plant after the attack. You can see that the screens have actually gone black.
And Norsk Hydro themselves estimated, just one week after the attack, which is… it took them longer to recover. But just one week after the attack, they said they had losses of 41 million US dollars. Now if we were to back that up and model potential losses for the board in another situation, we could, as an example, take the operating revenue of the firm. And these are the actual numbers, operating revenue numbers from Norsk, which are of course publicly reported: $18 billion.
And you look at it and make some assumptions, and in your case, as a CISO, you'll have these actual figures. You won't have to assume, but you could say, well, we have 260 actual working production days, which comes out to 69 million US dollars a day. The operating capacity after the attack averaged about 88%. Obviously that's going to vary by production line. And then the number of days of reduced capacity, in this case just five days after the attack, resulted in $40 million in losses.
So I want to pause there and just ask Ilan for his experience on whether or not this is the type of model you might use and what other ways you have to communicate this type of thing to the board.
Absolutely. Everything is about the business, how you are going to deal with the revenue and everything. But it's not just about the revenue, Dan, it's also about safety, human safety. I don't know if the people that listen to us saw the webcast that was released by Hydro, and I think one of the first sentences was that there was no personnel harm or bodily harm that happened.
So cyber attacks can also do some harm to bodies, to the employees, and this also needs to be considered. So it's about the money. You can calculate how much it's going to take. I must say that 40 million sounds like big money, but it's definitely not big money.
We are absolutely aware that in the past, when I say past, it's about 12 months ago, or a little bit more than that, there were big losses, like half a billion dollars for some company. And there was another $1.2 billion loss for a company that they claimed from the insurance.
So of course it's about the money. It's about the revenue. It's about safety, or the employees' safety; all kinds of those examples you need to bring to the board. And this is part of the scenario of the risk if something goes wrong. As I said in my previous answer, it's also about considering what kind of business you're doing, what kind of manufacturing you have and what the outcome can be – is it going to be a break or an explosion, like heating the reactor too much? And things like that.
So it's dependent on the industry, but definitely you can use those vectors and those calculations to represent what the impact can be. And I don't know if I can say unfortunately, but yes, I can say unfortunately. And we can see big losses to companies, more than $40 million, much more than $40 million.
Noted. Thank you. So, thank you first of all for bringing up the risk to human life and safety, I mean, even though the board is business oriented, we can’t lose sight of these things. And note that 40 million might seem like a large number on the surface, but we’ve seen much larger losses taken by companies, especially in the wake of the WannaCry ransomware attacks.
So moving on, once you've established the risk, you want to have a framework in which to think about cybersecurity. And there are analyst frameworks, like those provided by companies like Gartner, and then national standards organizations like NIST, that are both good models for proactive boards who want to provide a structure to their OT security efforts.
In some cases proactivity is not required because legislators in the US and the EU have mandated adherence to industry and governmental regulations. So, of the regulations, NISD probably has the broadest impact, as it applies to enterprises that provide what they call "essential services" in the critical infrastructure sectors such as energy, transportation, water, health, banking and financial, and digital infrastructures.
In addition to that, enterprises in other sectors such as manufacturing and pharmaceuticals, chemicals, oil and gas are voluntarily leveraging the NISD guidelines as a framework for improving their operational resilience. So NISD, which is European based, and I put the emblem for them here from the European Union Agency for Network and Information Security.
It's really the first regulation to define what they called minimum standards of due care for protecting OT networks. And that means that in the case of major safety or environmental incidents, enterprises can be held negligent and financially liable for not having taken minimum steps to prevent a catastrophe. Even non-EU enterprises.
So US organizations, as well as EU organizations, are affected by NISD because they have operations in the EU. So a couple of examples of frameworks that you might use, and then I'll hand over to Ilan for his experience. But one would be this, the Gartner adaptive security architecture for protection from advanced attacks.
So, a security system needs to be able to prevent, detect, respond and predict. And then another would be the NIST cybersecurity framework. So in other words, you need to identify, you need to protect, you need to detect, respond and recover. So in your experience, Ilan, are frameworks helpful, or is this sort of overkill or just overhead for the conversation with the board?
Or in your experience, do you actually use a framework when talking to the board? And you might be on mute, Ilan.
Yup. Sorry for that, it was automatic, maybe someone hacked my computer and got it to mute. So I'm sorry for that. So what I'm saying, it's a tool that you can work with the board. And you have two approaches for that; the first approach is that nobody asks you and you need to be compliant with one of the same standards, if it's ISO 27001, if it's the NIST or other regulation for that. So you can put that thing in your slides when you are showing to the board: how are you doing? What is your score? And what is the domain? And what is more relevant to you and to your business? So this is a very good tool.
Also, if you are not required to comply or it's not mandatory to use those kinds of frameworks, I think from my perspective and my experience it's very helpful. I myself personally certified for ISO 27001, even though I don't need to do that for compliance, and also we adopted the NIST for the incident response team. I think they are very good frameworks. You need to do some customization, some tailoring to your organization, but there is really a structured way how you can manage an enterprise organization. Without that it will be kind of a… I don't want to say chaos, but it's not going to be in order. And you definitely need order when you're dealing with cyber threats. Dan.
I love that example, so yeah, point taken: even if you're not speaking to the board, it can be useful to work with a framework. So, I love that you're doing that even when you're not actually having to adhere to a framework or a regulation.
And then I think the other point you made in support there is that the framework itself needs to be customized to your particular organization. So, good point. I wanted to spend a relatively quick word on cyber insurance; this is an idea that's been with us for some time.
You mitigate some risks and you transfer other risks by insuring against them. And if you were going to do that, of course, the insurance policy itself needs to be highly customized to your particular organization's needs. And what we've seen amongst our customers and prospects is that typically OT-related cyber insurance will be more extensive than IT-related cyber insurance.
And so when you present to the board of directors, you should do so with a financial model that enables them to engage in an informed discussion about risk transfer. Having said that, I mean, we've seen, and Ilan referred to this when we were talking about potential losses, we've seen in the last year that in some cases insurers are not paying for the losses that are associated with a cyber attack.
And the reasons that have been given, this is all in the public domain, is that the insurance company is claiming that cyber attacks like WannaCry are actually acts of war and for that reason they're not covered by insurance. So if you're talking to the board about transferring risk, that is certainly something to consider. And I'm actually, I'm not sure, Ilan, I don't know if we covered this in our prep: is insurance part of the cybersecurity plan in your experience, or has it been part of the plan with past companies?
Absolutely. Absolutely, Dan. I can tell you… And this is something that you are dealing with the board on also. This is one of the things that you're showing to the board, that you have transferred risk. It's like a compensating control, in our words. But it's a transfer of risk. And this shall be reinsurance; you need to write the policy. Write down the policy very, very carefully, as you said about act of war and things like that. And you need to see in your, by the way, it's not by the CISO, Dan, it's by the risk office. They need to get the right policy for the company.
And this is definitely something the board is interested in: to understand what the coverage is and, I guess, whether it's including third-party vendors, whether it's including a wave, like a storm that is happening, like WannaCry, whether it's a dedicated APT, advanced persistent threat; everything is inside the policy. And of course you need to show to the companies due diligence, due care, and what your mechanism of cybersecurity in the company is.
I can say that in the last two years I'm visiting once a year at Lloyd's in London. When we have the policy, we have all the companies making that policy, and they've absolutely become very high-level professionals, and they are asking you very accurate and sophisticated questions.
So I can summarize that the insurance is something major in your plan. We cannot say that we are bulletproof, and this is not if we're going to get hurt, it's when we're going to get hurt. So this is definitely a major actor in a cyber plan.
Thanks for that, so not an if but a when; if you're thinking about things that way, then insurance is absolutely a part of the plan. So thanks for that clarification.
So another point that we've heard from other customers that's important to cover is establishing the board's appetite for risk. And this is another framework, actually also from Gartner, that maps out the business impact on the vertical axis versus the likelihood of the scenario taking place on the horizontal axis.
So if you combine those two, you can get to risks rated from one to three: one being loss of products, manufacturing secrets, or two being the loss of some competence, and then three being actual degradation of production volume, which certainly is the likelihood in the case of OT risk.
So if you can establish with the board what their appetite is, then you'll probably have a better chance of explaining where the improvement can come with the board's commitment and resources, whether that be budget or establishing metrics that help track people's time.
So, that's one example of a way in which you can sort of gauge the board's appetite for risk. And once you've done that, you can maybe more easily bring up the costs or the budgets that you're asking for. So this is one example; obviously the budgets are as varied as the companies that are asking for them. But you might say, well, in order to establish our current level of OT risk, we need a third party to come in, possibly to do a vulnerability assessment or asset inventory.
We might need to hire someone to do incident response or have them on call. We might need to segment networks. I mean, these are all examples CISOs on the call are probably familiar with; you might want to set aside time and money to upgrade legacy equipment, and then of course budget to monitor networks over time. Ilan, is cost typically a sticking point with the board when you go to the board, or what's the primary method that you use to ask for the budget that you need?
Most of the time we're not speaking about budget, I mean a very specific budget. We're talking about the overall budget, how much we spent this year, how much we're going to spend in our yearly plan, and asking if it's enough money. And this is a very tricky question, because sometimes on the board there are also the CEO and the CFO of the company, and you need to be very gentle with your answers; you cannot cry and say that I don't have enough budget, I don't have resources, because probably the next thing that you do after you've been in the board is to go to the unemployment agency.
So what I'm saying is, it's not just about the numbers, it's about the action. Then you harness the board to your plan, and of course you're doing that with the risk office. One of the things that I wanted to mention from the last slide that you showed about the risk is that you need to be part of their line.
Yes, thank you, Dan. You need to be aligned with the risk office, because the risk is presented by the risk office. Of course, you're helping them to do the map and everything, and then you come together with the risk office, the risk officer and the chief risk officer. And then you present to the board how much money you spent on that. And there are a lot of questions about money, but not in detail, like: do you have enough money to go to the OT environment? And what is the pace that you are doing the segmentation or other things there? If you need to accelerate that, do you need more money for that?
And as I said, you need to be very gentle and sensitive with the questions, but we're talking about the budget, we are talking about whether there is enough or not enough. And as I said, this is a very good tip, to be gentle with them, to understand what you're answering; that's all, that's what I have from the perspective of budget. Sometimes they focus on one area about the budget, but most of the time this is not just about the budget and how much you spent on that.
Great. That's a really important point, and I remember, just for the listeners – some of the stuff that we're talking about now is fresh. I haven't spoken to you, Ilan, about it before, so this is very much a live interview – others I've heard about already. And that actually leads into one of my favorite points from our previous discussions, which is about helping the board understand that OT security does not equal IT security, and then how that ties into the ask for the board.
So, starting out from the differences between IT and OT security that are important to explain, because to the extent that the board already understands security, they probably understand it in an IT context. And so that means that they're used to thinking about, if not the actual protocols, the idea that communication is standardized over the internet or over an intranet.
And of course they're familiar with the fact that those PCs that are being used run a standard operating system; they're familiar with Windows and have heard of Linux. They may not know the terms active vulnerability scans versus passive, but they know that the companies they've been associated with in the past have had regular patching and upgrades.
All that is thrown out the window when it comes to OT. So we're talking about proprietary protocols. So in other words, if the communications protocols are not standard, that means that the monitoring methods won't be standard and will require specialization.
They may need to be reminded or educated regarding the fact that the devices controlling physical processes don't use things like Windows and Linux; they use non-standard embedded platforms, which again means that they require non-standard security tools to monitor or to assess vulnerabilities.
And then they may not be aware that just because you have an older Windows system, it doesn't necessarily mean you can simply patch it, because, well, especially in pharmaceuticals, patching might lead to having to retest drugs, which can be enormously expensive and time consuming. So really everything in OT gets flipped upside down, which leads me to this conclusion that it's probably important to tell the board that OT is from Mars and IT is from Venus.
So having said all that, I want to hand back to Ilan and talk about how you harness the board to help you overcome these challenges in getting IT and OT to work together.
So I think this is a major point. I think this is one of the major points for whoever is dealing with industry and with OT, with SCADA and things like that. The board members most of the time do not understand what the difference is, and the CISO's duty is to explain it to them in non-technical language. You definitely cannot put on the slides protocols and names of protocols or things like that. You need to just make it simpler: they're protected, they're not protected, they're not patched, because of that and that and that. And this makes the exposure to the risk much bigger. And the probability, of course, is much higher according to that.
So this is a journey that you need to do with the board, and let them understand that in their language, and you can ask them, and then you can harness the board. You say, because most of the OT sometimes, or not sometimes, I think usually, is not part of the IT; it's on the engineering side or another operational group of the company. And it's a little bit, let's say much more, challenging to get inside there and to do some cyber activities inside the manufacturing plants.
So you can harness the board to say that the challenge with that is to work together with the engineering. And there were a lot of boards that are an active board; when they hear something like that, they said, "Okay, the next time that you come to this committee, we want to see also the engineering side, what they are doing in cyber security and how they're working with you." And you just accept that from both ends.
Because when the board is asking you… As I said in the beginning, this is an offer that you cannot refuse, and you must participate in the cyber game and be a part and an actor in that. So the first stage in the beginning is to let the board understand that the OT environment is much more exposed. And the challenge about that is to harness the manufacturing, the engineering side, to your side. And then both of them, you and the engineering, come to the board together. And this makes a huge difference in how the company, I mean the other side, the engineering side, is considering cyber and how much they're willing to help you. Dan.
Great. So two points there, one is, probably, point taken that this slide would probably never be shown to the board because it does include, as you mentioned, names of protocols, etc. And your presentation needs to be simple, to explain it in their language: what are the differences between OT and IT?
And then I think to highlight that second point you made, and maybe we can dig into that a little bit further. You're saying, if I understand you correctly, when you speak to the board about the difference between IT and OT, their reaction might be, "I see, who can we talk to on the OT side or on the engineering side to ensure that communication is taking place and that cooperation is happening?"
And is it the case, I think you said literally that, or I'm not sure if you meant literally, that someone responsible for plant management or engineering and OT would come to the board the next time with you? Or is it that you would have metrics that measure their participation and then report that back to the board?
So as I said, when you're dealing with the board, you need to be very gentle and sensitive about what you're saying and what you're showing to them. So what you do is you make a kind of plan for how you think we can approach the OT environment, with really key measures for how we can measure the progress.
But as I said before in my previous answers, you also need to harness engineering for that, and you can suggest very slightly that the next time, engineering will show up with you at the presentation, and you and engineering together will give the data to the board. In that way, you harness the board to help you go to the OT.
Great. I love it. So maybe to summarize again: the idea is that you're sort of helping the board to come to the realization that the CISO needs OT's help, then establishing metrics that track OT's progress along some security measure, and then establishing with the board that you're going to report back on that. And once you've done that, when you go to OT and ask for their time, in what is undoubtedly an incredibly busy schedule with many other pressures, they're more likely to give you the time, because they know that what they do will be reported back to the board.
Absolutely. And also, if you really succeed in transferring the idea, and a kind of transfer of the risk, they will need to show up with you, to present with you, the next time you are at the board about the progress. So you harness them; they must participate physically with you at the board.
I love it. So if they have to go to a friend’s, then they will surely make sure that they are there?
So, jumping on: once you've established what the costs are, whether it's money or budget or time from engineering, it's important to outline that there are benefits associated with the cost outlay. Just point out, here's what the future state will bring us, whether it's avoiding revenue loss or production downtime, or the ability to target costs more accurately, which is always of value to a CFO.
And then, if we improve IT and OT communication, it means that the IT resources in which we've already invested, meaning the SIEM, the UTM, everything that's in your security operations center, can be used to secure OT just as efficiently, assuming that you're buying a tool that can in fact integrate with those tools. And of course one would hope that you are.
And then the other benefit is that if there is an attack or an outage, reaction times will be faster, because communication between the two camps, IT and OT, will have been facilitated.
Moving on, and maybe coming back to a previous example, just talking about the board versus the audit committee: we've seen a trend in the last eight years, since the economic downturn, towards assigning specific resources to manage risk. I mean, you mentioned earlier, Ilan, the risk officer, as opposed to the CISO, looking at insurance.
And so there are many committees on the board, and they'll directly manage compliance, finance and investment, and in some cases specifically cyber; in other cases, maybe as in the case of some of the companies that you've worked for, Ilan, an audit committee will manage cyber. So I just wanted to sort of highlight that point. I don't know if there's necessarily another question here for you, Ilan, but it's the idea that maybe a CISO needs to be flexible and be able to present not only to the board but also to whichever committee is reporting back to the board on cyber.
Yes. And also there was some... may I come in, Dan? Is it okay?
Yes. Go ahead.
Yeah, sure. So I can tell you from my experience that sometimes the board asks you to go to some other committees or other groups, like the executive and management, and to show them and give them a presentation about some subject that they need to be aware of.
So you also get an assignment from the board to do those kinds of things. And I can tell you that, I think I told that in the beginning, today the board has a kind of anxiety. They have a direct responsibility for cyber effects. So I think it is something you need to guide them on, how to go about that. That's it.
So, a couple of other points before we think about metrics: who else is informing the board? I wanted to give a couple of examples of audit oversight directives, and these are largely compiled by Gartner again. So one is that boards are being told that they need to understand cybersecurity as an enterprise-wide risk, and not just an IT issue.
As we discussed, they're being told to understand the legal implications of risk. They're being told that they should have adequate access to cybersecurity expertise, which I think in some cases leads back to this question of whether or not there's a specific committee assigned to oversee security.
They're being asked to have an enterprise-wide cyber risk management framework. So if you're wondering whether or not the NIST framework, or NISD regulation, or something like the Gartner framework, would be useful, it's likely that it would be; as Ilan said, and as Gartner is pointing out here, having some sort of framework is typically helpful in understanding something that's as large and as complex as cyber risk.
And then finally, there's a discussion of cyber risks: it should include which risks to avoid and which risks to transfer through insurance, again as we mentioned earlier. The other thing I wanted to cover somewhat briefly is what types of questions one should be prepared to answer. What are the questions, or maybe the curve balls, as we say in US parlance, that the board might ask?
So the one that gets me the most, obviously: have we been hacked or breached? And how do you know whether or not you've been hacked or breached? What are typically the best practices for cybersecurity? What's our biggest weakness? I remember this one from previous companies where I worked,
where a CISO who was honest about the greatest weaknesses in internal meetings was afforded a great deal of respect. And in order to build a plan, you have to start from the present state, and if there's a weakness, obviously you need to be upfront about what that weakness is.
Is there an external auditor or a third party that can give us a vulnerability assessment, for example? Are there disagreements between the IT team and the board, or the OT team and the board, or IT and OT? Expose those, bring those to light. And again, as Ilan mentioned, harness the board to help smooth over those differences, or fix those differences.
Dan, may I come in?
Go ahead, please. Yeah, please Ilan.
So from my experience, I can also share and add a few things that the board does, besides what we have on the slide here. So one of the things: sometimes they call for experts from other companies, like EY, Deloitte, something like that. And they ask you to come, and they have a kind of presentation also.
And then they ask you about the correlation with what this person is doing, and things like that. So you also need to face other experts that they bring in, and that discussion makes you a little bit nervous, because sometimes the ideas are not the same and you have a kind of conflict about these things. Also they can ask you about a special committee for cybersecurity in some area; that has happened also.
And what they can also do is ask you regularly about dissipate. I hear a lot about that. Do you have a clear BCP/DRP plan for that? And there are a lot of questions running about that. So these are also the kinds of questions that come in when you are dealing with the board.
Very good. Thank you for that, and thank you for adding those. And I think there are a couple of other examples here. I really like bringing in an expert from a major consultancy, for example, to speak about a risk. The last couple of slides, well, actually the last slide in terms of what to present, is just to establish metrics. The metrics themselves should be simple; this slide is also quite simple. The metrics need to be owned, I guess somewhat obviously, and of course they need to be actionable.
I'm very curious to hear, Ilan, what are the types of metrics that you've established at the companies you've worked at? And maybe some tips on how to actually show those in slides. I know when we talked previously you couldn't actually show the slide, for obvious confidentiality reasons. But if you can sort of walk through what the correct level of detail is, how do you speak the board's language when you're talking about metrics, et cetera?
So I can tell you that the metrics should be, as I said, not very specific, not a lot of details. This isn't something that you can measure. For example, you can show a metric saying how many cyber events you had in your company, and then how many of them got somewhere inside, and what the impact of that was, by numbers. Mostly by numbers.
How many phishing attempts, and how many succeeded and how many did not succeed. Something that they can be familiar with, and you can give them the quantity, not just the quality. So you can give them the quantity, how much your organization is dealing with cyber risk and cyber events inside. Along with that, and this is about the quantity; for the quality you can give one example, I mean a clear example of an event, how sophisticated it was and how you dealt with this sophisticated one.
So you can bring in the metrics about numbers, about things that are happening inside your network. And then you can do a focused drill-down on one event, or maybe two events, that show the sophistication of the event and how your team, your everything, stopped this event and how you dealt with that event.
And there are a lot of questions about that. And this is a very good slide and metrics that you can do: make it simple, as you wrote, and give them numbers, give them a kind of time chart. How much it was, in math for example, each month.
If we see any kind of rise in the risk, an increase in the risk, then what you're doing about that, and what we're doing if you get a kind of impact to the business. So what is the company, what is the mitigation activity you are doing about that? As I said, it's very important to say that there is no bulletproof, and things happen, but we are in control. Dan.
Okay. Thank you for making that last point especially. I don't know that we stressed this at all yet, but making sure that the board understands that there is no such thing as 100% secure and nothing is bulletproof is, I think, an important point that we previously neglected to mention.
The other quick takeaway I took there was that you're saying yes, you can and should be quantitative. You can measure things like number of events, instances of ransomware found. And maybe the thing that really stuck out to me was something as mundane, if I may, as phishing attacks.
But still as important as phishing attacks, because it seems like every time we hear about a new attack, the likely start of that attack vector is some sort of phishing attempt. And humans are in many cases the weakest link. That's not to say that humans are dominant; it's to say that effort must be made to educate the people in your company and to guard against phishing attacks.
So what better way to do that than to report up to the board: here's how many attempts we had, and here's how many people clicked through. And then the takeaway I had was to report this stuff over time, right? I mean monthly: January, March, February, whatever. Here's how many events, phishing attacks, et cetera, we saw, and show either progress or devolution.
And then the last takeaway, I think, that you made there is to not just focus on the quantitative but also on the qualitative: you can deep-dive into a particular incident and talk about how your team responded. And at that point, if I understood you correctly, especially prepare for questions from the board about what did or didn't happen. So thanks for all of those points. I think the metrics are a very important part of the presentation to the board.
Now, having said all that, let's take a step back. We talked about why you would present and then what to present. Just a couple of quick points on how. And maybe the most important point that you've discussed with me previously was the importance of just knowing your board. Who's on the board? What are their individual backgrounds? What's the role they serve on the board of directors? And then what are their biases, right? Everybody has them.
And it's important to know what they are. I think one of the things you said earlier that impressed me, or rather made an impression on me, was that some people on the board are, I think the word you used was excitable, or maybe a better word would be just more interested in cyber, and they're going to proactively reach out with questions about things that are being reported in the media.
And so maybe you can give a couple of points on how, once you've established who is on the board and who is more interested and less interested, that affects your presentation style. Like, how do you approach someone who's more interested, and how does that differ from how you approach someone who is less interested in the issues that you're bringing to the fore?
Hi. So, I'm seeing that we are running out of time, so I'll try to do that shortly, because I have a lot of things to talk about on that. So this is a kind of process, because everybody knows that you have to send the presentation a few weeks before the board meeting, and they have to read it and then make questions. So when you come to the presentation they are supposed to have already read it and to have their questions on paper.
And so you will understand, I mean not immediately, but during the presentation you will understand who is the person that really knows technology, who has his own anxiety, who is bringing more knowledge, and who is maybe a little bit agnostic about that.
And there will always be those kinds of characters. From my experience today, and I see that in the last 10 years with the board, working with a board, it's almost 11 years that I'm working with boards, today almost everyone is participating in the discussion. Some of them more, some of them less.
But definitely, and I can tell you that it even goes on after the meeting: you get an email from the board or from the secretary of the board. A lot of the time after my meeting with the board, where sometimes I have only 40 minutes, 45 minutes, and then they take more than one hour and then they have to stop because they have a very tight schedule, I get questions by email and I have to answer them to the secretary of the board.
So this is a process: how is your board, who are they, who is the more technology guy, who is coming from another industry and trying to bring in some knowledge, and what are their skills. So as I said, this is a process, and today most of them are really getting into the cyber efforts.
Thank you, Ilan. All good points. As you mentioned, we're running a little bit short on time. There's lots of good content here to get through, so briefly, in summary: what to present? Establish the scope of the risk, without getting into high risk business value; introduce some sort of framework; establish metrics. And don't forget to outline the benefits that your desired actions will bring if I have the board's cooperation, budget, time, et cetera.
Here's how things will be better in the future, and then of course make the ask for budget, time, cooperation. And as for the details: know the board itself, and anticipate questions. I wanted to very briefly cover, when one is looking for an OT cybersecurity solution,
the five challenges to address are: knowing what you have in your network, that is, doing the appropriate asset inventory; having some sort of vulnerability assessment; doing continuous monitoring; making sure, as we mentioned previously, that whatever you're using can be tied into your existing tools in the previously IT-only security operations center;
and then having threat intelligence that can tell you about the vulnerabilities in the PLCs that you're using, or what the latest attack vectors are, who is targeting us, targeting the company itself, and how.
And then finally, I'm going to leave a couple of minutes for questions here. I'll leave this slide up so that people know about resources on the CyberX.io website. You can get a white paper that covers much of, but not nearly as much as, what we covered today with Ilan.
That's called Presenting OT Risk to the Board. There's also an ICS and IoT risk report that's based on the over 1300 networks that we've monitored since our founding. And then there's a video interview with Ilan Abadi. So if you want to put a face with the name, you can watch that.
And then we have events coming up: two in the US, one in Canada, one in Switzerland and one in Amsterdam. So if you're in any of those areas, we very much would like to see you, so please stop by and let's make a connection.
Okay. So with that, I want to thank Ilan again for his time. And of course I'm not saying goodbye yet, but maybe pass back to Carol to see if there are any questions that Ilan or I can answer.
All right. Thanks, Dan. Yes, we do have quite a few questions that have come in, so I'll jump in and get started.
The first one says: traditionally, OT does not report to the CISO, but instead through operations. How are you addressing the issue that the asset owner and their supply chain, OEMs, system integrators, suppliers, are the ones who ultimately decide what happens with the assets, and whether they put security on the assets or not?
Go ahead Ilan.
Okay. I will take that call. So as I said, I just mentioned a few methods, or let's say tactics, for how you deal with that. Because they're not part of IT and they're not part of the CISO organization, you harness them through the board.
You say those domains are not in my responsibility, but they are exposed to the risk and they need to be managed. And you mention that you would be more than happy to share your knowledge and to help them do cyber security. So I think the next thing that happens at the board, almost immediately, is they must come in, and they come in. That's all.
Great. Thank you, Ilan. Go ahead, Carol.
Under what conditions could the insurance company claim act of war when they refuse to pay? If the attack merely originated overseas or domestically, or is likely attributed to a state-sponsored attacker?
So this is an answer that I don't have, let's say, the expertise to give, but it's a very tricky answer. It's a good, smart question.
And the answer is, because most of the attacks today are coming from overseas; they're not coming from your region, not from your place, your country or something like that. They come from all over the world, by robots or by proxies.
So there is no evidence for a clear act of war. And this is about lawyers, how they deal with the policy, what is written down and how they can do that. So I don't have a straight answer for that. This is not my expertise, but it's definitely complicated. Thank you.
Okay. Well, unfortunately we are out of time. Any questions not answered during this webcast can be sent to [email protected], and Dan and Ilan, I will be sure to forward you the questions that are already in the queue.