cyber security roundtable

Advertising Supplement to Business First, May 22, 2015, 1A

A panel of leaders discusses new threats to corporate security systems, the challenge of finding qualified IT personnel and the expanding role of board members in cyber security matters.



the moderator

Dave Calzi, Managing Partner, Louisville, Kentucky, +1 502 585 6415, [email protected]

Dave is Managing Partner of the Louisville Office of Ernst & Young and has overall responsibility for the delivery of services to the Kentucky practice’s audit, tax and advisory clients. He has over 31 years’ experience serving as an advisor to numerous companies and audit committees in Kentucky and has extensive experience providing assurance and advisory services to global and public companies including manufacturing, distribution, health care and retail.

He is a Certified Public Accountant and a member of the American Institute of Certified Public Accountants (AICPA), the Kentucky Society of CPAs and the Institute of Internal Auditors. Dave obtained a BS in Accounting from the University of Kentucky.

Dave is actively involved in key leadership roles in the following community organizations:

Catholic Education Foundation – Board Chair
Fund for the Arts – Board of Directors
Greater Louisville Inc. – Chair, Business Leader Champions for Education
Kentucky Center for the Performing Arts – Board of Directors
Muhammad Ali Center – Board of Directors, Executive Committee and Finance Committee
Stage One – Board of Directors
University of Kentucky – School of Accounting Advisory Council

Dave’s previous involvement includes:

American Heart Association – 2014 Heart Ball Chair
Catholic Education Foundation – Finance Committee Chair
Fund for the Arts – Board Chair
Greater Louisville Inc. – Executive Committee and Board Member
Kentucky Society CPA – Pave the Way Campaign
Louisville Ballet – Board Chair and Treasurer
Metro United Way – Chair of the 2009 campaign

Personal

Wife – Jamie Calzi – University of Kentucky, class of 1985
Daughter – Emily Calzi – University of Kentucky, class of 2014
Daughter – Madeline Calzi – University of Kentucky, class of 2017

the panelists

STEVE CURRIE, Senior Manager / Ernst & Young LLP

Steve Currie is a senior manager in Ernst & Young LLP’s cyber security practice, and he is focused on cyber program management. He works with clients to assess, align and improve their cyber programs based on what matters most to their business. This includes aligning and training people, developing effective processes, and leveraging enabling technology. Steve is a graduate of Iowa State University, B.S. in MIS and Accounting. He holds CISM and CISA certifications, founded the Cloud Security Alliance Chapter of Minnesota and is a member of ISACA.

DAVE CALZI, Managing Partner / Ernst & Young LLP, Louisville Office

Dave Calzi is office managing partner of Ernst & Young LLP’s Louisville office. He has overall responsibility for the delivery of services to the Kentucky practice’s audit, tax and advisory clients. He has over 31 years’ experience serving as an advisor to numerous companies and audit committees in Kentucky and extensive experience providing assurance and advisory services to global and public companies. He is a Certified Public Accountant and a member of the American Institute of Certified Public Accountants (AICPA) and the Kentucky Society of CPAs. Dave obtained a bachelor’s in accounting from the University of Kentucky.

MELANIE ROUSH, Director of Information Security / Yum! Brands, Inc.

Melanie Roush is the director of Information Security for Yum! Brands, Inc., the world’s largest restaurant company in terms of system units and the parent company to KFC, Pizza Hut and Taco Bell. She is responsible for global information security oversight and governance. She has 15 plus years of information security experience. Before joining Yum! Brands in 2013, Melanie was an information security architect with Procter & Gamble and spent seven years as the senior information security architect with the Walt Disney Co. She has a bachelor’s degree in information systems from Northern Kentucky University and is a Certified Information Systems Auditor (CISA) and a Qualified Security Assessor (QSA) recognized by the PCI Standards Council.

CHARLES LEBO, Vice President & Chief Information Security Officer / Kindred Healthcare

Charles Lebo is vice president and chief information security officer for Kindred Healthcare. He also has served as security officer for three other public companies, Tenet Healthcare, Vanguard Health Systems and PHS Correctional Healthcare. He has a history degree from Vanderbilt University, an MBA from MTSU, and various certifications, such as CISSP, PMP and CCHP.

TIM NALL, Senior Vice President / Brown-Forman Corp.

Tim Nall, senior vice president, chief information officer, has been employed by Brown-Forman for 15 years. He holds degrees from the University of Louisville J.B. Speed School of Engineering and U of L’s College of Business. Prior to his current assignment, Nall held positions of increasing responsibility within BF’s Global Production group, including vice president, general manager of BF Wines and vice president, director of Technical Services.

message from the publisher

It is not just the high profile breaches of the systems of big global companies that dominate the news today. There are increasing concerns amongst large and small companies in all industry sectors. Ernst & Young LLP gathered a group of IT and security professionals to discuss this issue, how it is changing and how it is affecting their companies. During the discussion I learned how security has evolved to be a major business topic and how these professionals are not just dealing with this issue but adapting to the rapid changes to not only improve the security of their firms but to gain the attention of business leaders. The information they are sharing is informative and valuable; the question is, is the business community ready to listen? I hope so.

Best Regards, Gary Tyler, Publisher of Louisville Business First


CALZI: What I really like about this group is that you all have varied experiences with cyber security. We’ve got a wealth of experience here that will bode well with respect to this conversation. The first question relates to just how the cyber, the IT security landscape, has changed in recent years and what you see as the drivers behind that change. A lot of things happened real quickly here even in the last year or two. What are you all seeing in terms of that?

ROUSH: Certainly the targets and all the breaches are bringing awareness that the cyber security landscape is changing. In the past there have been new technologies, but now every single day there is something new out there — a new technology, a new gadget, a new device, new cloud providers, new services. You really need to be able to stay in front of it. That really makes it challenging. The bad guys are certainly more sophisticated and they’re organized. They’re running it like a business and it’s not just for fun anymore and street credit. It’s for profit. So, I think those three factors really have produced an adversary that we’ve never seen before. And it’s very challenging.

LEBO: It seems to be almost every day The Wall Street Journal has articles about cyber security and breaches, and the board reads The Wall Street Journal. So it cascades down. They’re now asking questions. Now every quarter there’s an expectation, an agenda item that I have to give the status of our key priorities about this.

NALL: Our business partners as well as the board and commercial marketing are all very much more aware of this now than they were because of the breaches. And that’s leading to more pressure. Just the research time for us has come way down. Now, you have weeks, maybe just days before you have to engage and enact some sort of tool to prevent something.

CURRIE: The expectations from the top down and from the customer have changed dramatically. Customers expect you to protect that data explicitly, whereas before it was more of an inferred type of security. They expected it, but it wasn’t as vocal, it wasn’t out there. With the recent breaches, I think that has changed. If you’re in the retail space, you’ve seen customers kind of move away from companies that have had major data breaches. That’s a major business impact and the C-level impact is big as well because we’re seeing people in the C-suite being held responsible for these breaches. That’s changed the expectations for the security program for sure because now you really do need to be aligned to the business and you do need to have communications and expectations with your customers as well as those within your own organization.

CALZI: Who are the bad guys? And what are some of the things that you’re seeing with the landscape changing? There may be organizations that have a security program, but it may be built for the threats from five years ago, and so that landscape is changing as to who the bad guys are.

ROUSH: The bad guys are hackers or people who intend to do us harm, and they are continuing to change, too. As a community we should stay connected to each other and make sure we understand what’s happening out there because what they’re going after today will change tomorrow. We have to continually try and anticipate what they’re going after.

NALL: Before it was virus protection, and then the bad guys were coming in with some objective, like going after a retailer for credit card data. Now you can be breached and not know about it, and they’ve got a long-term plan. They’re waiting to see what they can do. They might have a three- to five-year plan on what to do with your data that you’re not even aware of right now.

ROUSH: They can get into your environment, and they look around. They may not have a big game plan going in, but once they’re in, they see different opportunities.

CALZI: Talk a little bit about the motive. Melanie, you mentioned credit cards. It seems like also there are differing motives and differing objectives for the bad guys, whether it be trying to move the company’s stock price with breaches, short selling.

CURRIE: One of the things that makes it different now is that there’s a lot of information that we didn’t previously think was important that the attackers are finding is valuable. That goes all the way down to someone’s name and e-mail address. It’s not just the social security numbers and the credit cards. It’s something as simple as having a distribution list because that enables them to execute future attacks. There’s a lot of information that we don’t historically or typically think of being extremely important and thus, it hasn’t had that protection level that we’ve expected from some of the other data. So, they’ve gone after easy targets, and you see breaches with massive amounts of customer information, even if it’s not financial information or social security numbers. But that’s still a very valuable target.

CALZI: What are the issues that companies need to address to actually improve their level of maturity in cyber programs?

ROUSH: Traditionally we’ve always focused on keeping everybody out. Let’s make sure that our defenses are there and that they can’t get into our environment. That’s where we put our focus.

CALZI: So, put your big wall up.

ROUSH: Put a big wall up, moats deep, walls high and keep them out. We still have to continue to focus on that piece of it. We still have to make it difficult for them to get in. And we have to turn our attention now to detection and response. The quicker that we can detect and have that right level of visibility, the quicker we can respond. And then the lower the impact is going to be for us as a company. If you are able to detect something quickly, respond effectively and send that message out, people would appreciate that. I think the detection and responsibility is where we have to focus. And we can’t forget about our people — education, education and education for our entities because they ultimately are that first line of defense.

NALL: We still need to keep the wall high, and so those costs aren’t going to go away, but that level of detection is going to be an added cost to a lot of organizations. Selling that up through the chain of command is imperative simply because it’s going to be significant, and it’s going to be additive to the bottom line.

LEBO: You mentioned a wall and with a thicker, bigger, stronger moat, you said that very well. Now we need to shift more toward awareness and spend more on the inside and educate our user base. We have 105,000 employees. Only a third of them or so have email. Almost all have access to the Internet. They can click on links just as easily. So how do we educate them and make them realize it’s a shared responsibility? We all have to protect our data, make people alert. Make sure everyone is looking for intruders, things that don’t look right, keeping people out. Then you’ve got your intelligence. How do you make sure that you’re scouting outside the walls — looking for threats that are trying to come in, preparing for armies before they attack? And then you have what happens when they come in. How do you respond? So taking some of that money and shifting it from your wall and spending it in these other areas allows you to continue protecting to enable a paradigm shift.


ROUSH: I agree with the paradigm shift. And I think one of the most important things that we have to do is make sure that people really do understand that in an organization everyone has a role to play. And so it’s moving it outside of IT — because it can’t effectively stay within just IT — and making it a business risk that people understand and are rallying around to solve.

LEBO: OK. That’s a balanced approach.

CURRIE: When there’s support at the executive level, at the board level, you see a lot more progress made in those programs and you see security taken more seriously within your organization, top to bottom. Where that’s a top initiative, we’ve seen those programs develop faster. They’re also more effective, especially in security awareness, when people know that someone is looking at them and that it’s on the CEO’s agenda. That tends to have somewhat of a cultural behavioral shift. But the other pieces are having some plan for your security program, some initiatives and having that well known throughout the organization. It’s important to let people know that you’re working on it, working on things that need to be improved.

NALL: And I love your comment about shared responsibility. But I think it’s also a little bit incumbent on employees to also educate themselves. A lot of people out there still think that if they don’t give their credit card number out over the phone, they’re safe. But if they go online, it’s better because somehow it’s always encrypted. I still think a lot of people are naive as to their risks, their personal risks. Until they start being more aware of their own consumer risk, our communication will be a little bit stifled with them just because they’re not ready to truly receive the message. If they’re not behaving securely in their personal life, you always question how they are behaving at work, and if our message is really effective.

ROUSH: If you can, tie the message to the employee’s personal life and home life. It does help get their attention. When I send out a communication talking about “Secure the organization,” it’s going to be differently received than if I say “Here’s how to protect yourself at home.” And so, if you can help them start understanding your point, what their liability is from a personal perspective and get them to change their behaviors at home, I think then it has a positive effect at work.

CALZI: When I started working in this industry, we didn’t even have a fax machine, and now I’ve got multiple technologies. In some businesses they’re using all sorts of technology to provide services. Is that increasing the risk for businesses and how are folks dealing with that?

ROUSH: Yes, that’s changing things. So, today the customer wants to interact or they want to do something, they expect to be able to pick up their mobile phone and be able to do it. So if they can interact with your competitor through that multi device, then they will because it’s easier. It really puts a lot of pressure on us to allow the business to move quickly. I heard a gentleman talk, and I really liked the way he put it. If the business is going to have to move quickly, we need to allow them a path to move quickly. So security really needs to put the guardrails up instead of roadblocks. That allows them to move quickly without really falling off that cliff.

NALL: It used to be risk elimination — how can you get the absolute most amount, 99 percent of risk, eliminated? Now we’re dealing with a wider bandwidth, and we’re dealing with risk mitigation. How can we play along, compete with our competitors and make sure our consumer experiences are the same, if not better, while minimizing that risk? It gets to be a really tricky balancing act with what companies are willing to take on themselves. How much insurance do you carry? Where are you letting your data go? And are you willing to let it go there if your competitors are about to go there?

LEBO: You’ve got all these applications like Dropbox, so your data can go anywhere. There’s increased use of iPads, especially in the health care world — well, everywhere. So your data is no longer just in that nice little secure box in your data center. It’s now out there. It’s everywhere. And how do you keep that safe? Plus in health care, there’s a lot of pressure to let the data be integrated. There are ACOs, and now you’re dealing with other companies. So it makes it very challenging. I’m finding that there’s an increased difficulty in finding trained, experienced people. The salary expectation is so out of alignment with the experience levels that we’re getting. It doesn’t necessarily compare with the iPads and the mobility and other things, but finding staff is a challenge that is getting bigger and bigger.

ROUSH: It’s expensive to find good, skilled talent. Once you find them you’re also going to need to retain them because they do have options. I meet with a lot of different CISOs and talk about that challenge. It’s nationwide. Some of the companies are starting to partner with the Armed Forces to provide jobs for people coming out of the military with that different skill set. It’s getting creative on how to find those people and then retain them. But it’s a challenge that I’ve got, we all have.

NALL: I think you can get them if you can pay for them. You can even internally train them. But then it becomes are you building that for your competitor, or just another company, with how easy it is to job hop in that space right now.

ROUSH: As a company we have to decide if we are trying to build a very skilled security operation internally or look to partner with third party partners to provide that skill set as they may be better able to train them and retain them.

CURRIE: The other thing around a security program and staffing model is having a progression path for the people that are there. It’s not always easy, especially in smaller organizations. But in a larger organization someone that works security events day in and day out needs to have some path that goes into that organization either up or somewhere else. We’ve seen people rotate from security out to architecture, security architecture, engineering or some of those other functions even within IT that can be very valuable. And think of building security in as you go. So if it’s mobile or cloud or something else, you’re thinking about the risks and adjusting those up front as opposed to them being tacked on the end. It’s a much more efficient process. And that’s a function the security people can do because they’ve had exposure to some of the attacks and issues.

NALL: As these people develop, it’s important for them to also understand the business and how the business is using the technology, not just try to create Fort Knox. As a security professional, you need to truly understand the risks and what the business needs to be allowed to do and then craft a strategy or tools around that plan. I’ve seen the security professional who really wants to go all out and create an internal kingdom of security, versus really relying on either the third party model or just truly understanding what a business’s needs are, and that’s critical, I think for a successful program.

CURRIE: Building guardrails instead of roadblocks.

ROUSH: I agree. I love the guardrails.

CALZI: As far as staff, are the universities providing that pipeline of talented folks? What are those skill sets that you need? In security, what does that look like?

LEBO: I’d say it’s developing. Universities are having a much heavier focus on degrees and addressing security. There’s a mix of the team to be built, and you can’t have everybody straight out of the university. You need to have other perspectives. Do you pull them from elsewhere in the business? As Melanie mentioned, the military is a good source, universities are a good source. Pulling from those two areas is a great way to supplement the team. You can’t be your own main pipeline.

ROUSH: I’m a big advocate for interns. Here, especially at University of Louisville. They’re doing a very, very good job training these students. We usually have one consistently from U of L, and they’ve just been very valuable. Within our organization the interns do have that progression path. Many people within YUM have started as an intern and now they are directors. But we are growing and evolving and need experienced people as well.

NALL: And it’s not only skill set, but it’s also the mindset. Don’t get too focused on just taking a computer science major and saying that you can do security. There’s that inquisitive, problem solving, always curious person. If you can ask those perfect interview questions to determine that, it’s great. That’s what you need.

ROUSH: Those are the skill sets.

NALL: Yes. I couldn’t agree with Melanie more. You probably have a lot of internal talent that you need to take a look at to see if you can further develop. If it comes internally, that’s the talent that’s more likely to stay and resist the pull from elsewhere.

ROUSH: Having that skill set is certainly important, but to me it’s only half of the qualification. The other half is understanding your business. So if you can have people that understand the business and then develop their skill set, that’s ideal.

CURRIE: When you’re sourcing for a security position, you will find everyone now is a security professional, whether they really are or not. Finding that right individual to fit that position, especially if it’s an experienced position, doesn’t happen quickly. We’ve seen especially in smaller organizations that are looking to hire their first security person or an information security officer, that it’s taking months to find someone. Previously, it maybe was a little bit easier.

ROUSH: If you are a global company, then you really have to be open to looking for talent globally. We’re headquartered here in Louisville, but we do have offices globally, headquarters globally.

CALZI: Does that skill set change because of differing countries, differing aspects to security, or is it pretty much the same job description, whether it’s in Shanghai or in Louisville?

ROUSH: Fifty percent of security is pretty standard. That other piece is looking for the right person to fit your culture and business. People coming from a slow moving, very methodical culture have a hard time transitioning to a very fast moving culture. It’s just looking for that right culture fit. But the security skills are pretty consistent.

CALZI: Obviously, security and information technology transcend country borders, but is there a different level of risk to operating in emerging countries?

NALL: The risk becomes more of a monetary investment question. With multiple entities in those emerging companies competing for those dollars, there is much more competition for the investment. Will your company invest what is needed to really secure that area? Is your company doing what they need to do there? Companies need to treat this investment in IT security the same as they treat any other investment in emerging markets.

CURRIE: I agree with that. I would tack onto that the outsource model as well. When you’re dealing with third parties, a lot of the time you see a bottom line number, but that may not include some of the things you would expect for them to operate it securely within the environment. Sometimes there’s that baseline number, but you still need to think a little incremental on top of that for the investment and how to get that organization to work securely within the guise of what you want them to do.

CALZI: Let’s talk about how outsourcing to third parties or other vendor relationships makes it even that much more complex for your cyber security responsibilities.

ROUSH: We’re global, so we think about if we have enough resources in a country like Turkey, versus Australia or South Africa. We realize we have to partner with third parties in some of these areas. For me the critical thing about partnering with those third parties is realizing that you can outsource responsibility but never outsource accountability, and that you have to really retain that strategy. It certainly can be challenging.

CALZI: You’re also relying on this outside third party organization to keep certain levels of security as well, and you can’t control that, right?

CURRIE: I believe it’s a trust but a verified model in most cases because you’ll have that relationship that you mentioned. You’ve set your guidelines. You expect them to adhere to those guidelines, but there still needs to be some feedback in there for you to look at how well they are operating. Are they really following up on their end of the deal? That can be anything from a matrix or reports that they provide you. It can be anything from doing more of an independent view or an audit or internal review of that organization and their activities. That feedback is really important. And more specifically we’re talking in an outsource model, so that you don’t have the fox watching the hen house, so to speak.

ROUSH: And you have to develop that third party management. You have to manage it continuously. Also understand there’s different levels of risk that the outsourcing provides. So you have to have a program that can accommodate that. Maybe do more due diligence with higher risk outsourcing partners than somebody that is less risky.

NALL: And it’s not just us that need this expertise, it’s our legal partners as well with our corporations that need to have the expertise to help us craft protection into our contracts so that the contracts are scoped correctly.

LEBO: It starts with internal controls and knowing our network versus knowing our data first and then from there branching out. You definitely have to make sure you’re assessing your vendors and you’re assessing your outsource partners and making sure that they’re doing things right. But at the same time, you need to make sure that you’re enabling them to do what they need to do, while still protecting and keeping them from just being able to access whatever they want when there’s not a business need for it. There’s a balance. It starts with understanding what your data is, knowing your data and knowing where the security is.

CALZI: This is all about managing risk. And risk is not a bad thing. We all take risks in business and in our lives to get to that next step. But is this an insurable risk?

LEBO: Some companies experiencing recent high-profile breaches had some. It’s definitely insurable. It’s just to what extent. And then the insurance company is looking to make sure that there are certain stipulations that may take away your coverage for some of that.

ROUSH: How much can you offset the risk by insurance? But even in the insurance phase, they’re struggling right now to really understand how they’re going to move forward. Applying for cyber security insurance today is much different than it was a year, two years ago. That space will continue to change and mature as well, along with us.

LEBO: It’s like they don’t have their algorithms figured out yet. They’ve got the cars, they’ve got the life, but they haven’t figured out their cyber security.

CALZI: Who is at fault? How do you write the contract?

NALL: Companies need to know their data, because that’s how we can set how much we can offset risk with insurance. It becomes a very interesting analysis to say, OK, this set is worth $10 million in insurance, this set is worth $15 million in insurance.

ROUSH: Then you always struggle. How do you put a price on brand reputation?

NALL: That is a great point.

CURRIE: You can use insurance to offset the cost of what you need to do in response to a breach, but you can’t necessarily use it to offset the reputational risk that comes along with that.

CALZI: What is your advice to more, smaller businesses? Put yourselves in the shoes of a smaller business, an entrepreneur that maybe doesn’t have the size and budget to deal with these kinds of things, but they have the risk. How should they approach this?

NALL: Don’t think that you’re ever excluded from this risk. Small businesses might think: “I’m not going to be a target because I’m small.” Just go into it thinking everyone is at risk.

ROUSH: The breaches we’ve seen at large companies have had huge financial impact. For smaller companies, what is probably more scary is that one hit — one breach — is just going to put them out of business. They have to go into it cautiously and partner, partner, partner. They should just be very careful about who they’re working with, who they’re picking as partners.

CURRIE: They should differentially protect their information, the things that matter most to you. Know your data. Know the value of that. In a smaller organization, it’s a little bit easier to know where that data is and to put some extra precautions around that. And I think alternatively, as you mentioned, Melanie, get advice. Don’t think you can necessarily handle it all on your own. There are a lot of organizations that are willing to help or are willing to provide guidance. The government certainly has a number of them. There are lots of forums out there where people are talking about this same topic. If you use those references, you can get some other advice on your program of how to address some of that risk.

ROUSH: Education.

LEBO: Data is key. Don’t try to necessarily protect the entire company. You’ve got castles that are smaller than the whole company. Put your security controls around the right data. Don’t necessarily protect your marketing stuff. Worry about your financial information. Differentiate, as Steve put it. Shrink your footprint. Shrink your attack surface. Don’t just have everything out there. Even if you’re a small company, see if you can shrink things down. If you can put it in the cloud, use leverage. Some of the systems out there have more protections, then that’s the way to go. And figure out what tools you have. Can you leverage what you have versus going out and buying this shiny new tool? Be innovative around your current skill set.

CALZI: Take the example of a fifth generation family owned business that manufactures and sells something with their own design. It’s very unique, but they’re constantly being threatened by certain other folks in other countries to get that design. If somebody got it, they’d be able to knock it off. They’d be able to start producing it at a much lower cost and just flood the market.

NALL: And they might very well have a mentality that with being a fifth generation business that they can protect their IP better than anyone else. However, they’re not spending a fraction of what a third party provider would be on the security.

CALZI: Right. Absolutely. A question that I wanted to make sure that we got on the table is around board governance. I’ve seen a lot of articles recently focused on the board’s responsibility. There’s an element of making sure there’s an awareness and kind of scaring the board, “Hey, this is a big risk. You’ve got to put some budget around this.” But there’s also that sense of maturity, knowing that management has a responsibility, and the board does too. What are you seeing?

LEBO: I think boards are more proactive now. They’re more engaged and more informed. They’re bringing it to the table more than it necessarily was before. Maybe it’s the leadership saying, “Hey, this is a concern.” I see board members now coming prepared to the audit committee. They’re asking the questions, whereas before, we would bring it up. Now it’s the other way around.

NALL: I don’t think this topic would have hit the board years ago, but now it involves speaking with the board room and updating them in response to their questions. Boards are much more engaged.

ROUSH: I agree with what everyone said, and I see our board of directors taking that responsibility. They understand that information security risk is just another business risk that we have to manage.

MAIN POINTS (pull quote, Charles Lebo): “IT security risks are definitely insurable — it’s just to what extent.”

CURRIE: One thing that’s maybe changed is that the board views this as more of its long-term program as opposed to a one time project. Before, we typically brought a specific need to the board to immediately help support an initiative that was very important to us. That was more of a project, whereas now we look at it as we need to support this long term. What do we need to do to have a program that has stood up and been resourced and planned for as we grow the business and change?

CALZI: We’ve done a recent study that showed how board governance is changing how committee structure is being reconsidered. Very few companies will have an IT committee, separate IT technology, maybe 2 percent, something like that. But I do see potentially that may be changing in terms of trends, in terms of where boards are going. What we’re seeing is that the best practice is saying this is not merely an IT risk, this is not only an audit risk. This is a risk that everyone has to own and all board members need to be aware of it. Not one committee that has a particular expert on it, because it impacts everything. The brand, right?

ROUSH: Yes. I agree. The scare tactic worked the first time, but you can only go once with the scare tactic. What now becomes our challenge as security professionals is being able to help them manage risk. So what kind of metrics do we have? You have to have that baseline. Where are we and where are we going? We have to be able to show how we are progressing. When is risk going outside of that acceptable range so that we can put the right resources and attention toward it? And there’s no silver bullet that I see like the metrics that every board of directors needs to have in order to manage the risks effectively. So that now becomes our struggle. We have the attention. We have the visibility. We have the seat at the table, but how do we manage it effectively?

CALZI: I find that very interesting, the metrics. How do you know when you have a problem and how are you going to report that? What type of metrics does the board need to see? Steve, are you seeing anything at all in different companies where there are different types of metrics that are going up to the board or is that still kind of evolving?

CURRIE: Right now most programs are still in that developing phase, and so they’re really doing a lot of metrics around how their program is progressing, not so much on how there is a level of maturity we’re comfortable with and are maintaining. And we’re asking for some help or at least some visibility on the specific issues with headaches that we’re running into. Part of the shift I’m seeing as well is providing more education to board members or being a little bit more open around what our security programs are doing and the risks that we’re seeing. Not necessarily as a scare tactic, but to make them aware that we can’t protect everything all the time in our current state, but there are going to be some risks there. You should be aware maybe of what a couple of those are, at least the highlighted ones, and know that we have a plan to address them.

CALZI: So risk tolerance is central.

NALL: It’s still a challenge of monetizing that message for the board level. They want to know the monetary value that you’re really protecting against. And that’s common and will be for the next few years. I think you’re going to see better models come out and see better dialogue.

CURRIE: But it’s not necessarily that the security professionals just need money to fund the problem. They need people that know how to deal with the problem as well. So as great as it is to have — I’m not going to say a blank check — but as great as it is to have that opportunity, we need to be pretty wise on how we use that and very open about what our resourcing challenges are.

CALZI: This has been evolving for the last 30 years or so. So it’s not that cut and dried. It’s something for us to work on and to help folks think about. Seriously.

TYLER: A lot of board members have companies and may be dealing with security issues in their businesses. When they come to the board, they may be able to ask more intelligent questions or ask, “Are we doing this?” Maybe they’re even asking how you are doing it so they can take it back. Do you find any of that going on?

LEBO: Absolutely. One of our board members was on the board of a company recently in the news for a large data breach.

ROUSH: And they are asking good questions. So they’re educating themselves. To your point certainly they have the same struggle within the company that they’re in. The dialogue has been great, and their questions get better and better. The questions used to be “Can this happen to us?” But now it’s very, very direct.

TYLER: Are the boards more involved in making sure that you have a plan, because it’s almost not if, it’s almost a matter of when any more, there will be some type of breach? Are plans in place to say we’re not going to handle it like other recent breaches? We’re going to handle it like this company or that company did 100 years ago where they got all the credit for it. Are there more plans in place to manage the risk so we don’t have a brand destroyed because of it?

ROUSH: They expect us to have those plans in place. The difference now is that they’re becoming more involved in those plans, so they want to understand what those plans are and how to provide that support and direction.

NALL: I’d say the table stakes are to have a plan, not just for this risk but for any risk to the brand. And cyber risk just becomes a component to that — that they’re asking, and they are asking great questions.

CALZI: As we wind up, would anyone like to make any further comments?

ROUSH: I just have one. When we talk about security — and really, it doesn’t matter what industry we’re in, what our business is — I think we can all find value in building those relationships with each other and learning from each other. We’re all facing uncharted territory. The more that we can collaborate and communicate with each other, the more effective we’re going to be by banding together.


Louisville: you are here. Are you everywhere you want to be? We can help you expand into new and emerging markets. Visit ey.com/us/strategicgrowthmarkets.


© 2015 Ernst & Young LLP. All Rights Reserved.

Laptops, smartphones, the cloud - your data gets around. And the more it travels, the more it’s at risk. EY’s Information Security team has an answer for every threat, a solution for every vulnerability. Information technology is always changing. Make sure your security can keep up. What makes us different is that we see things differently. You will, too.

Visit ey.com/advisory.

Ernst & Young LLP
Suite 2400
400 West Market Street
Louisville, KY 40202
+1 502 585 1400

SECURITY THREATS COME IN MANY VARIETIES. YOUR SECURITY SHOULD, TOO.