final_cybersecurity project (1)
Developing Egon Zehnder’s role in cybersecurity
securing cyberspace
Consultants: Kal Bittianda, Selena LaCroix
Project Mentor: Karena Man
Intern Team: Lulu Chang, Kayla Kesslen, Emmeline Kim
March 2014
2© 2014 Egon Zehnder
Agenda
1 Overview of Cybersecurity
2 Disturbing Trends
3 State of the CISO Role
4 The Egon Zehnder Solution
overview of cybersecurity
The Cybersecurity Problem
• Increased complexity and interconnectivity
• Growing dependence on cyber platforms and mobile devices
• Incomplete understanding of the problem
• Lack of preparedness to respond to attacks
Far Reaching Consequences
Cybersecurity impacts everyone
• All companies are vulnerable
• Huge economic implications for hacked companies
• Security breaches compromise customer trust and loyalty
Cybersecurity Breach
• Companies lose data
• Customers lose trust
Company Costs
• Recovery costs: $136/record (2013)
• Compensation costs
Overall Loss
• Customer loyalty
• Payout
*Credit.com
No Industry is Safe
Government
Retail
*CNN Money and the NY Times
disturbing trends
Growth Trends of Access Points
[Chart: U.S. Issued Credit Cards. Y-axis: credit cards issued (millions); x-axis: 2006–2011]
[Chart: U.S. Smartphone Penetration, feature phones vs. smartphones. Y-axis: % of mobile phones; x-axis: Oct-10 to Feb-12]
[Chart: E-Commerce Growth, C2C vs. B2C. Y-axis: billions (USD); x-axis: 2004–2014]
*The Economist, Nielsen, ATKearney and TMCnews
Trends in Tandem
[Chart: Data Breach Costs for U.S. Companies. Y-axis: cost in billions USD; x-axis: 2006–2011]
52% of smartphones used are company issued
48% of midsized companies ($50m - $1b) are on the cloud
iPhone released
Over 120 million credit cards issued per year
1st publicly available LTE service launched
*The Ponemon Institute
Are CIOs Desensitized or Disconnected?
Today, cybersecurity ranks No. 9 on the list of CIO priorities
10 years ago, it ranked No. 1
CIOs are becoming LESS concerned with cybersecurity
67% of small & medium businesses believe they are secure
Only 9% protect employees’ smart phones
88% of large businesses are confident with security
But 28% don’t know or have security crisis plans
1. National Cyber Security Alliance & Symantec survey
2. BAE Systems survey
3. Gartner Inc. survey
state of the CISO role
The Modern Technology Officer Works Across Industries
33%
54%
70%
of technology executives at Fortune 100 companies have transitioned in past 3 years
of this turnover was in the financial services and retail sectors
of recent hires were external placements
of external hires entered an industry in which they had no prior experience
43%
*Based on data analysis of the Fortune 100 companies
Global, Unrecognized Need for a Company CISO
CISOs
Only 16% of Fortune 100 companies currently have a CISO
*Based on data analysis of the Fortune 100 companies
Breakdown of Fortune 100 CISOs
60%
70%
30%
of CISOs were hired in the last 3 years
of CISOs were external hires who entered a new industry
of CISOs work in the Financial Services sector
Source: Genesys
*Based on data analysis of the Fortune 100 companies
Where the CISO Fits Today
CIO
VP of Infrastructure
Implementation Operation
CISO
Infosecurity
*Refer to Appendix slide 38 for more information
Evolution of the Best-in-Class CISO
Hard technology skills
Information retention
Introverted
Behind the scenes
Dr. No
Interdisciplinary approach
Facilitator
Yesterday (2008) Today
Extroverted
Influence Board and CIO
Hard technology skills
Auxiliary role
Executive level position
the Egon Zehnder solution
An Effective Response Includes…
Global Awareness
• European Chip & PIN system decreased card fraud
• US has no official regulations, unlike Europe
Ongoing Vigilance
• Protecting points of access:
• Mobile platforms
• Credit cards
• Cloud computing
Executive Collaboration
• Company-wide cooperation
• An engaged board
• C-suite awareness
• Cybersecurity on everyone’s agenda
1. Refer to Appendix slides 40 – 41
An Offense and a Defense
Responses can be…
Proactive
Anticipate and find weaknesses before breaches happen
Maintain ongoing dialogue between technology and business
Include C-Suite and the Board in company-wide culture of vigilance
Reactive
Reputation and brand management
Offering customer kickbacks
Lawsuits
* Cited statistics from https://www.baesystemsdetica.com/news/bae-systems-applied-intelligence-reveals-that-60-of-us-businesses-have-incr/
Different Models, Different Talent Considerations
High volume transactions High value transactions
Highly regulated Self regulated
Premium IP Mass media IP
Controlled access Highly broadcast
Egon Zehnder CISO Placements in North America
Omar Khawaja
• Location: USA
• Placed as CISO for a $15.2 billion managed healthcare company
• Former Head of Product Marketing for Security Solutions at Verizon Communications
Kevin McGee
• Location: Canada
• Placed as CISO for an $840 million data processing and outsourced services company
• Former Global CISO at TIAA-CREF, a leading retirement provider
Keith Wilson
• Location: USA
• Placed as CISO for the $2.5 billion holding company for CIT Bank
• Former CISO and VP of Information Security at Freddie Mac
Egon Zehnder CISO Placements Globally
AJ Charbonneau Pär Gunnarsson
Ben Heyes
• Location: France
• Placed as Global CSO for a $165 financial services company
• Former Global Chief Information Security Officer at Standard Bank
• Location: Sweden
• Placed as CSO for a $35 billion communications company
• Former Director of Security at Tele2, an international telecommunications company
• Location: Australia
• Placed as CISO for the $33 million national broadband company
• Former Head of Security Architecture & Service Planning at Australian National Bank
Jaya Baloo
• Location: Netherlands
• Placed as CISO for an $11.6 billion telecommunication services company
• Former Professional Services Manager of Secure Mobility and Consumer IDM at Verizon Business
appendix
Target
110 million affected by security breach
Offered 10% discount to customers for a profit loss
January 2014
Offered customers a free year of credit monitoring
Estimated $1 billion in costs
Earnings dropped 46% after data breach
No industry is safe
Personal information stolen from 400,000 bank executives
Hacktivist collective “Anonymous” claimed they were responsible
February 2013
Personal information was published to a Twitter account
Hackers gained access to the contact database used for emergencies
Government often targeted for attack
No industry is safe
Iran infiltrated the Navy Marine Corps Intranet
Took the Navy 4 months to purge the hackers
September 2013
Network has 800,000 users and 2,500 locations
Cost the government $10 million for initial repairs
New protective security measures totaled at more than $100 million
No industry is safe
*Information obtained from the Wall Street Journal
3 New York-based nursing homes exposed to cyber attack
Customer info found in documents posted on 4shared.com, a free file-sharing site
February 2014
Documents allow hackers to easily obtain medical records and payment info
Accessed info by breaking into SigmaCare software, designed by a NY based company
Emerging problem with the push to digitize medical records
No industry is safe
*Information obtained from the Wall Street Journal
Snapchat
4.6 million users’ data was leaked
The data was published to a website called Snapchat.DB.info
January 2014
Gibson Security, an internet security group, predicted the breach
There was a vulnerability in Snapchat’s friend-finder feature
Hackers’ motivation was to raise awareness
No industry is safe
Customer data was accessed by hackers
User names, passwords, emails, addresses and phone numbers compromised
February 2014
Unauthorized activity occurred on 2 users’ accounts
Have since improved security procedures and systems
Waited until breach was closed and investigated before notifying users
No industry is safe
*Information obtained from the Wall Street Journal
Points of Access – Credit Cards
[Chart: Credit Cards Issued in the U.S. Y-axis: credit cards issued (millions); x-axis: 2006–2011]
Points of Access – Mobile Platforms
U.S. Smartphone Penetration (percentage of mobile phones)
Month: Feature Phones / Smartphones
Oct-10: 71 / 29
Nov-10: 70 / 30
Dec-10: 70 / 30
Jan-11: 66 / 35
Feb-11: 64 / 36
Mar-11: 62 / 38
Apr-11: 63 / 37
May-11: 59 / 40
Jun-11: 58 / 41
Jul-11: 57 / 42
Aug-11: 57 / 43
Sep-11: 56 / 44
Oct-11: 56 / 44
Nov-11: 54 / 46
Dec-11: 52 / 48
Jan-12: 52 / 48
Feb-12: 50 / 50
By February of 2012, 50% of users were using smartphones rather than feature phones
Points of Access – Mobile Payments
[Chart: E-Commerce Growth, C2C vs. B2C. Y-axis: billions (USD); x-axis: 2004–2014. Data labels: 1, 5, 13, 26, 41, 57, 71 and 17, 28, 42, 57, 72, 88, 105]
Points of Access – Cloud Computing
Growing need for Technology Officers
Spike in 2004 likely due to Google’s IPO, prompting a new interest in the cyber world and its capacities
Spike in 2008 likely due to stock market crash, prompting an increased concern with asset protection
[Chart: Technology Officers Hired Since 2000. X-axis: 1998–2014]
*Based on data analysis of the Fortune 100 companies
Comparison of CISO Presence to Security Breach Rate
[Chart: Security Breach by Industry (2012) compared with CISOs as a % of Technology Officers by Industry, for Financial Services, Consumer Goods, Retail and Healthcare]
*Based on data analysis of the Fortune 100 companies
Spending Alone is Insufficient
* Y-axis = number of deals completed in 2012
* Periwinkle line (top) = total number of transactions in 2012
Global Differences
U.S.
• Outdated DHS training website
• No official regulations
Europe
• European Critical Infrastructures Directive
• “An Open, Safe and Secure Cyberspace” strategy
• Chip & Pin
The Price to Pay
[Chart: UK-Issued Credit Card Fraud Losses. Y-axis: USD (millions); x-axis: 2004–2010]
61% decline since 2004
[Chart: US-Issued Credit Card Fraud Rates. Y-axis: percent; x-axis: 2004–2010]
70% increase since 2004
*Information obtained from The Federal Reserve Bank of Atlanta
Magnetic Stripe Technology vs. Chip & PIN
U.S.
Technology
• Magnetic stripe used to record data
• Requires signature for verification
Problems
• Swipe information can be compromised
• Signature can be forged
Europe, Australia, Canada
Technology
• Embedded microchip in credit/debit cards
• Requires PIN for verification
Solutions
• Relies on “tap” system
• PIN cannot be forged
Responsibilities by role
CIO
Set vision & strategy
• Business driver
• Vision for technology needs
• Relationship-building prowess
• Communication
• Taste of different departments
VP of Infrastructure
Implement operations
• Reduce duplication of effort
• Ensure adherence to standards
• Enhance flow of information
• Promote adaptability
• Ensure interoperability
• Maintain effective change management policies and practices
CISO
Safeguard security
• Establish & monitor security operations
• Develop & maintain security policies, procedures, and control techniques
• Comply with external cybersecurity laws and audits
Ongoing Vigilance
Protect Points of Access
Cloud Computing
Mobile Platforms
Credit Cards
Executive Cooperation
Board Cooperation
The Board must be equally engaged in making cybersecurity a priority
Security is not a one-person job
Requires company wide collaboration
C-Suite Awareness
CEOs, CIOs and CISOs must be on the same page
But needs the right person at the helm
Sample Profiles
Kevin McGee
Location: Miami, Florida
Education: BS, Management Information Systems, Drexel University
Professional Experience:
2013 – present Davis + Henderson, Chief Security Information Officer
2011 – 2013 TIAA – CREF, Global Chief Information Security Officer
2007 – 2011 Broadridge Financial Solutions, Chief Security Officer
2005 – 2007 Citigroup Private Bank, Global Head, IT Risk
2001 – 2005 JP Morgan Chase, Information Security Officer
1996 – 2001 AstraZeneca Plc, Information Security Officer
1997 – 1998 TSA, Inc., Senior Security Architect
Keith Wilson
Location: New Jersey
Education: MS, Computer Information Systems, Loyalist College, Canada
BS, Computer Information Systems, Champlain College, Canada
Professional Experience:
2011 – present CIT Group
  2013 – present Chief Information Risk Officer
  2010 – 2013 Senior Vice President, IT Risk and Security and Chief Information Security Officer
2009 – 2011 Freddie Mac, Chief Information Security Officer and Vice President, Information Security
2002 – 2008 Lehman Brothers Holdings, Inc.
  2004 – 2008 Chief Information Security Officer, Lehman Brothers Bank
  2002 – 2004 Advisor, Senior Security and Consultant, Lehman Brothers Bank
2001 – 2002 The Goldman Sachs Group, Inc., Manager, Threat and Vulnerability, Investment Banking
2000 – 2000 Ernst & Young LLP, Management Consultant
1997 – 2000 Credit Suisse Group, Manager, Security Architecture and Engineering, Americas and Asia, Credit Suisse First Boston
1996 – 1997 AT&T, Consultant, Information Technology and Manager, Security Administration
1993 – 1996 Government of Canada, Analyst, Senior Security, Ontario Ministry of Health
Cybersecurity moving forward
Consider hiring a company CISO
Search beyond talent within company to fill CISO role
Experience in the financial services sector especially relevant for cybersecurity matters