
Page 1

Developing Egon Zehnder’s role in cybersecurity

securing cyberspace

Consultants: Kal Bittianda, Selena LaCroix

Project Mentor: Karena Man

Intern Team: Lulu Chang, Kayla Kesslen, Emmeline Kim

March 2014

Page 2

© 2014 Egon Zehnder

Agenda

1 Overview of Cybersecurity

2 Disturbing Trends

3 State of the CISO Role

4 The Egon Zehnder Solution

Page 3

overview of cybersecurity

Page 4

The Cybersecurity Problem

• Increased complexity and interconnectivity

• Growing dependence on cyber platforms and mobile devices

• Incomplete understanding of the problem

• Lack of preparedness to respond to attacks

Page 5

Far Reaching Consequences

Cybersecurity impacts everyone

• All companies are vulnerable

• Huge economic implications for hacked companies

• Security breaches compromise customer trust and loyalty

Cybersecurity Breach

• Companies lose data

• Customers lose trust

Company Costs

• Recovery costs: $136/record (2013)

• Compensation costs

Overall Loss

• Customer loyalty

• Payout

*Credit.com

Page 6

No Industry is Safe

[Images: Government, Retail]

*CNN Money and the NY Times

Page 7

disturbing trends

Page 8

Growth Trends of Access Points

[Chart: U.S. Issued Credit Cards; y-axis: Credit Cards Issued (millions), 0–200; x-axis: 2006–2011]

[Chart: U.S. Smartphone Penetration, Feature Phones vs. Smartphones; y-axis: % of Mobile Phones, 0–80; x-axis: Oct-10 to Feb-12]

[Chart: E-Commerce Growth, C2C vs. B2C; y-axis: Billions (USD), 0–200; x-axis: 2004–2014]

*The Economist, Nielsen, ATKearney and TMCnews

Page 9

Trends in Tandem

[Chart: Data Breach Costs for U.S. Companies; y-axis: Cost in Billions USD, 40–140; x-axis: 2006–2011]

Annotations on the chart:

• 52% of smartphones used are company issued

• 48% of midsized companies ($50m - $1b) are on the cloud

• iPhone released

• Over 120 million credit cards issued per year

• 1st publicly available LTE service launched

*The Ponemon Institute

Page 10

Are CIOs Desensitized or Disconnected?

Today, cybersecurity ranks No. 9 on the list of CIO priorities

10 years ago, it ranked No. 1

CIOs are becoming LESS concerned with cybersecurity

67% of small & medium businesses believe they are secure

Only 9% protect employees’ smart phones

88% of large businesses are confident with security

But 28% don’t know or have security crisis plans

1. National Cyber Security Alliance & Symantec survey

2. BAE Systems survey

3. Gartner Inc. survey

Page 11

state of the CISO role

Page 12

The Modern Technology Officer Works Across Industries

33% of technology executives at Fortune 100 companies have transitioned in past 3 years

54% of this turnover was in the financial services and retail sectors

70% of recent hires were external placements

43% of external hires entered an industry in which they had no prior experience

*Based on data analysis of the Fortune 100 companies

Page 13

Global, Unrecognized Need for a Company CISO

[Chart: CISOs]

Only 16% of Fortune 100 companies currently have a CISO

*Based on data analysis of the Fortune 100 companies

Page 14

Breakdown of Fortune 100 CISOs

60% of CISOs were hired in the last 3 years

70% of CISOs were external hires who entered a new industry

30% of CISOs work in the Financial Services sector

Source: Genesys

*Based on data analysis of the Fortune 100 companies

Page 15

Where the CISO Fits Today

CIO

• VP of Infrastructure: Implementation, Operation

• CISO: Infosecurity

*Refer to Appendix slide 38 for more information

Page 16

Evolution of the Best-in-Class CISO

Yesterday (2008)

• Hard technology skills

• Information retention

• Introverted

• Behind the scenes

• Dr. No

• Auxiliary role

Today

• Hard technology skills

• Interdisciplinary approach

• Facilitator

• Extroverted

• Influence Board and CIO

• Executive level position

Page 17

the Egon Zehnder solution

Page 18

An Effective Response Includes…

Global Awareness

• European Chip & PIN system decreased card fraud

• US has no official regulations, unlike Europe

Ongoing Vigilance

• Protecting points of access: mobile platforms, credit cards, cloud computing

Executive Collaboration (1)

• Company-wide cooperation

• An engaged board

• C-suite awareness

• Cybersecurity on everyone’s agenda

1. Refer to Appendix slides 40 – 41

Page 19

An Offense and a Defense

Responses can be…

Proactive

• Anticipate and find weaknesses before breaches happen

• Maintain ongoing dialogue between technology and business

• Include C-Suite and the Board in company-wide culture of vigilance

Reactive

• Reputation and brand management

• Offering customer kickbacks

• Lawsuits

* Cited statistics from https://www.baesystemsdetica.com/news/bae-systems-applied-intelligence-reveals-that-60-of-us-businesses-have-incr/

Page 20

Different Models, Different Talent Considerations

High volume transactions vs. High value transactions

Highly regulated vs. Self regulated

Premium IP vs. Mass media IP

Controlled access vs. Highly broadcast

Page 21

Egon Zehnder CISO Placements in North America

Omar Khawaja

• Location: USA

• Placed as CISO for a $15.2 billion managed healthcare company

• Former Head of Product Marketing for Security Solutions at Verizon Communications

Kevin McGee

• Location: Canada

• Placed as CISO for an $840 million data processing and outsourced services company

• Former Global CISO at TIAA-CREF, a leading retirement provider

Keith Wilson

• Location: USA

• Placed as CISO for the $2.5 billion holding company for CIT Bank

• Former CISO and VP of Information Security at Freddie Mac

Page 22

Egon Zehnder CISO Placements Globally

AJ Charbonneau

• Location: France

• Placed as Global CSO for a $165 financial services company

• Former Global Chief Information Security Officer at Standard Bank

Pär Gunnarsson

• Location: Sweden

• Placed as CSO for a $35 billion communications company

• Former Director of Security at Tele2, an international telecommunications company

Ben Heyes

• Location: Australia

• Placed as CISO for the $33 million national broadband company

• Former Head of Security Architecture & Service Planning at Australian National Bank

Jaya Baloo

• Location: Netherlands

• Placed as CISO for an $11.6 billion telecommunication services company

• Former Professional Services Manager of Secure Mobility and Consumer IDM at Verizon Business

Page 23

appendix

Page 24

Target

January 2014

• 110 million affected by security breach

• Offered 10% discount to customers, taking a profit loss

• Offered customers a free year of credit monitoring

• Estimated $1 billion in costs

• Earnings dropped 46% after data breach

No industry is safe

Page 25

February 2013

• Personal information stolen from 400,000 bank executives

• Hacktivist collective “Anonymous” claimed they were responsible

• Personal information was published to a Twitter account

• Hackers gained access to the contact database used for emergencies

• Government often targeted for attack

No industry is safe

Page 26

September 2013

• Iran infiltrated the Navy Marine Corps Intranet

• Took the Navy 4 months to purge the hackers

• Network has 800,000 users and 2,500 locations

• Cost the government $10 million for initial repairs

• New protective security measures totaled more than $100 million

No industry is safe

*Information obtained from the Wall Street Journal

Page 27

February 2014

• 3 New York-based nursing homes exposed to cyber attack

• Customer info found in documents posted on 4shared.com, a free file-sharing site

• Documents allow hackers to easily obtain medical records and payment info

• Accessed info by breaking into SigmaCare software, designed by a NY based company

• Emerging problem with the push to digitize medical records

No industry is safe

*Information obtained from the Wall Street Journal

Page 28

Snapchat

January 2014

• 4.6 million users’ data was leaked

• The data was published to a website called Snapchat.DB.info

• Gibson Security, an internet security group, predicted the breach

• There was a vulnerability in Snapchat’s friend-finder feature

• Hackers’ motivation was to raise awareness

No industry is safe

Page 29

February 2014

• Customer data was accessed by hackers

• User names, passwords, emails, addresses and phone numbers compromised

• Unauthorized activity occurred on 2 users’ accounts

• Have since improved security procedures and systems

• Waited until breach was closed and investigated before notifying users

No industry is safe

*Information obtained from the Wall Street Journal

Page 30

Points of Access – Credit Cards

[Chart: Credit Cards Issued in the U.S.; y-axis: Credit Cards Issued (millions), 0–200; x-axis: 2006–2011]

Page 31

Points of Access – Mobile Platforms

U.S. Smartphone Penetration (Percentage of Mobile Phones), data labels read from the chart:

Month     Feature Phones   Smartphones
Oct-10    71               29
Nov-10    70               30
Dec-10    70               30
Jan-11    66               35
Feb-11    64               36
Mar-11    62               38
Apr-11    63               37
May-11    59               40
Jun-11    58               41
Jul-11    57               42
Aug-11    57               43
Sep-11    56               44
Oct-11    56               44
Nov-11    54               46
Dec-11    52               48
Jan-12    52               48
Feb-12    50               50

By February of 2012, 50% of users were using smartphones rather than feature phones

Page 32

Points of Access – Mobile Payments

[Chart: E-Commerce Growth, C2C vs. B2C; y-axis: Billions (USD), 0–200; x-axis: 2004–2014]

Data labels read from the chart, two series (C2C and B2C, in the order extracted): 1, 5, 13, 26, 41, 57, 71 and 17, 28, 42, 57, 72, 88, 105

Page 33

Points of Access – Cloud Computing

Page 34

Growing need for Technology Officers

Spike in 2004 likely due to Google’s IPO, prompting a new interest in the cyber world and its capacities

Spike in 2008 likely due to stock market crash, prompting an increased concern with asset protection

[Chart: Technology Officers Hired Since 2000; y-axis: 0–20; x-axis: 1998–2014]

*Based on data analysis of the Fortune 100 companies

Page 35

Comparison of CISO Presence to Security Breach Rate

[Chart: industries Financial Services, Consumer Goods, Retail, Healthcare; y-axis: 0.00%–40.00%; series: Security Breach by Industry (2012), CISOs as a % of Technology Officers by Industry]

*Based on data analysis of the Fortune 100 companies

Page 36

Spending Alone is Insufficient

*Y-axis = number of deals completed in 2012

*Periwinkle line (top) = total number of transactions in 2012

Page 37

Global Differences

U.S.

• Outdated DHS training website

• No official regulations

Europe

• European Critical Infrastructures Directive

• “An Open, Safe and Secure Cyberspace” strategy

• Chip & Pin

Page 38

The Price to Pay

[Chart: UK-Issued Credit Card Fraud Losses; y-axis: USD (millions), 0–250; x-axis: 2004–2010] 61% decline since 2004

[Chart: US-Issued Credit Card Fraud Rates; y-axis: Percent, 0–0.1; x-axis: 2004–2010] 70% increase since 2004

*Information obtained from The Federal Reserve Bank of Atlanta

Page 39

Magnetic Stripe Technology vs. Chip & PIN

U.S.

Technology

• Magnetic stripe used to record data

• Requires signature for verification

Problems

• Swipe information can be compromised

• Signature can be forged

Europe, Australia, Canada

Technology

• Embedded microchip in credit/debit cards

• Require PIN for verification

Solutions

• Relies on “tap” system

• PIN cannot be forged

Page 40

Responsibilities by role

CIO: Set vision & strategy

• Business driver

• Vision for technology needs

• Relationship-building prowess

• Communication

• Taste of different departments

VP of Infrastructure: Implement operations

• Reduce duplication of effort

• Ensure adherence to standards

• Enhance flow of information

• Promote adaptability

• Ensure interoperability

• Maintain effective change management policies and practices

CISO: Safeguard security

• Establish & monitor security operations

• Develop & maintain security policies, procedures, and control techniques

• Comply with external cybersecurity laws and audits

Page 41

Ongoing Vigilance

Protect Points of Access

• Cloud Computing

• Mobile Platforms

• Credit Cards

Page 42

Executive Cooperation

Board Cooperation

• The Board must be equally engaged in making cybersecurity a priority

Security is not a one-person job

• Requires company-wide collaboration

C-Suite Awareness

• CEOs, CIOs and CISOs must be on the same page

But needs the right person at the helm

Page 43

Sample Profiles

Kevin McGee

Location: Miami, Florida

Education: BS, Management Information Systems, Drexel University

Professional Experience:

2013 – present  Davis + Henderson, Chief Security Information Officer

2011 – 2013  TIAA – CREF, Global Chief Information Security Officer

2007 – 2011  Broadridge Financial Solutions, Chief Security Officer

2005 – 2007  Citigroup Private Bank, Global Head, IT Risk

2001 – 2005  JP Morgan Chase, Information Security Officer

1996 – 2001  AstraZeneca Plc, Information Security Officer

1997 – 1998  TSA, Inc., Senior Security Architect

Keith Wilson

Location: New Jersey

Education: MS, Computer Information Systems, Loyalist College, Canada; BS, Computer Information Systems, Champlain College, Canada

Professional Experience:

2011 – present  CIT Group

  2013 – present  Chief Information Risk Officer

  2010 – 2013  Senior Vice President, IT Risk and Security and Chief Information Security Officer

2009 – 2011  Freddie Mac, Chief Information Security Officer and Vice President, Information Security

2002 – 2008  Lehman Brothers Holdings, Inc.

  2004 – 2008  Chief Information Security Officer, Lehman Brothers Bank

  2002 – 2004  Advisor, Senior Security and Consultant, Lehman Brothers Bank

2001 – 2002  The Goldman Sachs Group, Inc., Manager, Threat and Vulnerability, Investment Banking

2000 – 2000  Ernst & Young LLP, Management Consultant

1997 – 2000  Credit Suisse Group, Manager, Security Architecture and Engineering, Americas and Asia, Credit Suisse First Boston

1996 – 1997  AT&T, Consultant, Information Technology and Manager, Security Administration

1993 – 1996  Government of Canada, Analyst, Senior Security, Ontario Ministry of Health

Page 44

Cybersecurity moving forward

• Consider hiring a company CISO

• Search beyond talent within company to fill CISO role

• Experience in the financial services sector especially relevant for cybersecurity matters