urlscan.io public scan: docs.google.com (2a00:1450:4001:800::200e)

Submitted URL: https://info.safe.security/e3t/Ctc/I7+113/d2lml804/VV-sGG8m24RbW1p-HFq1Lnqq-W2lg-cV4MJNb7N4sL4dS3lLCfV1-WJV7CgJ3JW517vzQ79r...
Effective URL: https://docs.google.com/presentation/d/1yDnEs9kAIfeobqiBZemWbZzMAe2-eH9if4PKJ4lT1PU/edit?utm_medium=email&_hsmi=22006401...
Submission: On July 20 via api from FR — Scanned from FR

Form analysis 0 forms found in the DOM

Text Content



Sample: Cyber Risk Board Report
Slide 1: SAMPLE: Cyber Risk Management: Discussion with the C-Suite and the Board
COMPANY NAME
This is a sample report only. Disclaimer: This is a Sample Report.

Slide 2: Disclaimer
The information contained herein is provided on an "as is" basis with no guarantees of completeness, accuracy, usefulness or timeliness and without any warranties of any kind whatsoever, express or implied. In no event will Safe Securities Inc be liable to you, or anyone else, for any decision(s) made or action(s) taken in reliance upon the information contained herein, nor for any direct, indirect, incidental, special, exemplary, punitive, consequential, or other damages whatsoever, whether in an action of contract, statute, tort or otherwise, relating to the use of this report.
Copyright Notice: This report is protected by US and International Copyright Laws. Reproduction and distribution of the report without prior permission of Safe Securities Inc is prohibited.

Slide 3: Why should Board members care about Cyber Risk Management?
● As a Board member, cyber risk falls under your fiduciary responsibilities. Regulators across the world are creating specific guidelines for reporting on cyber risk, and thus increasing the level of oversight even further.
● Cybersecurity continues to be one of the top global risks as per the World Economic Forum; cyber risk is an important component of the overall enterprise risk for your Board.

Slide 4: How did we build this report?
As cyber risk management becomes a Board concern, we sat down with more than 20 Board Members, CEOs, CFOs, CXOs, and CISOs to understand their top questions on cyber risk, and their expectations from each other. Based on this research, we built a guide for CISOs/CIOs.
Note: This document is intended to act as a template for a CISO/CIO for a cyber risk management discussion with the C-Suite and the Board of Directors.

Slide 5: Research findings: Top questions on their minds
Top questions on CISOs' minds:
1. How do I answer the question "How secure are we?" with confidence?
2. How do I communicate the risk profile to the Board in a language they can relate to?
3. How do I get the CEO and the CFO aligned with my plan while showing ROI of the security budget?
4. How do I set the right expectations with the Board and get a sign-off on the acceptable residual risk?
5. How do I ensure that the Board is not surprised if and when a breach occurs?
Top questions on Board members' minds:
1. What is our business context, for both the external and internal environment?
2. Where are we today? How do we compare with peers or benchmarks?
3. What is our target state? What are the priorities to get to the target state?
4. What is our residual cyber risk as a company?
5. What is our business continuity plan?

Slide 6: CXOs and Board members gave some guidance to the CISOs
Our conversations with Board Members and CXOs suggest the following best practices for CISOs/CIOs:
1. Understand the audience: A Board member's role is not to manage cyber risk, but to ensure that management is managing the risk appropriately to protect shareholders' interests. They are looking for an effective cyber risk management plan from you. The CEO and CFO are your key stakeholders, who can be your champions to get the right resources and focus on cybersecurity.
2. Bridge between technology and business context: Not every Board member or C-Suite member is a cybersecurity expert. You should be able to put technical details into business context, and talk the language of business.
3. Do not show status reports. Show an effective, ongoing cyber risk management program using quantifiable data.
4. Do not focus on the last big cyber event (unless it is an event-specific update). Show an ongoing plan.
5. C-Suite and Board members expect quantification of other types of enterprise risks (like financial risk). Quantify cyber risk to discuss ROI and residual risks.
6. "How they feel" about the risk management plan is very important. The more specific you are, with numbers, actions and priorities, the higher their confidence in your plan.

Slide 7: More resources to learn how Cyber Risk Quantification helps
1. Gartner Report, 2021: 5 Security Questions Your Board Will Definitely Ask
2. Safe Security Article, 2022: How CISOs can Answer Gartner's Top 5 Board Questions using Cyber Risk Quantification
3. Gartner Report, 2022: Drive Business Action with Cyber Risk Quantification
4. Gartner Report, 2022: Benchmarking Cybersecurity Value Delivery

Slide 8: How can you build this report in as quickly as 7 days?
● Input required to build this report:
  ○ Definition of the "critical assets"
  ○ 90 minutes of interview time with the security policy compliance team
  ○ 60 minutes of interview time with the IT operations team
  ○ Read-only API feeds into the technology assets, such as public cloud (AWS, GCP, Azure), vulnerability assessment tools (Qualys, Tenable, Rapid7), and configuration assessment tools (Qualys, native assessment)
● Output available:
  ○ All the data points are available through APIs, in real time.
  ○ The exact format and story can be customized using the most relevant analytics tool, such as Domo, PowerBI or Tableau.

Slide 9: THE SAMPLE REPORT

Slide 10: Agenda
● External and internal context
● Cyber health and loss exposure vs. benchmarks
● Cyber risk management plan and top priorities
● Residual risk
● Business continuity plan
● Key operational metrics

Slide 11: CONTEXT: Evolving threat environment (to be filled in by the CISO's team)
Macro cyber environment
1. What are the key developments in the cyber environment over the last quarter?
2. New threat actors?
3. New attack vectors?
Industry cyber environment
1. Have there been any recent breaches among your peers?
2. Are there particular risk items related to your industry?
Our learnings from the last quarter (# of attacks attempted, # of attacks thwarted, # of successful attacks)
1. How did we respond to any particular threat event(s) last quarter?
2. What were our learnings from the last quarter? How are we incorporating these learnings in our cyber risk management plan?

Slide 12: CONTEXT: 360 degree view of cyber risk across the attack surface
Workforce: What is our exposure to malicious insider threat, and to accidental or behavioral threat?
Digital assets: How resilient are our digital assets?
Third Party: What risk do our third (and fourth) parties pose?
Organization security governance controls: How strong are the policies and the cybersecurity tool stack which determine how we detect, prevent and respond to cyber incidents?
The scope of the analysis can be specific critical assets or a broader asset surface.

Slide 13: Data-driven Cyber Risk Management program
Manual (~30% of data): business context, policies, cybersecurity tools
Automated (~70% of data): technology assets, workforce assets, third parties
Cyber research; AI-powered scoring algorithm; severity model
Score: likelihood of an attack, against a benchmark
$$ potential loss for the company
Action plan: mitigate, transfer, accept

Slide 14: CYBER HEALTH (Score Confidence: Low)
The SAFE score measures the likelihood that a breach will occur in the organization in the next 12 months. It is calculated by looking across the organization's Technology, Policies, Workforce, Cybersecurity Products and Third Parties.
Today, we are behind the industry average* on cyber health.
Our expected loss is higher than the industry average. Given the company's internal security posture and the external threat environment, we are carrying a risk of $120M of expected losses due to a cyber event over the next 12 months. Industry average*: $90-100M.
*The industry average is computed looking at organizations of a similar size within each industry.
*Confidence is based on organization-provided inputs.

Slide 15: CYBER HEALTH: Top 3 industry attack types
Our exposure to a ransomware and a business email compromise attack is high.

Attack type                    Safe Score (breach likelihood)*      Potential impact**
                               Our Organization / Industry Standard  Our Organization / Industry Standard
1. Ransomware                  1.3/5 / 3.1/5                         $32M / $52M
2. Business Email Compromise   1.3/5 / 3.1/5                         $33M / $44M
3. Data breach by Hackers      3.7/5 / 3.1/5                         $185M / $220M

*As per your industry and size
**As per Safe's financial risk model

Slide 16: CYBER HEALTH: We are doing well in managing workforce and technology exposure
What is working well?
Workforce (Score Confidence: Low): 100% of employees are trained; high score on phishing simulations; top 5% of executives have a high level of cybersecurity
Policy (Score Confidence: High): NIST compliant; strong effectiveness of the remote working policy; good coverage of policies
Technology (Score Confidence: High): public cloud configurations are secure; on-prem servers with critical applications are securely configured; web applications are securely configured
Cybersecurity Products (Score Confidence: Low): all must-have products have been deployed; EDR coverage is at 90%; strong effectiveness of our deployments
Third Party (Score Confidence: Low): good scan reports for all our Tier 1 vendors; continuous engagement with the Tier 1 vendors

Slide 17: Our enterprise Cyber Risk Management plan
MITIGATE / TRANSFER / ACCEPT / RESIDUAL RISK

Slide 18: CYBER RISK MANAGEMENT: Our top priorities based on ROI and business priorities
Actions (vectors covered: Cybersecurity Products, Third Party, Policy, Workforce, Technology; status or help needed to be added by the CISO team):
1. Purchase and securely implement Email Gateway Security
2. Implement Multi-Factor Authentication for 100% of business-critical assets
3. Purchase and securely implement an Offsite Data Backup Solution
4. Revamp the Training and Awareness policy
5. Increase patch management coverage of critical assets from 20% to 100%
6. Increase EDR coverage of critical assets from 20% to 100%
7. Restrict the use of the 5 legacy (out of date / end of life) Windows XP assets
8. Daily monitoring of third party risk
9. Disable public access of 23 S3 buckets

Slide 19: CYBER RISK MANAGEMENT: Desired state
Taking these actions will reduce our potential losses by 33%: financial risk decreases from $120M to $80M as the Safe Score increases. By increasing the Safe Score to 3.2, the financial risk will decrease by $40M. (Score Confidence: Low today, High in the desired state.)

Slide 20: CYBER RISK MANAGEMENT: Transfer Risk
What risk can we transfer?
Our annual expected loss: $120M
Insurance Policy 1: our cyber insurance coverage is $30M
