By Mark Sander
Cyber-security was the topic at the Society for Information Management New Jersey Chapter’s recent CIO Roundtable event held on June 8 at the office of Sharp Electronics in Mahwah, NJ. More than 20 CIOs registered for this quarterly event, along with three of their CISOs. This open discussion among peers was facilitated by Philip Frigm, supervisory special agent in the Cyber Task Force for the Newark division of the FBI and Daniel Shapiro, an assistant United States Attorney for the District of New Jersey who prosecutes cyber-criminals. This was the second successful CIO Roundtable event, with the venue being founded in 2015 by Mark Sander and Kevin Schwesinger, both officers of the SIM NJ Chapter Executive Committee.
Key Session Notes
Timing is everything, or so the saying goes. It was certainly true with this event given the breaking news only hours earlier that the Office of Personnel Management (OPM) had been breached, most likely by Chinese government-sponsored actors. This quickly led the discussion to the adage, “Everyone has experienced a breach in their environment…it just has yet to be detected.” Multiple accounts were shared of companies’ first learning of a breach when they were contacted by law enforcement.
While cyber-attacks are conducted by those with a plethora of motivations, they can generally be boiled down to two major categories–financial or political gain. Criminals, insiders, and nation-state sponsored criminals are out to make a buck off of your information in one fashion or another. Hacktivists, insiders, terrorists and others want to embarrass your company or force your hand in some way. It has been projected that the cyber-criminals’ next big focus will be on healthcare information. These data sources contain a complete profile of personal data that cannot be changed, therefore bringing the highest price on the black market. In addition, the victims of these breaches are not companies or direct customers, but the patients themselves, making detection that much more complicated.
Everyone has a role after an attack. The role of the FBI and law enforcement is to “identify and catch the bad guys.” The role of the US Attorney’s Office is to prosecute these criminals. CIOs need to recognize that the priorities of both these organizations will initially differ from your top priority – restoring service and closing the exploited vulnerability. IT organizations need to ensure they accomplish their operational goal without destroying evidence or hindering the goal of the other two involved parties. Often they will require costly outside assistance to do this.
Several Best Practices were identified as part of the discussion:
* Creating an Incident Response Plan and testing it annually.
* Marking all emails which emanate from outside your company with the word “EXTERNAL” in the subject or sender’s address to alert users to potential phishing and socially engineered attacks.
* Purchasing cyber-insurance to minimize financial risk and exposure.
* Carefully evaluate the need to engage outsource service companies to perform tasks and/or manage your data. Outsourcing creates additional points of vulnerability for attack and in the case of litigation against your company, also creates another avenue for a subpoena that you may not be able to defeat.
* Make sure you are fully aware of all state and federal laws governing your particular business for required time horizons in which you must notify your customers, suppliers and other affected parties if a breach occurs.
Exit Survey Results
Attendees were asked to complete a brief survey at the conclusion of the event. Survey results included:
*100% of survey respondents acknowledged that their company had previously detected attacks on their environments. Although many types of attacks were noted, phishing attacks occurred at all of the respondents companies, with denial of service and social engineered attacks tying for second place.
*50% of survey respondents reported being the victim of a successful breach, with law enforcement being the first to detect the breach in 25% of cases.
*Time to detection ranged from hours to a detrimental six months.
*Budgets for cyber-security ranged from 1-10% of their total IT spend, with less than 25% of respondents considering that sufficient resourcing.
*Approximately half of respondents reported having a formal CISO positon in their company, with all of them reporting to the CIO. During the March CIO Roundtable event, a great deal of discussion centered on who the CISO should report to. There was increasing recognition that the position will eventually require ties to companies’ Internal Audit function and the departments responsible for physical security in the future, and possibly even ties at the board level.
*Data privacy, protecting Personally Identifiable Information (PII), cyber-security resources (funding and knowledgeable staff) and overall security ranked high on everyone’s priorities.
About the Author
Mark Sander is co-founder of the North Jersey CIO Roundtable and currently serves on the Executive Committee as Vice President of Administration for the NJ Chapter of SIM. With over 25 years of leadership experience in the Pharmaceutical, Consumer Products and Healthcare industries, he most recently held the position of Global CIO for Church &Dwight, the $3.5B household and consumer healthcare products company. Mark has previously held executive roles in operations, supply chain and technology and has been responsible for multiple turn-arounds and business transformations.
About the Society for Information Management (SIM)
SIM NJ is proud to serve New Jersey’s Chief Information Officers (CIOs) and other senior Information Technology (IT) executives. Our membership is comprised of experienced thought leaders who are passionate about the industry and consistently turn to SIM NJ to network, share ideas and discuss best practices. We represent one of the largest and strongest SIM chapters nationally with over 300 members, 90% of which are IT practitioners. On a national scale, SIM connects close to 5,000 active members through various chapters which make it one of the largest and most active CIO professional networks in the country.
About the SIM NJ CIO Roundtable
SIM NJ operates two separate quarterly roundtable venues: A South Jersey IT Leaders/CIO Roundtable held in the Princeton area targeting senior IT leaders in the southern half of the state; and the recently founded North Jersey CIO Roundtable held in Bergen County serving the northern part of the state and limited to titled CIOs by invitation only.
The CIO Roundtable is an opportunity for local CIO’s to get together for informal discussions on current industry trends on a quarterly basis. Facilitators range from CIO participants to leading industry experts and other functional executives. North Jersey events have successfully been held in March (The role of the CIO in the ever changing CXO environment – the CDO, CMO & CISO) and June (Cyber Security Breaches – It’s happened to you…now WHAT?) of this year, with the next event, The Role of the CIO from the perspective of the CEO, scheduled for September. A panel of area CEO’s is being assembled to lead the discussion.
Membership in SIM is not required to participate in either of the venues. If you are interested in learning more, please visit our website, www.simnj.org. To be considered for future CIO roundtables, please email us at communicaitons@njsim.org.