Tuesday, June 21, 2016

Synopsis of IIA’s Managers Forum on IT Security

With good presenters and maybe over half of the 70+ registered in attendance, the focus centered on cyber security, CEO/executive concerns on the topic, and M&A exposures, i.e. breach trends and controls on the topic.

  • The culprits of cyber hacking include the Morpho group, which has no association with nations yet but is linked to 49 corporate data breaches / thefts in 2013 (who knows how many more are under investigation and cannot be published yet), and a pseudo-nation-state group, which operates in hostile countries with no evidence of government funding and focuses on avoiding R&D costs
  • Many statistical studies and publications, including Verizon's on security breaches, mention 2015 as the height of data breaches thus far: approx. 4000 incidents, of which 1854 occurred with for-profit organizations, and 736 million records exposed
  • Key points mentioned were the cyber-espionage uptick in Manufacturing (overall #2), with 90% of incidents related to trade secrets, e.g. Pharma manufacturing, newspaper/magazine paper mills with PHI data...
  • Companies conduct due diligence during M&A, including the value of trade secrets, market analysis on brand and of course capability/viability, but a hidden danger is an unreported breach of non-customer PI data, since public disclosure is not necessary
  • Additional considerations include: determining security posture/risk and the effort needed to sustain your security requirements/controls, the ability/agility to actively react to log activity, i.e. proactive threat vectors, and having an eye on data inventory and distribution/flow, including 3rd-party connections

Finally, when out with executives or senior leadership, have your elevator speech ready. Know with confidence where your highest security risks / threats are; your capability and diligence to react/correct/recover (tools, processes, SMEs); your awareness strategy; and put in a healthy plug for budget to ensure delivery of your security goals.

On M&A, my personal take/experience is to try analyzing the “value” of the company data and analytics on related exposure cost (due to non-compliance or lack of security controls), and have the value clause written into the contract. If anything, it might be used to leverage the price/bid of the company being acquired! Can you put an ROI on that math/benefit?

47 comments:

  1. I am awed by the information that you have on this blog. It exhibits how well you appreciate this subject. andy michael
  3. By recognizing a precluded vehicle on the reason, the Robot gives security significant knowledge. big tech
  4. You have written impressive articles on cyber security, I really commend your work. Thanks for posting it. Keep sharing your valuable knowledge and expertise. Looking forward to learn more, great blog. Cyber crime investigator Mumbai