Today we will be discussing cybersecurity strategy alignment with the organization's business objective. My name is Cicero Chimbonda I am your instructor for this course. Cybersecurity strategy alignment with the organization's business objective? It is important to understand that cybersecurity strategies must align with the organization's business regulatory and operation objectives. This course we'll discuss the following topics. Cybersecurity strategy alignment overview. We will then discuss the alignment to the organization's business, following regulatory obligations. And lastly we will talk about the operational objectives. Cybersecurity strategy alignment overview. The background of information governance in today's global business environment begins with corporate governance. As we stated in previous courses, it really does start at the top and one always needs to begin with the end in mind. Governance is defined as the internal systems of practices, controls and procedures your company adopts. In order to govern itself, make effective decisions, comply with the law and meet the needs of external stakeholders. The boards and management alike need to ensure that the IT is aligned with the enterprise strategies and takes advantage of all the technological advances that are happening in our times today? Well, cybersecurity strategy alignment begins with leadership and leadership and governance have deliverables. Deliverables for my organization is stating, what is the mission statement? The mission statement is, why does the company exist. What does the company do it talks about the motivation and the purpose deliverable is a vision statement. What does the company want to be? Its hopes its ambitions and also the strategy, how is the company going to get there? The objectives to planning the goals? What must be done? What are the actions, where the owner, who are the owners? What are the projects? What are the timeframes? What are the outcomes? These are the deliverables? And in alignment the cybersecurity strategy the leadership of that organization must make sure that as you look at security, that's the ability to secure your infrastructure. The ability of secure your organization meets the the requirements of information security, which is the CIA tree odd confidentiality, integrity availability. Security will assure that that data is confidential and that is the alignment of the organization business. Distrust sharing that there's trust built into the organization by meeting its regulatory obligations. Well, how do we do this, making sure that the data preserves its integrity. Availability, you said and we'll talk more about this, that you cannot get a seat at the table unless you keep the lights on. Well, availability is that balance of making sure that you have the operational excellence, meet the operational objectives by creating stability. And making sure that those who need access to your resources, the resources are there available. How is this done? Well, the chief information security officer through the cyber security task force, make sure that he or she aligns that leadership skill set to assure that the organization strategy is there. Making sure that the communication upward is there and then assuring that his managerial or managerial skills assures that. The information security governance is built that is the cybersecurity program. Let's talk more into detail. How do we align? Well, cybersecurity strategy alignment to the organization business. The main purpose of alignment of cybersecurity strategy to the business will vary. You have businesses that are privately held, you have businesses that are publicly traded, you have businesses that our government or nation state and you have non for profit organizations. Well all these entities have different drivers, these different leadership, different top line, different bottom line. Wf we were just to look at the bottom line of a private equity firm. Well, it's mainly driven by revenues and and income after all expenses, whereas a publicly traded company might be more driven by the EBITDA. Earnings before interest, taxes, depreciation and amortization or driven by earnings per share. Or government it would be more driven by advanced and economic economy, environmental, political social, these are the protections that the government or the nation state must deliver for its citizens. Non for profit organization might be more interested in making sure that it breaks even maximizes cash flow, avoiding excessive financial risks. These are some drivers and cyber strategy will protect these assets, corporate assets, regulation lawsuits penalties, fines, make sure that those won't happen. And that's typically for a private or public for government agencies that might protect the citizens economy, making sure there's peace prosperity. And for non profit, protecting the funding the cause, the reputation, avoiding lawsuits and penalty. So you can see the cybersecurity strategy alignment of security and confidentiality would vary depending on what kind of industry that you are leading. Cybersecurity strategy alignment regulatory obligations. This is the compliance component or the legal component of your cybersecurity strategy. All organizations have to abide and operate within the defined boundaries of laws, adhere to specific regulatory obligations that apply. To that type of organization. So, as we talk about the STCS model, that security trust and stability. The alignment of regulatory obligation is to build trust that is the goal and to bring integrity to that data and that is where you have regulatory systems equals trust equals integrity. But we need to understand that it is vital that the cybersecurity program is aligned with the regulatory obligation that it operates under. This requires the understanding of enforceability and legally binding C rules and laws in each industry vary. Here we have the pyramid of hierarchy of laws. This is from a legal publishing source where states, the top of the line of legal legality is constitution. And then right under the beneath that, you have statutes, legislation which is usually done by state or or local jurisdictions. And then you have regulations where you have procedures codes and of conduct while in cybersecurity alignment, one needs to understand what are we binding. What if I'm in an industry that's a utility. For example, what are the laws that I need to make sure we don't pray in a simplistic form while understanding the terms and definitions. Constitutions are legally binding acts. If you are regulated by an act, well, that's legally binding if you don't adhere to that, you will be fined or you have penalties, statues, ordinances, legislations. Common law regulations codes. Again, these are legally binding statue entities or statues that one must no in adhere to. And you have those that are perhaps legally binding, for example, international laws perhaps it is legally binding but it's hard to enforce. Let me give you an example if I am a company that opens in a foreign country and I happened to break that law in a foreign country. Well because, my jurisdiction is in one country, it's going to be hard for the country be to enforce its laws. Since I'm here in a different nation framework could be legal or non legal frameworks. Rules potentially can be legally binding bills depending on the maturity a bill that's just being written or being debated. It's not legally binding but once it's signed actually becomes a wall, then it becomes legally binding policies. Again depends on what policies you might have signs, fines if you don't obey certain policies. And then these are definitely not legally binding. Their just their best practices, their guidelines, their standards, instructions. These are things that we should follow as professionals, but they doesn't necessarily mean if you don't do them, you are legally binding. So again, understanding your regulatory obligations will drive your strategy. Let's look at specifically some regulatory obligations that one needs to follow. These are some examples of of regulations. So we have the CAN-SPAM Act which is the controlling the assault of non solicited pornographic and marketing. It's an act that was written in 2003. It holds penalties and violations. The CAN-SPAM Act, violation of provisions are individuals can be subject up to $11,000 if it's breached. You have the Children's Online privacy Privacy Protection Act. The COPPA Act is enforced by the Federal Trade Commission. Fines have been increased and with the largest fine to date, 5.7$ million. Sarbanes Oxdey, Acts regulated by firms that are auditing and services for big companies. The penalties can be criminal CEOs]s, and CFOs can be liable for maximum penalties $1 million dollars and 10 years imprisonment for false certifications. And $5 million, 20 years for willful false filing, Electronic Communications privacy act and Sword Communications Act, which is a government agency for US citizens. The acts provides criminal penalties that could be used to jail malicious hackers. They also provide private right of action. Gramm Leach-Biley Act, or GLBA. Penalties violation could exceed up to a million dollars. There's also the possibility of terminations from the federal from the FDIC. The insurance company for banks, Consumer Privacy Protection Act. Consumer Privacy Protection Act can have penalties enforced with civil penalties Not exceeding five million. And last the violation is found to be woeful. And the intentional in which additional $5 million dollars can be imposed. So again, as you see, these are some laws that need to be looked at if that falls within your industry, here's some additional regulations. SEC, SEC is the Security Exchange Commission regulatory privacy consumer safeguarding act a regulation. It's a penalty that can be enforced. It can have civil fines violations can be up to a million dollars or triple the monetary plant. The commodity futures trading commission's which again it's a financial industry, can have penalties enforced. Also up to $1 million dollars or triple the monetary game. The DoD has a law called or a regulatory that has the 48 CFR which has penalties and and can be enforced. Failure to comply, may result in department. The Federal Drug Agency has rules that are clinical investigations and if you violate penalties can be enforced and which will conduct, you can be violated. You can you can have penalties. And this apartment FINRA, financial and banking has a supervisory control system. For reporting requirements, penalty of violations can include fines, suspensions, even banning from the financial industry. The Federal Trade Commission has codes that if you can have, violations can be reached up to $5 billion. Facebook had a recent case where it was fined by $5 billion dollars HIPAA the health Insurance Portability and Accountability Act which was constructed in 1996. AA can have penalties enforcement or fines hat are are violation. The largest find to date is $16 million, fines have been increasing and dramatically in 2018. The total number of Finds reached a record of $28 million. And lastly, the payment card industry data security standards PCI. It if for noncompliance can result in penalties ranging from $5000 up to 100,000 dollars per month by the credit card companies. So you can see here, it's important for the system that cyber the chief information security officer to understand what regulatory laws that the company must adhere to. So that they can prioritize the strategy to make sure those laws are followed. Lastly, cybersecurity strategy alignments to operational objectives. It is said in order to get a seat at the table. The Cissel chief information security officer or the CI O chief information officer must demonstrate that he or she can keep the lights on. There is no seat at the table without stability and availability. Cybersecurity strategy must demonstrate accountability to the entities responsible for operational excellence. Having KPI s key performance indices will help, so the leadership will bring that STS for it within the cyber security program. These are some frameworks that helped organizations to create a stable operations department missed is a cybersecurity framework for private sectors or public. And the framework is provides policy computer security guidance and also assesses and improves. The ability to prevent detect and respond two cybersecurity attacks. You got the ITIL which is the information technology infrastructure library. It's I T service management and private and public businesses. It has 5 stages or 5 services. It will talk more about it. You have the Mackenzie 7S. Which is typically a business framework that can be used to align the business to the to the cybersecurity program or the even the I T programs. But this is a business executive and private private and public framework. The 5S model has 7S models that analyzes and we'll talk more about it. You have the fair which stands for the factor analysis of information risk. It's a business executive and private and public private and public organizations provides information risks for cybersecurity. And business executives with the standard and best practices to help organizations measure, manage and report information risk. And we'll talk more about that as well. You have other regulation frameworks like Isil 27 one. You have others like PMO project management office and and many others like governance risk compliance. General data protection regulation G D P R. Which is an international European law that protects data for citizens in Europe. You have the high trust which is the health information trust Alliance a framework to help hip hop companies that are regulated by hip hop to achieve their controls. And even now, with with the pandemic COVID-19, you have several different frameworks to help companies adhere to the laws that are coming up recently. This is the alignment of the cybersecurity strategy portion of the course, we'll see you next time.
