Page 1: Introduction to Cybersecurity, Governance, Risk, and Compliance

  • Topic of discussion: Cybersecurity, Governance, Risk, Compliance (GRC)

  • Speaker's background:

    • Bachelor's in Computer Science

    • Worked at PwC as a Cybersecurity Consultant

    • MSIS from Smith School

    • Experience at Yahoo (formerly Verizon Media) focusing on GRC

    • Currently with Salesforce as GRC Specialist

Page 2: Overview of GRC and Agenda

  • GRC is multifaceted:

    • Roles can be technical (coder) or managerial (security management)

  • Agenda for today:

    • Definition of cybersecurity

    • Security best practices

    • Privacy considerations

    • Cybersecurity architecture in organizations

    • Insights into GRC focusing on third-party risk management and compliance

    • Skills needed in GRC roles

Page 3: Cybersecurity in the Modern World

  • Definition of cybersecurity:

    • Preventing and managing cyber attacks and minimizing the damage they cause

  • Importance of anticipating when and how security attacks happen

  • Key pillars of cybersecurity:

    • Confidentiality

    • Integrity

    • Availability

Page 4: Security Pillars Explained

  • Confidentiality: Protects sensitive information from unauthorized access.

    • Example of breach: Social engineering attacks seeking personal information.

  • Integrity: Ensures data remains unaltered during exchange.

    • Example: Alteration attack where data is changed en route.

  • Availability: Ensures systems and data are accessible when needed.

    • Example: Denial of Service (DoS) attack.

Page 5: Security Best Practices

  • Organizations apply standardized cybersecurity frameworks to measure their security posture.

    • Examples include ISO, NIST, SOC, and PCI DSS for the payment industry.

  • Framework implementation depends on organizational services or products offered.

Page 6: Understanding Privacy

  • Privacy focuses on:

    • Data collection, processing, and sharing practices.

    • PII (Personally Identifiable Information) management.

  • Legal frameworks such as GDPR set the requirements that data handling must comply with.

Page 7: Cybersecurity Architecture

  • Organizations structure security domains based on needs:

    • Security engineering (application and cloud security).

    • Governance, risk management, and compliance.

Page 8: Governance

  • Governance: Aligning IT and security objectives with business goals.

    • Planning security features based on existing business processes.

Page 9: Risk Management

  • Risk management involves assessing threats, vulnerabilities, and controls:

    • Example scenarios to understand threats and controls through analogy (e.g., forest safety).

  • Definitions:

    • Threat: a potential source of danger or harm.

    • Vulnerability: a weakness that a threat can exploit.

    • Risk: the potential loss or damage that results when a threat exploits a vulnerability.

    • Control: a measure in place to mitigate risk.

Page 10: Organizational vs. Third-Party Risk Management

  • Organizational risk management: Managing internal assets and systems.

  • Third-party risk management: Ensuring suppliers and partners also implement security measures.

    • Verification through security questionnaires and assessments.

Page 11: Compliance

  • Compliance: Adhering to security standards and frameworks to minimize risks and penalties.

    • Importance of certifications to establish trust with partners.

Page 12: Steps to Compliance

  1. Adaptation: Choosing suitable compliance frameworks.

  2. Auditing: Conducting internal and external audits for certifications.

  3. Monitoring: Continuous oversight of security practices and response to changes.

Page 13: Analytics in GRC

  • Analytics aids in:

    • Risk classification and reporting.

    • Monitoring for abnormal activities.

    • Data visualization for management insights and decision-making.

Page 14: GRC Tools and Applications

  • Overview of GRC tools such as OneTrust and RSA Archer:

    • In-depth features for risk management and incident response.

    • Real-time monitoring for cybersecurity incidents.

Page 15: Skills Required for GRC Roles

  • Essential technical skills:

    • Coding knowledge (reading and understanding code).

    • Familiarity with databases and cloud technologies (AWS, Azure, GCP).

    • Understanding of cybersecurity frameworks and compliance requirements.

  • Soft skills:

    • Critical thinking and analytical problem solving.

    • Effective communication and teamwork.

Page 16: Conclusion

  • Summary of the importance of GRC in cybersecurity and protective measures against threats.

  • Encouragement to develop relevant skills for future opportunities in the field.