The ISO 31000:2009, Basel III recommendations, the EU Capital Requirement Directives and the Own Risk and Solvency Assessment (ORSA)/Forward Looking Assessment of Own Risk (FLAOR) processes of Solvency II Directives profoundly affect the financing and the insurance of companies in all business sectors and local authorities.
US companies use US National Association of Insurance Commissioners (NAIC) recommendations based on the fundamental principles of ORSA; EU firms refer to FLAOR recommendations; and companies in other countries (e.g., Canada, Japan, China) refer to Solvency II as an international best practice.
This regulatory change began in June 2008 when the American International Group (AIG) faced a financial disaster. The risk maps and risk registers in place, usually under Basel II, were designed to capture incident data to calculate the relative value at risk (VaR) using a stochastic approach (statistics and probability). In this approach, VaR equals unexpected loss. Following the subprime mortgage crisis in 2008, clause 5 of ISO 31000:2009 recommended risk treatment from the point of view of the corporate manager and not from the point of view of the stochastic engineer. It is the cost accounting process of the absolute VaR (VaR = expected loss + unexpected loss) taking into account the risk appetite tolerance threshold.
In March 2012, as part of the NAIC Solvency Modernization Initiative (SMI), the NAIC voted to adopt a significant new addition to US insurance regulation: ORSA. The manner of the calculations used in an ORSA report was left to the discretion of each insurer. This led to variations in the measurement techniques of ORSA among companies. The insurers were concerned because a hard and fast, one-size-fits-all solution does not exist. The output was specific to the company, and a set of documents should demonstrate the results of the self-assessment and understanding of own-risks.
The Information Technology-Investor Relationship Management (IT-IRM) proposes a standardized, logical process to the ORSA measurement. Our recent Journal article covers how this IT application makes ORSA a logical assessment based on real-time data, making risk controllable and assessable using the same base criteria for economic capital and the same indicators, factors or the causes as the determinants of operational risk.
Congratulations to our own Kandyce Tripp, Global Head of Channel Operations, and Melissa Nacerino, Director, Americas Channel Marketing, for making the 2016 Women of the Channel list and the Power 100 list.
CRN’s “Women Of The Channel” project recognizes influential women leaders with extraordinary expertise and vision.
CRN’s Power 100 is a subset of the CRN Women of the Channel who have earned a special distinction based on their exemplary record of success and their level of influence in the channel.
Here at Palo Alto Networks, we are proud of our dedication to women’s empowerment principles. We recently established a Women’s Networking Community to connect and empower our female workforce. This Community spearheads development workshops, meetings and networking mixers; providing a valuable platform to learn and grow. We also debuted a Women in IT event series, starting with two events in Canada that we are now replicating in multiple regions. The goal is to bring business leaders, channel partners and Palo Alto Networks executives together to engage on the top issues impacting women in business, and to celebrate the impact women have made on the workplace.
SaaS applications pose a significant security challenge. You do not necessarily want to clamp down on their use because they have become a valuable tool for many of your company’s employees. Using cloud storage applications such as Box to upload a few files or using collaboration tools such as Microsoft Office 365 to create documents is an important part of their everyday routine. On the other hand, you cannot allow them to proliferate without control because they will expose your organization to potentially disastrous security and compliance risks, including data leakage and the insertion and distribution of malware.
So, how do you gain control of SaaS usage in your organization? Start by understanding where you may be exposed. Then you can deploy technologies to fix your vulnerabilities and protect the gaps. To help you get started, we’ve identified six of the biggest SaaS security challenges you must address—sooner rather than later. Here they are:
Challenge No. 1—SaaS Usage Visibility and Control
Once data has left the network perimeter, you will have a hard time getting visibility into SaaS applications and controlling their use. So you want to take preventative action. Start by identifying which SaaS applications should be used and which behaviors you will allow within each of those applications. Make a clear delineation between sanctioned and unsanctioned applications. If you want to safely enable “tolerated” applications that can’t be sanctioned, make sure your security products give you the flexibility to exert granular control and policy management.
Challenge No. 2—Data Exposure Visibility
With SaaS usage defined and controlled with granular policy, data will be moving to applications that your organization has sanctioned. However, when the data reaches a cloud service it resides within the SaaS application and is no longer visible to your network perimeter. This is a potential blind spot. You need products that give you additional visibility without being in-line for a deep understanding of users, the data they have shared and how they have shared it.
Challenge No. 3—Contextual Control of Data Exposure
Data in the cloud can be either structured or unstructured. Both types of data can put you at risk. To properly protect data in the cloud and ensure regulatory compliance for sensitive data, you need security tools that enable you to define granular, context-aware policy controls. Make sure you can drive enforcement and quarantine users and data before a violation occurs.
Challenge No. 4—Threat Prevention
Many SaaS applications automatically synchronize files with users. Also, many employees may use SaaS applications to share data with individuals outside your organization’s control. These behaviors create new insertion points for malware. To prevent these threats, you need a security solution that protects your sanctioned SaaS applications from known and unknown malware threats and exploits—regardless of the source of the malicious file.
Challenge No. 5—Risk Prevention (Not Just Response)
Threat and data exposure protections should not be an in-line function only looking at future events (i.e. like a traditional firewall). Instead, you need to be able to look back at all previous data and shares in your sanctioned SaaS applications. You need to capture events that took place even before the policy was put in place. This way, data exposure and threat risks are caught no matter when the occurred.
Challenge No. 6—Preserving Performance
SaaS applications are popular because they are convenient, easy to use and fast. If your security solution diminishes the user experience, you run the risk of driving users to an unsanctioned application. You don’t want to affect latency or bandwidth requirements for sanctioned SaaS applications. Look for a cloud-based security solution that doesn’t require network configuration changes or inline deployment. Make sure you can also support native applications on mobile devices so users are not limited to only using Web-based access on their devices.
As we talk to customers, we’re finding that getting SaaS applications under control is one of the most important security concerns of the cloud era. You need the right set of products to gain constant visibility, control and protection of your applications and data at all times. The Palo Alto Networks Next-Generation Security Platform was designed specifically to meet these challenges. You can identify SaaS applications with the Next-Generation Firewall; extend protection into the cloud with Aperture, and protect against known and unknown threats with the WildFire threat intelligence service.
For more information on how you can find, control and protect SaaS usage in your organization, download a free copy of our new book, Securing SaaS for Dummies.
In May 2015, 1.25 million pieces of personal information were stolen by cyber thieves from the Japan Pension Service (JPS). The news of the event reverberated throughout Japan similar to the headlines created after the Office of Personnel Management hacking a month later in the United States. The JPS event, on top of a recent series of information leaks, was shocking enough to raise cybersecurity awareness among corporate executives in Japan and shape Japan’s cybersecurity posture.
Seven months later, the Japanese Ministry of Economy, Trade and Industry (METI) and its Information-Technology Promotion Agency (IPA) released an impactful document: Cybersecurity Guidelines for Business Leadership Version 1.0 (this is a Japanese link; English press release is here). The 36-page document is aimed squarely at business executives, written in plain Japanese and eschewing technical terminology. The two organizations were alarmed by PwC statistics showing that only 27 percent of Japanese companies have business executives proactively instituting cybersecurity measures, compared to 59 percent globally.
Since their release, the guidelines have struck a chord with the business community, with executives in Japan becoming increasingly keen to learn which cybersecurity measures their companies should take. Seminars about the guidelines have proliferated around Tokyo and other major cities, attracting audiences from management and the executive level—quite different from the typically technical audiences that, until now, have attended most cybersecurity events. And some key Japanese players have reacted with major initiatives. Keidanren, the Japanese Business Federation (akin to the U.S. Chamber of Commerce), responded immediately in January 2016 in its second set of cybersecurity recommendations to the government, noting that industry is committed to reforming business leadership awareness and ensuring that cybersecurity is an important pillar of business risk management.
Keidanren blazed a trail. This April, Fujitsu Ltd., the Japanese multinational IT and services company, published a company-wide cybersecurity policy based on the guidelines: Fujitsu Group Information Security Policy, which applies to the company’s operations globally. We expect other major Japanese companies will follow suit with similar efforts, as Japanese companies culturally prefer to act in a uniform manner.
For the non-Japanese reading audience, what does the document say? The Japanese government gets to the point in the Cybersecurity Guidelines introduction: cybersecurity is an integral part of business operations and a priority for leadership, thus businesses must make decisions on their IT and cybersecurity investments to ensure business continuity and protect the company’s intellectual property and other assets. The document then provides three principles about which business executives should be aware, and 10 action items they should require their CISO and security teams to complete.
The three principles are that executive leadership should:
Take the leadership to invest in cybersecurity, based on the level of risk they deem acceptable to their business operations;
Enact cybersecurity measures for their own company, and promote measures in affiliated companies and business partners to mitigate potential information breaches; and
Communicate their cybersecurity measures to stakeholders, take accountability, and build confidence.
The 10 action items elucidate more specific measures to take and demand teamwork among executives, technical professionals, and non-technical people. Leadership should instruct CISOs to:
Craft a cybersecurity policy;
Establish an appropriate team and clarify the division of responsibilities;
Identify assets to protect, and potential risks to those assets, and craft a mitigation plan;
Implement the Plan-Do-Check-Act (PDCA) cycle;
Have subsidiaries and business partners also do a PDCA;
Ensure an appropriate budget and human resource allocation;
Categorize assets as those the company should protect on its own, versus those outsourced contractors should protect, given capacity and efficiency;
Actively participate in and contribute to cyber threat information sharing frameworks;
Establish an emergency response system and conduct cyber exercises; and
Identify in advance whom to notify about potential incidents.
Although not legally binding, the Cybersecurity Guidelines have presented a baseline expectation from the Japanese government to industry. And, in Japan, government expectations carry significant weight, as do the actions of one’s contemporaries. Couple these cultural norms with a growing realization among Japanese companies (similar to their global peers) of the need to improve cybersecurity, and there is strong foundation for change.
The timing of the release of the METI/IPA Cybersecurity Guidelines also was essential to the rapid comprehension among Japanese companies of their value. After the JPS case, Japan’srevised Personal Information Protection Act came into effect in September 2015, requiring all companies to take security measures to protect and prevent breaches of personal information. Finally, in January 2016 “My Number,” a new personal identification system for Social Security and taxation information, was launched.
This all was on top of new legal risks following the 2014 “Benesse Corporation” case in which a leading Japanese correspondence education services provider and publisher paid ¥20 billion(approximately $187 million) in a class-action customer lawsuit after a systems engineer working for its subsidiary sold 35 million pieces of customer information to name-list brokers. The case ran afoul of the Japanese Companies Act, which requires C-level people, such as Chief Information Officers and Chief Financial Officers, to ensure internal controls, including information security.
The guidelines have been a potent force over the last five months in encouraging Japanese companies to release or prepare new cybersecurity policies, many of which will impact both Japanese and non-Japanese business partners. Given the potential global influence, it would be beneficial for the METI/IPA Cybersecurity Guidelines to be translated into English. This also will enable a global audience to better understand the direction in which Japan’s cybersecurity is heading, share best practices and potentially comment on the guidelines, and maximize the chances that government efforts are aligned internationally.
We have seen this approach to send messages globally bear fruit very recently. When the Japanese National Center of Incident Readiness and Strategy for Cybersecurity (NISC), a governmental organization responsible for cybersecurity strategy and policy-crafting and international coordination, published Japan’s National Cybersecurity Strategy in 2015, it released Japanese and English versions at around the same time. This was a trial for the Japanese government, which traditionally has taken several months to release English translations of documents, if at all. This important move reflected Japan’s strong determination to make a globally impactful strategy rather than potentially limiting its influence to just within Japan.
No single country, sector or company can improve cybersecurity on its own. Teamwork and communication are essential. The METI/IPA Cybersecurity Guidelines are a very welcome addition to the mix. Many global companies including Palo Alto Networks have been strong advocates of government efforts to promote sound cybersecurity policies that enable entities to assess and manage their cyber risks, and that are based on public-private partnerships. Japan is the third largest economy in the world, and its efforts to improve cybersecurity are globally impactful. Japan’s new Cybersecurity Guidelines deserve a global audience.
This is the first in a series of blogs to be co-authored by Mihoko Matsubara and Danielle Kriz aimed at introducing Japan’s cybersecurity efforts and their significance to a global audience, including governments, global industry, and other thought leaders. Subsequent blogs are expected to cover additional thoughts on the METI/IPA Cybersecurity Guidelines, the G7 Summit hosted by Japan in late May 2016, Japan’s role in global cybersecurity capacity-building, cyberthreat information-sharing and prospects for Japan, the cybersecurity ramifications of planning for the Tokyo Olympic Games 2020, and other topics.
The economy continues to improve, at least from an audit and IT audit perspective. Between 2011 and now, the job market strengthened significantly. Five years ago, within 48 hours of posting a job through search sites, I would have 5-15 viable candidates. Usually I never had to post on job search sites; someone in my professional network would ping me with interest. Now, I will post on searches and barely get a handful of candidates after a month. The economy has improved; maybe not to early 2000 numbers, but the market is doing very well.
The good job market can lull people into a networking slumber. When the recession hit 7+ years ago, I heard many candidates say, “I never thought I would be in this situation; I wish I had kept up with my network.” Every job market is cyclical, and you do not know when you might need to tap into your network, regardless of your field.
Networking Activities
Professional Associations: Stay involved in all professional associations relevant to your career. It may be difficult to attend every meeting, but choose a few that pique your interest, put them on your calendar and commit to paying your membership. Additionally, take advantage of volunteer opportunities.
Key Contacts: Schedule at least two business lunches/coffees per week, to keep in touch with the contacts most relevant to your success. Connect with that group at least twice a year.
Recruiters: Do not ignore calls from executive recruiters. Good recruiters want to establish a relationship with you, regardless if you are looking or not. Pick a handful of recruiters you trust and stay abreast of the job market.
LinkedIn: This is easily discounted when you are comfortable in your job. Staying active on LinkedIn expands your network and keeps you connected with professional contacts. Do this twice a day—put it on your calendar for 10 minutes first thing in the morning and 10 minutes after lunch.
LinkedIn Optimization
LinkedIn is Facebook for professionals. If you are not on LinkedIn, your relevancy is minimized to everyone but your current role. Every professional must have a LinkedIn profile, know how to use it and understand how to optimize its effectiveness. Here are a few LinkedIn tips
What Is LinkedIn for?
LinkedIn enables users to connect and share content with other professionals, including colleagues, potential employers and business partners. However, many users make LinkedIn personal, including birth announcements, surgery updates, marriage announcements, etc. Keep LinkedIn business-related and professional, which can be a fine line. Remember, the more professional you keep it, the less unprofessional you can look.
Professional Email Address
Many people use a personal address as their main contact email, which is acceptable. However, people do not realize how unprofessional their email address may be. Unprofessional email addresses I’ve seen on Linkedin include transam2002, joshistheman and rocketsfan2661. As a recruiter, this is something I always look at. If someone cannot determine if their email address is unprofessional, I tend to scrutinize their profile in much more detail.
Customize Your Profile URL
When my kids were born, I bought their namesake web sites and created their personal emails. At the time I thought it was a good idea, but as the kids have gotten old enough to use email, this has become a wonderful idea. The kids really like having a simple email address. The same is true for your LinkedIn URL. If you don’t have a profile, go claim it. If you do, make sure your URL is personalized and clean, like this: https://www.linkedin.com/in/dannymgoldberg.LinkedIn is a wonderful social networking tool, even for introverts. Go claim your profile and start with the above steps.
All of these networking activities can expand your network and help you stay in touch with your industry. Remember: you don’t want to ever have to say “I wish I would have….”
Danny Goldberg, CISA, CGEIT, CRISC, is founder of GoldSRD, a provider of high-quality, interactive internal audit training. Goldberg will present a free webinar titled, Becoming the Boss: 10 Key Steps for Advancing to Executive Management, 11AM (CDT), Thursday, 19 May. Sign up here.
Danny Goldberg, CISA, CGEIT, CRISC, founder, GoldSRD