The Definitive Cybersecurity Guide for Directors and Officers
Total Page:16
File Type:pdf, Size:1020Kb
NAVIGATING THE DIGITAL AGE THE DIGITAL NAVIGATING | BENELUX CONTRIBUTORS • Alan Jenkins, Associate Partner, IBM Security, UK • J.R. Santos, Executive Vice President Research, Cloud Security Alliance, USA • Attila Narin, CTO, EMEA, Palo Alto Networks, Luxembourg • Judith Vieberink, Lawyer, First Lawyers, the Netherlands • Avi Berliner, Manager, PwC, USA • Kelvin Rorive, Delivery Manager Security IT Threat Management, Rabobank, the Netherlands • Chris Bray, Partner, Heidrick & Struggles, UK • Marcel Van Eemeren, CEO, ON2IT, the Netherlands • Christophe Crous, Head of Security, Proximus, Belgium • Mark Hughes, President, BT Security, BT Global Services, UK • Elena Kvochko, CIO, Group Security Function, Barclays, USA • Mark McLaughlin, CEO, Palo Alto Networks, USA • Fred Streefland, Senior Product Marketing Manager, EMEA, Palo Alto Networks, the Netherlands; former • Neelie Kroes, former Vice President to the European CISO, LeaseWeb Commission, the Netherlands • Gavin Colman, Partner, Heidrick & Struggles, UK • Peter Mesker, CTO, SecureLink, the Netherlands • Gilles Orringe, Partner, Heidrick & Struggles, UK • Polo van der Putt, Lawyer, Vondst Advocaten, the Netherlands THE DEFINITIVE CYBERSECURITY GUIDE • Graham Bolton, Chairman, Institute for Software Quality (IfSQ), UK • Puck Polter, Lawyer, Vondst Advocaten, the Netherlands FOR DIRECTORS AND OFFICERS • Greg Day, Vice President and Regional Chief Security • Raoul Vernède, Information Security Officer, Wageningen Officer, EMEA, Palo Alto Networks, UK University and Research, the Netherlands • Gregory Albertyn, Senior Director, PwC, USA • Ryan Bergsma, Research Analyst, Cloud Security Alliance, USA • Hans de Vries, Head of the National Cyber Security Centre, (NCSC-NL), the Netherlands • Tijl Deneut, Security Researcher, XiaK, center of SecurityRoundtable.org eXcellence in industrial automation Kortrijk, Ghent BENELUX • Ian West, Chief of Cyber Security, NATO Communications University, Belgium and Information Agency, Belgium • Troels Oerting, Group Chief Security Officer, Barclays, UK • Jaya Baloo, CISO, KPN Telecom, the Netherlands • Johannes Cottyn, Assistant Professor in Automation, XiaK, center of eXcellence in industrial automation Kortrijk, Ghent University, Belgium SecurityRoundtable.org NDA omslag MW5_FS5_CC17.indd 1 28-04-17 10:59 NAVIGATING THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS BENELUX Published by Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers – Benelux Printing and Binding: Damen Drukkers Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers – Benelux is published by: ICT Media BV Laan van Voorburg 1 5261 LS, Vught The Netherlands First published: 2017 Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers – Benelux © 2017 Palo Alto Networks Inc. All rights reserved. Cover illustration by Tim Heraldo DISCLAIMER Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers (the Guide) contains sum- mary information about legal and regulatory aspects of cybersecurity governance and is current as of the date of its initial publication (April 2017). Although the Guide may be revised and updated at some time in the future, the publishers and authors do not have a duty to update the information contained in the Guide, and will not be liable for any failure to update such information. The publishers and authors make no representation as to the completeness or accuracy of any information contained in the Guide. This guide is written as a general guide only. It should not be relied upon as a substitute for specific professional advice. Professional advice should always be sought before taking any action based on the information provided. Every effort has been made to ensure that the information in this guide is correct at the time of publication. The views expressed in this guide are those of the authors. The publishers and authors do not accept responsibility for any errors or omissions con- tained herein. It is your responsibility to verify any information contained in the Guide before relying upon it. ISBN 978-90-819529-0-3 PREFACE: INSTITUTIONS ARE FaCING AN ERA OF UNPRECEDENTED CHANGE – WITH CYBERattaCKS PROVOKING DISRUPTION Preface: Institutions are Facing an era of Unprecedented Change – With Cyberattacks Provoking Disruption Neelie Kroes – former European Commissioner for the Digital Agenda and Vice President to the European Commission – sets out why cybersecurity must be a top priority for boards and executives. ll our institutions—government, not-for-profit organi- sations and businesses—are facing an unprecedented Aera of change. We live in a turbulent world of volatility and uncertainty, both economic and political. The relent- less rise of globalisation has delivered massive benefits for many, but not for all. This has contributed to widen- ing inequality which, in turn, has made our world a more complex and dangerous place. It is the responsibility of our leaders to grapple with this backdrop and with the mo- mentous speed of our digitally-connected world. In an increasingly complex world, board members and corporate executives are responsible for processing infor- mation from a broader range of sources than ever to effec- tively lead their organisations. Additionally, to successfully compete, companies must constantly innovate, demanding agile leadership and organisation. Without trust in the digital infrastructure that underpins this agility, however, organisations will find themselves increasingly unable to serve their stakeholders, including customers, employees and investors. The maintenance of this trust by effectively addressing cybersecurity risks, therefore, is of primary importance to board members and executives. Cybersecurity is no longer a problem for IT staff alone. Indeed, according to the 2016 Global Risks Report from the World Economic Forum, one of the top risks facing the boards of directors is cybersecurity. The issue is on your desk, at the top of your in-tray. It requires your attention and focus. The spectre of a cyberattack can provoke unease and concern. According to the World Economic Forum, iii ■ NAVIGATING THE DIGITAL AGE “[cyberattacks] have been rising in both fre- hub and centre of expertise for cybersecurity quency and scale. They have so far been isolat- in the Netherlands, a key figure in the op- ed, concerning mostly a single entity or coun- erational coordination at a major ICT crisis try, but as the internet of things leads to more and the computer emergency response team connections between people and machines, cy- (CERT) for the Dutch central government. ber dependency will increase, raising the odds The Centre for Cybersecurity Belgium now of a cyberattack with potential cascading ef- manages the country’s CERT under the au- fects across the cyber ecosystem. As a result, an thority of the Prime Minister. The CERT in entity’s risk is increasingly tied to that of other Luxembourg is a community of public and entities.” It is our duty as leaders to remain private sector expertise working together to calm and to work harder and smarter every improve the security of the nation. Each of day to protect our customers and citizens. these organisations is playing a vital role in At the most basic level, the job of leader- coordinating the response to a serious cyber- ship is to assess and respond to the strategic attack and helping citizens and organisations risks facing their organisations. Cybersecu- raise their security defences. rity is a paramount risk to virtually every EU-wide legislation is complementing business that has a digital connection to the country-specific efforts. The General Data outside world. How, then, does a board de- Protection Regulation (GDPR), when it velop the necessary skills to effectively assess comes into effect in May 2018, will require or- and respond to cybersecurity risk? New roles ganisations and businesses to do much more are emerging and boards must embrace a dif- to protect and secure the personal informa- ferent mix of skills. Boards must work with tion of European residents. The Network and people who can explain, in board-level lan- Information Security (NIS) Directive, which guage and tone, the most immediate risks, member states must implement by May 2018, and design strategies to manage these risks. aims to raise the cyber resilience of all EU Increasingly, boards and companies have a countries. It has security and incident noti- new, technologically-astute colleague who fication obligations for covered companies understands the nature of cyber risk, the as well as requirements for member states chief information security officer (CISO). It to adopt national NIS strategies. The GDPR is, therefore, the mission of the CISO to help and NIS Directive are important laws that boards understand the strategic cyber risks to can contribute to cybersecurity in the EU, their organisations. complementing the ongoing activities in the As a society, we bear a collective respon- Benelux countries. sibility for cybersecurity. Business leaders Security is no longer a ‘job on the side.’ must build solutions that prompt us in a Given the importance of securing the digital simple way to live and work securely, adopt- assets upon which society relies, cybersecuri- ing security by design and by default. Board ty is, and will continue to be, a top priority for members and corporate executives must en- boards and corporate executives.