THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS NAVIGATING T HE D I G I TA L AG E EXCERPT OF CHAPTER BY RIA THOMAS SECOND EDITION Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers Second Edition Excerpt of Chapter 20 Publisher: Palo Alto Networks Editors: Aleksandra Miljus, Mike Perkowski, and Al Perlman. Copy Editor: Rupal Shah Design and Composition: Tim Heraldo and Jeffrey Rennacker Produced With Grateful Thanks to: Kristen Batch, Deirdre Beard, Paul Calatayud, Christopher Coccagna, Elizabeth Cockett, John Davis, Greg Day, Sean Duca, Karine Gidali, Rick Howard, Danielle Kriz, Dana Loof, Rossana Monzon, Sean Morgan, Aryn Pedowitz, Michaline Todd, Alison Varela, and Sara Verri. Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers, Second Edition is published by: Palo Alto Networks, 3000 Tannery Way, Santa Clara, CA 95054, USA Phone: +1 408-753-4000 | www.navigatingthedigitalage.com First published: 2018 © September 2018 Cover Illustration by Tim Heraldo Copyright in individual chapters rests with the authors. No photocopying: Copyright licenses do not apply. © 2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/ company/trademarks.html. © 2018 NYSE Group, Inc. All rights reserved. New York Stock Exchange and NYSE are trademarks of NYSE Group, Inc. or its affiliates. For more information regarding registered trademarks see: www.intercontinentalexchange.com/terms-of-use. Disclaimer Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers, Second Edition contains summary information about legal and regulatory aspects of cybersecurity governance and is current as of the date of its initial publication May, 2018. Although the Guide may be revised and updated at some time in the future, the publishers and authors do not have a duty to update the information contained in the Guide, and will not be liable for any failure to update such information. The publishers and authors make no representation as to the completeness or accuracy of any information contained in the Guide. This guide is written as a general guide only. It should not be relied upon as a substitute for specific professional advice. Professional advice should always be sought before taking any action based on the information provided. Every effort has been made to ensure that the information in this guide is correct at the time of publication. The views expressed in this guide are those of the authors. The publishers and authors do not accept responsibility for any errors or omissions contained herein. It is your responsibility to verify any information contained in the Guide before relying upon it. GLOBAL CYBERSECURITY EDUCATION FUND Navigating the Digital Age, Second Edition, is published by Palo Alto Networks. As a company, alleviating the problem of cybercrime is at the heart of everything we do. Our goal is to offer cybersecurity education and training to students of all backgrounds around the globe through the Global Cybersecurity Education Fund. Which is why every action we take, and your readership of this book, gets us one step closer to our mission—protecting our way of life in the Digital Age. Preface From the Editors Welcome to the all-new second edition of threat and risks. Part 2 emphasizes lessons Navigating the Digital Age. We emphasize from today’s world, and Part 3 is designed “all new” because none of the content in to help you ensure you are covered today. this edition is repetitive of what was writ- Each part has its own flavor and personal- ten in the first edition. How could it be? ity, reflective of its goals and purpose. Part The first edition was published three years 1 is a bit more futuristic, Part 2 a bit more ago. Welcome to the Digital Age, where experiential, and Part 3 a bit more practical. three years feels like a millennium. We hope you find each to be thought-pro- This edition brings together more than voking and valuable. 50 leaders and visionaries from business, One of the pleasant surprises we dis- science, technology, government, aca- covered in editing these chapters was how demia, cybersecurity, and law enforce- seamlessly and, at times, brilliantly our ment. Each has contributed an exclusive authors were able to connect the business chapter designed to make us think in and technology challenges of cybersecurity to depth about the ramifications of this digi- the broader issues facing the world at large. tal world we are creating. But, in retrospect, we probably shouldn’t An important focus of the book is centered have been surprised. After all, what makes on doing business in the Digital Age—par- this book so necessary and, we hope, so ticularly around the need to foster a mu- compelling is the reality that digital tech- tual understanding between technical and nologies are completely embedded in ev- non-technical executives when it comes to the ery aspect of our lives. And, as you will existential issues surrounding cybersecurity. discover in the pages ahead, we’re still only This book has come together in three at the beginning of our journey in navigat- parts. In Part 1, we focus on the future of ing the Digital Age. Unless otherwise stated, all $ amounts are in U.S. dollars. vii Table of Contents vii Preface Part 1 – The Future of Threat and Risks Introductions 5 1. Prologue Tom Farley — Former President, New York Stock Exchange 7 2. To Protect Our Way of Life in the Digital Age, We Must Reach for a Cybersecurity Moonshot Mark McLaughlin — Vice Chairman, Palo Alto Networks Seizing the Opportunities, Understanding the Challenges 15 3. Why Our Digital DNA Must Evolve—Quickly Salim Ismail — Founder, ExO Foundation; Board Member, XPRIZE 21 4. The Exhilarating, Exciting, and Sobering World of the Internet of Things: Imagine the Opportunities, and Realize the Risks Jennifer Steffens — Chief Executive Officer, IOActive 27 5. How Data Grids Will Power the Economy and Influence Our Future Rama Vedashree — Chief Executive Officer, Data Security Council of India 35 6. The Future of Cloud Ann Johnson — Corporate Vice President, Cybersecurity Solutions, Microsoft Why and How We Must Change Our Roles and Behaviors 43 7. Understanding the Exciting, Exponential, and Terrifying Future of Cybersecurity Marc Goodman — Author and Global Security Advisor 51 8. Dealing With the Evolving Adversary Mindset James C. Trainor — Senior Vice President, Cyber Solutions Group, Aon 59 9. The Evolving Role of the CISO: From Risk Manager to Business Enabler Justin Somaini — Chief Security Officer, SAP ix 65 10. Cybersecurity and the Board: Where Do We Go From Here? Mario Chiock — Schlumberger Fellow and CISO Emeritus, Schlumberger How Work Requirements and Ethical Responsibilities Come Together 75 11. Cybersecurity and the Future of Work Gary A. Bolles — Chair, Future of Work at Singularity University; Co-founder, eParachute.com; Partner, Charrette; Speaker and Writer 83 12. The Ethics of Technology and the Future of Humanity Gerd Leonhard — Author; Executive “Future Trainer;” Strategist; Chief Executive Officer, The Futures Agency Part 2 – Lessons From Today’s World Introductions 95 13. If You’re Not Collaborating With Colleagues and Competitors on Cyber Threat Intelligence, Beware: The Bad Guys Are Way Ahead of You Sherri Ramsay — Cybersecurity Consultant; Former Director of the U.S. National Security Agency / Central Security Service Threat Operations Center 101 14. Compliance Is Not a Cybersecurity Strategy Ryan Gillis — Vice President for Cybersecurity Strategy and Global Policy, Palo Alto Networks Mark Gosling — Vice President, Internal Audit, Palo Alto Networks Cybersecurity Awareness, Understanding, and Leadership 109 15. Security Transformation As a Business Imperative John Scimone — Senior Vice President and Chief Security Officer, Dell 115 16. The Importance of Cybersecurity Preparation and Leadership Stephen Moore — Vice President and Chief Security Strategist, Exabeam 121 17. Data Manipulation, Law Enforcement, and Our Future: Seeking to Build Trust in Our Digitally Connected Systems Dr. Philipp Amann — Head of Strategy, Europol’s European Cybercrime Centre (EC3) The Convergence and Divergence of Compliance and Cybersecurity 131 18. Why Secure Availability—Not Compliance—Should Be Every Business Leader’s Goal Danny McPherson — Executive Vice President and Chief Security Officer, Verisign x Table of Contents 139 19. Enabling the Digital Revolution in Europe: Building Effective Cybersecurity Policy Through Trust and Cooperation Michal Boni — Member, European Parliament 145 20. Beyond Compliance: The Human Element of Cyber Resilience Ria Thomas — Partner and Global Co-Lead for Cybersecurity, Brunswick Group 151 21. Why Corporate Governance Matters So Much in Cybersecurity Paul Jackson, GCFE — Managing Director, Asia-Pacific Leader, Cyber Risk, Kroll Part 3 – Make Sure You’re Covered Today Introductions 161 22. Welcome to the Frontlines of Business and Cybersecurity Pablo Emilio Tamez López — Chief Information Security Officer, Tecnológico de Monterrey 165 23. In Today’s World, Every Company Is a Cybersecurity Company Mark Anderson — President, Palo Alto Networks 169 24. How You Should Expand Your Cybersecurity Talent Pool: A Lesson of Supply and Demand Ed Stroz — Founder and Co-President, Stroz Friedberg, an Aon company Language 175 25. How to Articulate the Business Value of Cybersecurity Mark Rasch — Cybersecurity and Privacy Attorney 181 26. Language, Please: How You Talk to Boards and Executives Can Make or Break Your Cybersecurity James Shira 187 27. Using the Right Evidence to Make the Right Cybersecurity Decisions Mischel Kwon — Founder and Chief Executive Officer, MKACyber 191 28. Building Empathy and Trust Among CISOs and Business Leaders Brad Arkin — Vice President and Chief Security Officer, Adobe Table of Contents xi Strategy 197 29. To Get Ahead of Cybersecurity Threats, Focus on Preparedness and Sustainability Heather King — Chief Operating Officer, Cyber Threat Alliance Megan Stifel — Attorney; Founder, Silicon Harbor Consultants; Cybersecurity Policy Director, Public Knowledge 203 30.