1. Cyber Security for Small Business
Dr. Shawn P. Murray, C|CISO, CISSP, CRISC, FITSP-A
Information & Cyber Security Risk

2. Information & Cyber Security Risk
Agenda
Industry and Competitation
Leadership and Organizational Culture
Identification
Current Trends in Information and Cyber Risk
The Role of the CISO
Current Trends in Business Leadership
Training and Awareness
✓
6
5
4
3
2
1
Conclusion & Questions
7
8
✓
✓
✓
✓
✓
✓
✓

3. Identification
“Cyber” is the new buzz word…….
Information & Cyber Security Risk
Identify Critical PersonnelIdentify Critical Data & Information
What resources are critical to
keeping your business running?
Power & Other Utilities
Supplies
Materials
Production Facilities
Be sure to have alternative ways
to address shortfalls.
Tech Power
Alternate supply vendors
Futures
Alternate transportation methods
Identify Critical Resources
321
These people have special
knowledge or skills that are
crucial to your business.
R&D Engineers
Payroll
Systems/Network Admins
Different by Industry
Who can do the job if you lose
someone?
Cross train skill sets
Alternate positions
Have continuity artifacts
Have primary & secondary
What is your business? What
information keeps you
competitive in your industry?
R&D for products
Recipes & formulas
Metrics Data
Production efficiencies
Marketing strategies
Business Intelligence
This is where you should focus
most of your resources.
Restrict access
Protect data & information
Do systems need to be
connected to the network that is
connected to the internet?

4. Current & Most Trending Information and Cyber Risks Today
All software should be assessed
Commercial off the Shelf
In house developed
3rd Party developed
Open Source
Software as a service
What you should look at
Assess supply or development change for vendors
Assessment of product
Read contracts and maintenance agreements
Vulnerability management
Software Assurance
Malicious Insider
Disgruntled Employees
Financial Hardship
Competitors
 Want to do harm
 Want to steal for profit
Accidental Insider
Exhibits Bad Habits
Phishing
Opens malware and bad links
Poor password practices
 Change Culture
 Training
 AUPs
 Assessment
Insider Threat 1 2
Information & Cyber Security Risk

5. Questions to ask
What is being stored in the
cloud?
What does the security look
like?
Who owns the data?
Who is responsible for a
breach?
Review contractual language
and SLAs.
VMs – How are the sessions
protected?
Cloud & VM 3 Internet of Things (IoT) BYOD4 5
Current & Most Trending Information and Cyber Risks Today
Information & Cyber Security Risk
Questions to ask
What framework are you using
to manage environment?
What devices are connected
and manageed?
Who has visibility inside and
outside your business?
Have you assessed for
vulnerabilities?
NOTE: 2.8 Mobile devices exist
for every person on the planet!
This number will double by
2020!
Questions to ask
What is the device connection
and approval process?
Do you have a baseline
configuration & security baseline?
Do you parse the business data
from the personal data?
What are the rules for end of life
and upgrades?
What is the incident response
and breach notification process
for lost or stolen data or the
device itself?

6.  Operations and Sustainment
• Defense in Depth (hardware, software)
• Vulnerability Management
 Malware categories have increased – very complex
 Patches should be texted before being deployed
• Configuration and Change Management
• Sound CERT and Incident Response capability
• System Engineering Projects
• Continuity & Disaster Recovery
Information & Cyber Security Risk
Current & Most Trending Information and Cyber Risks Today

7.  Information and Cyber Security Culture
– Needs to be supported by executive leaders
– Middle managers should understand
executive strategy related to security risks
– All leaders should participate and let
employees see it
– All employees should understand the culture
Information & Cyber Security Risk
Leadership and Organizational Culture

8. Your Logo
Current Trends in Business Leadership
Chief Operations Officer (COO)
- Number 1 C-level position cut in large business
 Executive VPs and Business Unit Managers
picking up more responsibilities
Chief Information Officer (CIO)
- Number 2 C-level position cut in large business
 Being replaced or combined by CSO/CISO
Information &
Cyber Security Risk

9. The Role of the CISO
Information & Cyber Security Risk
•Responsible for Information and Cyber Security
Guides the organizational security culture
Works with all business units
Works with HR, Legal, Public Affairs and Physical Security
Advises C level leaders and Board of Directors
Understands the risks based on their industry
Operational security risks
Administrative security risks
Communicates technical requirements into business terms
Expected to be very knowledgeable
Regulatory compliance (State, Federal, International)
Trends and Opportunities
Security & Risk frameworks
ISO 27000 & 31000, COBIT 5, NIST 800-37, ITIL

10. Training and Awareness
Information & Cyber Security Risk
NOTE: It is very important to relate some of the training and awareness toward real world examples that
are specific to your industry for better effectiveness.
All employees should attend initial and periodic information & cyber security awareness training.
All privileged users should be identified and trained in their specialty as well as their computing environment.
All managers should attend security awareness training geared towards the organization as a whole
Specialty training and certification should be identified for specific roles to reduce risky behaviors
Training is Geared Towards Audience
Face to Face
Computer Based
External training providers (classes, conferences, or hired training professionals)
On the job or mentoring
Training Methods
Develop methods to make employees aware of information and cyber security risks.
Internal phishing campaigns
Posters in common or public areas (change them periodically)
News letters and announcements – be creative!
Awareness
1
2
3

11. Industry and Competitation
Information & Cyber Security Risk
Look at procurement strategies and trusted vendor
relationships.
Communicate with other business units to ensure
consistency in security risk management
Information and cyber security should be represented
and managed in all projects.
What are your
competitors
doing?
Align security
risks to business
strategy!
Learn from
someone elses
mistakes!

12. • Information and Cyber Security
 Has never been as important as it is today
 New technologies like IoT & Cloud Computing & VMs
are driving innovation for business and adding risk
 CSOs & CISOs are steering culture and managing risk
 Training and Awareness as part of the culture
 Understand how to align & balance Information & Cyber
Security to your businesses overall business strategy
Information & Cyber Security Risk
Conclusion

13. THANK YOU!
Questions?