8 Tough Questions Every CISO Should Be Ready to Answer

When a major security incident, such as the recent massive Equifax data breach, grabs headlines, CEOs start asking more questions about data security.

CISOs need to be thinking about their answers to critical questions the CEO is likely to pose.

Information Security Media Group asked seven security experts what questions they believe CEOs should be asking CISOs, and what information CISOs should arm themselves with to be prepared to provide answers. Following are eight questions and the experts’ suggested responses.

We have been investing in cybersecurity for a few years now. Would you say our organization is secure?

Israel Bryski, vice president, technology risk, Goldman Sachs: To pre-empt this question, the CISO should have a conversation early on with the CEO to determine the organization’s risk appetite. This will allow the CISO to align and prioritize security initiatives accordingly.

We are in the business of information and technology risk management, so the “Are we secure?” question is somewhat misguided. The question should be: “Are we managing risk according to our risk profile?” To answer this, the CISO should be able to easily demonstrate, based on a recent risk assessment, how the various cybersecurity initiatives and projects are in fact reducing risk, shrinking the attack surface of the organization and aligning the security program with the firm’s overall risk profile.

We have a board meeting next week. Can you talk about cybersecurity in a way they will understand?

Mischel Kwon, former director of US-CERT and deputy CISO for the Department of Justice; currently CEO of MKACyber: CISOs should be able to confidently say “absolutely” to this question. They should be able to speak with the board in a very businesslike way and articulate what they are doing with the company’s money and how they are protecting the company and its assets.

The key to being able to speak to the board is to base their program on a business-focused model. That business model shows their capability founded on their maturity, and that maturity is based on the probability of detecting specific types of attacks. These are the type of attacks that are most likely to happen to them, and this is the risk to the business, its goals and its reputation that these attacks bring.

Do you have enough money to do what you need to do?

Tim Youngblood, CISO, McDonald’s: Depending on where the CISO sits, this can be a hairy topic. It can be a difficult conversation to say “I’m not getting enough.” It’s not easy if the CIO is in the room.

The best way to answer that is, “We may have current risks we are really well-funded to address, but there may be future risks we’ll need to fund and we still have some work to figure that piece out.”

A CEO is not going to write you a blank check. The CEO is going to look at the CFO and CIO and say, “The CISO needs money. You take it out of your budget and make it happen.” There is not an extra pot of money waiting for anyone, so making the clear case for why it is needed is key.

Is this really worth the investment?

Heath Renfrow, CISO at U.S. Army Medicine: The best thing a CISO can do when asked this question is to have multiple options they can present to the CEO. Explain to them: Here’s the full issue. This is the total cost to fix this issue. This is what we believe the cost will be if this issue doesn’t go away and how much it will be should the vulnerability be exploited.

As an example, we didn’t know where our protected health information and personal identifying information resided across all systems when I first got to Army Medicine. It would be a huge HIPAA concern if we got hit on that, or if there was a leak or a violation. It could have cost millions of dollars and many jobs. I tied in the overall cost and broke it down to how much it would be per end-user device to address it, and it came out to about $3.43 per end-user device. Then I tied in all the results of HIPAA violations in the past few years and the fines associated with them. You get your senior leaders’ attention real quick with that approach.

Rick Howard, CSO, Palo Alto Networks, adds: Questions like this are sure to arise as corporate leadership attempts to understand the business risk associated with a cyberattack. As a result, CIO/CISOs should be prepared to explain the total cost of a potential breach. Everything from business disruption and loss of customers to consequential legal fees and remediation can rack up the bill more quickly than leadership may realize.

Read More: http://snip.ly/q0zie#https://www.bankinfosecurity.com/8-tough-questions-every-ciso-should-be-ready-to-answer-a-10357

Four years of the EU’s Cosmetics Product Regulation

It has been four years since the EU’s Cosmetics Product Regulation (Regulation EC No. 1223/2009), initiated in December 2009, became operational in July 2013. This regulation was considered path-breaking when it was introduced because of its comprehensive nature and the extent of the shift it signaled from the legislation it replaced. It was also considered extremely significant because it proposed a regulatory framework aligned with the most modern technologies and methods available at the time.

The regulatory modules structured into the EU’s Cosmetics Product Regulation contain important elements aimed at ensuring the safety of cosmetic products and the accountability of manufacturers, including:

o  Cosmetic Product Safety Report (CPSR)

o  Product Information File (PIF)

o  Responsible Person (RP)

o  Label information

o  Cosmetovigilance

o  Substance regulations

o  Claims, etc.

Compliance with the safety regulations set out in the EU’s Cosmetics Product Regulation is mandatory. This, though, is not easy, given the severe clauses the regulation contains for ensuring compliance. Compliance with the EU’s Cosmetics Product Regulation is challenging for the following reasons:

–       In-market control is assigned to EU Member State competent authorities

–       The flow of information between countries is interlinked by the Cosmetic Product Notification Portal (CPNP). The portal is fed by the mandatory pre-market notification of cosmetic products and by the ongoing cosmetovigilance procedures put in place under the respective provisions of the CPR

–       The central role in cosmetovigilance falls to the Responsible Person, while contact with manufacturers and responsible persons is assured by the product labeling provisions

–       EU and non-EU manufacturers of cosmetics, as well as the suppliers of cosmetic ingredients, are required to provide data on their chemicals

–       Compliance with the modules requires know-how, diligence and ongoing adjustment to the state of the art in knowledge and documentation.

More challenges

In addition, the EU’s Cosmetics Product Regulation presents more challenges for manufacturers of cosmetic products that want to market to any of the countries of the EU:

The EU’s Cosmetics Product Regulation is so expansive that it represents not only the entry requirements for marketing cosmetic products in the European Union, but also a model framework for many national legislations worldwide. These legislators may adopt either a few parts of the Regulation’s modules, or the structure of the Regulation or of its predecessor legislation, the Cosmetics Directive, in full. Therefore, companies need the knowledge and skills to comply both with the EU’s Cosmetics Product Regulation and with other regulatory frameworks.

There is yet another challenge to implementing the EU’s Cosmetics Product Regulation: the safety assessment. Complying with this part of the EU’s Cosmetics Product Regulation requires extensive knowledge and skill in a host of subjects such as toxicology, chemistry, cosmetology and microbiology, in addition to regulatory affairs and compliance management. This already tough provision has been made even tougher by the final implementation of the ban on animal testing that the EU introduced in March 2013.

As a result of this ban, considerable confusion exists about the interpretation of the compliance regulations in the various agencies and sectors that the compliance process has to pass through. Where alternative tests are carried out, they are not available for all of the toxicological endpoints that need to be assessed under the EU’s Cosmetics Product Regulation.

Clearing the confusion

This makes compliance with the EU’s Cosmetics Product Regulation as difficult and complicated as one can imagine. A two-day seminar from GlobalCompliancePanel, a leading provider of professional training for all areas of regulatory compliance, will offer clarity on the provisions of the EU’s Cosmetics Product Regulation. The complicated parts of the regulation, namely the regulatory modules, will be explained clearly.

The Director of this two-day seminar is Dr. Annelie Struessmann, who is the Technical & Regulatory Director with CONUSBAT Regulatory Services, a provider of internationalization compliance services for Cosmetics, Personal Care, Fine Chemicals and Borderline Industries.

To gain a better understanding of this regulation, please visit Four years of the EU’s Cosmetics Product Regulation to enroll. This seminar has been pre-approved by RAPS as eligible for up to 12 credits towards a participant’s RAC recertification upon full completion.

At this session, Dr. Struessmann will explain the provisions of the regulatory modules and supplement this with a description of the latest developments and research results. She will use these to show pathways towards compliance, drawing on practical examples and experience gained in performing the necessary compliance steps before and during the marketing of cosmetic products in the EU.