
Posted on 05-Oct-2020


Integrated GRC points of view: Operational Risk & Cyber Security Management

Gregorios Themistocleous

CISA, CRISC, ITIL

Head of Cyber Security Risk, Assurance & Compliance Services

ADACOM S.A.

But how?

Digital disruption is changing long-proven rules in every industry, as well as across all of society.

The past is no longer a predictor of the future, and this is a challenge for all of us schooled in the traditional ways of doing business.

Often organizations neglect the signs… The signs of a cyber breach can be very subtle, with several incidents happening at the same time. The cumulative effect on an organization can be huge:

• Advanced social engineering (e.g. spear phishing, watering-hole attacks)

• Sophisticated six-month intelligence gathering phase

• Full knowledge of enterprise weaknesses – people, process and technology

• Impacts business decisions, mergers/acquisitions, and competitive position

Value chain areas affected: Accounts payable, R&D, Supply chain, Sales

• Strategic manipulation of sales and email systems results in missed sales of -2% to 3% just prior to quarterly and annual reporting periods

• Supply chain and on-line ordering system manipulation leads to degradation of production and receivables collection, resulting in missed revenue projections of -2% to 3%

• Higher-profit areas and growth product development efforts are stolen, resulting in loss of sales and competitive edge, and royalty payments to nation-state companies

• Periodic accounts payable fraud causes US$ millions in lost income per year

• Mass release of privacy data results in loss of public trust and additional legal cost

…which impacts the entire value chain

2017 ISACA Research: Better Tech Governance Is Better for Business


Cybersecurity must be on the Board agenda …

• Treat cyber risk as part of enterprise risk management

• Prioritize the assets that need protection

• Match cybersecurity to your strategy

• Discuss cyber risks in the language of business, not IT

Integrated Governance, Risk & Compliance

Risk domains covered by an integrated GRC view:

• Operational Risk Management

• AML

• Fraud

• Cyber Security

• IT Risk

• Model Risk

• Legal Risk

• Conduct Risk

• Third-party Risk

Source: Chartis Research, December 2015

ADACOM’s Governance, Risk & Compliance experiences

• Expanding operational risk to include cyber security

• Cyber security and operational risk functions need a common language

• Connect the technical aspects of cyber security with the people and process risks that operational risk is designed to monitor and control

• Top-down governance processes and board-level involvement

• Technology and data are a source of risk but can also be a part of the solution

• Let’s start treating data as a strategic asset

• Build an acceptable data use culture, build company norms

UNITED KINGDOM – London: 88 Wood St., Barbican EC2V 7RS, London. Tel: +44 (0) 203 126 4590

GREECE – Athens: 25 Kreontos St., 104 42 Athens. Tel: +30 210 5193740

ISRAEL – Tel Aviv: 16th Ha'Melacha St., 48091 Rosh Ha'Ayin. Tel: +972 74 7019424

SERBIA – Belgrade: Omladinskih Brigada 90v, 11070 Airport City. Tel: +381 11 3219425

CYPRUS – Nicosia: 7 Florinis Str., 1065 Nicosia. Tel: +357 99318516

Thank you