Good morning. It's a great pleasure to be here with you today. For more than 15 years I have worked for the Central Bank of Armenia, but I also cooperate with the IMF and the World Bank as a cybersecurity expert for banking regulation and supervision. I would like to identify if I have some colleagues here from the financial sector. Anyone? One colleague, I need your support. And what about auditors? Do we have auditors in this room? A few auditors. Do we have IT auditors in this room? A few. Good. Although this is about cybersecurity governance, I'll also talk about how to audit cybersecurity governance.
The question is how to put this elephant in the fridge, because the previous presenters already talked about very important things like cybersecurity hygiene and data analytics, but the question which is one of the most important ones is about the people who are sitting in the highest positions. Are they able to make good decisions on how to govern cybersecurity? Because we can have state-of-the-art systems.
We can have lots of, I don't know, new technologies, but we also need to have appropriate knowledge at the highest level, I mean at the board level, to govern cybersecurity. This presentation is like 18 plus, there are some bad words in it, but I think it's okay. We do not have any teenagers here. So cybersecurity: the term cyber sounds very sexy and lots of people are using cybersecurity instead of information security or data security or IT security. And for some of them it's the same.
Currently there are debates on whether cybersecurity is the same as information security, and next week I'm traveling to Luxembourg to take part in another meeting, where we are starting right there to identify if people understand the term cyber in the same way. I do not like to stop here and talk about that. But I would like to ask if you know Dan Ariely. Anyone knows the famous professor? He's a very famous professor, he works at Duke University.
And once he said the following. I don't like to read, but I would like to ask you to read it, and I can change just one small word, big data, and say exactly the same for cybersecurity. We are talking a lot about cybersecurity, mainly about technical things. We are putting lots of effort into hygiene, which is very important, but we also need to have appropriate knowledge at the highest level, people who can show us where to go. This is my definition just for this conference.
Next, this is the agenda. I'm going to talk about the problem, management expectations from cybersecurity, cybersecurity governance, challenges, key risks. And later on I'll give you some links to frameworks and how internal audit can audit cybersecurity governance, or use a maturity model to assess the maturity. Because if something is not mature enough, there is no need to audit it; you cannot create any value, because the main objective of internal audit is to create value so that cybersecurity works as needed. Yeah.
One more question: who knows about Peter Morris? A very famous guy, previously one of the partners of KPMG, and once he said that IT governance aspects of corporate governance are one of the things that CEOs, unfortunately lots of CEOs, think they don't have to understand until it bites them. This is a really painful reality.
And I can once again change just one small word, replace it with cybersecurity, and say exactly the same: until our companies fail after cybersecurity attacks or something else, our CEOs, or maybe higher decision makers, do not pay enough attention to those issues. So what does management expect from cybersecurity? What does management expect on how to govern cybersecurity?
Well, I think, for example in the public sector, in the financial sector, in other sectors, our board members are mainly from the economy field or from, I don't know, law; their background is economics, finance, law. Do they really understand cybersecurity? Can they really manage and govern cybersecurity? How to be sure everything works as needed? Okay, we have cybersecurity hygiene, but who should give us assurance that the hygiene is there and works properly, works as needed? Next question: how to measure results. Okay, everything is there. We know everything works.
We would like to be sure. I'm the responsible decision maker; I need to be sure that everything works as needed, and how to measure those results.
So for lots of decision makers, I mean high-level officials, cybersecurity is still a black box and they are sometimes afraid to make decisions. And they're pushing these decisions to be made by the CISO or CIO or some other lower-level managers. What is cybersecurity governance? Who can help me to define what cybersecurity governance is? When you say cybersecurity governance, what are the key components of cybersecurity governance? Any thoughts? Who knows this beautiful lady?
Please.
Most of you. And what do you think?
What kind of connection do we have between Angelina Jolie and cybersecurity? Zero connection? What do you think, if you Google Angelina Jolie, how many records will you get from Google? Just guess. 2 million? 5? Please. How many? 82 million records. But if you Google cybersecurity, Google gives you 93 million records. And as I said, lots of people are Googling cybersecurity. If you add these two numbers, it gives you some idea that currently our CISOs, CEOs, or maybe our board members, are Googling cybersecurity more than Angelina Jolie.
In my age, when the internet just became very popular, people were looking for Angelina or Brad Pitt or someone else much more than cybersecurity, but cybersecurity is now a first key priority for any CEO, I think for any board member who is responsible for cybersecurity.
So what is cybersecurity governance? I would like to share with you the IT governance definition, which comes from the IT Governance Institute. And once again, we can change just one word, IT governance, and put in cybersecurity.
And it will exactly define what cybersecurity governance is and what the most important components of cybersecurity governance are. It is an integral part of corporate governance. It consists of leadership, which is the most important part, and also organizational structure. You should have an appropriate organizational structure. Without that, it doesn't matter what kind of state-of-the-art technologies you have there; they cannot help you to survive in this digital era. And also appropriate processes; appropriate processes should be in place for cybersecurity.
So if I try to just visualize this: enterprise governance is our roof, and IT governance is one of the cornerstones, cybersecurity governance is the second one, et cetera, et cetera.
So without the roof, whatever you have inside the room... imagine we are building a new house without a roof. If we do something here, if we have the most expensive furniture here, just after the first rain it'll be destroyed. So if you do not have appropriate corporate governance or enterprise governance, we cannot talk about cybersecurity governance. Key risks: cybersecurity is a technical issue.
I heard this from lots of CEOs, from lots of governors. From my experience I can say, I'm traveling a lot, mainly in undeveloped countries or developing countries in Africa, Asia, in the Pacific, and my main business area is finance. I have lots of experience talking with the governors of the central banks, the CEOs of the commercial banks. And most of them are thinking exactly like this: they know that cybersecurity is very important, but they think, you know, cybersecurity is a technical issue.
We do not understand cybersecurity. Next is: that's why we have someone responsible for cybersecurity. We have a CISO and it's his or her responsibility to take care of cybersecurity. Or: we have state-of-the-art systems. What if you have the S-Class Mercedes-Benz in your garage and you do not know how to drive? So you have state-of-the-art systems, but you don't know how to use them. And finally: we are not interesting for hackers. This is also a stupid approach to dealing with cyber, with everything.
I guess some of you may have watched this video.
This is a very typical, painful reality. Some governors I met with are emphasizing that, you know, we are doing penetration testing every year and we are quite safe. Here is the reality of penetration testing. Look at this, it is very typical.
I was sitting in a committee where penetration testers were presenting the results. You know, when we are asking penetration testers to come and penetrate us, we think our risks are here, and if they can give something about this sphere, then we are totally safe. So penetration testing is one of the controls.
Okay, you can do that, but it's not enough.
So, cybersecurity frameworks. There are several cybersecurity frameworks; I'm more than sure that you may know about them. The first is the NIST Cybersecurity Framework, which is universal; you can use it for any sector. The second one is the G7 eight elements for cybersecurity. This is a very high-level framework, which is also acceptable, and you can easily use it in different sectors. And the final one is the FFIEC, which stands for Federal Financial Institutions Examination Council, Cybersecurity Tool.
This is designed specifically for the financial sector. Although there are five main areas, you can use one of them for your particular business. So, maturity model: what is maturity? Maturity lets you know where you are now. Because, as I said, if your company is not mature enough, then doing an audit will not create any value. So if you know where you are, you can say, okay, tomorrow or after five years I would like to be there. But if you do not know where you are right now, it's very difficult to say what your vision is.
So the FFIEC cybersecurity maturity framework gives you a very easy tool to assess your maturity. There are five domains and there are five maturity levels.
You can assess your current maturity and match your expectations.
This is the assessment. And after the assessment, it gives you something like this.
For every domain there are assessment factors and there are also components. For example, in the governance domain you have oversight, you have strategy, policies, et cetera. So after assessing, you'll see there should be lots of green areas, red areas or yellow areas. Whenever you have less than yellow, let's say, which is less than 50%, it means you have to work more effectively in that area.
So before the maturity assessment, your company looks like this, and you cannot say if the next second your boat is under the water or in the water, but after the maturity assessment your company more or less looks like this, because you already know where risks come from and you can implement appropriate controls to mitigate those risks. So as a summary: cybersecurity governance is an integral part of corporate governance.
Once again, if there is no roof, there is no need to buy the most expensive furniture. Cybersecurity governance is a broad and complex topic.
Yes, we need to have appropriate knowledge in the boardroom to make good decisions for our companies, and clearly defined roles, responsibilities and accountability. Accountabilities are key components of cybersecurity governance. And finally, the most important is also audit or assurance: who is giving us assurance that cybersecurity is in place? So cybersecurity governance is a journey, but who should decide right now? It's a journey, we are here. Should I go straight, left or right? This is the question. And who should answer this question? Thanks so much. Thank you.