The Economy is reliant on the Internet The state of Internet security is eroding quickly. Trust in online transactions is evaporating, and it will require strong security leadership for that trust to be restored. For the Internet to remain the juggernaut of commerce and productivity it has become, it will require more, not less, input from security. PWC Global Cyber Security Survey 2008
Digital Immigrants need education more than Digital Natives • Demographers refer to the current K-12 cohort as the “digital natives” • The US workplace is mostly populated by “digital immigrants” • The current private sector is the part of national security most vulnerable to attack • The current workforce of “digital immigrants” will be in place for decades
President Obama’s Report on Cyber Security (May 30, 2009) The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights. President’s Cyber Space Policy Review, May 30, 2009 page iii Quoting from Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress November 2008
CURRENT ECONOMIC INCENTIVES FAVOR ATTACKERS • Attacks are cheap and easy • Vulnerabilities are almost infinite • Profits from attacks are enormous ($ 1 TRILLION in 08) • Defense is costly (Usually no ROI) • Defense is often futile • Costs of attacks are distributed
Financial Management of Cyber Risk It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts. President’s Cyber Space Policy Review May 30, 2009 page 15
Senior Executives ARE NOT analyzing Cyber Risk adequately There is still a gap between IT and enterprise risk management. Survey results confirm the belief among IT security professionals that Boards and senior executives are not adequately involved in key areas related to the governance of enterprise security. 2008 Carnegie Mellon University CyLab Governance of Enterprise Security Survey
Cyber RISK is not being Appreciated • 75% of US corporations do NOT have a Chief Risk Officer • 5% of US corporations report to the CFO on security risks • 65% of US corporations either do not have a documented process to assess cyber risk, or do not have a person in charge of the process (meaning they have no process) Deloitte “Enterprise Risk,” 2007
Communication Across Corporate Structures is Inadequate • Intra company communication on privacy and security risks was lacking. Only 17% of respondents indicated they had a cross organizational privacy/security team. • Less than half had a formal enterprise risk management plan. (47%) • 1/3 of those with a plan did not include IT-related risks in the plan. 2008 Carnegie Mellon University CyLab Governance of Enterprise Security Survey
Many Corp Info Security Budgets are DECREASING 47% of all enterprises are deferring or reducing future budgets for information security initiatives PricewaterhouseCoopers 2009 Global Information Security Survey
Problem is more than just “awareness” • 42% of survey respondents acknowledge that threats to information security are increasing • 52% acknowledge that cost reductions to info security initiatives will make adequate security more difficult PricewaterhouseCoopers Global Information Security Survey 2009
Financial Impact of Cyber Risk October, 2008
Design of ISA/ANSI Program • Open to all (Gov as well as industry), • No Charge to Participate • Cross sectors and departments • 7 full day working sessions over 2 years • Phase I (“Questions”) complete Nov 08 • Phase II (“Responses”) complete Dec 09 • “Red Teams” Review findings
ISA/ANSI Fund Financial Risk Management Program 42 Private Sector Organizations (volunteer), plus U.S. Department of Commerce U.S. Securities and Exchange Commission Department of Justice Department of Transportation National Credit Union Administration U.S. Cyber Consequences Unit U.S. Department of Homeland Security U.S. DHS – Science & Technology (S&T) Directorate U.S. DHS – National Cyber Security Division (NCSD) U.S. DHS – Office of Infrastructure Protection U.S. DHS – Policy Directorate California Office of Homeland Security Peace Corps
The need to understand business economics to address cyber issues If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk. President’s Cyber Space Policy Review May 30, 2009 page 18
The Economic Assessment of Cyber Security: 50 Questions for CFOs • Business Operations • General Counsel • Compliance Officer • Media (Investors and PR) • Human Resources • Risk Manager/Insurance
Calculate Net Financial Risk • Threat (frequency of the risk event: probability, or expected number of events per year) X • Consequence (severity of the risk event: possible loss from the event) X • Vulnerability (likelihood, or % of damages actually realized, given mitigation actions) MINUS • Risk Transferred (e.g. insurance) = • NET FINANCIAL RISK
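The formula above is easy to state but is usually applied to one event at a time. The following is an added worked example, not code from the ISA/ANSI program or the deck: it applies Threat X Consequence X Vulnerability MINUS Risk Transferred across a small register of events, and then reuses the same calculation to answer the "is there an ROI on defense?" question by comparing net risk before and after a control. The per-event insurance structure (a deductible and a per-event limit), the `RiskEvent`/`Policy` names, and every dollar figure and frequency are constructed assumptions for illustration.

```python
"""Net financial risk per the slide formula, summed over a risk register.

Net = Threat x Consequence x Vulnerability - Risk Transferred, per event.
The insurance model (per-event deductible and limit) and all figures below
are constructed assumptions for this example, not data from the deck.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class RiskEvent:
    name: str
    threat: float         # expected events per year (frequency)
    consequence: float    # dollar loss if the event fully succeeds
    vulnerability: float  # fraction of the consequence realised given current controls, 0..1


@dataclass(frozen=True)
class Policy:
    deductible: float     # per-event retention (assumed policy structure)
    limit: float          # per-event payout cap (assumed policy structure)


def gross_annual_loss(event: RiskEvent) -> float:
    """Threat x Consequence x Vulnerability: expected annual loss before any transfer."""
    return event.threat * event.consequence * event.vulnerability


def transferred_annual(event: RiskEvent, policy: Optional[Policy]) -> float:
    """Expected annual insurer payout for this event (the 'Risk Transferred' term).

    A loss below the deductible transfers nothing; a loss above the limit is capped.
    """
    if policy is None:
        return 0.0
    per_event_loss = event.consequence * event.vulnerability
    payout = min(max(per_event_loss - policy.deductible, 0.0), policy.limit)
    return event.threat * payout


def net_financial_risk(events: Iterable[RiskEvent], policy: Optional[Policy] = None) -> float:
    """Sum of (gross - transferred) over every event in the register."""
    return sum(gross_annual_loss(e) - transferred_annual(e, policy) for e in events)


def with_control(events: Iterable[RiskEvent], new_vulnerability: Dict[str, float]) -> List[RiskEvent]:
    """Copy of the register with vulnerability lowered for the named events (the control's effect)."""
    return [
        RiskEvent(e.name, e.threat, e.consequence, new_vulnerability.get(e.name, e.vulnerability))
        for e in events
    ]


def control_roi(events: Iterable[RiskEvent], policy: Optional[Policy], annual_cost: float,
                new_vulnerability: Dict[str, float]) -> dict:
    """Net risk before and after a control, and its ROI measured on the post-insurance basis.

    Note that a control which only shrinks losses the insurer would have paid
    shows a smaller reduction here than on the gross figure.
    """
    events = list(events)
    before = net_financial_risk(events, policy)
    after = net_financial_risk(with_control(events, new_vulnerability), policy)
    reduction = before - after
    return {"before": before, "after": after, "reduction": reduction,
            "roi": (reduction - annual_cost) / annual_cost}


# Constructed sample register; the figures are illustrative only.
REGISTER = [
    RiskEvent("customer data breach", threat=0.5, consequence=4_000_000, vulnerability=0.4),
    RiskEvent("ransomware outage", threat=2.0, consequence=500_000, vulnerability=0.3),
    RiskEvent("insider trade-secret theft", threat=0.2, consequence=2_000_000, vulnerability=0.6),
]
POLICY = Policy(deductible=250_000, limit=1_000_000)


if __name__ == "__main__":
    for e in REGISTER:
        print(f"{e.name:28s} gross {gross_annual_loss(e):>12,.0f}"
              f"  transferred {transferred_annual(e, POLICY):>12,.0f}")
    print(f"net financial risk: {net_financial_risk(REGISTER, POLICY):,.0f}")
    r = control_roi(REGISTER, POLICY, annual_cost=150_000,
                    new_vulnerability={"customer data breach": 0.2, "ransomware outage": 0.15})
    print(f"control cuts net risk by {r['reduction']:,.0f}; ROI {r['roi']:.2f}")
```

With the constructed figures the register carries $1.34M of gross annual loss, of which $690K is transferred, leaving $650K net; the ransomware line transfers nothing because its expected per-event loss sits under the deductible. A $150K/year control that halves the breach and ransomware vulnerabilities cuts net risk by $325K, so it does have a positive ROI on these numbers, but less than the gross reduction would suggest, because part of what it prevents was already the insurer's exposure.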
Sample Questions: Legal • Have we analyzed our liabilities? • What legal rules apply to us or to third parties? • Are we vulnerable to class action/shareholder suits? • What is our legal exposure to government investigations? • Do our contracts protect us enough? • Do multi-state laws apply? • Are we exposed to trade secret theft?
Sample Questions: Compliance • Inventory of applicable regulations? • Where is our “regulated” data? • Valid reasons for holding all our data? • Policies & procedures documented? • Can we opt out of regulatory requirements? • Are we tracking compliance? • Are we reviewing and updating privacy compliance?
Sample Questions: Risk Manager/Insurance • Are we insured for this? (probably not) • What can we get insurance for? • What is the D&O exposure? • Where can we find cyber insurance, and what does it cover (and what doesn’t it cover)? • What’s the cost/benefit of insurance? • How do we evaluate policies?
Sample Questions: Business Operations • What’s our single biggest vulnerability? • How long would we be down? How quickly do we need to be back up? • Are we complying w/ SoA standards? • Are we properly staffed? • Have we assessed physical security? • Incident response/continuity plans? • Risk exposure from vendors? • How often do we re-evaluate risks?
Sample Questions: Media/Crisis Management Team • Do we have segmented responses for all stakeholders? • Documented crisis communication plan? • Identified and trained all who need to be? • Have the external contacts we need? • Have we run a mock trial? • Are we budgeted for a crisis?
Sample Questions: Human Resources • Does everyone understand our $ risk? • Do we attract/retain the right personnel? • Do we provide training to mitigate risk? • Is the org structured for teamwork? • Do we audit network access (esp. at termination)? • Do we address social networking & public sites? • Does the HR assessment include cyber security? • Is the discipline policy adequate for monitoring?
PROPOSAL • Build a grounded Enterprise Education program consistent with Cyber Space Policy Review • Based on 2-years open forum of industry and government • Initial 2-year program completed and funded by ISA and ANSI • DoC fund final development and testing
Three Phase Program • Phase I: take 50 Questions and 60 Responses documents and reformulate into enterprise training program • Phase II: Beta test Enterprise Education Program w/multiple methods and Evaluate • Phase III: Final National Roll Out using most cost effective model
Deliverables • Quarterly Status Updates • Final Business Plan & launch of Phase II 12 months from approval • Pilot strategy report 10 days after beginning of Phase II • Metrics on overall effectiveness 12 months following the beginning of Phase II • Modified Program based on Phase II results 12 months from the beginning of Phase II
Phase III National Roll Out • Dependent on Phase II Results & metrics • Final Business Plan and Implementation 10 days after contract signing for Phase III • Quarterly Reports • Final Summary and Evaluation 36 months following beginning of National Roll Out
Budget Phase I - Design and development of a comprehensive business plan • Integrates 2008 and 2009 ISA/ANSI Financial Risk Management Reports (50 Questions for corporate CFOs and Responses) into technical course development • Includes various management and direct costs • Projected cost - $300,000