Published on March 17, 2014
© 2012 Liberty Group Ventures. All rights reserved
What CIOs and CFOs need to know about Cyber Security
Phil Agcaoili
March 14, 2014
Special Thanks to Kiersten Todt and Roger Cressey
Isn’t this the same thing?
• Cyber Security
• Information Security
U.S. Cyber Security Defined
2 Questions:
• Are you U.S. Critical Infrastructure (CI)?
• Do you have physical or virtual systems and assets so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on
  – National security,
  – National economic security, and/or
  – National public health or safety?
16 DHS Critical Infrastructure Sectors
Framework Background
Presidential Executive Order 13636 (2013)
• Failure by Congress to pass cyber legislation
• Unprecedented cyber threat environment
Role of NIST
• Operates under Department of Commerce
• Develop industry-led voluntary framework
Process
• Ten months, five workshops, transparent process
• 12,000 public comments adjudicated
• Collaboration between NIST, White House (NSC), DHS, and private sector
http://www.nist.gov/cyberframework/
Framework Basics
Core: Set of cybersecurity activities and informative references common across CI
Functions: Overview of organization’s management of cyber risks
• Identify, Protect, Detect, Respond, Recover (IPDRR)
Tiers: Mechanism to view approach and processes for managing cyber risk
1. Partial
2. Risk Informed
3. Repeatable
4. Adaptive
Tier 4 is not the goal for every organization
Framework Basics (continued)
Profiles: Alignment of IPDRR with business requirements, risk tolerance, and resources of organization
• Current Profile
• Target Profile
Profiles create gap analysis
Creating a profile helps a company understand its dependencies with business partners, vendors, and suppliers.
What the Framework is Really About
Creating a common language for cyber risk management
• COBIT 5, ISO/IEC 27001, NIST 800-53, CCS CSC, and ISA 62443
Objective: Facilitate behavioral change in organizations
• Treat cyber risk as a mission equal in priority to other corporate risk
Intended for critical infrastructure owners and operators
• Can/May be used by many others
Applies market-driven approach to cyber risk management
• Product of industry, not government
• Not one size fits all… user experience will vary
How much more do we have to spend? Why?
Implications of Framework
Industry: Each Sector Will Define Adoption
• Identify metrics for success
• Facilitate information sharing within industry
• Defining cost-effectiveness
Role for insurance… finally?
• Cyber Liability
• Cyber Breach
Business
• Small (prioritize, develop risk management process)
• Medium (grow risk management process)
• Large (mature risk management process, share best practices and lessons learned)
Framework: The Way Ahead (continued)
Industry
• Adopt Framework by mapping it to existing risk management process and addressing gaps that are identified through profile development
• Conduct training to “normalize” cyber risk behavior, including simulations and exercises with corporate leadership
• Participate in additional workshops on implementation and areas for improvement
• Feedback to government: lessons learned / what works / what doesn’t / what’s missing
• Industry input will shape development of Framework 2.0
• Non-lifeline sector adoption: Retail, Manufacturing, Information Technology, etc.
Framework: The Way Ahead (continued)
Government
• DHS role evolving
  – Launched Critical Infrastructure Cyber Community (C3 or “C Cubed”) Voluntary Program
  – Providing managed security services to states and localities who adopt the framework - a good first step
  – Work with Sector Specific Agencies (SSA) in first year, expand to all CI business in future
• Seeking input from small business on framework adoption
• Working on evolving incentives
• International adoption… and overcoming the Snowden challenge
  – Need for role of US business with global presence to engage and facilitate
Framework: The Way Ahead
NIST Initial Areas for Further Work
• Authentication
• Automated Indicator Sharing
• Conformity Assessment
• Cybersecurity Workforce
• Data Analytics
• Federal Agency Cybersecurity Alignment
• Supply Chain Risk Management
• International Aspects, Impacts, and Alignment
• Technical Privacy Standards
Next Steps for You…
• Engage in Cybersecurity Framework development
• Increase senior leadership and board engagement on cybersecurity
• Promote and integrate the culture of cyber security
• Hire a CISO
• Have a plan
• Ensure Defensible Security Practices
  – Use the NIST Cyber Security Framework
  – Third Party Security
• Measure your security’s effectiveness
• Invest wisely
Communicating Cyber Security to All Levels
• Board: Getting hacked is not a matter of IF, but When.
• Management: Security is a Journey. Not a Destination.
• All: Security is Everyone’s Responsibility. Stop. Think. Connect.
Thanks
Phil Agcaoili
• Contributor, NIST Cybersecurity Framework version 1
• Co-Founder & Board Member, Southern CISO Security Council
• Distinguished Fellow and Fellows Chairman, Ponemon Institute
• Founding Member, Cloud Security Alliance (CSA)
• Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF)
@hacksec
https://www.linkedin.com/in/philA