What CIOs and CFOs Need to Know About Cyber Security

Published on March 17, 2014

Author: philipagcaoili

Source: slideshare.net

Description

IABIA and Kettering Executive Network Joint Briefing for the Atlanta CIOs

© 2012 Liberty Group Ventures. All rights reserved

What CIOs and CFOs need to know about Cyber Security
Phil Agcaoili
March 14, 2014

Special Thanks to Kiersten Todt and Roger Cressey

Isn’t this the same thing?
• Cyber Security
• Information Security

U.S. Cyber Security Defined

2 Questions:
• Are you U.S. Critical Infrastructure (CI)?
• Do you have physical or virtual systems and assets so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on
  – National security,
  – National economic security, and/or
  – National public health or safety?
(The second question restates the statutory definition of critical infrastructure in 42 U.S.C. § 5195c(e).)

16 DHS Critical Infrastructure Sectors

Framework Background
• Presidential Executive Order 13636 (2013)
  – Failure by Congress to pass cyber legislation
  – Unprecedented cyber threat environment
• Role of NIST
  – Operates under Department of Commerce
  – Develop industry-led voluntary framework
• Process
  – Ten months, five workshops, transparent process
  – 12,000 public comments adjudicated
  – Collaboration between NIST, White House (NSC), DHS, and private sector
http://www.nist.gov/cyberframework/

Framework Basics
• Core: Set of cybersecurity activities and informative references common across CI
  – Functions: the five top-level groupings of the Core, giving an overview of an organization’s management of cyber risk
  – Identify, Protect, Detect, Respond, Recover (IPDRR)
• Tiers: Mechanism to view an organization’s approach and processes for managing cyber risk, from ad hoc to fully integrated
  1. Partial
  2. Risk Informed
  3. Repeatable
  4. Adaptive
  – Tiers are not maturity levels, and Tier 4 is not the goal for every organization

Framework Basics (continued)
• Profiles
  – Alignment of IPDRR with business requirements, risk tolerance, and resources of organization
  – Current Profile: the outcomes the organization achieves today
  – Target Profile: the outcomes needed to meet its risk management goals
  – Comparing the two creates the gap analysis that drives a prioritized action plan
Creating a profile helps a company understand its dependencies with business partners, vendors, and suppliers.

What the Framework is Really About
• Creating a common language for cyber risk management
  – Maps each Core outcome to existing standards: COBIT 5, ISO/IEC 27001, NIST SP 800-53, CCS CSC, and ISA 62443
• Objective: Facilitate behavioral change in organizations
  – Treat cyber risk as a mission equal in priority to other corporate risk
• Intended for critical infrastructure owners and operators
  – Can/May be used by many others
• Applies market-driven approach to cyber risk management
  – Product of industry, not government
• Not one size fits all… user experience will vary

How much more do we have to spend? Why?

Implications of Framework
• Industry: Each Sector Will Define Adoption
  – Identify metrics for success
  – Facilitate information sharing within industry
  – Defining cost-effectiveness
• Role for insurance… finally?
  – Cyber Liability
  – Cyber Breach
• Business
  – Small (prioritize, develop risk management process)
  – Medium (grow risk management process)
  – Large (mature risk management process, share best practices and lessons learned)

Framework: The Way Ahead (continued)
• Industry
  – Adopt Framework by mapping it to existing risk management process and addressing gaps that are identified through profile development
  – Conduct training to “normalize” cyber risk behavior, including simulations and exercises with corporate leadership
  – Participate in additional workshops on implementation and areas for improvement
  – Feedback to government: lessons learned, what works, what doesn’t, what’s missing
  – Industry input will shape development of Framework 2.0
• Non-lifeline sector adoption
  – Retail, Manufacturing, Information Technology, etc.

Framework: The Way Ahead (continued)
• Government
  – DHS role evolving
  – Launched Critical Infrastructure Cyber Community (C3 or “C Cubed”) Voluntary Program
  – Providing managed security services to states and localities who adopt the framework: a good first step
  – Work with Sector Specific Agencies (SSA) in first year, expand to all CI business in future
  – Seeking input from small business on framework adoption
  – Working on evolving incentives
• International adoption… and overcoming the Snowden challenge
  – Need for US business with global presence to engage and facilitate

Framework: The Way Ahead
• NIST: Initial Areas for Further Work (the roadmap published alongside Framework version 1.0 in February 2014)
  – Authentication
  – Automated Indicator Sharing
  – Conformity Assessment
  – Cybersecurity Workforce
  – Data Analytics
  – Federal Agency Cybersecurity Alignment
  – Supply Chain Risk Management
  – International Aspects, Impacts, and Alignment
  – Technical Privacy Standards

Next Steps for You…
• Engage in Cybersecurity Framework development
• Increase senior leadership and board engagement on cybersecurity
• Promote and integrate the culture of cyber security
• Hire a CISO
• Have a plan
• Ensure Defensible Security Practices
  – Use the NIST Cyber Security Framework
  – Third Party Security
• Measure your security’s effectiveness
• Invest wisely

Communicating Cyber Security to All Levels
• Board: Getting hacked is not a matter of if, but when.
• Management: Security is a journey, not a destination.
• All: Security is everyone’s responsibility. Stop. Think. Connect.

Thanks

Phil Agcaoili
• Contributor, NIST Cybersecurity Framework version 1
• Co-Founder & Board Member, Southern CISO Security Council
• Distinguished Fellow and Fellows Chairman, Ponemon Institute
• Founding Member, Cloud Security Alliance (CSA)
• Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF)
@hacksec
https://www.linkedin.com/in/philA
