A Holistic Approach to Cyber Security: Reduce the gap between your tools and your strategy - PowerPoint PPT Presentation


SLIDE 1

A Holistic Approach to Cyber Security

Reduce the gap between your tools and your strategy.

July 23, 2019

SLIDE 2

Today’s Presenters - A Holistic Approach to Cyber Security

Steve Roesing President, CEO, ASMGi

sroesing@asmgi.com

Frank Yako CIO, Director of Strategic Initiatives, ASMGi

fyako@asmgi.com

2

SLIDE 3

7/23/2019


What If There Was A Way To Develop Your Cyber Program, such that …

• The business understands what, when and why you are implementing solutions

• You determine what an appropriate budget is for the enterprise, versus being told how much budget you’ll get to protect the organization

• Each implemented solution achieves a return on its own, PLUS works well with current solutions and contributes to a larger eco-system (the whole is greater than the sum of the parts)

SLIDE 4


Total Solution = People + Process + Technology

A Holistic Approach to Cyber Security

SLIDE 5


A Holistic Approach to Cyber Security

Total Solution = 3 Pillars

SLIDE 6


Way of thinking…

• The Holistic Security Mindset
  • Focus on Solutions = People + Process + Technology
  • Gap-based + Risk-based
  • Align with the business
  • What the business “needs” for the long term

• The Point-Solution Mindset
  • Fragmented
  • Focus on Technology
  • Reaction to “something”, like media (the CEO listening to NPR on the drive to work!) or an event (Wikileaks = DLP)
  • What the business “wants” at a point in time

SLIDE 7


Way of thinking…

SLIDE 8


Way of thinking…

SLIDE 9

How Do You Make Decisions?

• Holistic Approach or Point Solutions?

• Are your Roadmaps based on risk posture or budgets? (Are you value-based or cost-based?)

• Do you see the forest or the trees?

• Are you trying to prioritize everything, or scheduling only what you determine is a priority?


SLIDE 10

How Do You “Do” a Holistic Cyber Security Program? Quantify your Risk …

Quantifying Cyber Risk

• Bring security closer to the business

• Create a common language to discuss cyber risks

• Prioritization = Align budgets with initiatives that provide actual economic impact


SLIDE 11


Doing a Holistic Cyber Security Program – Quantified Cyber Risk

• Baseline Assessment
• Program / Roadmap
• Select and Implement Platform Solutions
• Operationalize to ensure Outcomes are Achieved
• Include Cyber Insurance

SLIDE 12

Center For Internet Security - CIS Controls

https://learn.cisecurity.org


SLIDE 13

https://www.cisecurity.org/blog/cis-controls-version-7-whats-old-whats-new/

SLIDE 14

Step 1 – Baseline Assessment

• Use surveys + internal automated assessment to test against the CIS Controls

• Compare survey responses to automated testing

• Discuss differences

• Use sophisticated AI/ML modeling, with global threat data and breach impacts, to quantify cyber risks


SLIDE 15

Step 2 – Roadmap (3 year recommended)

• Program development (policies, procedures, controls mapping for compliance, etc.)

• Procure and implement tools

• Operations: Use a gap-based approach; get help with the areas you are not equipped to handle internally

• Prioritize initiatives based on actual economic impact to the business and how best to manage the economics of risks

• Provide actual costs for:
  • The Program
  • Platform/Tool + Implementation, taking into account the useful life of a solution, including how to anticipate unknown threats, and a phased plan based on identified priorities and risks
  • Operations, including IT, Security, and all applicable aspects of the business including the C-Level and Board
  • Cyber Insurance at each level of maturity


SLIDE 16

Step 3 – Select and Implement Platforms / Tools

• Keep existing tools that help you achieve desired outcomes; replace those that don’t!

• Consider the ecosystem

• Consider the full lifecycle of the platform / tool set

• Focus on achieving the outcomes defined in your Roadmap!


SLIDE 17

Step 4 – Operationalize

• Total Solution = People + Process + Technology
• Expertise
• Capacity
• Core business
• Transfer risk where appropriate (cyber insurance)


SLIDE 18

Step 5 – Cyber Insurance

• Is your cyber policy tied to actual risks, or is it “one-size-fits-all”?

• Will your current policy actually cover a cyber incident?

• A dynamic policy will change as your security posture changes

• The policy should be tied to your roadmap


SLIDE 19


Example: Basic CIS Control 3 – Continuous Vulnerability Management

SLIDE 20

Example: Basic CIS Control 3 – Continuous Vulnerability Management


SLIDE 21

Example: Basic CIS Control 3 – Continuous Vulnerability Management

• Baseline Assessment
  • Survey says you do vulnerability management; automated assessment identifies vulnerabilities in your environment
  • Discussion and program review reveals that while you have a scanning platform in place, it is difficult to keep up with remediation, and your program does not include strict SLAs and guidelines for classifying and remediating vulnerabilities


SLIDE 22

Example: Basic CIS Control 3 – Continuous Vulnerability Management

• Program Development
  • Review and improve the Vulnerability Management Program
  • Define SLA (desired outcome), using CVSS severity:
    • No High or Critical vulnerabilities exist for more than 45 days
    • No Medium vulnerabilities exist for more than 90 days
    • No Low vulnerabilities exist for more than 180 days


SLIDE 23

Example: Basic CIS Control 3 – Continuous Vulnerability Management

• Operationalize the Program
  • Don’t have dedicated resources allocated to this task
  • Don’t currently have enough resources to achieve these SLAs
  • Only scanning quarterly, which doesn’t work for these SLAs
  • Currently only performing patches for remediation
  • No sandbox in place for testing remediation

Should you change the SLAs or how you do remediation? Build a playbook that addresses these operational challenges.
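Added example, not from the deck or from ASMGi: a Python check that measures the slide-22 SLAs against a scan schedule, to make concrete the slide-23 point that quarterly scanning cannot support them. Finding ids, hosts, dates and both scan schedules are constructed; severity is derived from the CVSS v3.x qualitative ranges; and a remediation is counted only once a later scan confirms the finding is gone, because until then the program has no evidence the SLA was met.

```python
"""SLA check for a vulnerability management program (added example).

Assumptions not taken from the deck: findings are keyed by a constructed id,
severity follows the CVSS v3.x qualitative ranges, and a fix only counts as
closed when a subsequent scan no longer reports the finding.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# SLA windows from slide 22: days a finding may stay open, keyed by severity.
SLA_DAYS = {"critical": 45, "high": 45, "medium": 90, "low": 180}


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to the qualitative rating the SLAs use."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score >= 0.1:
        return "low"
    return "none"  # score 0.0 is informational and carries no SLA clock


@dataclass
class Finding:
    fid: str                      # constructed identifier, not a real CVE
    host: str
    cvss: float
    first_seen: date              # scan date on which the finding first appeared
    fixed: Optional[date] = None  # date the patch/workaround was applied; None = untouched


def sla_deadline(f: Finding) -> Optional[date]:
    """Date by which the finding must be confirmed closed, or None if no SLA applies."""
    sev = cvss_severity(f.cvss)
    if sev not in SLA_DAYS:
        return None
    return f.first_seen + timedelta(days=SLA_DAYS[sev])


def verified_closure(fixed: Optional[date], scan_dates: List[date]) -> Optional[date]:
    """First scan on or after the fix date that can confirm the finding is gone."""
    if fixed is None:
        return None
    return next((d for d in sorted(scan_dates) if d >= fixed), None)


def sla_breaches(findings: List[Finding], scan_dates: List[date], as_of: date) -> List[Tuple[str, int]]:
    """Findings whose verified closure (or continued exposure) exceeds the deadline.
    Returns (finding id, days past deadline). An unverified fix counts as still open."""
    scans = [d for d in scan_dates if d <= as_of]
    out = []
    for f in findings:
        deadline = sla_deadline(f)
        if deadline is None:
            continue
        closed = verified_closure(f.fixed, scans) or as_of
        if closed > deadline:
            out.append((f.fid, (closed - deadline).days))
    return out


def cadence_can_meet_sla(scan_interval_days: int, severity: str) -> bool:
    """A fix is only confirmed by the next scan, so the interval must fit inside the SLA window."""
    return scan_interval_days <= SLA_DAYS[severity]


# Constructed sample data: a quarterly schedule versus a weekly one, as of the webinar date.
QUARTERLY = [date(2019, 1, 7), date(2019, 4, 8), date(2019, 7, 8)]
WEEKLY = [date(2019, 4, 1) + timedelta(days=7 * i) for i in range(18)]
AS_OF = date(2019, 7, 23)

FINDINGS = [
    Finding("F-1", "web01", 9.8, date(2019, 4, 8), fixed=date(2019, 4, 20)),  # critical, patched in 12 days
    Finding("F-2", "db01", 5.3, date(2019, 4, 8)),                            # medium, still open
    Finding("F-3", "app02", 3.1, date(2019, 4, 8)),                           # low, still open, inside SLA
    Finding("F-4", "web02", 7.5, date(2019, 7, 8)),                           # high, new, inside SLA
]

if __name__ == "__main__":
    for label, scans in (("quarterly", QUARTERLY), ("weekly", WEEKLY)):
        print(label, sla_breaches(FINDINGS, scans, AS_OF))
    for sev in SLA_DAYS:
        print(sev, "quarterly:", cadence_can_meet_sla(91, sev), "weekly:", cadence_can_meet_sla(7, sev))
```

With the quarterly schedule F-1 is patched 12 days after it is seen, yet the program cannot show it closed until the 8 July scan, 46 days past the 45-day deadline; with weekly scans the same fix is confirmed on 22 April and never breaches. The medium finding F-2 breaches either way because nobody fixed it, which is the resourcing point on slide 23, not the cadence point.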


SLIDE 24

QUESTIONS?


SLIDE 25

Next in our Webinar Series

… stay tuned for more cyber webinars. We are doing webinars on each of the CIS top 20 controls, and will release the first 3 scheduled webinars soon. Please call or send us a note, or follow us on LinkedIn and Twitter for more information. Phone: +1 216-255-3040 Email: sales@asmgi.com LinkedIn: https://www.linkedin.com/company/asmgi/ Twitter: https://twitter.com/ASMGi_CLE


SLIDE 26

Special Webinar Offer …

• … for those attending today’s webinar, please call +1 216.255.3040 or email Steve Roesing or Frank Yako directly for a NO COST Baseline Assessment.

sroesing@asmgi.com fyako@asmgi.com

• We will perform the Baseline Assessment and review the results with you so that you fully understand how your quantified risk exposure looks today!

• This is especially meaningful if you are entering a budget cycle soon, as we will position you to base your budget request on real Quantified Cyber Risk and start building your Holistic Security Program immediately!


SLIDE 27

800 Superior Ave E, Ste 1050
 Cleveland, OH 44114
 
 Phone: 216.255.3040
 Fax: 216.274.9647
 
 Email: info@asmgi.com
 
 www.asmgi.com

Thank You!
