The Economy is reliant on the Internet The state of Internet - - PowerPoint PPT Presentation

SLIDE 1

The Economy is reliant on the Internet

The state of Internet security is eroding quickly. Trust in online transactions is evaporating, and it will require strong security leadership for that trust to be restored. For the Internet to remain the juggernaut of commerce and productivity it has become, it will require more, not less, input from security.

PWC Global Cyber Security Survey 2008

SLIDE 2

Digital Immigrants need education more than Digital natives

  • Demographers refer to the current K-12 cohort as the “digital natives”
  • The US workplace is mostly populated by “digital immigrants”
  • The current private sector is the most vulnerable to national security
  • We will have the current workforce of “digital immigrants” there for decades

SLIDE 3

President Obama’s Report on Cyber Security (May 30, 2009)

The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights.

President’s Cyber Space Policy Review, May 30, 2009 page iii

Quoting from Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress November 2008

SLIDE 4

CURRENT ECONOMIC INCENTIVES FAVOR ATTACKERS

  • Attacks are cheap and easy
  • Vulnerabilities are almost infinite
  • Profits from attacks are enormous ($1 TRILLION in 08)
  • Defense is costly (Usually no ROI)
  • Defense is often futile
  • Costs of attacks are distributed

SLIDE 5

Financial Management of Cyber Risk

It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts.

President’s Cyber Space Policy Review May 30, 2009 page 15

SLIDE 6

Senior Executives ARE NOT analyzing Cyber Risk adequately

There is still a gap between IT and enterprise risk management. Survey results confirm the belief among IT security professionals that Boards and senior executives are not adequately involved in key areas related to the governance of enterprise security.

2008 Carnegie Mellon University CyLab Governance of Enterprise Security Survey

SLIDE 7

Cyber RISK is not being Appreciated

  • 75% of US corporations do NOT have a Chief Risk Officer
  • 5% of US corporations report to the CFO on security risks
  • 65% of US corporations either do not have a documented process to assess cyber risk, or do not have a person in charge of the process --- meaning they have no process

Deloitte “Enterprise Risk,” 2007

SLIDE 8

Communication Across Corporate Structures is Inadequate

  • Intra-company communication on privacy and security risks was lacking. Only 17% of respondents indicated they had a cross-organizational privacy/security team.
  • Less than half had a formal enterprise risk management plan. (47%)
  • 1/3 of those with a plan did not include IT-related risks in the plan.

2008 Carnegie Mellon University CyLab Governance of Enterprise Security Survey

SLIDE 9

Many Corp Info Security Budgets are DECREASING

47% of all enterprises are deferring or reducing future budgets for information security initiatives

PricewaterhouseCoopers 2009 Global Information Security Survey

SLIDE 10

Problem is more than just “awareness”

  • 42% of survey respondents acknowledge that threats to information security are increasing
  • 52% acknowledge that cost reductions to info security initiatives will make adequate security more difficult

PricewaterhouseCoopers Global Information Security Survey 2009

SLIDE 11

Financial Impact of Cyber Risk

October, 2008

SLIDE 12

Design of ISA/ANSI Program

  • Open to all (Gov as well as industry)
  • No Charge to Participate
  • Cross sectors and departments
  • 7 full day working sessions over 2 years
  • Phase I (“Questions”) complete Nov 08
  • Phase II (“Responses”) complete Dec 09
  • “Red Teams” Review findings

SLIDE 13

ISA/ANSI Fund Financial Risk Management Program

42 Private Sector Organizations, volunteer, plus:

  • U.S. Department of Commerce
  • U.S. Securities and Exchange Commission
  • Department of Justice
  • Department of Transportation
  • National Credit Union Administration
  • U.S. Cyber Consequences Unit
  • U.S. Department of Homeland Security
  • U.S. DHS – Science & Technology (S&T) Directorate
  • U.S. DHS – National Cyber Security Division (NCSD)
  • U.S. DHS – Office of Infrastructure Protection
  • U.S. DHS – Policy Directorate
  • California Office of Homeland Security
  • Peace Corps

SLIDE 14

The need to understand business economics to address cyber issues

If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk.

President’s Cyber Space Policy Review May 30, 2009 page 18

SLIDE 15

The Economic Assessment of Cyber Security: 50 Questions for CFOs

  • Business Operations
  • General Counsel
  • Compliance Officer
  • Media (Investors and PR)
  • Human Resources
  • Risk Manager/Insurance

SLIDE 16

Calculate Net Financial Risk

  • Threat (frequency of risk event / probable number of events per year) X
  • Consequence (severity of risk event / possible loss from event) X
  • Vulnerability (likelihood or % of damages given mitigation actions) MINUS
  • Risk Transferred (e.g. insurance) =
  • NET FINANCIAL RISK
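
The slide's formula (Threat × Consequence × Vulnerability − Risk Transferred) applied to a small risk register, as an added example that is not part of the original deck. It goes one step beyond the slide by summing net risk across scenarios and by pricing a mitigation against the risk it removes (the "no ROI" problem from Slide 4); the scenarios, dollar figures and the `control_roi` helper are constructed for illustration, not figures from the ISA/ANSI program.

```python
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One line of a risk register, in the slide's terms. All money in USD."""
    name: str
    threat: float            # expected number of risk events per year
    consequence: float       # possible loss per event, before mitigation
    vulnerability: float     # fraction of that loss that lands, given current mitigations (0..1)
    transferred: float = 0.0  # expected annual loss carried by insurance or other transfer

    def gross_risk(self) -> float:
        """Threat x Consequence x Vulnerability: expected annual loss before transfer."""
        return self.threat * self.consequence * self.vulnerability

    def net_risk(self) -> float:
        """Gross risk MINUS risk transferred = NET FINANCIAL RISK for this scenario."""
        return self.gross_risk() - self.transferred


def net_financial_risk(scenarios) -> float:
    """Net financial risk for the whole register (sum over scenarios)."""
    return sum(s.net_risk() for s in scenarios)


def control_roi(scenarios, new_vulnerability, annual_cost: float) -> float:
    """Annual benefit of a mitigation minus its cost (hypothetical helper, not from the slides).
    new_vulnerability maps scenario name -> vulnerability fraction after the control is in place."""
    reduced = 0.0
    for s in scenarios:
        if s.name in new_vulnerability:
            after = RiskScenario(s.name, s.threat, s.consequence, new_vulnerability[s.name], s.transferred)
            reduced += s.net_risk() - after.net_risk()
    return reduced - annual_cost


# Constructed sample register: values chosen for illustration only.
SAMPLE_REGISTER = [
    RiskScenario("phishing-driven account takeover", threat=12, consequence=50_000, vulnerability=0.4),
    RiskScenario("ransomware outage", threat=0.5, consequence=2_000_000, vulnerability=0.3, transferred=150_000),
    RiskScenario("vendor data breach", threat=1, consequence=800_000, vulnerability=0.25, transferred=50_000),
]

if __name__ == "__main__":
    print(f"Net financial risk: ${net_financial_risk(SAMPLE_REGISTER):,.0f}")
    # A control that cuts phishing vulnerability from 0.4 to 0.1 at $60,000 per year
    roi = control_roi(SAMPLE_REGISTER, {"phishing-driven account takeover": 0.1}, annual_cost=60_000)
    print(f"Net annual benefit of the control: ${roi:,.0f}")
```

A positive `control_roi` is the business case the slides say the private sector asks for before funding a control; a negative one says the risk is cheaper to transfer or carry than to mitigate.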

SLIDE 17

Sample Questions: Legal

  • Analyzed liabilities?
  • What legal rules apply to us or 3rd parties?
  • Vulnerable to class action/shareholder suits?
  • Legal exposure to Gov investigations?
  • Do our contracts protect us enough?
  • Multi-state laws apply?
  • Exposed to trade secret theft?

SLIDE 18

Sample Questions: Compliance

  • Inventory of applicable regulations?
  • Where is our “regulated” data?
  • Valid reasons for holding all our data?
  • Policies & procedures documented?
  • Can we opt out of reg requirements?
  • Are we tracking compliance?
  • Are we reviewing and updating privacy compliance?

SLIDE 19

Sample Questions: Risk Manager/Insurance

  • Are we insured for this? (probably no)
  • What can we get insurance for?
  • What is the D & O exposure?
  • Where can we find cyber insurance and what does it cover (& not cover)?
  • What’s the cost benefit to insurance?
  • How do we evaluate policies?

SLIDE 20

Sample Questions: Business Operations

  • What’s our single biggest vulnerability?
  • How long are we down? Want to be up?
  • Are we complying w/ SoA standards?
  • Are we properly staffed?
  • Have we assessed physical security?
  • Incident response/continuity plans?
  • Risk exposure from vendors?
  • How often do we re-evaluate risks?

SLIDE 21

Sample Questions: Media/Crisis Management Team

  • Do we have segmented responses for all stakeholders?
  • Documented crisis communication plan?
  • Identified and trained all who need to be?
  • Have the external contacts we need?
  • Have we run a mock trial?
  • Are we budgeted for a crisis?

SLIDE 22

Sample Questions: Human Resources

  • Does everyone understand our $ Risk?
  • Attract/retain the right personnel?
  • Do we provide training to mitigate risk?
  • Is the org structured for team work?
  • Audit network access (esp. at termination)?
  • Address social networking & pub sites?
  • HR assessment include cyber security?
  • Discipline policy adequate for monitoring?

SLIDE 23

PROPOSAL

  • Build a grounded Enterprise Education program consistent with Cyber Space Policy Review
  • Based on 2-year open forum of industry and government
  • Initial 2-year program completed and funded by ISA and ANSI
  • DoC fund final development and testing

SLIDE 24

Three Phase Program

  • Phase I: take 50 Questions and 60 Responses documents and reformulate into enterprise training program
  • Phase II: Beta test Enterprise Education Program w/ multiple methods and evaluate
  • Phase III: Final National Roll Out using most cost effective model

SLIDE 25

Deliverables

  • Quarterly Status Updates
  • Final Business Plan & launch Phase II 12 months from approval
  • Pilot strategy report 10 days after beginning of Phase II
  • Metrics on overall effectiveness 12 months following beginning of Phase II
  • Modified Program based on Phase II 12 months from beginning of Phase II

SLIDE 26

Phase III National Roll Out

  • Dependent on Phase II results & metrics
  • Final Business Plan and Implementation 10 days after contract signing Phase III
  • Quarterly Reports
  • Final Summary and Evaluation 36 months following beginning of National Roll Out

SLIDE 27

Budget

Phase I - Design and development of a comprehensive business plan

  • Integrates 2008 and 2009 ISA/ANSI Financial Risk Management Reports (50 Questions for corporate CFOs and Responses) into technical course development
  • Includes various management and direct costs
  • Projected cost - $300,000

SLIDE 28

Budget

Phase II - Testing/Evaluation/Reformatting

  • Multi-tier pilot program:
    – Utilizing combination of instructor-led onsite training and web-based instruction
    – Offering focused single enterprise course offerings and/or multi-enterprise training sessions
  • Develop and implement metrics to test and evaluate overall cost effectiveness
  • Projected cost - $400,000-$700,000* (conditional upon option I, II, or III elements)

SLIDE 29

Budget

Phase III – Implementation of final business plan for cyber training and education program

  • Implement metrics to test and evaluate for continual program improvement
  • Includes various management and direct costs
  • Projected cost – TBD/Conditional upon Phase II