The Value Proposition for Cyber Security: Does it exist and how can - - PowerPoint PPT Presentation



SLIDE 1

The Value Proposition for Cyber Security: Does it exist and how can we create it?

Larry Clinton, ISAlliance Chief Operating Officer

SLIDE 2

Who We Are

SLIDE 3

What we believe

  • The World has Changed
    • Globalization
    • Digitalization
    • Terrorism
  • Traditional Regulatory Mechanisms won’t work
    • Too slow
    • US only
    • Retard needed economic growth

SLIDE 4

Economic Effects of Attacks

  • 25% of our wealth---$3 trillion---is transmitted over the Internet daily
  • FBI: Cyber crime cost business $26 billion (probably LOW estimate)
  • Financial Institutions are generally considered the safest---their losses were up 450% in the last year
  • There are more electronic financial transactions than paper checks now; 1% of cyber crooks are caught.

SLIDE 5

Digital Growth? Sure

  • “Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company’s assumptions for growth.”
    --Stanford University Study, July 2006

SLIDE 6

Digital Defense? Maybe not

  • “The technology community has made much progress in the past 5 years improving technical security. Yet, moving the needle on information security is a team activity. The hardest remaining issues involve people and organizations.”
    --“Embedding Information Security into the Extended Enterprise.” Dartmouth University 2006

SLIDE 7

Everyone on the Team? Maybe Not

  • 29% of Senior Executives “acknowledged” that they did not know how many negative security events they had in the past year
  • 50% of Senior Executives said they did not know how much money was lost due to attacks

Source: PricewaterhouseCoopers survey of 7,000 companies 9/06

SLIDE 8

Digital Defense NOT

  • 23% of CTOs did not know if cyber losses were covered by insurance or not.
  • 34% of CTOs thought their cyber losses would be covered by insurance---and were wrong.
  • “The biggest network vulnerability in American corporations are extra connections added for senior executives without proper security.”
    --Source: DHS Chief Economist Scott Borg

SLIDE 9

What needs to be Done? Realize the Value Proposition

  • Role for industry: Determine how to solve the problem
  • Role for Government: Encourage industry to adopt proven solutions

SLIDE 10

Can we mitigate cyber Attacks? YES

  • PricewaterhouseCoopers conducted 2 International surveys (2004 & 2006) covering 15,000 corporations of all types
  • Approx. 25% of the companies surveyed were found to have followed recognized “best practices” for cyber security.

SLIDE 11

Benefits of Best Practices

  • Reduces the number of successful attacks
  • Reduces the amount of down-time suffered from attacks
  • Reduces the amount of money lost from attacks
  • Reduces the motivation to comply with extortion threats

SLIDE 12

Senior Mgrs Best Practices

  • Cited in US National Draft Strategy to Protect Cyber Space (September 2002)
  • Endorsed by TechNet for CEO Security Initiative (April 2003)
  • Endorsed by US India Business Council (April 2003)

SLIDE 13

ISALLIANCE BEST PRACTICES

  • Practice #1: General Management
  • Practice #2: Policy
  • Practice #3: Risk Management
  • Practice #4: Security Architecture & Design
  • Practice #5: User Issues
  • Practice #6: System & Network Management
  • Practice #7: Authentication & Authorization
  • Practice #8: Monitor & Audit
  • Practice #9: Physical Security
  • Practice #10: Continuity Planning & Disaster Recovery

SLIDE 14

Why Doesn’t Everyone Comply with the Best Practices?

  • “Many organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum. One of the main reasons for this reluctance is that companies have been largely focused on direct expenses related to security and not the collateral benefits that can be realized”
    --Stanford University ‘06
SLIDE 15

Management is WRONG

  • Stanford Global Supply Chain Management Forum/IBM Study: “Clearly demonstrated that investments in security can provide business value such as:
    • Improved Product Safety (38%)
    • Improved Inventory management (14%)
    • Increase in timeliness of shipping info (30%)

SLIDE 16

There’s More !!!

  • Increase in supply chain information access (50%)
  • Improved product handling (43%)
  • Reduction in cargo delays (48% reduction in inspections)
  • Reduction in transit time (29%)
  • Reduction in problem identification time (30%)
  • Higher customer satisfaction (26%)

SLIDE 17

Security, like Digital Technology, must be Integrated in Bus Plan

  • “Security is still viewed as a cost, not as something that could add strategic value and translate into revenue and savings. But if one digs into the results there is evidence that aligning security with enterprise business strategy reduces the number of successful attacks and financial losses as well as creates value as part of the business plan.”
    --PricewaterhouseCoopers Sept 2006

SLIDE 18

Key Issues for Industry

  • Globalization and outsourcing have increased the challenges of security
  • Security metrics must be more tightly linked to the business.
  • Investment in security must move from reactive add-ons to proactive initiatives consistent with the company’s strategic goals
  • Directives must come from the top

Dartmouth University 2006

SLIDE 19

ISA Insurance Incentives

  • AIG developed an on-line metric tool based on ISAlliance Best Practices for Senior Managers
    • Separate tool developed for small businesses based on small business best practices
    • Qualified companies can receive up to 15% discount on cyber insurance

SLIDE 20

ISA Security Integration Program-Get the team involved

  • Issues must be addressed simultaneously from the:
    • Legal
    • Business
    • Technology
    • Policy
  Perspectives

[Diagram: PROBLEM / ISSUE at the center, surrounded by the BUS/OPERATIONAL, LEGAL/REG, TECH/R&D and POLICY perspectives]

SLIDE 21

ISAlliance Integrated Business Security Program

  • Outsourcing
  • Risk Management
  • Security Breach Notification
  • Privacy
  • Insider Threats
  • Auditing
  • Contractual Relationships (suppliers, partners, sub-contractors, customers)

SLIDE 22

Things Government Can Do

  • Stimulate the insurance market
    • Temporary insurer of last resort (e.g. w/crop and flood insurance)
    • Use government’s market power (e.g. require contractors to have insurance)
    • Civil Liability reform (Precedent: Anti-Terrorism Act of 2002)
    • Allow info sharing to create better metrics (e.g. Y2K)

SLIDE 23

More for Government to do

  • Create Gov/Industry/Education Consortium (e.g. Sema-Tech)
  • Create Awards Programs (e.g. Baldridge Awards for Quality)
  • Develop Significant outreach programs targeted at senior corporate execs.

SLIDE 24

Larry Clinton
Chief Operations Officer
Internet Security Alliance
lclinton@isalliance.org
703-907-7028 (O)
202-236-0001 (C)