What CIOs and CFOs Need to Know About Cyber Security

IABIA and Kettering Executive Network Joint Briefing for the Atlanta CIOs

Transcript

  • 1. What CIOs and CFOs need to know about Cyber Security
    Phil Agcaoili, March 14, 2014
    © 2012 Liberty Group Ventures. All rights reserved
  • 2. Special Thanks to Kiersten Todt and Roger Cressey
  • 3. Isn't this the same thing? Cyber Security vs. Information Security
  • 4. U.S. Cyber Security Defined. Two questions:
    • Are you U.S. Critical Infrastructure (CI)?
    • Do you have physical or virtual systems and assets so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on:
      – National security,
      – National economic security, and/or
      – National public health or safety?
  • 5. 16 DHS Critical Infrastructure Sectors
  • 6. Framework Background
    • Presidential Executive Order 13636 (2013)
      – Failure by Congress to pass cyber legislation
      – Unprecedented cyber threat environment
    • Role of NIST
      – Operates under the Department of Commerce
      – Tasked with developing an industry-led, voluntary framework
    • Process
      – Ten months, five workshops, transparent process
      – 12,000 public comments adjudicated
      – Collaboration between NIST, the White House (NSC), DHS, and the private sector
    http://www.nist.gov/cyberframework/
  • 7. Framework Basics
    • Core: the set of cybersecurity activities and informative references common across CI
    • Functions: an overview of how the organization manages cyber risk, grouped as Identify, Protect, Detect, Respond, Recover (IPDRR)
    • Tiers: a mechanism to view the organization's approach and processes for managing cyber risk
      1. Partial
      2. Risk Informed
      3. Repeatable
      4. Adaptive
      – Tier 4 is not the goal for every organization
  • 8. Framework Basics (continued)
    • Profiles: alignment of IPDRR with the business requirements, risk tolerance, and resources of the organization
      – Current Profile (where you are)
      – Target Profile (where you want to be)
      – Comparing the two profiles produces the gap analysis
    • Creating a profile helps a company understand its dependencies on business partners, vendors, and suppliers.
  • 9. What the Framework is Really About
    • Creating a common language for cyber risk management
      – Maps to COBIT 5, ISO/IEC 27001, NIST SP 800-53, CCS CSC (the Council on CyberSecurity Critical Security Controls), and ISA 62443
    • Objective: facilitate behavioral change in organizations
      – Treat cyber risk as a mission equal in priority to other corporate risk
    • Intended for critical infrastructure owners and operators
      – Can and may be used by many others
    • Applies a market-driven approach to cyber risk management
      – Product of industry, not government
      – Not one size fits all; user experience will vary
  • 10. How much more do we have to spend? Why?
  • 11. Implications of the Framework
    • Industry: each sector will define adoption
      – Identify metrics for success
      – Facilitate information sharing within the industry
      – Define cost-effectiveness
    • Role for insurance... finally?
      – Cyber liability
      – Cyber breach
    • Business
      – Small: prioritize, develop a risk management process
      – Medium: grow the risk management process
      – Large: mature the risk management process, share best practices and lessons learned
  • 12. Framework: The Way Ahead (continued)
    • Industry
      – Adopt the Framework by mapping it to the existing risk management process and addressing gaps identified through profile development
      – Conduct training to "normalize" cyber risk behavior, including simulations and exercises with corporate leadership
      – Participate in additional workshops on implementation and areas for improvement
      – Feedback to government: lessons learned, what works, what doesn't, what's missing
      – Industry input will shape development of Framework 2.0
    • Non-lifeline sector adoption
      – Retail, Manufacturing, Information Technology, etc.
  • 13. Framework: The Way Ahead (continued)
    • Government
      – DHS role evolving
      – Launched the Critical Infrastructure Cyber Community (C3, or "C Cubed") Voluntary Program
      – Providing managed security services to states and localities that adopt the Framework: a good first step
      – Work with Sector Specific Agencies (SSA) in the first year, expand to all CI business in the future
      – Seeking input from small business on Framework adoption
      – Working on evolving incentives
    • International adoption... and overcoming the Snowden challenge
      – Need for U.S. businesses with a global presence to engage and facilitate
  • 14. Framework: The Way Ahead
    • NIST: initial areas for further work
      – Authentication
      – Automated Indicator Sharing
      – Conformity Assessment
      – Cybersecurity Workforce
      – Data Analytics
      – Federal Agency Cybersecurity Alignment
      – Supply Chain Risk Management
      – International Aspects, Impacts, and Alignment
      – Technical Privacy Standards
  • 15. Next Steps for You...
    • Engage in Cybersecurity Framework development
    • Increase senior leadership and board engagement on cybersecurity
    • Promote and integrate the culture of cyber security
      – Hire a CISO
      – Have a plan
    • Ensure defensible security practices
      – Use the NIST Cyber Security Framework
      – Third-party security
    • Measure your security's effectiveness
    • Invest wisely
  • 16. Communicating Cyber Security to All Levels
    • Board: Getting hacked is not a matter of if, but when.
    • Management: Security is a journey, not a destination.
    • All: Security is everyone's responsibility. Stop. Think. Connect.
  • 17. Thanks
    Phil Agcaoili
    Contributor, NIST Cybersecurity Framework version 1
    Co-Founder & Board Member, Southern CISO Security Council
    Distinguished Fellow and Fellows Chairman, Ponemon Institute
    Founding Member, Cloud Security Alliance (CSA)
    Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF)
    @hacksec
    https://www.linkedin.com/in/philA