SlideShare a Scribd company logo

vision 2020 testimony

Rob Arnold
Rob Arnold
1 of 4
Download to read offline
Mr. Chairman, Members of the Committee: My name is Rob Arnold. I have served as Information Security Officer at the University of Kansas for the past two years. Prior to that I worked for seventeen years in financial services. I have been a practitioner of information security for seventeen years, and have eight years' experience leading information security teams and being responsible for security programs. I hold the professional designations Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM). I would like to thank the committee for the opportunity to address you today. I will address questions related to the recommendations found in Legislative Post Audit report R-14-007, State Agency Information Systems: Sensitive Datasets and IT Security Resources. Three themes were raised for legislative consideration in the conclusions of the report: structural issues affecting delivery of security functions, the role of the private sector, and staffing the security function. Structure enables success To speak directly to the question of effectiveness, "are the state's IT Security resources adequate to meet the current need?" involves special attention to the structures that support good security outcomes. The Council on CyberSecurity identifies a short list of suggestions in its Cybersecurity Workforce Handbook: clear accountability, establish a response team, measure and report, invest in training and development, build external relationships, develop career pathways, establish mentorship, and build the brand. From my experience leading information security programs, I would prioritize the first three suggestions from this list. Establishing the accountability and defining measures of success creates structure that enables the success of a security program. This makes accountability a critical success factor in any enterprise security plan. KU's security program benefits from clear accountability. The Information Security Office derives authority and scope of duties from policy. The policy also articulates responsibilities for IT staff, for authorized users of IT, and for a computer security incident response team (CSIRT). The inclusion of the CSIRT in policy reflects the priority and importance assigned to the response function at KU. A strong focus on reporting allows me to assert that KU's incident response time for security incidents during calendar year 2014 places us in the top 10% of all organizations with this capability. This benchmark comes from the 2013 Verizon Data Breach Investigation Report. The Verizon report also points out that 66% of breaches remain undiscovered by organizations for months or more, which helps underscore the importance of a strong response capability. Having an effective response team is the top operational priority within the capabilities of a modern enterprise security team. Reliance on prevention has proved ineffective, so emphasis on robust response is the current best practice. The structure in KU’s security program, defining my role as accountable and providing clear reporting lines, enables the operational success of our incident response function. So these three priorities (two structural and one operational) are foundational elements of KU’s information security program. Private sector role
A more difficult question is “how and to what extent can the private sector assist in meeting the state’s security goals?” The market for managed security services is currently a $15 Billion global market, projected to grow to $33 Billion by 2020. The private sector is a crucial part of this demand as well as the supply. Opportunities to augment the state’s capabilities using managed security service providers exist, but careful vendor management will be a critical success factor. Planning for a mixed source model with the ability to loosely couple with different vendors will enable a quicker time to value on future security projects if the state chooses that option. But the merger and acquisition activity in the security provider space is intense, which poses a degree of risk and highlights the need for vendor management. Making sure the enterprise security plan for Kansas both embraces mixed sourcing and mitigates the risks of reliance on outside entities for critical security services will be a careful balancing act. My experience suggests judiciously applying mixed sourcing to tactical projects with short turn times to get quick results on security services that are more transactional and less strategic, or where economies of scale apply. Reserving internal capacity to take on transformational work is one compelling reason to use mixed sourcing. Private sector involvement will require tradeoffs, as security decisions always do. Some types of security work can be traded off for money and vendor management work. Managed security services work best when the performance of work can be easily governed by a service level agreement. Staffing the security function To give some context to the findings in the audit report that relate to staffing, the concerns raised, while significant, are more reflective of the employment environment than they are of the state's approach to staffing the security function. The report highlights a specific risk that arises when lead security positions go unfilled for a long time. This risk affects the public and private sector. A 2014 study of 504 organizations by the Ponemon Institute examined this staffing issue and found that 36% of security positions and 58% of senior security positions went unfilled in 2013. 70% of those organizations responded that their security function is understaffed. The top reason listed for why positions go unfilled was inability to offer a competitive salary, with 43% of respondents choosing it. 5.1 months to fill a security position, and 9.2 months for a senior security position are average according to this current research. A 2014 BurningGlass report points out a 74% growth in security job postings for the time period 2007- 2013, and finds that security jobs take 24% longer to fill than all IT jobs, and 36% longer to fill than all jobs. This report also finds that in 2013 U. S. employers posted 50,000 jobs requiring the information security credential CISSP, recruiting from a pool of only 60,000 CISSP holders. The clear conclusion is that demand is outstripping supply for highly qualified security talent. Numbers from the Bureau of Labor Statistics reinforce the point and provide local insight. The most recent Occupational Employment Statistics report (May 2013) lists 70 information security analyst positions in the Topeka metropolitan area. That small talent pool it is indicative of the problem with trying to recruit qualified security professionals locally. Median wage is listed as $68,330, which is just higher than the 25th percentile nationwide figure of $67,120. So salary pressure from the east and west coast is also draining the Kansas talent pool of qualified information security staff.
The talent market for qualified security professionals also constrains the capacity of the managed services sector to provide services in this area. Security providers in this area are nearly always hiring qualified staff, posing additional retention challenges for state agencies. The security strategy includes staff development plans with the goals of retaining security talent and developing new security staff. One compelling advantage we have at KU is being able to recruit students to the security field in several ways. We employ them directly in the security office, and we guest lecture in classes related to information security, emphasizing the employment market and the need for qualified security staff. A robust security plan for Kansas needs to address the security staffing challenge from the supply side as well as demand. Summary: Thinking about how to solve security problems at the scale of state government will require diligent attention to the fundamentals of information security management. Certain key issues are constraining the capacity of state agencies to accomplish their security goals. These key issues are well highlighted in the report from Legislative Division of Post Audit, State Agency Information Systems: Sensitive Datasets and IT Security Resources. Thoughtful engagement from leadership as exemplified in the interest of the committee members today is critical to success. The private sector shows evidence of increasing engagement, with information security discussions a prominent feature in board rooms. Many more questions than the few I could explore today will need to be examined in the course of building the state’s direction. Engaged leadership that focuses on a “short list” of security priorities will allow the state to move purposefully toward the security posture it wants to have. The landscape of security is complicated, so “doing less but doing it better” is a strategy to build some momentum towards the state’s security goals. Thank you for your attention and consideration. I will be pleased to respond to questions at the appropriate time.
Supporting references: 1) Legislative Post Audit. Report R-14-007 State Agency Information Systems: Sensitive Datasets and IT Security Resources http://www.kslpa.org/docs/reports/R-14-007.pdf 2) Council on CyberSecurity. Cybersecurity Workforce Handbook: A Practical Guide to Managing Your Workforce http://www.counciloncybersecurity.org/workforce/workforce-management/ 3) University of Kansas Policy Library. Information Technology Security Policy http://policy.ku.edu/IT/info-technology-security-policy 4) Verizon. 2013 Data Breach Investigations Report http://www.verizonenterprise.com/resources/reports/es_data-breach-investigations-report- 2013_en_xg.pdf 5) The White House. FACT SHEET: Executive Order Promoting Private Sector Cybersecurity Information Sharing https://www.whitehouse.gov/the-press-office/2015/02/12/fact-sheet-executive-order-promoting- private-sector-cybersecurity-inform 6) ABI Research. Managed Security Services Market to Reach US$32.9 Billion in 2020; Driven by Increasing Complexity of Security Requirements https://www.abiresearch.com/press/managed-security-services-market-to-reach-us329-bi 7) Timothy M. Chester. Outsource the Transactional, Keep the Transformative http://www.educause.edu/ero/article/outsource-transactional-keep-transformative 8) BurningGlass. Job Market Intelligence: Report on the Growth of Cybersecurity Jobs http://www.burning- glass.com/media/4187/Burning%20Glass%20Report%20on%20Cybersecurity%20Jobs.pdf 9) US Department of Labor, Bureau of Labor Statistics. Occupational Outlook Handbook http://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm 10) US Department of Labor, Bureau of Labor Statistics. Occupational Employment Statistics http://www.bls.gov/oes/CURRENT/oes151122.htm

Recommended

CISO Survey Report 2010
CISO Survey Report 2010CISO Survey Report 2010
CISO Survey Report 2010Scientia Groups
 
2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for InsuranceAccenture Insurance
 
Transforming Information Security: Designing a State-of-the-Art Extended Team
Transforming Information Security: Designing a State-of-the-Art Extended TeamTransforming Information Security: Designing a State-of-the-Art Extended Team
Transforming Information Security: Designing a State-of-the-Art Extended TeamEMC
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 
Roles of Information Security Officers in State Government
Roles of Information Security Officers in State GovernmentRoles of Information Security Officers in State Government
Roles of Information Security Officers in State GovernmentDavid Sweigert
 
2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-finalΔρ. Γιώργος K. Κασάπης
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
rp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responserp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responseMaciej Buczkowski
 

Recommended

CISO Survey Report 2010
CISO Survey Report 2010CISO Survey Report 2010
CISO Survey Report 2010Scientia Groups
 
2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for InsuranceAccenture Insurance
 
Transforming Information Security: Designing a State-of-the-Art Extended Team
Transforming Information Security: Designing a State-of-the-Art Extended TeamTransforming Information Security: Designing a State-of-the-Art Extended Team
Transforming Information Security: Designing a State-of-the-Art Extended TeamEMC
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 
Roles of Information Security Officers in State Government
Roles of Information Security Officers in State GovernmentRoles of Information Security Officers in State Government
Roles of Information Security Officers in State GovernmentDavid Sweigert
 
2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-finalΔρ. Γιώργος K. Κασάπης
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
rp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responserp-esg-tackling-attack-detection-incident-response
rp-esg-tackling-attack-detection-incident-responseMaciej Buczkowski
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response SurveyFireEye, Inc.
 
Harvey Nash UK & IRE Cyber Security Survey 2016
Harvey Nash UK & IRE Cyber Security Survey 2016Harvey Nash UK & IRE Cyber Security Survey 2016
Harvey Nash UK & IRE Cyber Security Survey 2016Bryan Smith
 
2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summarypatmisasi
 
Mapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityMapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityRedspin, Inc.
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks- Mark - Fullbright
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
HSN Risk Assessment Report
HSN Risk Assessment ReportHSN Risk Assessment Report
HSN Risk Assessment ReportBelinda Edwards
 
Websense
WebsenseWebsense
WebsenseCMR WORLD TECH
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRBill Besse
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksConstantin Cocioaba
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesTony Moroney
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeErnst & Young
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityShareDocView.com
 
Information Security - Hiring Trends and Trends for the Future PDF
Information Security - Hiring Trends and Trends for the Future PDFInformation Security - Hiring Trends and Trends for the Future PDF
Information Security - Hiring Trends and Trends for the Future PDFAlexander Goodwin
 
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...Mighty Guides, Inc.
 
Improving Cyber Security Literacy in Boards & Executives
Improving Cyber Security Literacy in Boards & ExecutivesImproving Cyber Security Literacy in Boards & Executives
Improving Cyber Security Literacy in Boards & ExecutivesTripwire
 
2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research Update2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research UpdateGridCyberSec
 
Ema report -_ibm_security_q_radar_incident_forensics_vs_other_industry_tools
Ema report -_ibm_security_q_radar_incident_forensics_vs_other_industry_toolsEma report -_ibm_security_q_radar_incident_forensics_vs_other_industry_tools
Ema report -_ibm_security_q_radar_incident_forensics_vs_other_industry_toolsAnjoum .
 
9545-RR-Why-Use-MSSP
9545-RR-Why-Use-MSSP9545-RR-Why-Use-MSSP
9545-RR-Why-Use-MSSPAlex Himmelberg
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALSteve Knapp
 
Universidade Federal Fluminense
Universidade Federal FluminenseUniversidade Federal Fluminense
Universidade Federal FluminenseLiara Ramos da Fonseca
 
Tutorial
TutorialTutorial
TutorialAnkarytrejo
 

More Related Content

What's hot

2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response SurveyFireEye, Inc.
 
Harvey Nash UK & IRE Cyber Security Survey 2016
Harvey Nash UK & IRE Cyber Security Survey 2016Harvey Nash UK & IRE Cyber Security Survey 2016
Harvey Nash UK & IRE Cyber Security Survey 2016Bryan Smith
 
2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summarypatmisasi
 
Mapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityMapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityRedspin, Inc.
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks- Mark - Fullbright
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
HSN Risk Assessment Report
HSN Risk Assessment ReportHSN Risk Assessment Report
HSN Risk Assessment ReportBelinda Edwards
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRBill Besse
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksConstantin Cocioaba
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesTony Moroney
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeErnst & Young
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityShareDocView.com
 
Information Security - Hiring Trends and Trends for the Future PDF
Information Security - Hiring Trends and Trends for the Future PDFInformation Security - Hiring Trends and Trends for the Future PDF
Information Security - Hiring Trends and Trends for the Future PDFAlexander Goodwin
 
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...Mighty Guides, Inc.
 
Improving Cyber Security Literacy in Boards & Executives
Improving Cyber Security Literacy in Boards & ExecutivesImproving Cyber Security Literacy in Boards & Executives
Improving Cyber Security Literacy in Boards & ExecutivesTripwire
 
2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research Update2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research UpdateGridCyberSec
 
Ema report -_ibm_security_q_radar_incident_forensics_vs_other_industry_tools
Ema report -_ibm_security_q_radar_incident_forensics_vs_other_industry_toolsEma report -_ibm_security_q_radar_incident_forensics_vs_other_industry_tools
Ema report -_ibm_security_q_radar_incident_forensics_vs_other_industry_toolsAnjoum .
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALSteve Knapp
 

What's hot (20)

2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response Survey
 
Harvey Nash UK & IRE Cyber Security Survey 2016
Harvey Nash UK & IRE Cyber Security Survey 2016Harvey Nash UK & IRE Cyber Security Survey 2016
Harvey Nash UK & IRE Cyber Security Survey 2016
 
2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary
 
Mapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityMapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information Security
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
HSN Risk Assessment Report
HSN Risk Assessment ReportHSN Risk Assessment Report
HSN Risk Assessment Report
 
Websense
WebsenseWebsense
Websense
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LR
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security Risks
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best Practices
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for Cybersecurity
 
Information Security - Hiring Trends and Trends for the Future PDF
Information Security - Hiring Trends and Trends for the Future PDFInformation Security - Hiring Trends and Trends for the Future PDF
Information Security - Hiring Trends and Trends for the Future PDF
 
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
EMEA: Using Security Metrics to Drive Action - 22 Experts Share How to Commun...
 
Improving Cyber Security Literacy in Boards & Executives
Improving Cyber Security Literacy in Boards & ExecutivesImproving Cyber Security Literacy in Boards & Executives
Improving Cyber Security Literacy in Boards & Executives
 
2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research Update2015 Energy Industry Cybersecurity Research Update
2015 Energy Industry Cybersecurity Research Update
 
Ema report -_ibm_security_q_radar_incident_forensics_vs_other_industry_tools
Ema report -_ibm_security_q_radar_incident_forensics_vs_other_industry_toolsEma report -_ibm_security_q_radar_incident_forensics_vs_other_industry_tools
Ema report -_ibm_security_q_radar_incident_forensics_vs_other_industry_tools
 
9545-RR-Why-Use-MSSP
9545-RR-Why-Use-MSSP9545-RR-Why-Use-MSSP
9545-RR-Why-Use-MSSP
 
Healthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINALHealthcare Cybersecurity Whitepaper FINAL
Healthcare Cybersecurity Whitepaper FINAL
 

Viewers also liked

Transformación de Datos en SPSS
Transformación de Datos en SPSSTransformación de Datos en SPSS
Transformación de Datos en SPSSKarina Landero
 
Οικιακή οικονομία: Οδηγός Εκπαιδευτικού - Αγωγή Υγείας
Οικιακή οικονομία: Οδηγός Εκπαιδευτικού - Αγωγή ΥγείαςΟικιακή οικονομία: Οδηγός Εκπαιδευτικού - Αγωγή Υγείας
Οικιακή οικονομία: Οδηγός Εκπαιδευτικού - Αγωγή ΥγείαςΜεταξούλα Μανικάρου
 

Viewers also liked (6)

Universidade Federal Fluminense
Universidade Federal FluminenseUniversidade Federal Fluminense
Universidade Federal Fluminense
 
Tutorial
TutorialTutorial
Tutorial
 
Sn Mag 02 - Sn
Sn Mag 02 - SnSn Mag 02 - Sn
Sn Mag 02 - Sn
 
Transformación de Datos en SPSS
Transformación de Datos en SPSSTransformación de Datos en SPSS
Transformación de Datos en SPSS
 
Οικιακή οικονομία: Οδηγός Εκπαιδευτικού - Αγωγή Υγείας
Οικιακή οικονομία: Οδηγός Εκπαιδευτικού - Αγωγή ΥγείαςΟικιακή οικονομία: Οδηγός Εκπαιδευτικού - Αγωγή Υγείας
Οικιακή οικονομία: Οδηγός Εκπαιδευτικού - Αγωγή Υγείας
 
Idj11
Idj11Idj11
Idj11
 

Similar to vision 2020 testimony

Priming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraPriming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraLuke Farrell
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesJoseph DeFever
 
Insights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer AssessmentInsights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer AssessmentIBM Security
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
 
State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016Tim Grieveson
 
Hp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaperHp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaperrickkaun
 
2013-ISC2-Global-Information-Security-Workforce-Study
2013-ISC2-Global-Information-Security-Workforce-Study2013-ISC2-Global-Information-Security-Workforce-Study
2013-ISC2-Global-Information-Security-Workforce-StudyTam Nguyen
 
Prof m01-2013 global information security workforce study - final
Prof m01-2013 global information security workforce study - finalProf m01-2013 global information security workforce study - final
Prof m01-2013 global information security workforce study - finalSelectedPresentations
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991Jim Romeo
 
Addressing Cybersecurity Strategically
Addressing Cybersecurity Strategically Addressing Cybersecurity Strategically
Addressing Cybersecurity Strategically Symantec
 
The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer a...
The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer a...The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer a...
The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer a...Capgemini
 
Module 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfModule 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfHumphrey Humphrey
 
Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security RisksChris Ross
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFLaurie Mosca-Cocca
 
Cybersecurity Talent : The Big Gap in Cyber Protection
Cybersecurity Talent : The Big Gap in Cyber ProtectionCybersecurity Talent : The Big Gap in Cyber Protection
Cybersecurity Talent : The Big Gap in Cyber ProtectionCapgemini
 
Étude mondiale d'EY sur la cybersécurité (2018)
Étude mondiale d'EY sur la cybersécurité (2018)Étude mondiale d'EY sur la cybersécurité (2018)
Étude mondiale d'EY sur la cybersécurité (2018)Paperjam_redaction
 
Cyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe SecurityCyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe SecurityRahul Tyagi
 

Similar to vision 2020 testimony (20)

Priming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive eraPriming your digital immune system: Cybersecurity in the cognitive era
Priming your digital immune system: Cybersecurity in the cognitive era
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & Practices
 
Finding a strategic voice
Finding a strategic voiceFinding a strategic voice
Finding a strategic voice
 
Insights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer AssessmentInsights from the IBM Chief Information Security Officer Assessment
Insights from the IBM Chief Information Security Officer Assessment
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...
 
State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016
 
Hp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaperHp arc sight_state of security ops_whitepaper
Hp arc sight_state of security ops_whitepaper
 
2013-ISC2-Global-Information-Security-Workforce-Study
2013-ISC2-Global-Information-Security-Workforce-Study2013-ISC2-Global-Information-Security-Workforce-Study
2013-ISC2-Global-Information-Security-Workforce-Study
 
Prof m01-2013 global information security workforce study - final
Prof m01-2013 global information security workforce study - finalProf m01-2013 global information security workforce study - final
Prof m01-2013 global information security workforce study - final
 
FederalTimes
FederalTimesFederalTimes
FederalTimes
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991
 
Addressing Cybersecurity Strategically
Addressing Cybersecurity Strategically Addressing Cybersecurity Strategically
Addressing Cybersecurity Strategically
 
CYBER SECURITY audit course report
CYBER SECURITY audit course reportCYBER SECURITY audit course report
CYBER SECURITY audit course report
 
The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer a...
The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer a...The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer a...
The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer a...
 
Module 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfModule 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdf
 
Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security Risks
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
 
Cybersecurity Talent : The Big Gap in Cyber Protection
Cybersecurity Talent : The Big Gap in Cyber ProtectionCybersecurity Talent : The Big Gap in Cyber Protection
Cybersecurity Talent : The Big Gap in Cyber Protection
 
Étude mondiale d'EY sur la cybersécurité (2018)
Étude mondiale d'EY sur la cybersécurité (2018)Étude mondiale d'EY sur la cybersécurité (2018)
Étude mondiale d'EY sur la cybersécurité (2018)
 
Cyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe SecurityCyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe Security
 

vision 2020 testimony

  • 1. Mr. Chairman, Members of the Committee: My name is Rob Arnold. I have served as Information Security Officer at the University of Kansas for the past two years. Prior to that I worked for seventeen years in financial services. I have been a practitioner of information security for seventeen years, and have eight years' experience leading information security teams and being responsible for security programs. I hold the professional designations Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM). I would like to thank the committee for the opportunity to address you today. I will address questions related to the recommendations found in Legislative Post Audit report R-14-007, State Agency Information Systems: Sensitive Datasets and IT Security Resources. Three themes were raised for legislative consideration in the conclusions of the report: structural issues affecting delivery of security functions, the role of the private sector, and staffing the security function. Structure enables success To speak directly to the question of effectiveness, "are the state's IT Security resources adequate to meet the current need?" involves special attention to the structures that support good security outcomes. The Council on CyberSecurity identifies a short list of suggestions in its Cybersecurity Workforce Handbook: clear accountability, establish a response team, measure and report, invest in training and development, build external relationships, develop career pathways, establish mentorship, and build the brand. From my experience leading information security programs, I would prioritize the first three suggestions from this list. Establishing the accountability and defining measures of success creates structure that enables the success of a security program. This makes accountability a critical success factor in any enterprise security plan. KU's security program benefits from clear accountability. The Information Security Office derives authority and scope of duties from policy. The policy also articulates responsibilities for IT staff, for authorized users of IT, and for a computer security incident response team (CSIRT). The inclusion of the CSIRT in policy reflects the priority and importance assigned to the response function at KU. A strong focus on reporting allows me to assert that KU's incident response time for security incidents during calendar year 2014 places us in the top 10% of all organizations with this capability. This benchmark comes from the 2013 Verizon Data Breach Investigation Report. The Verizon report also points out that 66% of breaches remain undiscovered by organizations for months or more, which helps underscore the importance of a strong response capability. Having an effective response team is the top operational priority within the capabilities of a modern enterprise security team. Reliance on prevention has proved ineffective, so emphasis on robust response is the current best practice. The structure in KU’s security program, defining my role as accountable and providing clear reporting lines, enables the operational success of our incident response function. So these three priorities (two structural and one operational) are foundational elements of KU’s information security program. Private sector role
  • 2. A more difficult question is “how and to what extent can the private sector assist in meeting the state’s security goals?” The market for managed security services is currently a $15 Billion global market, projected to grow to $33 Billion by 2020. The private sector is a crucial part of this demand as well as the supply. Opportunities to augment the state’s capabilities using managed security service providers exist, but careful vendor management will be a critical success factor. Planning for a mixed source model with the ability to loosely couple with different vendors will enable a quicker time to value on future security projects if the state chooses that option. But the merger and acquisition activity in the security provider space is intense, which poses a degree of risk and highlights the need for vendor management. Making sure the enterprise security plan for Kansas both embraces mixed sourcing and mitigates the risks of reliance on outside entities for critical security services will be a careful balancing act. My experience suggests judiciously applying mixed sourcing to tactical projects with short turn times to get quick results on security services that are more transactional and less strategic, or where economies of scale apply. Reserving internal capacity to take on transformational work is one compelling reason to use mixed sourcing. Private sector involvement will require tradeoffs, as security decisions always do. Some types of security work can be traded off for money and vendor management work. Managed security services work best when the performance of work can be easily governed by a service level agreement. Staffing the security function To give some context to the findings in the audit report that relate to staffing, the concerns raised, while significant, are more reflective of the employment environment than they are of the state's approach to staffing the security function. The report highlights a specific risk that arises when lead security positions go unfilled for a long time. This risk affects the public and private sector. A 2014 study of 504 organizations by the Ponemon Institute examined this staffing issue and found that 36% of security positions and 58% of senior security positions went unfilled in 2013. 70% of those organizations responded that their security function is understaffed. The top reason listed for why positions go unfilled was inability to offer a competitive salary, with 43% of respondents choosing it. 5.1 months to fill a security position, and 9.2 months for a senior security position are average according to this current research. A 2014 BurningGlass report points out a 74% growth in security job postings for the time period 2007- 2013, and finds that security jobs take 24% longer to fill than all IT jobs, and 36% longer to fill than all jobs. This report also finds that in 2013 U. S. employers posted 50,000 jobs requiring the information security credential CISSP, recruiting from a pool of only 60,000 CISSP holders. The clear conclusion is that demand is outstripping supply for highly qualified security talent. Numbers from the Bureau of Labor Statistics reinforce the point and provide local insight. The most recent Occupational Employment Statistics report (May 2013) lists 70 information security analyst positions in the Topeka metropolitan area. That small talent pool it is indicative of the problem with trying to recruit qualified security professionals locally. Median wage is listed as $68,330, which is just higher than the 25th percentile nationwide figure of $67,120. So salary pressure from the east and west coast is also draining the Kansas talent pool of qualified information security staff.
  • 3. The talent market for qualified security professionals also constrains the capacity of the managed services sector to provide services in this area. Security providers in this area are nearly always hiring qualified staff, posing additional retention challenges for state agencies. The security strategy includes staff development plans with the goals of retaining security talent and developing new security staff. One compelling advantage we have at KU is being able to recruit students to the security field in several ways. We employ them directly in the security office, and we guest lecture in classes related to information security, emphasizing the employment market and the need for qualified security staff. A robust security plan for Kansas needs to address the security staffing challenge from the supply side as well as demand. Summary: Thinking about how to solve security problems at the scale of state government will require diligent attention to the fundamentals of information security management. Certain key issues are constraining the capacity of state agencies to accomplish their security goals. These key issues are well highlighted in the report from Legislative Division of Post Audit, State Agency Information Systems: Sensitive Datasets and IT Security Resources. Thoughtful engagement from leadership as exemplified in the interest of the committee members today is critical to success. The private sector shows evidence of increasing engagement, with information security discussions a prominent feature in board rooms. Many more questions than the few I could explore today will need to be examined in the course of building the state’s direction. Engaged leadership that focuses on a “short list” of security priorities will allow the state to move purposefully toward the security posture it wants to have. The landscape of security is complicated, so “doing less but doing it better” is a strategy to build some momentum towards the state’s security goals. Thank you for your attention and consideration. I will be pleased to respond to questions at the appropriate time.
  • 4. Supporting references: 1) Legislative Post Audit. Report R-14-007 State Agency Information Systems: Sensitive Datasets and IT Security Resources http://www.kslpa.org/docs/reports/R-14-007.pdf 2) Council on CyberSecurity. Cybersecurity Workforce Handbook: A Practical Guide to Managing Your Workforce http://www.counciloncybersecurity.org/workforce/workforce-management/ 3) University of Kansas Policy Library. Information Technology Security Policy http://policy.ku.edu/IT/info-technology-security-policy 4) Verizon. 2013 Data Breach Investigations Report http://www.verizonenterprise.com/resources/reports/es_data-breach-investigations-report- 2013_en_xg.pdf 5) The White House. FACT SHEET: Executive Order Promoting Private Sector Cybersecurity Information Sharing https://www.whitehouse.gov/the-press-office/2015/02/12/fact-sheet-executive-order-promoting- private-sector-cybersecurity-inform 6) ABI Research. Managed Security Services Market to Reach US$32.9 Billion in 2020; Driven by Increasing Complexity of Security Requirements https://www.abiresearch.com/press/managed-security-services-market-to-reach-us329-bi 7) Timothy M. Chester. Outsource the Transactional, Keep the Transformative http://www.educause.edu/ero/article/outsource-transactional-keep-transformative 8) BurningGlass. Job Market Intelligence: Report on the Growth of Cybersecurity Jobs http://www.burning- glass.com/media/4187/Burning%20Glass%20Report%20on%20Cybersecurity%20Jobs.pdf 9) US Department of Labor, Bureau of Labor Statistics. Occupational Outlook Handbook http://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm 10) US Department of Labor, Bureau of Labor Statistics. Occupational Employment Statistics http://www.bls.gov/oes/CURRENT/oes151122.htm