
Keynote Session : NIST - Cyber Security Framework Measuring Security


What is the NIST Cybersecurity Framework?
Why YOU should care?
How would I apply it?
How would I measure my effectiveness?

Published in: Technology


  1. Critical Security Framework: Measuring Security. Dick Bussiere | Technical Director | Asia Pacific
  2. Turbo Agenda
     • What is the NIST Cybersecurity Framework?
     • Why YOU should care?
     • How would I apply it?
     • How would I measure my effectiveness?
  3. Things to Ponder
     • 205 days until breach detected (APAC average)?
     • Can you say with certainty that you are 100% secure?
     • Do you know with certainty that you have NOT been breached?
  4. Heard on the street…
     • Of organizations believe security should be a top or high priority of the business
     • Of CEOs view security as a top or high priority to the business
     • Of organizations completely agree that the business has the ability to defend itself from security attacks
  5. IF YOU CAN'T MEASURE, YOU CAN'T CONTROL
  6. IF YOU CAN'T MEASURE, YOU CAN'T IMPROVE
  7. Communication Gap?
     Executive:
     • Brand & reputation of business
     • Ongoing business operations
     • Risk to customers
     IT Team:
     • Is risk at an acceptable level?
     • What level of risk are we exposed to?
     • Are we compliant with all the regulations that apply to us?
     • Is the cybersecurity platform operating as well as it should be?
     • Where should we spend additional money?
  8. The Survey Says…
     Security frameworks guide the way
     • 84% leverage a security framework
     • Broad range of company sizes
     Wide range of frameworks utilized
     • 44% used more than one framework
     • EOY 2016: CSF (43%), CIS (44%), ISO (44%)
     Best practice & requirements drive CSF adoption
     • 70% adopted CSF because they consider it best practice
     • 29% adopted CSF because a partner required it
     Security framework adoption is a journey
     • Only 1 in 5 rank their organization as very mature
     • More than half of CSF adopters require significant investment to fully conform
     Survey conducted by Dimensional Research, March 2016; 316 IT and security professionals interviewed in the US
  9. Why Cyber Security Framework?
     • Asks the question "what are you doing to improve" rather than "did you implement control XYZ"
     • Results in a shift from compliance to action and specific outcomes
     • Business oriented
     • Has built-in maturity model and gap analysis; no need to overlay another maturity model on top of CSF
     • Measures where you are and where you need to go
     • Can be implemented "piecemeal" as required, making it more appealing to business
  10. Why Cyber Security Framework?
     • Repeatable
     • Flexible
     • Technology neutral
     • Cost effective
     • Measurable!
     • Common language
  11. Objectives of CSF in a nutshell
     • Describe current security posture
     • Describe target security posture
     • Assess progress towards target posture
     • Continuous improvement
     • Communicate risk
  12. A Framework of Frameworks: ISO/IEC 27001, CCS CSC, ISA 62443, NIST SP 800-53, COBIT 5 → NIST Cybersecurity Framework. 5 in 1!
  13. The Cyber Security Framework at 40,000 feet…
     Framework Profile (where you are and where you want to go)
     • Defines (measures) current state
     • Defines (measures) desired state
     Framework Implementation Tiers (how you view cybersecurity)
     • Tiers (4) that show how cybersecurity risks and processes are viewed within an organization
     • Required tier based on perceived risk/benefit analysis
     CSF Core (what it does)
     • Identify
     • Protect
     • Detect
     • Restore
     • Recover
  14. CSF Component 1 – Framework Core: Identify, Protect, Detect, Respond, Recover
  15. Structure (embedded Microsoft Excel worksheet)
  16. Risk Profile, Requirements & Resources
     "Normalization Layer": use CSF to normalize existing frameworks (ISO/IEC 27001, CIS Critical Security Controls, ISA 62443) to a common language
  17. CSF Component 2 – Framework Implementation Tiers
     • Partial → Risk Informed → Repeatable → Adaptable (increasing sophistication)
     • How cybersecurity risks and processes are viewed within the organization
  18. CSF Component 3 – Framework Profile
     • Presents an overview of present and future cybersecurity posture
     • Business requirements, risk tolerance, resources
     • Used to define current state and desired state
     • Can help measure progress...
  19. How is CSF Different?
     • Expresses cybersecurity activities in a common language
     • Leverages existing standards – does not reinvent the wheel – can map existing processes/guidelines into CSF
     • Provides crucial guidance for reinforcing security controls while maintaining a focus on business objectives
     • Provides a vehicle to effectively measure cybersecurity effectiveness independent of the existing framework
  20. Ingredients to Measuring Compliance: Endpoint Assessment, Network Monitoring, Analytics, Event Monitoring
  21. Thank You. Dick Bussiere | Technical Director | Asia Pacific
