Managing Cyber and Five Other Technology Risks

Marc Pfeiffer, assistant director and senior policy fellow at the Bloustein Local Government Research Center at Rutgers University, discusses the technology risks facing municipal officials, which extend beyond cyber security to financial, operational, and reputational risk.

Published in: Government & Nonprofit

  1. MANAGING CYBER AND FIVE OTHER TECHNOLOGY RISKS: WHAT MUNICIPAL OFFICIALS AND SENIOR EXECUTIVES NEED TO KNOW. CRITICAL ISSUES FOR THE FISCAL HEALTH OF NEW ENGLAND CITIES AND TOWNS, APRIL 8, 2016. Presented by Marc Pfeiffer, Principal Investigator and Assistant Director, Bloustein Local Government Research Center, Rutgers University
  2. THE TECHNOLOGY MANAGEMENT OPPORTUNITY:
     • Integrating new technologies into a government environment that includes:
        • Cost/tax/fee pressures
        • Citizen expectations
        • Political dynamics that work against long-term planning
        • “We can defer that purchase for another year, can’t we?”
  3. KEY TECHNOLOGY MANAGEMENT CHALLENGES
     • Determining what we need, want, can afford; when and how we get it, how to manage it
     • Understanding that “technology” is more than “information technology”, but also includes operational and communications technologies; and they all have risks to manage
     • Understanding the risks; and that technology risks go beyond cyber-security; that they include the other risks that need to be reckoned with
     • Knowing that managing technology and its risks is not a journey with a destination; it is an ongoing and evolving activity
  4. WHAT IS TECHNOLOGICAL RISK?
  5. Categories of Technology Risk: Cyber-security, Financial, Operational, Legal, Reputational, Societal
  6. 1. CYBER SECURITY
     • Banking incursions – electronic funds transfer
     • Data/PII breach/theft
     • Network breach/use as a remote host
     • Access to networked control systems
     • Credit card security
     • Cyber extortion – DDOS, Cryptolocker/ransomware
     • Website/Social Media Security
  7. TYPES OF THREATS – SO FAR
     Targeted Attacks
     • Local government agencies are not usually specifically targeted, but you might be targeted by someone disgruntled or if something goes wrong
     Mass Attacks
     • This stems from successful email phishing and its cousins, and social engineering attacks
     Your Humans:
     • Clicking on the wrong link/opening the wrong file
     Bottom line: bad guys try to manipulate people into divulging personal or business information or trick them into schemes to defraud
  8. 2. LEGAL RISKS
  9. THE OTHER TECHNOLOGY RISKS
     3. Operational: failure of government to operate; services delivery failure from loss of access to IT resources
  10. THE OTHER TECHNOLOGY RISKS
     3. Operational: failure of government to operate; services delivery failure from loss of access to IT resources
     4. Financial – costs of responses to breaches and operational failure
  11. THE OTHER TECHNOLOGY RISKS
     3. Operational: failure of government to operate; services delivery failure from loss of access to IT resources
     4. Financial – costs of responses to breaches and operational failure
     5. Reputational risks
  12. THE OTHER TECHNOLOGY RISKS
     3. Operational: failure of government to operate; services delivery failure from loss of access to IT resources
     4. Financial – costs of responses to breaches and operational failure
     5. Reputational risks
     6. Society driven risks
  13. MANAGING TECHNOLOGY RISKS: THE NEED FOR TECHNOLOGICAL PROFICIENCY
  14. A TECHNOLOGICALLY PROFICIENT ORGANIZATION
     …Understands the links between its business processes and its technology
     …Understands its technology needs
     …Is assured that the technology will work when it needs to, including routine and emergency situations
     …Is capable of protecting itself against compromise, including protecting and responding to cyber threats
  15. DEVELOPING TECHNOLOGICAL PROFICIENCY
     To the extent one is weaker than the other, they are all weaker.
     Proficiency: Governance, Planning, Cyber Hygiene, Technical Competency
  16. GOVERNANCE
     Governing boards cannot ignore technology or delegate key elements
     • Reputational and financial risks cannot be delegated
     • Governing body and chief executive must be engaged
     • Includes technology managers, fiscal staff, public safety, operational representation; can include responsible citizens.
  17. GOVERNANCE
     Management needs to set the tone from the top, down:
     • Understands technology as an enterprise-wide risk management issue
     • Create a technology governance process
     • Has adequate access to technology expertise
     • Develop risk management processes
     • Adopts technology policies
     • Establish a technology planning process
     • Ensure reports to elected officials are meaningful
  18. PLANNING
     Determines how you spend technology resources
     Key elements of the plan:
     • Matches organizational goals to technology goals
     • Assessment of technology assets, services, resources (hardware, software, networks, contractors, facilities, people)
     • Identify priorities of changes in technology solutions and activities
     • Assess and address technology risks
     • Define the information security management framework
     • Address “make or buy” decisions
     • Assign plan execution responsibilities to appropriate staff and tie plan to organization budget
     • Use a practical time horizon: No more than 3 years and review annually (or more often)
  19. CYBER HYGIENE
  20. BECAUSE…
     The bulk of successful attacks come because an employee clicked on something they shouldn’t have, so…
     • Train (and retrain) your humans
     • Consider intrusion testing
     • Have informed employee policies
  21. TECHNICAL COMPETENCE
     Implement the plan with technical competency
     • Keep Governance updated on activities
     • Apply and enforce policies
     • Ensure that all tech employees are trained and contractors are secure
     • Keep aware of changing circumstances and technology, and SHARE information with peers
     • Be consistent; do not slack off
  22. http://blousteinlocal.rutgers.edu/managing-technology-risk/
  23. TECHNOLOGY PROFICIENCY MATURITY MODEL
     • Stage 1: Unaware
     • Stage 2: Fragmented
     • Stage 3: Top Down/Evolving
     • Stage 4: Managed/Pervasive
     • Stage 5: Optimized/Networked
  24. MATURITY AND RISK POTENTIAL (chart: risk potential plotted against maturity level: Unaware, Fragmented, Defined, Managed, Optimized)
  25. TECHNOLOGY PROFILES: BASIC
  26. WHAT SHOULD I DO?
  27. PUT TECHNOLOGY PROFICIENCY ON YOUR ORGANIZATION’S AGENDA
     You can’t do this overnight; it will always be a work in progress.
     It will likely cost new resources of time, attention, and $$
     Remember, proficiency and cybersecurity are an ongoing process and challenge, NOT a destination!
     And every organization is at a different spot on the map
     So… START
  28. STUDY CONDUCTED BY:
     Marc Pfeiffer, Assistant Director, Bloustein Local Government Research Center, Bloustein School of Planning and Public Policy, Rutgers, The State University, 33 Livingston Street, New Brunswick 08901, marc.pfeiffer@rutgers.edu, 848-932-2830, http://blousteinlocal.rutgers.edu/managing-technology-risk/
     Under a grant provided by the: Municipal Excess Liability Joint Insurance Fund, 9 Campus Drive - Suite 16, Parsippany, NJ 07054, (201) 881-7632
     With an assist from Dr. Alan Shark, Director of the Center for Technology Leadership at the Rutgers School of Public Affairs and Administration, and Executive Director, Public Technology Institute
     All materials © 2015 by Rutgers and the Municipal Excess Liability Joint Insurance Fund