Why Enterprise Security Fails in Cyber Space and What You Can Do About It?
ISACA
Allen Zhang
02/19/2015
Me & this Presentation
• << than 30 years of IT experience in infrastructure & development
• <<15 years in info security & privacy
• Educated in Chinamerica and got a bunch of certs for job security
• Enterprise security model
• What went wrong
• Cyber security framework
• What may work for you
Black Swan Events
C-Suite & BoD (NACD) Woke Up?
Pure Bad Luck?
Johns Hopkins Kimmel Cancer Center – 2/3 caused by random mutation in the tissue cells during the ordinary process of stem cell division; 1/3, genetic inheritance and lifestyles. The journal Science, Friday 2 January 2015
• A Matter of When, Not If – weakest link, hacker’s proficiency & ROI
• From natural disasters to likely event and a risk factor in planning
• The first or the last? Sensational? or Delicious? and How much?
Why/How Did They Fail?
Budget for security? Staff? Skillsets? Security tools? Management support? Wrong projects? Low priorities?
Root Cause
Inherent Flaws of Enterprise Security Doctrines
Design Issues in Current Practices
• Designed for compliance with regulations and requirements
• Measured by process executions
• A fortress with inside-out lenses
• Policy & process driven
• Focus on the program and its structured, planned, & organized operations
• For peace time, maybe conventional war against script kiddies, not cyber warfare
Cybersecurity's Maginot Line
The Placebo Effect of the Defense-in-Depth Model
One million of things done right is breached by one thing done wrong!
To Err Is Human!
http://www.saferoutesinfo.org/ – Why are pedestrian push buttons used at traffic signals?
Then how do you protect a user from himself or herself?
Possible To Keep Up With Cyber Adversaries?
Enterprise Security vs. Cyber Hackers
Cybercrime Infrastructure
From Proofpoint
Better than the cyber defense capability in probably 150+ countries
Want Revenge?
1) Become one of them
2) Get into their minds, forums and networks
3) Learn their skills and keep up with it
4) Join bounty program
5) Practice day & nite
6) Hit back
Or Something Else?
Turn This Around?
Adopt Cyber Security Framework
Identify – Every Piece of IT
• Total network device visibility
• Hardware/software inventory and compliance without choking innovation and productivity
• Apps hosted outside of your marked territory
• Data – identity/credit card record $1; a complete PHI record up to $1000
• 2015 – year of the health care hack – started with Anthem; fraud not detectable as a card transaction
• Encryption, de-identification, privileged access, usage patterns
You cannot manage what you don’t know
Protect – Game of Elimination & Exponential Factor
Detect – Find it Yourself, BFF or from Media
Considering 24x7 Vigilance and Incident Response?
Respond & Recover
Breached, now what?
cyber insurance, credit monitoring, incident/forensics retainer, mock drills …
ABC - Cyber Security Structure
• Chain of command, cyber security committee, incident response team
• Work scope: your network, your cloud apps, your vendors’ apps, links to your vendors
• Communications and reporting
• Strategy, plan, projects, tasks
Do – Make Sure – Think
Measuring Effectiveness
• Show that you can do it, are ready to do it any time, and can do it very quickly – readiness, capability, capacity, response time, sustainability
• Keep records and a trail of due diligence to protect yourself in the event of a breach
MVS - Lean Security Model
• Lean – capital, resource, time – no waste
• Compliance (Minimum) – baseline compliance (risk:))
• Viable – top cyber risks, weakest link, sustainable, and survival of the fittest
• Dependency – defense on your own feet
What is the right budget for cyber defense?
Maturity Levels
• Compliance – regulations, industrial, audits, other compliance, p+p+t
• Cyber risks – your presences, your partners, your premises
• Productivity – mobile, work any time/place/device, home office, cloud apps, outsourced apps, services now
• Services/products integrated – cheaper w/o s&p, FDA, FTC mobile app reviews
Will you pay 1 ¢ more at Target for better security?
Take Away
• Gloomy for the current state – bad guys are winning, totally ….
• Feel better over time and in the near term – we learn how to deal with it and live with it
• Optimistic about getting better for the long term – > 50+ years
allen_zhang@hmsa.com
808-777-9895