Holmes and Associates, Inc.
Pushing Cybersecurity “Farther to the Left”
Nov 28, 2023
Kirk Holmes, President
Holmes and Associates, Inc.
kirk@holmesinc.net (301) 346-9115
http://www.holmesinc.net
8(a) small business
Team Capabilities
About Holmes and Associates, Inc. and Team
Example Customers
• Transformation experience and connections
• CIO Advisory
• vCISO and vCIO
• Significant organizational transformation experience
We Provide Thought leadership
• STPA-Sec – a key Cybersecurity methodology
• IT Service Management
• Service provider excellence (Baldrige)
Goal: Move Cybersecurity To the Left of the Lifecycle
[Figure: Cost To Correct Defect, plotted by Phase that Defect is Created (ConOps, Requirements, Design, Construction) against Phase that Defect is Corrected (ConOps, Requirements, Design, Construction, O&M). Cost labels: 1x cost, 100x+ cost. Chart labels: Security Concept, Functional Security Req’s, Bake-In, Bolt-On, Patching, Secure-By-Design TARGET.]
CISA “Secure-By-Design” → Fix defects Early!
How do you do it more Systematically, Consistently, and Holistically?
ANSWER: System Theoretic Process Analysis for Security (STPA-Sec)
What is STPA-Sec? A Leading Edge Approach
System-Theoretic Process Analysis (STPA)
• Complementary to classic methodologies
• Earlier life cycle requirements
• Business alignment & business-driven decisions
• Top-Down decomposition approach
• Consistent models
• Codification
• “Emergent properties”
• Non-technical considerations
[Diagram labels: Business/Mission; Threat; Vulnerability; Responsive to CISA: Secure-by-Design]
Complex Systems have emergent properties
• STPA-Sec is grounded in real life operations as it was created by Holmes colleague Dr. William Young as a seasoned Air Force officer who was obtaining a PhD in Cybersecurity from MIT
• Real Life example: STPA-Sec was used for one of the Air Force’s highest-profile ICBM programs
Does STPA-Sec Methodology Work?
Quotes from: “Cybersecurity for DoD Acquisition Program Execution: Best Practices for the Major Capability Acquisition Pathway”, Nov 2021
• “Like all engineering processes, STPA-Sec relies on skilled, well-trained professionals to perform the analysis.”
• “The GBSD program made use of STPA-Sec to drive security engineering activities as early as the material solutions analysis phase of systems development.”
• “Using STPA-Sec allowed GBSD to design systems that minimize security vulnerabilities while meeting program requirements and schedule.”
• “The use of STPA-Sec by the GBSD program was indicated by the Office of the Director, Operational Test and Evaluation (DOT&E) as a contributing factor in reducing cybersecurity and schedule risks.”
DoD Confirmed that STPA-Sec is a Best Practice
• Modernization: Complexity
• Modeling and analyzing cybersecurity before engineering and acquisitions
• Vulnerability Management: Scale, transparency, consistency
• Addressing Known Exploitable Vulnerabilities
• Insider Threat: Scale, transparency, consistency
• Management of audit trail logs
• Employee attrition: Knowledge management and codification
• Application to Artificial Intelligence governance: Connection of mission, threat, technology, and vulnerability
Example Common Challenge Areas
Holmes and Associates can bring unique and unparalleled thought leadership to transform cybersecurity throughout an entire organization
The Holmes Team Proposition
1. Lower cybersecurity risk
2. Higher consistency
3. Horizontal and vertical alignment
4. Lower cost
5. Higher speed of execution
6. Enhanced mission protection
Holmes Can Provide:
Workshops
Policy and Process development
Model Building
Skill building
Repository management
Tool building
SECURE BY DESIGN
