Speaker, )tle, company Moderator: ABC

Transcription

1 Speaker, )tle, company Moderator: ABC LARRY CLINTON PRESIDENT & CEO INTERNET SECURITY ALLIANCE Office (703) Cell (202)

2 During the Last Minute 45 new viruses 200 new malicious web sites 180 personal iden))es stolen 5000 examples of malware created 2 million dollars lost

3 Business Approach to Cyber Security * The security discipline has so far been skewed toward technology firewalls, ID management, intrusion detec)on instead of risk analysis and proac)ve intelligence gathering. PWC Global Cyber Security Survey

4 If Your Thinking Tech.. An Enterprise Wide Risk Management Issue Thinking about technology without considering economics is as misguided as thinking of economics without considering technology Technology is about HOW aracks occur, economics is about WHY aracks occur

5 Why are We not doing it? The challenge in cyber security is not that best prac)ces need to be developed, but instead lies in communica)ng these best prac)ces, demonstra)ng the value in implemen)ng them and encouraging individuals and organiza)ons to adopt them. The Informa)on Systems Audit and Control Associa)on (ISACA)- March 2011

6 Why are We not doing it? Overall, cost was most frequently cited as the biggest obstacle to ensuring the security. Making the business case for cyber security remains a major challenge, because management o[en does not understand either the scale of the threat or the requirements for a solu)ons. The number one barrier is the security folks who haven t been able to communicate the urgency well enough and they haven t actually been able to persuade the decision makers of the reality of the threat from CSIS & PWC Surveys 2010

7 Cyber Security and the Economics We find that misplaced incen;ves are as important as technical design security failure is caused as least as o?en by bad incen;ves as by bad technological design Anderson and Moore The Economics of Informa;on Security

8 Misaligned Incentives Economists have long known that liability should be assigned to the en)ty that can manage risk. Yet everywhere we look we see online risk allocated poorly people who connect their machines to risky places do not bear full consequences of their ac)ons. And developers are not compensated for costly efforts to strengthen their code Anderson and Moore Economics of Information Security

9 Cyber Economic Equation: Incentives Favors Attackers Offence: ARacks are cheap Offence: ARacks are easy to launch Offence: Profits from aracks are enormous Offence: GREAT business model ( resell same service) Defense: Perimeter to defend is unlimited Defense: Is compromised hard to show ROI Defense: Usually a genera)on behind the aracker Defense: Prosecu)on is difficult and rare

10 Business Incentives to become less secure Some have assumed adop)ng modern tech will be more secure thus increased security will happen naturally that s wrong Business efficiency demands less secure systems (VOIP/na)onal supply chains/cloud) Profits from advanced tech are not used to advance security Regulatory compliance is not correlated with security may be counter produc)ve

11 The Good News: We know (mostly)what to do! PWC/Gl Inform Study best prac)ces 100% CIA % can be stopped Verizon % can be stopped NSA % can be prevented Secret Service/Verizon % can be stopped or mi)gated by adop)ng inexpensive best prac)ces and standards already exis)ng

12 We are Not Cyber Structured In 95% of companies the CFO is not directly involved in informa)on security 2/3 of companies don t have a risk plan 83% of companies don t have a cross organiza)onal privacy/security team Less than ½ have a formal risk management plan, 1/3 of the ones who do don t consider cyber in the plan In 2009 & 2010, 50%- 66% of US companies deferred or reduced investment in cyber security

13 Enterprise Cyber Risk Management Focus on Finances & Investment

14 Enterprise Cyber Risk Management Focus on Finances & Investment

15 ANSI ISA Program Outlines an enterprise wide process to arack cyber security broadly and economically CFO strategies HR strategies Legal/compliance strategies Opera)ons/technology strategies Communica)ons strategies Risk Management/insurance strategies

16 What CFOs Need to Do Own the problem Appoint an enterprise wide cyber risk team Meet regularly Develop an enterprise wide cyber risk management plan Develop an enterprise wide cyber risk budget Implement the plan, analyze it regularly, test and reform based on enterprise- wide feedback

17 Growth toward Enterprise wide cyber management (since ISA-ANSI model) In 2008 only 15% of companies had enterprise wide risk management teams for cyber. In % of companies had these teams Major firms (E & Y) are now including the ISA Model in their Enterprise Programs Since 2007 more CISOs are repor)ng to Sr Business Management (UP 13% to CEO UP 36% CFO, UP 67% COO DOWN 39% CIO

18 Speaker, )tle, company Moderator: ABC LARRY CLINTON PRESIDENT & CEO INTERNET SECURITY ALLIANCE Office (703) Cell (202)