Speaker, title, company
Moderator: ABC
LARRY CLINTON, PRESIDENT & CEO, INTERNET SECURITY ALLIANCE
lclinton@isalliance.org
Office (703) 907-7028, Cell (202) 236-0001
During the Last Minute
45 new viruses
200 new malicious web sites
180 personal identities stolen
5000 examples of malware created
2 million dollars lost
Business Approach to Cyber Security
"The security discipline has so far been skewed toward technology (firewalls, ID management, intrusion detection) instead of risk analysis and proactive intelligence gathering." PWC Global Cyber Security Survey
If You're Thinking Tech... An Enterprise-Wide Risk Management Issue
Thinking about technology without considering economics is as misguided as thinking of economics without considering technology.
Technology is about HOW attacks occur; economics is about WHY attacks occur.
Why are We not doing it?
"The challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices, demonstrating the value in implementing them and encouraging individuals and organizations to adopt them." The Information Systems Audit and Control Association (ISACA), March 2011
Why are We not doing it?
"Overall, cost was most frequently cited as the biggest obstacle to ensuring security. Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solution."
"The number one barrier is the security folks who haven't been able to communicate the urgency well enough and they haven't actually been able to persuade the decision makers of the reality of the threat."
from CSIS & PWC Surveys 2010
Cyber Security and the Economics
"We find that misplaced incentives are as important as technical design; security failure is caused at least as often by bad incentives as by bad technological design." Anderson and Moore, The Economics of Information Security
Misaligned Incentives
"Economists have long known that liability should be assigned to the entity that can manage risk. Yet everywhere we look we see online risk allocated poorly: people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code." Anderson and Moore, Economics of Information Security
Cyber Economic Equation: Incentives Favor Attackers
Offence: Attacks are cheap
Offence: Attacks are easy to launch
Offence: Profits from attacks are enormous
Offence: GREAT business model (resell same service)
Defense: Perimeter to defend is unlimited
Defense: Is compromised; hard to show ROI
Defense: Usually a generation behind the attacker
Defense: Prosecution is difficult and rare
Business Incentives to become less secure
Some have assumed adopting modern tech will be more secure, thus increased security will happen naturally. That's wrong.
Business efficiency demands less secure systems (VOIP / national supply chains / cloud)
Profits from advanced tech are not used to advance security
Regulatory compliance is not correlated with security, and may be counterproductive
The Good News: We know (mostly) what to do!
PWC/Gl Inform Study 2006: best practices 100%
CIA 2007: 90% can be stopped
Verizon 2008: 87% can be stopped
NSA 2009: 80% can be prevented
Secret Service/Verizon 2010: 94% can be stopped or mitigated by adopting inexpensive best practices and standards already existing
We are Not Cyber Structured
In 95% of companies the CFO is not directly involved in information security
2/3 of companies don't have a risk plan
83% of companies don't have a cross-organizational privacy/security team
Less than ½ have a formal risk management plan; 1/3 of the ones who do don't consider cyber in the plan
In 2009 & 2010, 50%-66% of US companies deferred or reduced investment in cyber security
Enterprise Cyber Risk Management Focus on Finances & Investment
ANSI ISA Program
Outlines an enterprise-wide process to attack cyber security broadly and economically:
CFO strategies
HR strategies
Legal/compliance strategies
Operations/technology strategies
Communications strategies
Risk Management/insurance strategies
What CFOs Need to Do
Own the problem
Appoint an enterprise-wide cyber risk team
Meet regularly
Develop an enterprise-wide cyber risk management plan
Develop an enterprise-wide cyber risk budget
Implement the plan, analyze it regularly, test and reform based on enterprise-wide feedback
Growth toward Enterprise-wide cyber management (since ISA-ANSI model)
In 2008 only 15% of companies had enterprise-wide risk management teams for cyber. In 2011 87% of companies had these teams.
Major firms (E & Y) are now including the ISA Model in their Enterprise Programs.
Since 2007 more CISOs are reporting to Sr Business Management (UP 13% to CEO, UP 36% CFO, UP 67% COO, DOWN 39% CIO)