Speaker, title, company Moderator: ABC

Transcription:

Speaker, title, company Moderator: ABC
LARRY CLINTON, PRESIDENT & CEO, INTERNET SECURITY ALLIANCE
lclinton@isalliance.org, Office (703) 907-7028, Cell (202) 236-0001

During the Last Minute
45 new viruses
200 new malicious web sites
180 personal identities stolen
5000 examples of malware created
2 million dollars lost

Business Approach to Cyber Security
"The security discipline has so far been skewed toward technology (firewalls, ID management, intrusion detection) instead of risk analysis and proactive intelligence gathering." PWC Global Cyber Security Survey

If You're Thinking Tech... An Enterprise-Wide Risk Management Issue
Thinking about technology without considering economics is as misguided as thinking of economics without considering technology.
Technology is about HOW attacks occur; economics is about WHY attacks occur.

Why are We not doing it?
"The challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices, demonstrating the value in implementing them and encouraging individuals and organizations to adopt them." The Information Systems Audit and Control Association (ISACA), March 2011

Why are We not doing it?
"Overall, cost was most frequently cited as the biggest obstacle to ensuring the security."
"Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solution."
"The number one barrier is the security folks who haven't been able to communicate the urgency well enough and they haven't actually been able to persuade the decision makers of the reality of the threat."
From CSIS & PWC Surveys 2010

Cyber Security and the Economics
"We find that misplaced incentives are as important as technical design... security failure is caused at least as often by bad incentives as by bad technological design." Anderson and Moore, The Economics of Information Security

Misaligned Incentives
"Economists have long known that liability should be assigned to the entity that can manage risk. Yet everywhere we look we see online risk allocated poorly... people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code." Anderson and Moore, Economics of Information Security

Cyber Economic Equation: Incentives Favor Attackers
Offence: Attacks are cheap
Offence: Attacks are easy to launch
Offence: Profits from attacks are enormous
Offence: GREAT business model (resell same service)
Defense: Perimeter to defend is unlimited
Defense: Is compromised; hard to show ROI
Defense: Usually a generation behind the attacker
Defense: Prosecution is difficult and rare

Business Incentives to Become Less Secure
Some have assumed adopting modern tech will be more secure, thus increased security will happen naturally. That's wrong.
Business efficiency demands less secure systems (VOIP / national supply chains / cloud)
Profits from advanced tech are not used to advance security
Regulatory compliance is not correlated with security, and may be counterproductive

The Good News: We know (mostly) what to do!
PWC/Gl Inform Study 2006: best practices 100%
CIA 2007: 90% can be stopped
Verizon 2008: 87% can be stopped
NSA 2009: 80% can be prevented
Secret Service/Verizon 2010: 94% can be stopped or mitigated by adopting inexpensive best practices and standards already existing

We are Not Cyber Structured
In 95% of companies the CFO is not directly involved in information security
2/3 of companies don't have a risk plan
83% of companies don't have a cross-organizational privacy/security team
Less than ½ have a formal risk management plan; 1/3 of the ones who do don't consider cyber in the plan
In 2009 & 2010, 50%-66% of US companies deferred or reduced investment in cyber security

Enterprise Cyber Risk Management Focus on Finances & Investment

ANSI ISA Program
Outlines an enterprise-wide process to attack cyber security broadly and economically
CFO strategies
HR strategies
Legal/compliance strategies
Operations/technology strategies
Communications strategies
Risk Management/insurance strategies

What CFOs Need to Do
Own the problem
Appoint an enterprise-wide cyber risk team
Meet regularly
Develop an enterprise-wide cyber risk management plan
Develop an enterprise-wide cyber risk budget
Implement the plan, analyze it regularly, test and reform based on enterprise-wide feedback

Growth toward Enterprise-wide Cyber Management (since ISA-ANSI model)
In 2008 only 15% of companies had enterprise-wide risk management teams for cyber. In 2011, 87% of companies had these teams.
Major firms (E & Y) are now including the ISA Model in their Enterprise Programs.
Since 2007 more CISOs are reporting to Sr Business Management (UP 13% to CEO, UP 36% CFO, UP 67% COO, DOWN 39% CIO)