2012 05 09 larry clinton sc congress toronto canada presentation about cyber economics

7/31/2019 2012 05 09 Larry Clinton SC Congress Toronto Canada Presentation About Cyber Economics

1/18

Speaker,)tle,companyModerator:ABC

LARRYCLINTONPRESIDENT&CEO

INTERNETSECURITYALLIANCE

[email protected]

Office(703)907-7028Cell(202)236-0001


2/18

During the Last Minute

45newviruses 200newmaliciouswebsites 180personaliden))esstolen

5000examplesofmalwarecreated

2milliondollarslost


3/18

* Thesecuritydisciplinehassofarbeenskewedtowardtechnologyfirewalls,IDmanagement,

intrusiondetec)oninsteadofriskanalysisand

proac)veintelligencegathering.PWCGlobalCyberSecuritySurvey

Business Approach to Cyber Security


4/18

AnEnterpriseWideRiskManagementIssue

Thinkingabouttechnologywithoutconsideringeconomicsisasmisguidedasthinkingofeconomicswithoutconsidering

technology

TechnologyisaboutHOWaacksoccur,economicsisaboutWHYaacksoccur

If Your Thinking Tech..


5/18

Thechallengeincybersecurityisnotthatbestprac)cesneedtobedeveloped,butinsteadlies

incommunica)ngthesebestprac)ces,

demonstra)ngthevalueinimplemen)ngthem

andencouragingindividualsandorganiza)ons

toadoptthem.

TheInforma)onSystemsAuditandControlAssocia)on(ISACA-March2011

Why are We not doing it?


6/18

Overall,costwasmostfrequentlycitedasthebiggestobstacletoensuringthesecurity.

Makingthebusinesscaseforcybersecurityremainsamajorchallenge,because

managemento[endoesnotunderstandeitherthescaleofthethreatortherequirementsforasolu)ons.

Thenumberonebarrieristhesecurityfolkswhohaventbeenabletocommunicatetheurgencywellenoughandtheyhaventactuallybeenabletopersuadethedecisionmakersoftherealityofthethreat.----fromCSIS&PWCSurveys2010

Why are We not doing it?


7/18

Wefindthatmisplacedincen;vesareasimportantastechnicaldesignsecurityfailureis

causedasleastaso?enbybadincen;vesasby

badtechnologicaldesign

AndersonandMooreTheEconomicsofInforma;on

Security

Cyber Security and the Economics


8/18

Economistshavelongknownthatliabilityshouldbeassignedtotheen)tythatcanmanagerisk.Yeteverywherewelookweseeonlineriskallocatedpoorlypeoplewhoconnecttheir

machinestoriskyplacesdonotbearfullconsequencesoftheirac)ons.Anddevelopersarenotcompensatedforcostlyeffortstostrengthentheircode

Anderson and Moore Economics ofInformation Security

Misaligned Incentives


9/18

Offence:Aacksarecheap

Offence:Aacksareeasytolaunch Offence:Profitsfromaacksareenormous Offence:GREATbusinessmodel(resellsameservice

Defense:PerimetertodefendisunlimitedDefense:IscompromisedhardtoshowROI

Defense:Usuallyagenera)onbehindtheaacker

Defense:Prosecu)onisdifficultandrare

Cyber Economic Equation:

Incentives Favors Attackers


10/18

Somehaveassumedadop)ngmoderntechwillbemoresecurethusincreasedsecurity

willhappennaturallythatswrong

Businessefficiencydemandslesssecuresystems(VOIP/na)onalsupplychains/Cloud

Profitsfromadvancedtecharenotusedtoadvancesecurity

Regulatorycomplianceisnotcorrelatedwithsecuritymaybecounterproduc)ve

Business Incentives to become less secure


11/18

PWC/GlInformStudy2006---bestprac)ces100%

CIA2007---90%canbestopped Verizon200887%canbestopped NSA2009---80%canbepreventedSecretService/Verizon2010---94%canbestoppedormi)gatedbyadop)nginexpensivebestprac)cesandstandardsalreadyexis)ng

The Good News:

We know (mostly)what to do!


12/18

In95%ofcompaniestheCFOisnotdirectlyinvolvedininforma)onsecurity

2/3ofcompaniesdonthaveariskplan

83%ofcompaniesdonthaveacrossorganiza)onalprivacy/securityteam

Lessthanhaveaformalriskmanagementplan,1/3oftheoneswhododontconsidercyberintheplan

In2009&2010,50%-66%ofUScompaniesdeferredorreducedinvestmentincybersecurity

We are Not Cyber Structured


13/18

Enterprise Cyber Risk ManagementFocus on Finances &

Investment

C


14/18

Enterprise Cyber Risk Management

Focus on Finances & Investment


15/18

ANSI ISA Program

Outlinesanenterprisewideprocesstoaackcybersecuritybroadlyandeconomically CFOstrategies HRstrategies Legal/compliancestrategies Opera)ons/technologystrategies Communica)onsstrategies RiskManagement/insurancestrategies


16/18

What CFOs Need to Do

Owntheproblem Appointanenterprisewidecyberriskteam Meetregularly Developanenterprisewidecyberriskmanagementplan

Developanenterprisewidecyberriskbudget Implementtheplan,analyzeitregularly,testandreformbasedonenterprise-widefeedback

G th t d E t i id b


17/18

Growth toward Enterprise wide cyber

management (since ISA-ANSI model)

In2008only15%ofcompanieshadenterprisewideriskmanagementteamsforcyber.In

201187%ofcompanieshadtheseteams

Majorfirms(E&YarenowincludingtheISAModelintheirEnterprisePrograms

Since2007moreCISOsarerepor)ngtoSrBusinessManagement(UP13%toCEOUP36%CFO,UP67%COODOWN39%CIO


18/18

Speaker,)tle,companyModerator:ABC

LARRYCLINTONPRESIDENT&CEO

INTERNETSECURITYALLIANCE

[email protected]

Office(703)907-7028Cell(202)236-0001

2012 05 09 larry clinton sc congress toronto canada presentation about cyber economics

Documents