
Page 1: Cyber Security Governance · 2019-06-06 · Cyber Security Threats / Visibility Recent News Target: Businesses and Government: Finance, Critical Infrastructure, Government, and Commerce

Cyber Security Governance

Robert Fritz, CISSP, CSSLP

April 25, 2019

Page 2: Agenda: “An Introduction to Opportunities”

Discussion Item (page #)

• Introduction (3)

• Cyber Security Threats / Visibility (4)

• Cyber Security Perspectives (5)

• Governed Risk (7)

• Relationship Opportunities (9)

• Where is Risk (10)

Page 3: Introduction: Robert Fritz, Director, Cyber Security, Emera

• US Air Force: Communications Officer

– HQ Air Combat Command, Langley AFB

– HQ USAF, Pentagon

• hp

– Cyber Security Researcher and Consultant

• Morgan Stanley

– Executive Director, Security Architecture

– Morgan Stanley Canada CISO

• Recent Security Contribution

– Cloud Cyber Security Panelist @ NIST

– Supplier Security Talks @ Gartner, Evanta

– Standards / Certification Contribution:

• Center for Internet Security

• ISC2 Certification / Test Development

Page 4: Cyber Security Threats / Visibility

Recent News

Target: Businesses and Government. Finance, Critical Infrastructure, Government, and Commerce are all examples of targeted organizations.

• December 2018: US-indicted Chinese nationals (APT10 / Stone Panda) alleged to have penetrated multiple Managed Service (Cloud) Providers.

• October 2018: “Grey Energy” threat actor and malware advance the state of critical infrastructure attack with well-constructed tools and techniques.

• December 2018: Marriott (SPG) breach affected 500 million accounts, including, in many cases, personal information that can lead to user identity theft.

• January 2019: US National Counterintelligence and Security Center launched a campaign to highlight corporate supply chains as a primary nation state target.

• 27%: Global 2-yr chance of material breach ¥

• 399: Incidents reported to Canada Cyber Incident Response Center *

• $4M: Average cost of data breach ¥

¥ 2019 Ponemon Institute study

₸ From 2018 Ponemon Institute “Cost of Data Breach Study”

* From last quarter published by CCIRC 2

Page 5: Cyber Security Perspectives: Roles

• Board

– Accountable for Ensuring Risk is Managed

• C-Suite

– Accountable for Managing Risk

• Business

– Accountable for Delivering Customer Value

• IT

– Accountable for Cost and Agility

• IT Security

– Accountable for Security Operations

– Accountable for Security Services

– Accountable for Security (??) Risk (??)

• External Stakeholders

– Ensure company is accountable for “externalities”

Page 6: Cyber Security Perspectives: Relationships: Ungoverned Security

• Board / C-Suite

– Surprised if Something “Bad” Happens

• Business

– Drives cost down, speed up

• Shadow-IT Services

– Assumes Data/Services Secure

• IT

– “Does what it can” with available funding

• IT Security

– Fear of Business Security Mistakes

– Fear of IT Projects Undermining Security

– Becomes the “Department of NO”

• External Stakeholders

– Receive little communication before, during or after an incident

Page 7: Governed Risk: Transparency and Accountability

• Board / C-Suite

– Demands Regular, Quality Risk Data

– Defines Appropriate Risk Tolerance

• Business

– Accepts Security Risk Accountability

– Empowered Security Decisions

• IT

– Communicates Cost / Risk Choices in Business Terms

• IT Security

– Analyses Risk

– Partners with Legal/Purchasing

• External Stakeholders

– Formal Structured Engagement

Page 8: Governed Risk: CISO Governance Responsibility Trends

• Cyber Security Governance Inside IT

– Service Delivery and Risk Assessment

– Execution to Standard

• Cyber Security Governance Outside IT

– “Information Risk Oversight”

• Create Processes for Engaging Stakeholders

• Facilitate Risk Discussions with Stakeholders

• Connect “Material” Discussions with “Enterprise Risk Management”

– Security Service Capability Benchmarking

• Develop Standards that Map Business Risk Tolerance to Threat Landscape

• Define Benchmarks for Success

Where do CISOs fit in the Organization?*

*2018 Ponemon Institute Survey

Page 9: Relationship Opportunities: Exploring Functional Roots

• CISO Function

– Evolved from Tradition of Applied Security

– Can See Past “Technology Assertions”

– Can (Dis)Prove Questions of Technology

• Audit Function

– Evolved from Accounting / Regulatory

– Can See Past “Process Assertions”

– Can (Dis)Prove Questions of Process

• Opportunities

– CISO Needs

• Checks on Integrity of Risk Reporting

• Checks on Consistency of Delivery

– CISO Offerings

• Organizational Capability Gaps:

• “Tips” for Audit Focus

(Diagram: People, Process, Technology)

Page 10: Where is Risk? Uncertainty Defined

• One who knows and knows that he knows...

– His horse of wisdom will reach the skies.

• One who knows, but doesn't know that he knows...

– He is fast asleep, so you should wake him up!

• One who doesn't know, but knows that he doesn't know...

– His limping mule will eventually get him home.

• One who doesn't know and doesn't know that he doesn't know...

– He will be eternally lost in his hopeless oblivion!

– Ibn Yamin (ابن یمین فریومدی), 13th Century Poet

Page 11: Where Is Risk? Uncertainty Applied

Known

• Measured Deficiencies

• Existing Plans / Follow Through

Known Unknown

• Incomplete Inventories

• Unmanaged Vendors and Connectivity

Unknown Unknown

• External: Emerging Threats

• Internal: Organic Process / Technology

Which Do We Manage?

Page 12: Questions?