Cyber Security Governance · 2019-06-06
Cyber Security Governance
Robert Fritz, CISSP, CSSLP
April 25, 2019
Agenda: “An Introduction to Opportunities”
Discussion Items
• Introduction
• Cyber Security Threats / Visibility
• Cyber Security Perspectives
• Governed Risk
• Relationship Opportunities
• Where is Risk
Introduction: Robert Fritz, Director, Cyber Security, Emera
• US Air Force: Communications Officer
– HQ Air Combat Command, Langley AFB
– HQ USAF, Pentagon
• HP
– Cyber Security Researcher and Consultant
• Morgan Stanley
– Executive Director, Security Architecture
– Morgan Stanley Canada CISO
• Recent Security Contributions
– Cloud Cyber Security Panelist @ NIST
– Supplier Security Talks @ Gartner, Evanta
– Standards / Certification Contribution:
• Center for Internet Security
• ISC2 Certification / Test Development
Cyber Security Threats / Visibility
Recent News
Target: Businesses and Government. Finance, critical infrastructure, government, and commerce are all examples of targeted organizations.
• December 2018: US-indicted Chinese nationals (APT-10 / Stone Panda) alleged to have penetrated multiple Managed Service (Cloud) Providers.
• October 2018: “GreyEnergy” threat actor and malware advance the state of critical infrastructure attack with well-constructed tools and techniques.
• December 2018: Marriott (SPG) breach affected 500 million accounts, including, in many cases, personal information that can lead to user identity theft.
• January 2019: US National Counterintelligence and Security Center launched a campaign to highlight corporate supply chains as a primary nation state target.
Key figures:
• 27%: Global 2-year chance of a material breach ¥
• 399: Incidents reported to the Canadian Cyber Incident Response Centre (CCIRC) *
• $4M: Average cost of a data breach ¥
¥ 2019 Ponemon Institute study
₸ From 2018 Ponemon Institute “Cost of Data Breach Study”
* From the last quarter published by CCIRC
Cyber Security Perspectives: Roles
• Board
– Accountable for Ensuring Risk is Managed
• C-Suite
– Accountable for Managing Risk
• Business
– Accountable for Delivering Customer Value
• IT
– Accountable for Cost and Agility
• IT Security
– Accountable for Security Operations
– Accountable for Security Services
– Accountable for Security (??) Risk (??)
• External Stakeholders
– Ensure the company is accountable for “externalities”
Cyber Security Perspectives: Relationships (Ungoverned Security)
• Board / C-Suite
– Surprised if Something “Bad” Happens
• Business
– Drives cost down, speed up
• Shadow-IT Services
– Assumes Data/Services are Secure
• IT
– “Does what it can” with available funding
• IT Security
– Fear of Business Security Mistakes
– Fear of IT Projects Undermining Security
– Becomes the “Department of No”
• External Stakeholders
– Receive little communication before, during, or after an incident
Governed Risk: Transparency and Accountability
• Board / C-Suite
– Demands Regular, Quality Risk Data
– Defines Appropriate Risk Tolerance
• Business
– Accepts Security Risk Accountability
– Empowered Security Decisions
• IT
– Communicates Cost / Risk Choices in Business Terms
• IT Security
– Analyses Risk
– Partners with Legal/Purchasing
• External Stakeholders
– Formal, Structured Engagement
Governed Risk: CISO Governance Responsibility Trends
• Cyber Security Governance Inside IT
– Service Delivery and Risk Assessment
– Execution to Standard
• Cyber Security Governance Outside IT
– “Information Risk Oversight”
• Create Processes for Engaging Stakeholders
• Facilitate Risk Discussions with Stakeholders
• Connect “Material” Discussions with “Enterprise Risk Management”
– Security Service Capability Benchmarking
• Develop Standards that Map Business Risk Tolerance to the Threat Landscape
• Define Benchmarks for Success
Where do CISOs fit in the Organization? (chart; source: 2018 Ponemon Institute Survey)
Relationship Opportunities: Exploring Functional Roots
• CISO Function
– Evolved from a Tradition of Applied Security
– Can See Past “Technology Assertions”
– Can (Dis)Prove Questions of Technology
• Audit Function
– Evolved from Accounting / Regulatory
– Can See Past “Process Assertions”
– Can (Dis)Prove Questions of Process
• Opportunities
– CISO Needs
• Checks on Integrity of Risk Reporting
• Checks on Consistency of Delivery
– CISO Offerings
• Organizational Capability Gaps: People, Process, Technology
• “Tips” for Audit Focus
• One who knows and knows that he knows...
– His horse of wisdom will reach the skies.
• One who knows, but doesn't know that he knows...
– He is fast asleep, so you should wake him up!
• One who doesn't know, but knows that he doesn't know...
– His limping mule will eventually get him home.
• One who doesn't know and doesn't know that he doesn't know...
– He will be eternally lost in his hopeless oblivion!
– Ibn Yamin (ابن یمین فریومدی), 13th Century Poet
Where is Risk? Uncertainty Defined
Known
• Measured Deficiencies
• Existing Plans / Follow-Through
Known Unknown
• Incomplete Inventories
• Unmanaged Vendors and Connectivity
Unknown Unknown
• External: Emerging Threats
• Internal: Organic Process / Technology
Where Is Risk? Uncertainty Applied
Which Do We Manage?
Questions?