CareFirst BlueCross BlueShield is the shared business name of CareFirst of Maryland, Inc. and Group Hospitalization and Medical Services, Inc. which are independent licensees of the Blue Cross and Blue Shield Association. ® Registered trademark of the Blue Cross and Blue Shield Association. ®′ Registered trademark of CareFirst of Maryland, Inc.
Cybersecurity in the Age of Government Regulation
Compliance versus Security
October 28, 2015
Harry D. Fox, EVP, Technical and Operational Support Services
CareFirst BlueCross BlueShield
Agenda
• Security Landscape
• Increased Demand For Controls And Scrutiny
• Compliant vs Secure
• Cybersecurity Frameworks and Governance
• Key Action Steps
Sobering Thought…
Cybercrime will Cost Businesses
Over $2 Trillion by 2019
“New research from market analysts, Juniper Research, suggests that the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, increasing to almost four times the estimated cost of breaches in 2015.” – Juniper Research, The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation, May 2015
Security Landscape
AV-TEST Institute registers over 390,000 new malicious programs every day.
Malware Growth Last 10 Years
“Many executives are declaring cyber as the risk that will define our generation,” said Dennis Chesley, Global Risk Consulting Leader for PwC. – from Turnaround and Transformation in Cybersecurity, by PwC
Threat Actors are Sophisticated, Well Organized, and Well Funded
Source: Mandiant, APT1: Exposing One of China’s Cyber Espionage Units
Threats Continue to Evolve
• While we can’t ignore the threats of the past, there is growing sophistication
– Social Engineering
– Spear Phishing
– Advanced Malware that changes its signature and profile
• The motives and actors are also changing
– Nation States
– Hacktivism
– Organized Crime
“Cyberspace has become a full-blown war zone as governments across the globe clash for digital supremacy in a new, mostly invisible theater of operations. Once limited to opportunistic criminals, cyber attacks are becoming a key weapon for governments seeking to defend national sovereignty and project national power.” – FireEye, World War C: Understanding Nation-State Motives Behind Today’s Cyber Attacks
• Cyberattacks and breaches have left organizations scrambling to find ways to measure and demonstrate due diligence
• Security doesn’t have a “one-size-fits-all” solution, which makes measuring due diligence challenging
Increased Controls and Scrutiny
• Compliance can bring sweeping changes to the organization well beyond the traditional scope of Information Security
Greater Legislation on the way…
From SC Magazine 10/20/2015
Compliance and Security
Compliance ≠ Security
Compliance and Security
Risk-based Compliance Frameworks
Of respondents to a recent PwC study have selected a risk-based cybersecurity framework. ISO 27001 and NIST are the most common.
Adapted from Slide Team’s 0514 risk management framework PowerPoint Presentation
Using a risk-based approach, companies should apply relevant compliance frameworks against technical, process, and people controls
Mapping Frameworks to Controls
From: Do’s and Don'ts of Risk-based Security Management in a Compliance-driven Culture by Shahid N. Shah
Multiple Frameworks
• Many enterprises are bound to multiple frameworks and requirements through regulations and contracts
• These controls must be centralized into a common framework
Common Controls Hub from Unified Compliance Framework
Governance Model
A well-defined Governance Model is critical
Source: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
Challenges and Risks
• Overreach
• Focus on high-profile/low-value controls
• Overly prescriptive
• Over focus on compliance and process
• Laws and expectations aren’t consistent with current societal norms
• Cost of security and compliance could overwhelm small companies
Key Steps
Adopt a cybersecurity framework and apply it using a Risk Management Framework (RMF).
Create a well-defined governance model with senior management oversight of decisions, risks, controls, audit/assessment, and management action plans.
Create an inventory of systems, conduct a risk assessment, and use the RMF to define achievable goals.
Create a multi-year roadmap for cybersecurity with clearly defined deliverables against which you can measure progress.
Security threats never stop evolving, so your roadmap must continually evolve to meet those threats, to meet new obligations, and to support changes in business needs.
Harry D. Fox, EVP, Technical and Operational Support Services
CareFirst BlueCross BlueShield
[email protected]
10455 Mill Run Circle, Mail Stop: 01-965
Owings Mills, MD 21117