why build a strategy? 7/15/2015 university of wisconsin–madison2 options: detection or prevention...

Upload: clarence-austin

Post on 28-Dec-2015

University of Wisconsin–Madison 2

Why build a strategy?

7/15/2015

Options: Detection or Prevention

• Last strategic plan was five years old and never formally adopted by leadership

• Newer technology breeds newer and more sophisticated threats
  • Well engineered and professional looking malware
  • Zero Day attacks continue to increase in volume (24 tracked in 2014)*
  • Total Days of Exposure for malware was over 295 in 2014*

• Threat Actors are more clever and the stakes are higher
  • Campaigns such as Dragonfly, Waterbug, and Turla infiltrated industrial systems, embassies, and other sensitive targets*

• Volume and Complexity of Threat Activity Increasing
  • Spear-Phishing attempts increased by 8% and more sophisticated*
  • Increased “State Sponsored” cyberespionage and greater focus on Higher Education*
  • Well engineered and professional looking malware

• Optimized risk management requires cybersecurity approaches that center on the data

“Strategy without tactics is the slowest route to victory, tactics without strategy is the noise before defeat.”

- Sun Tzu (Ancient Chinese Military Strategist)

* = From Symantec’s 2015 Internet Security Threat Report

Getting to work…

Know what you want at the end of the run…
• This is more than a Gap Analysis and Cybersecurity is more than a service function
• Understand the assets and the need for protection
• Be prepared to “dovetail” business risk to the security plans
• Know where you are and where you want to be – it’s that simple!!!

The mindset you need to create a useful strategy:

Executive Buy-In
• Support from the CIO and other C-Leaders plus VPs
• Discussions that align guidance to business strategy

Speak in a Common Language
• Level set the definitions of risk, vulnerability and threat
• Understand how the business works and how managers talk

Do not be the “Merchant of No!”
• Learn the fastest way to get to YES!

“Security Teams must demonstrate the ability to view business problems from different or multiple perspectives.”

– Gus Agnos (VP Strategy & Operations at Synack)

It has to be a team effort involving domain leaders and key performers

Where is our focus?

Cybersecurity Incident Response Cycle

• Vulnerability scanning & analysis inconsistent / infrequent
• Threat Intel and Reporting
• Security Education and Training
• Incident Response – Metrics and Trends
• Security engineering and formal approval of systems connecting or operating
• Common Services = Common Delivery
• Reactive vs. Proactive
• Third Party Assessment
• Scalable Security Tools
• Data Location
• Staff perform relevant and meaningful cybersecurity tasks
• Data Classification
• Periodic (Comprehensive) Security Assessments
• Tangled funding sources
• Data
• Data Governance
• Data Ownership

Components of UW-Madison Cybersecurity Strategy

Preparation is key!

You cannot do this alone!
• Working Groups and Committees (UW-MIST, MTAG, ITC, TISC, etc.)
• Cybersecurity Leadership Team

Executive and Department/College/Business Unit Buy-In
• Cost, Schedule, Performance
• Governance and Collaboration

UW-Madison Cybersecurity Strategy

Strategic Elements Enabling Objectives

Data Governance and Information Classification Plan

Retain previous strategy’s actions (“find it/delete it/protect it”)

Establish the UW-Madison Risk Management Framework

Enable & support culture to value cybersecurity & reduce risk

Build community of experts/improve user competence (SETA)

Establish Restricted Data Environments

Consolidate Security Operations & institute best practices

Central data collection/aggregation to analyze security events

Improve Cyber Threat Analysis/Dissemination/Remediation

Identify and seek sources of repeatable funding

Optimize Services, Security Metrics, Compliance & CDM

Identify UW-Madison compliance issues (FERPA, HIPAA, PCI-DSS, Red Flags Rule, etc.)

Establish Collaborative Partnerships to assure teaching and research availability (Wisconsin Idea)

Develop and refine sustainable security ops/risk assessments

Develop & implement a marketing and communications plan