University of Wisconsin–Madison 2
Why build a strategy?
7/15/2015
Options: Detection or Prevention
• Last strategic plan was five years old and never formally adopted by leadership
• Newer technology breeds newer and more sophisticated threats
  • Well engineered and professional looking malware
  • Zero Day attacks continue to increase in volume (24 tracked in 2014)*
  • Total Days of Exposure for malware was over 295 in 2014*
• Threat Actors are more clever and the stakes are higher
  • Campaigns such as Dragonfly, Waterbug, and Turla infiltrated industrial systems, embassies, and other sensitive targets*
• Volume and Complexity of Threat Activity Increasing
  • Spear-Phishing attempts increased by 8% and more sophisticated*
  • Increased “State Sponsored” cyberespionage and greater focus on Higher Education*
  • Well engineered and professional looking malware
• Optimized risk management requires cybersecurity approaches that center on the data
“Strategy without tactics is the slowest route to victory, tactics without strategy is the noise before defeat.”
- Sun Tzu (Ancient Chinese Military Strategist)
* = From Symantec’s 2015 Internet Security Threat Report
Getting to work…
Know what you want at the end of the run…
• This is more than a Gap Analysis and Cybersecurity is more than a service function
• Understand the assets and the need for protection
• Be prepared to “dovetail” business risk to the security plans
• Know where you are and where you want to be – it’s that simple!!!
The mindset you need to create a useful strategy:
Executive Buy-In
• Support from the CIO and other C-Leaders plus VPs
• Discussions that align guidance to business strategy
Speak in a Common Language
• Level set the definitions of risk, vulnerability and threat
• Understand how the business works and how managers talk
Do not be the “Merchant of No!”
• Learn the fastest way to get to YES!
“Security Teams must demonstrate the ability to view business problems from different or multiple perspectives.”
– Gus Agnos (VP Strategy & Operations at Synack)
It has to be a team effort involving domain leaders and key performers
Where is our focus?
• Cybersecurity Incident Response Cycle
• Vulnerability scanning & analysis inconsistent / infrequent
• Threat Intel and Reporting
• Security Education and Training
• Incident Response – Metrics and Trends
• Security engineering and formal approval of systems connecting or operating
• Common Services = Common Delivery
• Reactive vs. Proactive
• Third Party Assessment
• Scalable Security Tools
• Data Location
• Staff perform relevant and meaningful cybersecurity tasks
• Data Classification
• Periodic (Comprehensive) Security Assessments
• Tangled funding sources
• Data
• Data Governance
• Data Ownership
Components of UW-Madison Cybersecurity Strategy
Preparation is key!
You cannot do this alone!
• Working Groups and Committees (UW-MIST, MTAG, ITC, TISC, etc.)
• Cybersecurity Leadership Team
Executive and Department/College/Business Unit Buy-In
• Cost, Schedule, Performance
• Governance and Collaboration
UW-Madison Cybersecurity Strategy
Strategic Elements Enabling Objectives
Data Governance and Information Classification Plan
Retain previous strategy’s actions (“find it/delete it/protect it”)
Establish the UW-Madison Risk Management Framework
Enable & support culture to value cybersecurity & reduce risk
Build community of experts/improve user competence (SETA)
Establish Restricted Data Environments
Consolidate Security Operations & institute best practices
Central data collection/aggregation to analyze security events
Improve Cyber Threat Analysis/Dissemination/Remediation
Identify and seek sources of repeatable funding
Optimize Services, Security Metrics, Compliance & CDM
Identify UW-Madison compliance issues (FERPA, HIPAA, PCI-DSS, Red Flags Rule, etc.)
Establish Collaborative Partnerships to assure teaching and research availability (Wisconsin Idea)
Develop and refine sustainable security ops/risk assessments
Develop & implement a marketing and communications plan