
LARRY CLINTON
PRESIDENT & CEO, INTERNET SECURITY ALLIANCE
Speaker, title, company
Moderator: ABC
lclinton@isalliance.org
Office (703) 907-7028
Cell (202) 236-0001

During the Last Minute


* 45 new viruses
* 200 new malicious web sites
* 180 personal identities stolen
* 5000 examples of malware created
* 2 million dollars lost

Business Approach to Cyber Security

* "The security discipline has so far been skewed toward technology (firewalls, ID management, intrusion detection) instead of risk analysis and proactive intelligence gathering." PWC Global Cyber Security Survey

If You're Thinking Tech...

An Enterprise Wide Risk Management Issue

* Thinking about technology without considering economics is as misguided as thinking of economics without considering technology.
* Technology is about HOW attacks occur; economics is about WHY attacks occur.

Why are We not doing it?

"The challenge in cyber security is not that best practices need to be developed, but instead lies in communicating these best practices, demonstrating the value in implementing them and encouraging individuals and organizations to adopt them." The Information Systems Audit and Control Association (ISACA), March 2011

Why are We not doing it?

"Overall, cost was most frequently cited as the biggest obstacle to ensuring the security. Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solution. The number one barrier is the security folks who haven't been able to communicate the urgency well enough and they haven't actually been able to persuade the decision makers of the reality of the threat." from CSIS & PWC Surveys 2010

Cyber Security and the Economics

"We find that misplaced incentives are as important as technical design: security failure is caused at least as often by bad incentives as by bad technological design."
Anderson and Moore, The Economics of Information Security

Misaligned Incentives

"Economists have long known that liability should be assigned to the entity that can manage risk. Yet everywhere we look we see online risk allocated poorly: people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code."
Anderson and Moore, Economics of Information Security

Cyber Economic Equation: Incentives Favor Attackers

Offence:
* Attacks are cheap
* Attacks are easy to launch
* Profits from attacks are enormous
* GREAT business model (resell same service)

Defense:
* Perimeter to defend is unlimited
* Is compromised, hard to show ROI
* Usually a generation behind the attacker
* Prosecution is difficult and rare

Business Incentives to become less secure

* Some have assumed adopting modern tech will be more secure, thus increased security will happen naturally. That's wrong.
* Business efficiency demands less secure systems (VOIP / national supply chains / Cloud)
* Profits from advanced tech are not used to advance security
* Regulatory compliance is not correlated with security; it may be counter productive

The Good News: We know (mostly) what to do!

* PWC/Gl Inform Study 2006: best practices 100%
* CIA 2007: 90% can be stopped
* Verizon 2008: 87% can be stopped
* NSA 2009: 80% can be prevented
* Secret Service/Verizon 2010: 94% can be stopped or mitigated by adopting inexpensive best practices and standards already existing

We are Not Cyber Structured

* In 95% of companies the CFO is not directly involved in information security
* 2/3 of companies don't have a risk plan
* 83% of companies don't have a cross organizational privacy/security team
* Less than have a formal risk management plan; 1/3 of the ones who do don't consider cyber in the plan
* In 2009 & 2010, 50%-66% of US companies deferred or reduced investment in cyber security

Enterprise Cyber Risk Management: Focus on Finances & Investment

ANSI ISA Program

Outlines an enterprise wide process to attack cyber security broadly and economically:
* CFO strategies
* HR strategies
* Legal/compliance strategies
* Operations/technology strategies
* Communications strategies
* Risk Management/insurance strategies

What CFOs Need to Do

* Own the problem
* Appoint an enterprise wide cyber risk team
* Meet regularly
* Develop an enterprise wide cyber risk management plan
* Develop an enterprise wide cyber risk budget
* Implement the plan, analyze it regularly, test and reform based on enterprise-wide feedback

Growth toward Enterprise wide cyber management (since ISA-ANSI model)

* In 2008 only 15% of companies had enterprise wide risk management teams for cyber. In 2011 87% of companies had these teams
* Major firms (E & Y) are now including the ISA Model in their Enterprise Programs
* Since 2007 more CISOs are reporting to Sr Business Management (UP 13% to CEO, UP 36% CFO, UP 67% COO, DOWN 39% CIO)
