Larry Clinton, President & CEO, Internet Security Alliance. lclinton@isalliance.org. Office (703) 907-7028, Cell (202) 236-0001
* The security discipline has so far been skewed toward technology (firewalls, ID management, intrusion detection) instead of risk analysis and proactive intelligence gathering. (PWC Global Cyber Security Survey)
An Enterprise Wide Risk Management Issue
Thinking about technology without considering economics is as misguided as thinking of economics without considering technology. Technology is about HOW attacks occur; economics is about WHY attacks occur.
practices need to be developed, but instead lies in communicating these best practices, demonstrating the value in implementing them and encouraging individuals and organizations to adopt them. (The Information Systems Audit and Control Association (ISACA), March 2011)
Overall, cost was most frequently cited as the biggest obstacle to ensuring security. Making the business case for cyber security remains a major challenge, because management often does not understand either the scale of the threat or the requirements for a solution. The number one barrier is the security folks who haven't been able to communicate the urgency well enough and they haven't actually been able to persuade the decision makers of the reality of the threat. (From CSIS & PWC Surveys 2010)
We find that misplaced incentives are as important as technical design: security failure is caused at least as often by bad incentives as by bad technological design. (Anderson and Moore, The Economics of Information Security)
Misaligned Incentives
Economists have long known that liability should be assigned to the entity that can manage risk. Yet everywhere we look we see online risk allocated poorly: people who connect their machines to risky places do not bear full consequences of their actions. And developers are not compensated for costly efforts to strengthen their code. (Anderson and Moore, Economics of Information Security)
* Offense: Attacks are cheap
* Offense: Attacks are easy to launch
* Offense: Profits from attacks are enormous
* Offense: GREAT business model (resell same service)
* Defense: Perimeter to defend is unlimited
* Defense: Is compromised, hard to show ROI
* Defense: Usually a generation behind the attacker
* Defense: Prosecution is difficult and rare
Some have assumed adopting modern tech will be more secure, thus increased security will happen naturally. That's wrong.
* Business efficiency demands less secure systems (VOIP / national supply chains / Cloud)
* Profits from advanced tech are not used to advance security
* Regulatory compliance is not correlated with security and may be counterproductive
* PWC/Gl Inform Study 2006: best practices, 100%
* CIA 2007: 90% can be stopped
* Verizon 2008: 87% can be stopped
* NSA 2009: 80% can be prevented
* Secret Service/Verizon 2010: 94% can be stopped or mitigated by adopting inexpensive best practices and standards already existing
* 2/3 of companies don't have a risk plan
* 83% of companies don't have a cross-organizational privacy/security team
* Less than have a formal risk management plan; 1/3 of the ones who do don't consider cyber in the plan
* In 2009 & 2010, 50%-66% of US companies deferred or reduced investment in cyber security
Growth toward Enterprise wide cyber management (since ISA-ANSI model)
* In 2008 only 15% of companies had enterprise wide risk management teams for cyber. In 2011 87% of companies had these teams.
* Major firms (E & Y) are now including the ISA Model in their Enterprise Programs.
* Since 2007 more CISOs are reporting to Sr Business Management (up 13% to CEO, up 36% to CFO, up 67% to COO, down 39% to CIO).