John McCumber
(ISC)² Director of Cybersecurity Advocacy, North America
3
Who’s this guy?
» Cybersecurity Advocate?
» Fellow of (ISC)²
» Retired Air Force
» Public and Private Sector Experience
4
What Are We Talking About?
» What is a lexicon?
» Why do we need one?
» Why is it important?
» Relationships in risk management
» How can you use this information?
5
The new lexicon
6
But First…
Why?
7
Cybersecurity
8
Thoughts on measurement
"When you can measure what you are speaking about, and express it
in numbers, you know something about it;
But when you cannot measure it, when you cannot express it in
numbers, your knowledge is of a meager and unsatisfactory kind:
It may be the beginning of knowledge, but you have scarcely in your
thoughts advanced to the stage of science."
William Thomson
Lord Kelvin (1824-1907)
9
Where’s the disconnect?
10
Traditional cybersecurity
» Technical issues only
» Vulnerability-centric
» Probes exterior boundaries
» Little actual analysis
» Based on a “state”
» Recommends point solutions
– tied to specific vulnerabilities
– based on consultant’s experience
11
Risk management definition
12
Risk management principles
» Incorporates an analytical, systems approach into the entire operational and support cycle.
» Provides systems and operational leaders a reliable decision support process.
» Encourages protection of only that which requires protection.
» Manages cost while achieving significant performance benefits.
13
Empirical Objective
(figure: Cost, Performance and Risk plotted against Applying Safeguards)
14
Essential Elements of Risk
» Threats
» Assets
» Vulnerabilities
» Safeguards
– Products
– Procedures
– People
15
The Risk Equations
1: T x V x A = Rb
2: (T x V x A) / S = Rr
16
Risk = Volume of a Cube
17
Risk Assessment Process (flow diagram)
» Inputs: Threat Assessment, Asset Valuation, Vulnerability Assessment
» Risk Determination
» Safeguard Assessment
» Decision Support Analysis
18
Asset Valuation
19
Bases of Value
» Development basis
» Operational basis
» Market basis
» Collection basis
20
Defining Operational Requirements
21
Threat Determination
22
Threat Classifications (tree, one level per line)
Threat
– Environmental | Man-Made
– Internal | External
– Hostile | Non-Hostile
RM
Risk Measure Total = Σ_{i=1}^{n} RM_i
where for each item i: T x V x A = Rb
or
25
Safeguard Determination
26
Residual Risk Calculation
(T x V x A) / S = Rr
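The two risk equations and the summed risk measure applied to a small constructed risk register, as an added example that is not part of the deck. The slides give no scales for T, V, A or S; this example assumes ordinal 1-5 scores for threat, vulnerability and asset value, and a safeguard factor S >= 1 where S = 1 means no safeguard (so Rr equals Rb). The item names and numbers are made up.

```python
"""Added example: the deck's risk equations over a constructed register.

Assumed scales (the slides state none):
  T (threat)        1..5  likelihood that a threat acts on the asset
  V (vulnerability) 1..5  how exposed the asset is
  A (asset value)   1..5  impact if the asset is lost or compromised
  S (safeguard)     >= 1  divisor; 1 = no safeguard, larger = stronger
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class RiskItem:
    name: str
    threat: int
    vulnerability: int
    asset: int
    safeguard: float = 1.0

    def __post_init__(self) -> None:
        # Reject scores outside the assumed 1..5 ordinal scale.
        for field in ("threat", "vulnerability", "asset"):
            value = getattr(self, field)
            if not 1 <= value <= 5:
                raise ValueError(f"{field} must be in 1..5, got {value}")
        # S < 1 would *increase* risk below the baseline's meaning; S = 0 divides by zero.
        if self.safeguard < 1:
            raise ValueError("safeguard factor must be >= 1 (1 = no safeguard)")

    def baseline(self) -> float:
        # Equation 1: T x V x A = Rb (the "volume of a cube" on the slides)
        return self.threat * self.vulnerability * self.asset

    def residual(self) -> float:
        # Equation 2: (T x V x A) / S = Rr
        return self.baseline() / self.safeguard


def total_risk(items: Iterable[RiskItem], residual: bool = False) -> float:
    # Risk Measure Total = sum over i of RM_i, using Rb or Rr per item.
    return sum(i.residual() if residual else i.baseline() for i in items)


def rank_by_risk(items: Iterable[RiskItem], residual: bool = False) -> List[RiskItem]:
    # Highest risk first; this is the ordering a decision-support step would present.
    key = (lambda i: i.residual()) if residual else (lambda i: i.baseline())
    return sorted(items, key=key, reverse=True)


def safeguard_needed(item: RiskItem, target_residual: float) -> float:
    # Solve equation 2 for S: the smallest factor that brings Rr down to the target.
    if target_residual <= 0:
        raise ValueError("target residual risk must be positive")
    return max(1.0, item.baseline() / target_residual)


# Constructed register (hypothetical assets and scores, not from the deck).
REGISTER = [
    RiskItem("customer-db", threat=4, vulnerability=3, asset=5, safeguard=4.0),   # Rb 60, Rr 15
    RiskItem("marketing-site", threat=3, vulnerability=4, asset=2, safeguard=1.0),  # Rb 24, Rr 24
    RiskItem("build-server", threat=2, vulnerability=5, asset=4, safeguard=2.0),  # Rb 40, Rr 20
]

if __name__ == "__main__":
    for item in rank_by_risk(REGISTER, residual=True):
        print(f"{item.name:15s} Rb={item.baseline():5.1f} Rr={item.residual():5.1f}")
    print("total Rb:", total_risk(REGISTER), "total Rr:", total_risk(REGISTER, residual=True))
    print("S needed to get marketing-site to Rr<=12:", safeguard_needed(REGISTER[1], 12))
```

Ranking by residual rather than baseline risk is what makes the safeguarded customer database drop below the unprotected marketing site, which is the "protect only what requires protection" principle of the earlier slide in numbers; `safeguard_needed` is the safeguard-determination step run backwards from a target residual risk.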
27
Risk Assessment Process (flow diagram, revisited)
» Inputs: Threat Assessment, Asset Valuation, Vulnerability Assessment
» Risk Determination
» Safeguard Assessment
» Decision Support Analysis
28
Decision Support Methodologies
29
Conclusion
30
What did we learn?
1. Language is important to our understanding.
31
Learn More & Get Involved
» Get the full report "Hiring and Retaining Top Cybersecurity Talent" at www.isc2.org
» Engage a local (ISC)² Chapter
» Join community.isc2.org
» Help make a difference at
www.isc2.org/cybersecurity-advocates
32
» The End
33