2010 07 14 larry clinton boston open group presentation
TRANSCRIPT
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
1/30
Larry ClintonPresident
Internet Security [email protected]
703-907-7028
202-236-0001
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
2/30
ISA Board of Directors
Ty Sagalow, Esq. ChairPresident, Innovation Division, ZurichTim McKnight Second V Chair,CSO, Northrop Grumman
Ken Silva, Immediate Past Chair, CSO VeriSignLt. Gen. Charlie Croom (Ret.) VP Cyber Security, Lockheed MartinJeff Brown, CISO/Director IT Infrastructure, RaytheonEric Guerrino, SVP/CIO, Bank of New York/Mellon FinancialPradeep Khosla, Dean Carnegie Mellon School of Computer SciencesJoe Buonomo, President, Direct Computer ResourcesBruno Mahlmann, VP Cyber Security, DellLinda Meeks, VP CISO Boeing CorporationJustin Somaini, CIO, SymantecGary McAlum, Sr. VP & CSO, USAA
J. Michael Hickey, 1st Vice ChairVP Homeland Security, VerizonMarc-Anthony Signorino, TreasurerNational Association of Manufacturers
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
3/30
ISAlliance Mission Statement
ISA seeks to integrate advancedtechnology with business economics
and effective public policy to create a
sustainable system of cyber security.
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
4/30
The Internet ChangesEverything
Concepts of Privacy Concepts of National Defense Concepts of Self Concepts of Economics We have been focused on the HOW cyber
attacks we need to focus on the WHY ($) Cyber security is an economic/strategic
issue as much operational/technical one
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
5/30
Cyber Security Economicsare Skewed
Responsibility, costs, harms andincentives are misaligned
Individual and Corporate Financial loss National Defense Core investment is undermined by edge
insecurity Enterprises are not structured to properly
analyze cyber risk
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
6/30
The Private Sector
The private sector owns 95% of the cyberinfrastructure
The private sector must, by law, operate---not in the public interest---but to maximizeshareholder value
The private sector makes decisions basedon economics
The way to improve cybersecurity is toalter the economics of cybersecurity
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
7/30
We need a total riskmanagement approach
The security discipline has so far beenskewed toward technologyfirewalls, ID
management, intrusion detectioninsteadof risk analysis andproactive intelligencegathering.
PWC Global Cyber Security Survey
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
8/30
CURRENT ECONOMIC INCENTIVES
FAVOR ATTACKERS
Attacks are cheap and easy Vulnerabilities are almost infinite Profits from attacks are enormous
($ 1 TRILLION in 08)
Defense is costly (Usually no ROI) Defense is often futile Costs of Attacks are distributed
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
9/30
Digital Growth? Sure
Companies have built into their businessmodels the efficiencies of digital technologies
such as real time tracking of supply lines,inventory management and on-line commerce.
The continued expansion of the digital lifestyle
is already built into almost every companys
assumptions for growth.Stanford University
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
10/30
Senior Exec do ARE NOT analyzing
Cyber Risk adequately
There is still a gap between IT andenterprise risk management. Surveyresults confirm the belief among IT
security professionals that Boards andsenior executives are not adequatelyinvolved in key areas related to the
governance of enterprise security.2010 Carnegie Mellon University CyLab Governance of
Enterprise Security Survey
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
11/30
Digital Defense?Maybe Not
29% of Senior Executives acknowledged that they didnot know how many negative security events they hadin the past year
50% of Senior Executives said they did not know howmuch money was lost due to attacks
Source: PricewaterhouseCoopers survey of 7,000 companies 9/06
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
12/30
Digital Defense Not So Much
23% of CTOs did not know if cyber losses were coveredby insurance.
34% of CTOs thought cyber losses would be coveredby insurance----and were wrong.
The biggest network vulnerability in Americancorporations are extra connections added for seniorexecutives without proper security.
Source: DHS Chief Economist Scott Borg
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
13/30
Structural / economicmisalignment
Symantec: attacks up 500% between6-07 & doubled again between 2009-10
Cyber Space Policy Review: Cost toAmerican business = $1 TRILLION
PWC/CSIS/Forrester all report investmentin information security is down in50%-66% of American companies----andmost of the security spending is for auditcompliance not security
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
14/30
We are notcyber structured
In 95% of companies the CFO is notdirectly involved in information security
2/3 of companies dont have a risk plan 83% of companies dont have a cross
organizational privacy/security team
Less than
have a formal riskmanagement plan1/3 of the ones who
do dont consider cyber in the plan
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
15/30
Financial Management of
Cyber Risk
It is not enough for the information technologyworkforce to understand the importance ofcybersecurity; leaders at all levels of
government and industry need to be able tomake business and investment decisionsbased on knowledge of risks and potential
impacts.Presidents Cyber Space Policy Review May 30, 2009
page 15
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
16/30
The Economic Assessment of
Cyber Security: 50 ?s for CFOs
Business Operations General Counsel Compliance Officer Media (Investors and
PR)
Human Resources Rick Manager/
Insurance
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
17/30
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
18/30
ANSI-ISA Program
Outlines an enterprise wide process toattack cyber security broadly andeconomically
CFO strategies HR strategiesLegal/compliance strategies Operations/technology strategies
Communications strategies Risk Management/insurance strategies
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
19/30
What CFO needs to do
Own the problemAppoint an enterprise wide cyber risk teamMeet regularly
Develop an enterprise wide cyber riskmanagement plan
Develop an enterprise wide cyber riskbudget Implement the plan, analyze it regularly,
test and reform based on EW feedback
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
20/30
ISA Cyber Social Contract
Similar to the agreement that led topublic utility infrastructuredissemination in 20th C
Infrastructure develop -- marketincentives
Consumer protection throughregulation
Gov role is more creativehardermotivate, not mandate,compliance
Industry role is to develop practicesand standards and implement them
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
21/30
President Obamas Report on
Cyber Security(May 30, 2009)
The United States faces the dualchallenge of maintaining an
environment that promotes efficiency,
innovation, economic prosperity, and
free trade while also promoting safety,
security, civil liberties, and privacy
rights.Presidents Cyber Space Policy Review, May 30,
2009 page iii
Quoting from Internet Security Alliance CyberSecurity Social Contract: Recommendationsto the Obama Administration and the 111thCongress November 2008
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
22/30
Social Contract II
Implementing the ObamaCyber Security Strategy
via theISA Social Contract Model
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
23/30
Issues Covered in socialContract 2.0
Economics of cyber security Information sharingSupply chain
Financial Cyber Risk ManagementAnalog laws governing digital technology Developing automated security standardsfor converged media (e.g. VOIP)
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
24/30
Chapter 2: Partnership at the
Business Plan Level
Obama personally rejected regulation ofPrivate Sector for cyber security
Gov role to evaluate & create incentivesfor adopting good cyber secure policies
practices and technologies just as inother areas of economy
Market incentives endorsed by ObamaCyber Space Policy Review used as
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
25/30
Regulation is not the answer
Compliance (not security) already eats upmuch of the security budget
Specific Regs cant keep up with attacks Vague regs show no effect Regs increase costs uniquely for American
companies Regs can be counter productiveceilings (Campaign Finance)
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
26/30
Obamas Report on Cyber
Security (May 30, 2009)
The government, working with State and localpartners, should identify procurement strategies thatwill incentivize the market to make more secureproducts and services available to the public.
Additional incentive mechanisms that thegovernment should explore include adjustments toliability considerations (reduced liability in exchangefor improved security or increased liability for theconsequences of poor security), indemnification, tax
incentives, and new regulatory requirements andcompliance mechanisms.Presidents Cyber Space Policy Review May 30,2009 page vs.
Quoting Internet Security Alliance Cyber SecuritySocial Contract: Recommendations to the Obama
th
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
27/30
ISA Model: Create a Market for
Best Practices and Standards
Studies show nearly 90% of breachescould be prevented by following knownbest practices and standards
Priv Sector should continue to developstandards, practices & technologies
Govt. test them for effectiveness Govt. should motivate adoption via sliding
scale of market incentives
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
28/30
ISA Proposed Incentives(Testimony E & C May 1, 2009)
1. R & D Grants2. Tax incentives3. Procurement Reform4. Streamlined Regulations5. Liability Protection6. Public Education7. Insurance8. SBA loans9. Awards programs10. Cyber SAFETY Act
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
29/30
White House Meeting onCyber Security July 14
President Obama, Sec Locke, Sec.Napolitano, Howard Schmidt (others)
Commerce speaks before DHS Schmidt: need to up costs for attackers Obama: interconnected nature of the
internet will make it difficult to regulate forsecurity
Legislation moving in different direction
-
7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation
30/30
Larry ClintonPresident
Internet Security [email protected]
703-907-7028202-236-0001