2010 07 14 larry clinton boston open group presentation

7/31/2019 2010 07 14 Larry Clinton Boston Open Group Presentation

1/30

Larry ClintonPresident

Internet Security [email protected]

703-907-7028

202-236-0001


2/30

ISA Board of Directors

Ty Sagalow, Esq. ChairPresident, Innovation Division, ZurichTim McKnight Second V Chair,CSO, Northrop Grumman

Ken Silva, Immediate Past Chair, CSO VeriSignLt. Gen. Charlie Croom (Ret.) VP Cyber Security, Lockheed MartinJeff Brown, CISO/Director IT Infrastructure, RaytheonEric Guerrino, SVP/CIO, Bank of New York/Mellon FinancialPradeep Khosla, Dean Carnegie Mellon School of Computer SciencesJoe Buonomo, President, Direct Computer ResourcesBruno Mahlmann, VP Cyber Security, DellLinda Meeks, VP CISO Boeing CorporationJustin Somaini, CIO, SymantecGary McAlum, Sr. VP & CSO, USAA

J. Michael Hickey, 1st Vice ChairVP Homeland Security, VerizonMarc-Anthony Signorino, TreasurerNational Association of Manufacturers


3/30

ISAlliance Mission Statement

ISA seeks to integrate advancedtechnology with business economics

and effective public policy to create a

sustainable system of cyber security.


4/30

The Internet ChangesEverything

Concepts of Privacy Concepts of National Defense Concepts of Self Concepts of Economics We have been focused on the HOW cyber

attacks we need to focus on the WHY ($) Cyber security is an economic/strategic

issue as much operational/technical one


5/30

Cyber Security Economicsare Skewed

Responsibility, costs, harms andincentives are misaligned

Individual and Corporate Financial loss National Defense Core investment is undermined by edge

insecurity Enterprises are not structured to properly

analyze cyber risk


6/30

The Private Sector

The private sector owns 95% of the cyberinfrastructure

The private sector must, by law, operate---not in the public interest---but to maximizeshareholder value

The private sector makes decisions basedon economics

The way to improve cybersecurity is toalter the economics of cybersecurity


7/30

We need a total riskmanagement approach

The security discipline has so far beenskewed toward technologyfirewalls, ID

management, intrusion detectioninsteadof risk analysis andproactive intelligencegathering.

PWC Global Cyber Security Survey


8/30

CURRENT ECONOMIC INCENTIVES

FAVOR ATTACKERS

Attacks are cheap and easy Vulnerabilities are almost infinite Profits from attacks are enormous

($ 1 TRILLION in 08)

Defense is costly (Usually no ROI) Defense is often futile Costs of Attacks are distributed


9/30

Digital Growth? Sure

Companies have built into their businessmodels the efficiencies of digital technologies

such as real time tracking of supply lines,inventory management and on-line commerce.

The continued expansion of the digital lifestyle

is already built into almost every companys

assumptions for growth.Stanford University


10/30

Senior Exec do ARE NOT analyzing

Cyber Risk adequately

There is still a gap between IT andenterprise risk management. Surveyresults confirm the belief among IT

security professionals that Boards andsenior executives are not adequatelyinvolved in key areas related to the

governance of enterprise security.2010 Carnegie Mellon University CyLab Governance of

Enterprise Security Survey


11/30

Digital Defense?Maybe Not

29% of Senior Executives acknowledged that they didnot know how many negative security events they hadin the past year

50% of Senior Executives said they did not know howmuch money was lost due to attacks

Source: PricewaterhouseCoopers survey of 7,000 companies 9/06


12/30

Digital Defense Not So Much

23% of CTOs did not know if cyber losses were coveredby insurance.

34% of CTOs thought cyber losses would be coveredby insurance----and were wrong.

The biggest network vulnerability in Americancorporations are extra connections added for seniorexecutives without proper security.

Source: DHS Chief Economist Scott Borg


13/30

Structural / economicmisalignment

Symantec: attacks up 500% between6-07 & doubled again between 2009-10

Cyber Space Policy Review: Cost toAmerican business = $1 TRILLION

PWC/CSIS/Forrester all report investmentin information security is down in50%-66% of American companies----andmost of the security spending is for auditcompliance not security


14/30

We are notcyber structured

In 95% of companies the CFO is notdirectly involved in information security

2/3 of companies dont have a risk plan 83% of companies dont have a cross

organizational privacy/security team

Less than

have a formal riskmanagement plan1/3 of the ones who

do dont consider cyber in the plan


15/30

Financial Management of

Cyber Risk

It is not enough for the information technologyworkforce to understand the importance ofcybersecurity; leaders at all levels of

government and industry need to be able tomake business and investment decisionsbased on knowledge of risks and potential

impacts.Presidents Cyber Space Policy Review May 30, 2009

page 15


16/30

The Economic Assessment of

Cyber Security: 50 ?s for CFOs

Business Operations General Counsel Compliance Officer Media (Investors and

PR)

Human Resources Rick Manager/

Insurance


17/30


18/30

ANSI-ISA Program

Outlines an enterprise wide process toattack cyber security broadly andeconomically

CFO strategies HR strategiesLegal/compliance strategies Operations/technology strategies

Communications strategies Risk Management/insurance strategies


19/30

What CFO needs to do

Own the problemAppoint an enterprise wide cyber risk teamMeet regularly

Develop an enterprise wide cyber riskmanagement plan

Develop an enterprise wide cyber riskbudget Implement the plan, analyze it regularly,

test and reform based on EW feedback


20/30

ISA Cyber Social Contract

Similar to the agreement that led topublic utility infrastructuredissemination in 20th C

Infrastructure develop -- marketincentives

Consumer protection throughregulation

Gov role is more creativehardermotivate, not mandate,compliance

Industry role is to develop practicesand standards and implement them


21/30

President Obamas Report on

Cyber Security(May 30, 2009)

The United States faces the dualchallenge of maintaining an

environment that promotes efficiency,

innovation, economic prosperity, and

free trade while also promoting safety,

security, civil liberties, and privacy

rights.Presidents Cyber Space Policy Review, May 30,

2009 page iii

Quoting from Internet Security Alliance CyberSecurity Social Contract: Recommendationsto the Obama Administration and the 111thCongress November 2008


22/30

Social Contract II

Implementing the ObamaCyber Security Strategy

via theISA Social Contract Model


23/30

Issues Covered in socialContract 2.0

Economics of cyber security Information sharingSupply chain

Financial Cyber Risk ManagementAnalog laws governing digital technology Developing automated security standardsfor converged media (e.g. VOIP)


24/30

Chapter 2: Partnership at the

Business Plan Level

Obama personally rejected regulation ofPrivate Sector for cyber security

Gov role to evaluate & create incentivesfor adopting good cyber secure policies

practices and technologies just as inother areas of economy

Market incentives endorsed by ObamaCyber Space Policy Review used as


25/30

Regulation is not the answer

Compliance (not security) already eats upmuch of the security budget

Specific Regs cant keep up with attacks Vague regs show no effect Regs increase costs uniquely for American

companies Regs can be counter productiveceilings (Campaign Finance)


26/30

Obamas Report on Cyber

Security (May 30, 2009)

The government, working with State and localpartners, should identify procurement strategies thatwill incentivize the market to make more secureproducts and services available to the public.

Additional incentive mechanisms that thegovernment should explore include adjustments toliability considerations (reduced liability in exchangefor improved security or increased liability for theconsequences of poor security), indemnification, tax

incentives, and new regulatory requirements andcompliance mechanisms.Presidents Cyber Space Policy Review May 30,2009 page vs.

Quoting Internet Security Alliance Cyber SecuritySocial Contract: Recommendations to the Obama

th


27/30

ISA Model: Create a Market for

Best Practices and Standards

Studies show nearly 90% of breachescould be prevented by following knownbest practices and standards

Priv Sector should continue to developstandards, practices & technologies

Govt. test them for effectiveness Govt. should motivate adoption via sliding

scale of market incentives


28/30

ISA Proposed Incentives(Testimony E & C May 1, 2009)

1. R & D Grants2. Tax incentives3. Procurement Reform4. Streamlined Regulations5. Liability Protection6. Public Education7. Insurance8. SBA loans9. Awards programs10. Cyber SAFETY Act


29/30

White House Meeting onCyber Security July 14

President Obama, Sec Locke, Sec.Napolitano, Howard Schmidt (others)

Commerce speaks before DHS Schmidt: need to up costs for attackers Obama: interconnected nature of the

internet will make it difficult to regulate forsecurity

Legislation moving in different direction


30/30

Larry ClintonPresident

Internet Security [email protected]

703-907-7028202-236-0001

2010 07 14 larry clinton boston open group presentation

Documents