Cybersecurity for Decision Makers “The Trouble with Cybersecurity is…Panic? No. Worry? Probably. Time for action? Definitely!” UHCL-CSI Seminar December 2013


Page 1

Cybersecurity for Decision Makers
“The Trouble with Cybersecurity is…Panic? No. Worry? Probably. Time for action? Definitely!”
UHCL-CSI Seminar December 2013

Page 2

Ross A. Leo, Background and Experience

• BSc, CHPSE, CISSP, CISM, ABCP, CHS-III
• 35 years in IT systems, architecture, and management
• 33 years in Technical Security and Governance
• 22 years at NASA in Mission Operations IT Systems Support:
  - Program Director for Security and Assurance, CSOC
  - Chief Security Architect, JSC Mission Control Center, CSOC
  - Chief Information Security Officer (CISO), Shuttle & Station Programs, CSOC
• 14 years as trainer and consultant in security & compliance
  - Over 140 successful assessments and programs completed (Security, HIPAA, SOX)
  - Over 4500 trained & certified in security & compliance (CISSP, CISM, SOX, HIPAA, PM)
• 4 years at UTMB-Galveston as Director of IT and CISO
  - Built data center and implemented a complete EMR system for 116 sites and 350K records
  - Completed full scale HIPAA compliance program (all aspects)
• Published author in Cybersecurity
  - HIPAA Program Reference Handbook, Auerbach, 2005
  - Series Editor and author, Auerbach Series “Critical Infrastructure & CyberSecurity Engineering”, 2013

10.Dec.13 UHCL-CSI Seminar December 2013

Page 3

Cybersecurity

buzz…buzz…

buzz…buzz

What’s the buzz?

Page 4

Cybersecurity – A Working Definition

Nearly every organization has become more dependent on information systems to run its operations, in nearly every aspect.

• Timely, trustworthy, accurate information is the lubricant, the fuel and often the payload that every business or agency requires.
• Money is a tool (in sufficient quantities) used to act on information.

• Information has competitive value and must be kept private (Confidentiality)
• Information must be acquired from reliable sources and converted to appropriate, usable forms (Integrity)
• Information must be accessible whenever and wherever needed (Availability)

When these conditions cannot be met or sustained, the operation the information supports is at risk of impairment or failure.

Page 5

Cybersecurity – A Working Definition

“Cybersecurity” reflects the body of organizational efforts to:
• Identify, characterize, quantify, prioritize and ultimately protect this asset
• Apply process, technological and physical methods to actualize the protection
• Ensure that asset Confidentiality, Integrity and Availability are preserved

The need for Cybersecurity is axiomatic:
• Necessary to doing business in today’s interconnected world
• Fundamental to protecting and sustaining elements of Critical Infrastructure
• Becoming more and more built into legislation and regulation

But [Houston] we have a problem, because the trouble with Cybersecurity is…

Page 6

The Trouble with CyberSecurity Is…

Operational business arguments:

• COST: “It is a substantial cost in manpower and infrastructure that adds to our overhead. The cost of these compliance measures drives up expenses and makes us less competitive.”
• COMPETING OBJECTIVES: “The need of our business to operate smoothly and the effective operation of the cybersecurity measures cannot peacefully coexist because the security measures interfere with that smooth operation.”
• TIME: “If we have to take the time to stop our development processes to go back and put security into it, it will delay our completion and cause us to miss our window of opportunity.”
• VALUE: “Where is the ROI?”

Whether justified or not, these arguments are commonly used. They come from the organization telling Security about real issues, but often not waiting around (or wanting to) for real, meaningful answers.

Page 7

The Trouble with CyberSecurity Is…

Problems of communication and perception:

• “I don’t even understand what the technologies we have to put in place to protect us actually do.”
• “If it really works so well, why do we still have problems?”
• “How do I know it is really working if you cannot even guarantee that the thing it is supposed to protect us from will ever even happen?”
• “Why would anyone ever ‘attack’ us? We’re not that big nor that important that we would ever consider ourselves a target.”

These arguments reflect a lack of understanding, a lack of communication, and a lack of appreciation of the risks involved: on both sides of the conversation.

Page 8

The Trouble with CyberSecurity Is…

Problems of legality and practice:

• Very difficult to translate into a statement in the law that can be understood in a legal context as a crime, as evidence, as “harm”
• Questions about monitoring and enforcement often become questions about [seemingly] protecting one person’s rights even while [seemingly] violating the rights of another: “Big Brother”, profiling, “Pre-Crime Units”
• Jurisdiction can be rather problematic, especially internationally; investigation and apprehension can be difficult to impossible.
• At what point, by what act, or by what criteria does any act change from intrusion, snooping, or identity theft and become an act of actual warfare?
• “Information wants to be free” – a common claim, but what about intellectual property, copyrights or national security information?

These questions reflect degrees of definition, positions of preference or perspective, freedom vs. security, and other conflicts between the rights of persons, legal applications, and social perceptions.

Page 9

The Real Trouble with CyberSecurity Is…

A lack of effective communication between the technologists charged with implementing it and the business leaders responsible to the stakeholders for the governance of the assets used by the organization:

• One side has the reputation (historically deserved) for saying “No, we cannot do it that way because it is insecure or noncompliant.”
• The other side has the reputation (also historically deserved) of going ahead in the face of reducible risks due to “the needs of the business”.

Cybersecurity has been seen as an operational impediment (technology or policy) rather than an operational enabler. It can be either, depending on whether the participants align their objectives and priorities.

It is frequently communication, or the lack of it, that decides this issue.

Page 10

The Real Trouble with CyberSecurity Is…

Things get quiet, then something happens… We respond, we fix it and things get quiet again. The crisis passes and is over, until next time.

Different phases: Awareness, Realization, Reaction, Recovery, Relaxation. But what follows that?

The result is Repetitive Remediation, not Continuous Process Improvement.

Page 11

The Question

The questions raised by the problem of Cybersecurity are:

• What do we do about it?
• What needs to be fixed?
• What tools will we need that we don’t already have?
• Who is truly responsible?
• Who needs to do the fixing?
• What about…?

What questions do you have to add to this list?

Page 12

The Answer

The answers, though obvious to most if not all of us, are:

• We must FIRST commit to action: Analyze, Decide, Plan and ACT
• We must fix our communications FIRST: seek first to understand…
• We won’t know what tools, if any, we will need until we understand…
• Cybersecurity is a team effort, so all of us are responsible and accountable
• Each member has a part to play and a part to fix

42

Security is a business problem, and a business (private or public) that does not address and solve its problems effectively does not remain a business for long.

Page 13

Some Help and Some Pointers

• Where to start: the business is the context, with all parts included
• What to do: Get concerned, get informed, get involved, get going
• What NOT to do: Panic, hesitate, avoid, evade, make excuses

Many resources exist to inform and guide, and are easy to find:
• Government: FBI, NIST, DHHS, DHS, et al.
• Industry: Trade associations, professional associations, insurers
• Organizations: ABCHS, InfraGard, SANS, many others

Page 14

Conclusions

• More and more emphasis is being placed on being proactive instead of being purely reactive.
• Trends in corporate governance are recognizing that more must be done in this area to eliminate avoidable liabilities.
• Laws passed now often contain penalties for failing to act with due care and due diligence in the face of known and knowable threats.
• Impacts to operations have become much more costly to reputations and bottom lines, even without lawsuits.
• Protective actions and technologies are often very reasonable in cost, comparatively speaking.
• Active risk management enables better control and better-fitting solutions – just like in any other business process.
• Don’t be concerned, be in control.

Page 15

Questions

Thank you!