CENTRALIZED CYBERSECURITY IN A DECENTRALIZED WORLD
BOB TURNER
CHIEF INFORMATION SECURITY OFFICER
UNIVERSITY OF WISCONSIN-MADISON
CISO CHICAGO SUMMIT - AUGUST 2015
CYBERSECURITY PERSPECTIVES
3/10/2016
CENTRALLY GOVERNED | DISTRIBUTED GOVERNANCE
Single threaded authority, responsibility, and decision making power | Authority, responsibility, and decision making power are vested in and delegated to individual groups and teams
Common hierarchy for policies, standards, guidelines, procedures, and processes | Teams establish their own policies, standards, guidelines, procedures, and processes
Enterprise-wide involvement in the development and implementation of risk management and cybersecurity strategies | Decentralized cybersecurity risk management is based on individual team and business strategies
Strong, well-informed central leadership provides consistency throughout the organization | Sharing of risk-related information among subordinate organizations
Less autonomy for subordinate organizations | No subordinate organization is able to transfer risk to another without the latter's informed consent.
WHY ARE WE TALKING ABOUT THIS?
What are the current attack vectors?
• Advanced Persistent Threat
• Data Breach Attacks
• DDoS or Other Events
CHANGES IN HIGHER EDUCATION
From 2014 Wisegate Survey: Assessing and Managing IT Security Risks
• Academic and research responsibilities can be burdened when cybersecurity processes and procedures are not risk reducers
  - While research environments are run by talented technologists providing adequate security controls, providing system information to the campus-wide cybersecurity team should follow industry best practices
  - Remote scans and continuous monitoring are options for gathering vulnerability information and can be run during off-peak hours
• Perceptions (and a little reality) that vulnerability and asset management scanning slows down high-performance networks
  - Computing power and high bandwidth can mask criminal activity
  - Scans can be tailored to be as non-intrusive as possible or scheduled to occur outside peak computing windows
• Not all campus networks have adequate IT support or appropriately trained cybersecurity staff
  - Can centralized cybersecurity staff provide support on a transactional basis?
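The scheduling point in the bullets above (run scans off-peak, and tailor their intensity to the network being scanned) as an added example; this is not code from the deck or from UW-Madison. The segment names, off-peak windows, throttle values and the 15-minute minimum run time are constructed assumptions, and the function only decides whether a scan job may start and with what throttle; it does not perform any scanning.

```python
"""Off-peak scan window gate: decide whether a vulnerability scan may start
against a given network segment right now, and how aggressively it may run.

Added example, not from the original slide deck. Segment names, window
hours and throttle values below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class ScanWindow:
    """A daily off-peak window in the segment's local time; may cross midnight."""
    start: time
    end: time

    def contains(self, t: time) -> bool:
        if self.start <= self.end:
            return self.start <= t < self.end
        # Window wraps past midnight, e.g. 20:00-06:00.
        return t >= self.start or t < self.end

    def seconds_remaining(self, now: datetime) -> int:
        """Seconds until the window closes, or 0 if the window is not open."""
        if not self.contains(now.time()):
            return 0
        end_dt = now.replace(hour=self.end.hour, minute=self.end.minute,
                             second=0, microsecond=0)
        if end_dt <= now:  # close time is tomorrow for a wrapping window
            end_dt += timedelta(days=1)
        return int((end_dt - now).total_seconds())


# Constructed policy: per-segment off-peak window and the scan profile allowed.
# "hpc" stands in for the high-performance research network the slide worries about.
SCAN_POLICY = {
    "admin": {"window": ScanWindow(time(20, 0), time(6, 0)), "profile": "full"},
    "hpc":   {"window": ScanWindow(time(1, 0), time(5, 0)),  "profile": "light"},
    "labs":  {"window": ScanWindow(time(0, 0), time(23, 59)), "profile": "light"},
}

# Constructed throttle settings per profile: parallel hosts and packets per second.
PROFILES = {
    "full":  {"parallel_hosts": 64, "pps": 2000},
    "light": {"parallel_hosts": 8,  "pps": 100},
}

MIN_SECONDS_TO_START = 15 * 60  # assumption: don't start a scan that can't run 15 min


def scan_decision(segment: str, now: datetime) -> dict:
    """Return a decision dict: allowed, reason, throttle (None when refused)."""
    policy = SCAN_POLICY.get(segment)
    if policy is None:
        return {"allowed": False,
                "reason": f"no scan policy for segment {segment!r}",
                "throttle": None}
    remaining = policy["window"].seconds_remaining(now)
    if remaining == 0:
        return {"allowed": False, "reason": "outside off-peak window", "throttle": None}
    if remaining < MIN_SECONDS_TO_START:
        return {"allowed": False,
                "reason": f"only {remaining}s left in window",
                "throttle": None}
    return {"allowed": True,
            "reason": "within off-peak window",
            "throttle": dict(PROFILES[policy["profile"]]),
            "seconds_remaining": remaining}


if __name__ == "__main__":
    for seg, when in [("admin", datetime(2016, 3, 10, 23, 30)),
                      ("hpc", datetime(2016, 3, 10, 4, 50)),
                      ("hpc", datetime(2016, 3, 10, 2, 0))]:
        print(seg, when.isoformat(), scan_decision(seg, when))
```

The gate refuses a scan that would spill past the window's close (or that could not run for a useful minimum), and hands the caller a throttle matched to the segment, which is what "tailored to be as non-intrusive as possible" means in practice for a scanner such as Nessus or OpenVAS whose job runner would call this before launching.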
WHAT IS THE ROOT CAUSE?
THINK TANK!
• What does a CISO do when IT support and cybersecurity services are not centrally driven?
• How can CISOs address common cybersecurity threats with a unified and cohesive approach?
• Where do CISOs turn to find the right partnerships to improve cybersecurity programs?
What questions do you have?
http://www.cio.wisc.edu/security/