3e - impactful security program leadership and metrics for

Post on 25-Mar-2022

0 views

Category:

Documents


0 download

TRANSCRIPT

10/4/2018

1

Prepare For “When”

• Every cyber breach or failure incident comes back to the failure of policy, procedure or the lack of having a policy or procedure.

DOJ Homeland Security, James Abignale, FBI

About George Usi

• Internet Pioneer
• Operations & Standards Pioneer
• Strategic operations & management origin
• Proud Father & Lucky Husband


What You Will Learn Today

• Difference Between Cyber Security & Cyber Compliance
• Cyber Security Risks, Exposures, & Regulations
• Five Key Governance Problems Leaders Should Know
• Top Ten Lines Before Being Hacked
• The US Government Has (Somewhat) Come To The Rescue
• Security Program Leadership Methods & Requisite Organization
• What To Do Next

Cyber Differences

What’s The Difference?

• Computer security, cybersecurity, or IT security is the protection of computer systems from theft of or damage to their hardware, software or electronic data, as well as from disruption or misdirection of the services they provide (Wikipedia definition as of September 1, 2018).

• Regulatory compliance: in general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations.


How You Might Relate to Both

Cyber Risks & Exposures

Risk Of A Cybersecurity Breach in 2018

Ref: Ponemon Institute – 2018 Global Data Breach Study by IBM & Datto Inc

TREND: 62% of construction & manufacturing businesses attacked report a ransomware incident, for small businesses <50.


Low Records = Low Risk…Right? Think Again!

Source: 2018 Ponemon Institute all businesses – 24-month horizon

27.9% probability of a records data breach

Basic Formula To Calculate Lowest Risk Point

(Employees * $233) + (Records * $233) + $68,000^ = $ Risk

$ Risk* Likelihood of Breach by Records Count = Calculated Risk $

Example - Small Water Agency Risk of Breach Calculation: 1) 90 current employees plus 565 previous employees in archive, for a total of 655 records, operating over 30 years; 2) Handling privacy data (name/address and SSN) of 20,000 customers.

(655 x $233) + (20,000 x $233) + $68,000 = $4,880,615 Risk

$4,880,615 * 0.192 = ~$937,000 Calculated Risk (STARTS AT!!!)

^Breach Consulting Minimal Cost to Respond/Recover according to Ponemon Institute/IBM 2018

Oh Wait, We Forgot Oregon!

Oops…

1) 100 previous employees moved to Oregon where the ORS Privacy law fines are $767 more per record;

2) 400 of your customers also moved to Oregon at $767 more per record

3) Total ORS 646a record count 500ea

Original Calculated Risk Exposure = ~$937,000 Calculated Risk

(130 x $767) x days not ORS 646a proactive = Up to $73,632…

POTENTIALLY MORE…PER DAY!

https://csrps.com/privacy-regulations/Oregon
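As an added worked example (not from the slides), the "lowest risk point" formula above and the per-record state add-on written as reusable functions. The $233 per-record cost, the $68,000 minimum response cost and the 0.192 likelihood are the deck's own inputs; the Oregon day count used in the usage section is an assumption.

```python
# Added example, not from the presentation: the Ponemon-derived risk formula
# from the slides as small functions, so the inputs can be swapped for your
# own agency's record counts and likelihood band.

PER_RECORD_COST = 233       # $ per employee/customer record (Ponemon/IBM 2018, per slide)
MIN_RESPONSE_COST = 68_000  # $ minimal breach consulting cost to respond/recover (per slide)


def exposure(employee_records: int, customer_records: int) -> int:
    """Dollar exposure if every record is breached: the slide's '$ Risk'."""
    return (employee_records * PER_RECORD_COST
            + customer_records * PER_RECORD_COST
            + MIN_RESPONSE_COST)


def calculated_risk(employee_records: int, customer_records: int,
                    likelihood: float) -> float:
    """Exposure weighted by the likelihood of a breach for the record-count band:
    the slide's 'Calculated Risk $'. The likelihood comes from the Ponemon
    breach-probability table, so it is passed in rather than looked up here."""
    return exposure(employee_records, customer_records) * likelihood


def daily_state_addon(records_in_state: int, fine_per_record: float, days: int) -> float:
    """Extra exposure from a state privacy law that fines per record for each day
    of non-compliance (the deck's Oregon ORS 646a example uses $767 per record)."""
    return records_in_state * fine_per_record * days


if __name__ == "__main__":
    # Small water agency from the slides: 90 current + 565 archived employees,
    # 20,000 customers with name/address/SSN, 0.192 likelihood by record count.
    employees = 90 + 565
    base = exposure(employees, 20_000)
    risk = calculated_risk(employees, 20_000, 0.192)
    print(f"Exposure:        ${base:,.0f}")                    # prints $4,880,615
    print(f"Calculated risk: ${risk:,.0f} (starting point)")   # prints $937,078
    # Assumed for illustration: 130 Oregon-resident records, 10 days not proactive.
    print(f"Oregon add-on for 10 days: ${daily_state_addon(130, 767, 10):,.0f}")
```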


Fox Watching Henhouse


Five Key Problems

Problem 1: Laws Changing

• New CA Consumer Privacy Act of 2018
• Many state privacy laws added “if then” clause
• Alphabet Soup of Compliance
• Yes, suits can be brought between two or more states

https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375

Problem 2: All Is Not As It Seems…


Problem 5: How Secure Do You Need To Be?

[Chart: Cyber Risk vs. $ecurity $pend]

Leaders who failed to plan & invest wisely in cybersecurity spent 58% more than those who have a “security plan” in place.*

* https://www.prnewswire.com/news-releases/small-businesses-overspending-on-cybersecurity-experts-say-300612332.html


The Top Ten!

Top Ten Things We Hear Before The “Help… We Were Hacked” Rescue Call

Top Ten Lines Heard Right Before A Hack

1. We don’t have any data anyone would want to steal.
2. Security is an overhead and is too expensive.
3. IT Guy/Team is great and everything is 100% secure.
4. Cloud/service provider already provides my security.
5. Business too small to get a regulatory fine/penalty.
6. We change our passwords.
7. I bought cyber security insurance.
8. We follow best practices in cyber security.
9. I hired a security leader to handle this.
10. We have never been hacked before (that we know of).


Federal Government To The Rescue (Somewhat)

With NIST CSF & NIST 800-53

https://www.nist.gov/cyberframework v1.0


The Framework Path with SIMM 5300

• SIMM = Statewide Information Management Manual

• SIMM 5300 = OIS (Office of Information Security)

• 30 Control Areas
• NIST influenced
• Publication on CDT Site
• Maps NIST & SAM 5300

https://cdt.ca.gov/wp-content/uploads/2018/01/5300PeopleProcessTechGuide_2018-0108.pdf

Security Program Leadership & Requisite Organization

Cyber Leadership Lemonade

• Governance
• Minimum Controls
• Security Program
• Standards, Policy, & Procedure
• Risk Management
• Metrics
• Privacy
• Usage Restrictions, Authorizations, & Compliance
• Continuous Monitoring

https://cdt.ca.gov/wp-content/uploads/2018/01/5300PeopleProcessTechGuide_2018-0108.pdf


Elliot Jaques & Requisite Organization?

What Is Elliot Jaques Known For?

• Set Standard for Corporate Lifecycles:
  – Sell & Survive
  – Business Scaling
  – Shift to Thrive
  – Growth & Big Decisions
  – Finance & Risk Drivers

http://timespan101.com/

What Else Is Elliot Jaques Known For?

• Posited that the complexity of a work role can be determined by measuring how long the incumbent could work on their own before being checked by the boss.

• Use of “Stratum Levels” to organize operational outcomes.

http://www.manasclerk.com/blog/2013/01/21/why-timespan-works/
http://timespan101.com/


Roles & Stratum According to Jaques

http://timespan101.com/

Mismatch of Role To Human Resource

http://timespan101.com/


Align Capability With Measured Tasks

Effectiveness: Use CDT SIMM 5300-C Maturity Metric

https://cdt.ca.gov/security/resources/#SIMM


Here Is What I Told You

With Proper Awareness, We Make Wise Choices

• Cyber Compromise is a Matter of When
• With A Formal Security Program, Cyber Risk Reduction is ~30%
• Regulations/Laws are Changing & More Stringent
• All Is Not As It Seems; Training Necessary
• Cyber Assurance Laws, 3rd-Party Checklists, & Audits Are Looming
• Breaches No Longer About Just Losing Data
• Conduct POAM & Spend Wisely
• NIST & SIMM To The Rescue
• Requisite Cyber Security Leadership
• Simplify the Complicated With Free Toolsets

Here Is What I Recommend You Do Now


Cyber Security Program 7-Step Punch List

1. Understand Agency Business Risk With Cyber Compliance Evaluation

2. Construct Action Plan for People, Process, & Technology

3. Launch/Relaunch Security Program with CDT Resources

4. Prepare for SIMM 5300 Security Compliance Reports (TRPs) and visit CDT site

5. Mitigate “People” Risk (Suggest Security Assurance Training)

6. Manage Remaining Risk via Plan of Action/Milestones (POAM) & Oversight

7. Evaluate for “Fox Watching the Hen House” Principle in Continuous Monitoring

https://cdt.ca.gov/security/policy/schedule-for-submission-of-technology-recovery-plans/

The Easy Button

• Give us your business card and we will deliver Free DIY templates
• Or…have SACTECH help with:
  • Conducting cyber compliance deep dive assessment
  • Agency Requisite Organization capabilities assessment for SIMM 5300-B
  • Two-party maintenance of SIMM 5300 & NIST

We are CA Small Certified Business #35606

Omnistruct Cyber Compliance Consulting & Cyber Governance Maintenance

+ Drive Action Plan
+ Continuous Consult
+ Cyber Awareness
+ Incident Handling
+ Cyber Insurance Guidance

+ Data Privacy Audit
+ Compliance Analysis
+ GAP Analysis
+ 2-Party Oversight
+ Security Posture Audit

+ SIMM/NIST Adoption
+ Work Plan to Comply
+ Security Policy WISP
+ Risk & Recovery Plan
+ Business Associate & 3rd-Party Agreements

SIMM


Case Study 1 – Organizational Risk

A regional water/power organization was struggling with regulatory cyber compliance due to separation of internal business units. They adopted NIST 800-53 and identified a number of regulatory cyber gaps between their administrative and operational entities. With a proper oversight and compliance maintenance plan in place, they were able to use Vendor Management principles internally to avoid the potential for a compliance violation between their segmented operation and vendor communities, and reduced risk exposures by 20%.

Case Study 2 – School Is In (The Money)

A large school district (top 20) was struggling to understand their cyber security business risk. Although they were following a framework, technology tools were unable to see when unmonitored exceptions and policy violations were happening. They conducted a cyber compliance deep dive and adopted NIST CSF, reducing their security spend by 18% while investing wisely in the cyber risks that matter.

Case Study 3 – The SCAP Hurts

A major state agency was struggling with their STIG/SCAP visibility. They adopted continuous visibility/monitoring of endpoints with SCAP visibility and remediation for their cyber compliance, passing audits under FISMA enforcement.


Thank You

Questions & Answers

George Usi, [email protected]

○ 916-484-1111

○ …and Team