Transcript
Page 1: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Russell Cameron Thomas

EnergySec 9th Annual Security Summit

September 18, 2013

Twitter: @MrMeritology

Blog: Exploring Possibility Space

Page 3: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Who here loves frameworks?

NIST Cyber Security Framework? Other?

Page 5: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Frameworks can matter (a lot) if they are instrumental in driving new levels of Cyber Security Performance

Page 6: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

What the hell is “Cyber Security Performance”?

Page 8: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Yes, “Cyber”

Confluence of…

•  Information Security

•  Privacy

•  IP Protection

•  Critical Infrastructure Protection & Resilience

•  Digital Rights

•  Homeland & National Security

•  Digital Civil Liberties

Page 9: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

What the hell is “Cyber Security Performance”?

Page 10: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

“Cyber security performance” is…

… systematic improvements in an organization's dynamic posture and capabilities relative to its rapidly-changing and uncertain adversarial environment.”

Page 15: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

“Cyber security performance” is…

…Management By Objectives (Drucker)

…Performance Mgt, incentives

…Staffing, training, organizing

…Organization learning, agility

… and good practices

Page 16: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

“Performance” vs “Practices”

Page 17: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Using the Universal Language of Executives…

Page 24: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

"Keep your head still"

“Grip it and rip it!"

“Keep your arm straight”

“Swing on one plane”

“Swing easy”

Page 26: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

"Best practices" are like golf tips…

Golf tips alone don't make good golfers

Page 27: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Why Agility?

Why Rapid Innovation?

Page 29: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

State of the Art

Lagging InfoSec Program

Page 31: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Time for some drama!

Set in the Summer of 2017

Page 32: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

“It was another long heat wave in central Texas.”

Page 33: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Spare generating capacity was dangerously low

Page 34: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

You run information security at a large industrial company that includes several and cogeneration.

Page 35: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Thanks to deregulation and incentives, microgrids have taken off, especially in Texas

Figure: Microgrid Adoption, 2017 (map; legend symbol = 10+ microgrids)

Page 36: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

In recent days, instead of selling its excess power, your firm was buying at peak spot prices. This was strange.

Page 37: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

18 months earlier

You

Energy Ops Manager

Business Continuity Manager

Page 38: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Effective Response, Recovery & Resilience

Page 39: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Your Microgrid Automation

Diagram: hosted auto-configuring software (reporting/trending, system config, diagnostics) — Internet — Microgrid Supervisory Controller

12 months earlier

Page 40: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Spot trading was largely automated via microgrid automation software.

12  months  earlier  

Page 41: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Optimize Exposure

Page 42: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Threat Intelligence

Insiders? Business Partners? Contractors? Criminals? APT? Error? Hacktivist? Terrorist?

24 months earlier

Page 43: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Our New Capability: Attack-driven Defense

1.  Raise cost to attackers

2.  Increase odds of detection

3.  Iterate defense based on real attack patterns

24 months earlier

source: Etsy, http://www.slideshare.net/zanelackey/attackdriven-defense

Page 44: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Threat Intelligence, Yesterday

Insiders? Business Partners? Contractors? Criminals? APT? Error? Hacktivist? Terrorist?

Page 45: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Effective Threat Intelligence

Page 46: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Sensors & Pattern Detection for Anomalous User Behavior

24 months earlier

Figure: detection sensors by User Class (Any, Non-Tech., Tech.)

source: Etsy, http://www.slideshare.net/zanelackey/attackdriven-defense

Page 47: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Threat Intelligence, Yesterday

Insiders? Business Partners? Contractors? Criminals? APT? Error? Hacktivist? Terrorist?

(Same threat list, now with X marks on two of the threats)

Page 48: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Quality of Protections & Controls

Page 49: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Threat Intelligence, Yesterday

Insiders? Business Partners? Contractors? Criminals? APT? Error? Hacktivist? Terrorist?

(Same threat list, with X marks on two of the threats)

Page 50: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Efficient/Effective Execution & Operations

Page 51: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

12 months earlier

Page 52: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Effective External Relationships

Page 53: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

The Crime: Manipulation of Wholesale Market Subsidies

Figure: Congestion patterns, July 14, 2017 (labels: Artificially Congested; Subsidized Generators)

Page 54: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Losers: You and hundreds of other microgrids forced to generate spot market bids during price spikes. (Botnet-style. Each loses a little $$)

Scam: Generate losing trades in one market to make money in another market

Page 55: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Attack: Compromised Hosted Auto-Configuration Software

Diagram: hosted auto-configuring software (reporting/trending, system config, diagnostics) — Internet — Microgrid Supervisory Controller
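As an added example for the detection side of this scenario (it is not code from the talk), the checks below flag the pattern the story calls strange, a site with surplus power buying at spike prices, and report which bidding parameters a hosted auto-configuration push would change away from the approved set before the supervisory controller applies them. The bid records, site id, spike threshold, parameter names and all values are constructed for illustration and are not taken from the talk.

```python
# Added example (not from the talk): two defender-side checks for the
# compromised-auto-configuration scenario. Bid records, site ids, the spike
# threshold and the parameter names are constructed for illustration.
from dataclasses import dataclass
from statistics import median

# A price above SPIKE_MULTIPLIER times the trailing median counts as a spike
# (assumed threshold, chosen for the example).
SPIKE_MULTIPLIER = 2.0


@dataclass(frozen=True)
class Bid:
    ts: str               # timestamp (constructed)
    site: str             # microgrid id (constructed)
    side: str             # "BUY" or "SELL"
    mwh: float            # volume bid
    price: float          # $/MWh
    net_export_mw: float  # measured net export at bid time; > 0 means surplus


def flag_anomalous_bids(bids, window=6):
    """Return (ts, site, reason) for every bid that buys at a spike price while
    the site is exporting surplus power, i.e. a losing trade the site should
    not be making on its own account."""
    flags = []
    history = []  # prices seen so far; the trailing slice is the baseline
    for b in bids:
        baseline = median(history[-window:]) if history else b.price
        spike = b.price > SPIKE_MULTIPLIER * baseline
        if spike and b.side == "BUY" and b.net_export_mw > 0:
            flags.append((b.ts, b.site, "buy-at-peak-while-exporting"))
        history.append(b.price)
    return flags


def config_drift(pushed, approved):
    """Return {key: (approved_value, pushed_value)} for each bidding parameter
    a hosted auto-configuration push would change. An operator reviews this
    drift before the supervisory controller accepts the push."""
    keys = set(pushed) | set(approved)
    return {k: (approved.get(k), pushed.get(k))
            for k in keys if approved.get(k) != pushed.get(k)}


# Constructed bid log for one site: a quiet night, then a price spike.
SAMPLE_BIDS = [
    Bid("2017-07-14T00:00", "mg-07", "SELL", 5.0, 30.0, 4.0),
    Bid("2017-07-14T01:00", "mg-07", "SELL", 5.0, 32.0, 4.0),
    Bid("2017-07-14T02:00", "mg-07", "SELL", 5.0, 31.0, 4.0),
    Bid("2017-07-14T03:00", "mg-07", "SELL", 5.0, 29.0, 4.0),
    Bid("2017-07-14T04:00", "mg-07", "SELL", 5.0, 33.0, 4.0),
    Bid("2017-07-14T05:00", "mg-07", "SELL", 5.0, 30.0, 4.0),
    Bid("2017-07-14T06:00", "mg-07", "BUY", 5.0, 90.0, 4.0),    # buying at peak with surplus
    Bid("2017-07-14T07:00", "mg-07", "SELL", 5.0, 95.0, 4.0),   # selling into the spike: expected
    Bid("2017-07-14T08:00", "mg-07", "BUY", 3.0, 88.0, -2.0),   # buying while short: legitimate
]

# Constructed parameter sets: the approved baseline and what a push contains.
APPROVED_PARAMS = {"mode": "sell_surplus", "max_buy_price": 60.0, "min_sell_price": 25.0}
PUSHED_PARAMS = {"mode": "buy_peak", "max_buy_price": 500.0, "min_sell_price": 25.0}

if __name__ == "__main__":
    for f in flag_anomalous_bids(SAMPLE_BIDS):
        print("ANOMALY", *f)
    for k, (old, new) in sorted(config_drift(PUSHED_PARAMS, APPROVED_PARAMS).items()):
        print(f"CONFIG DRIFT {k}: {old!r} -> {new!r}")
```

The trailing median is deliberately simple: a sustained spike raises the baseline after a few intervals, so a production detector would use a longer window or exclude already-flagged prices from the baseline. The config-drift check is the cheaper control, since it acts before a bad parameter set ever produces a bid.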

Page 56: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

The Attackers

Insider: Contractor at web application software company

Outsider: Hedge fund manager bribed contractor with profit sharing

Page 57: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

2017

"Gold Man Hacks Bid Probe"

"Gold Man Hacks Faces Record Fine Over Energy"

Page 58: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Over the last 24 months

Adaptive Threat Intelligence

Attack-driven Defense

Expanded External Engagement

Expanded Detection & Response

Metrics

Page 59: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Effective Agility & Learning

Page 60: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Over the last 24 months

Page 61: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Effective Design & Development

Page 62: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Over the last 24 months

Page 63: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Optimize Cost of Risk

Page 64: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Over the last 24 months

Page 65: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Accountability & Responsibility

Page 66: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

The End

Page 67: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Summary: The Ten Dimensions of Cyber Security Performance

Page 68: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Diagram elements: Actors, Systems, Events, The Organization, Context

Page 69: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Dimension 1: Optimize Exposure

Diagram: Actors, Systems, Events; label 1. Exposure

Page 70: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Dimension 2: Effective Threat Intelligence

Diagram: Actors, Systems, Events; labels 1. Exposure, 2. Threats

Page 71: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Dimension 3: Effective Design & Development

Diagram: Actors, Systems, Events; labels 1. Exposure, 2. Threats, 3. Design & Dev.

Page 72: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Dimension 4: Quality of Protection & Controls

Diagram: Actors, Systems, Events; labels 1. Exposure, 2. Threats, 3. Design & Dev., 4. Protections & Controls

Page 73: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Dimension 5: Effective/Efficient Execution & Operations

Diagram: Actors, Systems, Events; labels 1. Exposure, 2. Threats, 3. Design & Dev., 4. Protections & Controls, 5. Execution & Operations

Page 74: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Dimension 6: Effective Response, Recovery & Resilience

Diagram: Events, Actors, Systems; labels 1. Exposure, 2. Threats, 3. Design & Dev., 4. Protections & Controls, 5. Execution & Operations, 6. Response, Recovery & Resilience

Page 75: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Operational Cyber Security

Dimensions 1 – 6 Measure Core Performance

Diagram: Events, Actors, Systems; labels 1. Exposure, 2. Threats, 3. Design & Dev., 4. Protections & Controls, 5. Execution & Operations, 6. Response, Recovery & Resilience

Page 76: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

First Loop Learning

“First Loop Learning” is Continuous Improvement in Daily Operations

Page 77: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Dimension 7: Effective External Engagement

Diagram: Events, Systems, Actors, The Organization, Other Organizations, Government & Law Enforcement; labels 1. Exposure, 2. Threats, 3. Design & Dev., 4. Protections & Controls, 5. Execution & Operations, 6. Response, Recovery & Resilience, 7. External Engagement

Page 78: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Dimension 8: Effective Agility & Learning

Diagram: Events, Systems, Actors, Other Organizations, Government & Law Enforcement; labels 1. Exposure, 2. Threats, 3. Design & Dev., 4. Protections & Controls, 5. Execution & Operations, 6. Response, Recovery & Resilience, 7. External Engagement, 8. Agility & Learning

Page 79: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Dimension 9: Optimize Total Cost of Risk

Diagram: Events, Systems, Actors, Other Organizations, Government & Law Enforcement; labels 1. Exposure, 2. Threats, 3. Design & Dev., 4. Protections & Controls, 5. Execution & Operations, 6. Response, Recovery & Resilience, 7. External Engagement, 8. Agility & Learning, 9. Total Cost of Risk

Page 80: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Dimension 10: Accountability & Responsibility

Diagram: Events, Systems, Actors, Stakeholders, Other Organizations, Government & Law Enforcement; labels 1. Exposure, 2. Threats, 3. Design & Dev., 4. Protections & Controls, 5. Execution & Operations, 6. Response, Recovery & Resilience, 7. External Engagement, 8. Agility & Learning, 9. Total Cost of Risk, 10. Accountability & Responsibility

Page 81: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Dynamic Capabilities

Dimensions 7 – 10 Measure Systemic Agility

Diagram: Events, Systems, Actors, Stakeholders, Other Organizations, Government & Law Enforcement; labels 1. Exposure, 2. Threats, 3. Design & Dev., 4. Protections & Controls, 5. Execution & Operations, 6. Response, Recovery & Resilience, 7. External Engagement, 8. Agility & Learning, 9. Total Cost of Risk, 10. Accountability & Responsibility

Page 82: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Second Loop Learning

“Second Loop Learning” is Innovation and Reinvention*

* Individual and Collective

Page 83: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Ten Dimensions of Cyber Security Performance

Diagram: Events, Systems, Actors, Stakeholders, Other Organizations, Government & Law Enforcement; labels 1. Exposure, 2. Threats, 3. Design & Dev., 4. Protections & Controls, 5. Execution & Operations, 6. Response, Recovery & Resilience, 7. External Engagement, 8. Agility & Learning, 9. Total Cost of Risk, 10. Accountability & Responsibility

Page 84: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Last thought…

Page 86: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

“Can’t you make it simpler?”

“We need a crayon version for executives and other business and policy types”

Page 90: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

Sure!

•  “Transcendental numbers hurt my head”

•  Declare π = 3.0

•  But we lose something essential

“Circle”

Page 91: How to Build Your Own Cyber Security Framework using a Balanced Scorecard

[email protected]

http://exploringpossibilityspace.blogspot.com/

@MrMeritology

