Upload File

global ciso forum 2017: how to measure anything in cybersecurity risk

  • Home
  • Technology
  • Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk
16
Richard Seiersen: VP Trust & CISO Twilio Forecasting Breach Perspectives and Code from HTMA Cyber

Upload: ec-council

Post on 21-Jan-2018

344 views

Category:

Technology


5 download

Report

TRANSCRIPT

Page 1: Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk

Richard Seiersen: VP Trust & CISO Twilio

Forecasting BreachPerspectives and Code from HTMA Cyber

Page 2: Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk

?

Page 3: Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk

Agenda:

Forecasting breach, what’s that!?

What are the challenges?

Why would you want to?

The Security Analytics Framework

Page 4: Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk

The Security Analytics Framework

Our Focus

Page 5: Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk

Forecasting breach, what’s that!?

What are the challenges?

Why would you want to?

The Security Analytics Framework

Page 6: Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk

Internal Use Only

Forecasting Breach, What’s That!?

2017-2019 Breach Forecast

16% chance of losing $20M+

1% chance of losing $70M+

Who else uses these methods?Actuaries, big-pharma, military logisticians, nuclear engineers, epidemiologists, meteorologist, project managers, movie producers etc…anyone making forecasts with seemingly irriducible uncertainty.

It’s Tolerance Based: This one has an imagined insurance threshold

It’s Capability Based: We model security capability improvement over time

It’s Risk As A Curve!: We build a model that relates impact (money) and likelihood.

It Uses Probabilities: We only use probabilities and dollars – no Red, Yellow, Green or High, Medium, Low.

It’s Time Based: We make multi-year forecasts to help drive strategy.

…. but if correct, it has a similar structure to the territory, which accounts for its usefulness. — Alfred Korzybski in Science & SanityA map is not the territory

Data For Demo Purposes Only

Page 7: Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk

Internal Use Only

Key Question: Is a ~16% chance of losing $20M or more, at least once in 3 years, OK? Can it be benchmarked in some way?

Fortune 500 Healthcare• Yearly Avg Rate: 3.85%• 3 Year Avg Rate: 11%

Fortune 500 Finance• Yearly Avg Rate: 2.46%• 3 Year Avg Rate: 7.2%

Fortune 500 Retail• Yearly Avg Rate: 2.02%• 3 Year Avg Rate: 5.9%

*Research conducted by Hubbard Decision Research Inc.

• Public disclosed data breaches from 2014-2015

• Outcomes are uncertain, but update our beliefs

• We will show you how to predict like this with marbles shortly!

Observations

Forecasting Breach, What’s That!?

Page 8: Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk

Forecasting breach, what’s that!?

What are the challenges?

Why would you want to?

The Security Analytics Framework

Page 9: Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk

Challenge #1: The Concept or Misconception Of Measurement

Page 10: Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk

Challenge #2: Probabilities

Page 11: Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk

Challenge #2: Probabilities & Breach

WhatproportionisRed?

Assumeyoudon’tknow…….total

• F500 2014-2015 healthcare breach forecast

• We can update as we get more info, be it red

or blue marbles.

Page 12: Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk

Challenge #3: Forecasting Financial Impact

Win $1000 if you guess the average weight in tons of an adult male African

elephant?

=

100lbs. 1000Tons

Page 13: Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk

It’s Demo Time!

Forecasting the

value of “security

capabilities” in

reducing the

likelihood and

impact of breach

Page 14: Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk

Forecasting breach, what’s that!?

What are the challenges?

Why would you want to?

The Security Analytics Framework

Page 15: Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk

Why would you want to

do this?

Page 16: Global CISO Forum 2017: How To Measure Anything In Cybersecurity Risk

Thank You!

http://www.howtomeasureanything.com/cybersecurity/#downloads


2014 Deloitte-NASCIO Cybersecurity Study State governments at … · result, the CISO position is gaining in importance, becoming better defined, and calling for more consistent capabilities

CISO Playbook - OWASP

Owasp atlanta-ciso-guidevs1

CISO Dream Team - Balbix · 2 The CISO’s Cybersecurity Dream Team Folks in: Vulnerability management Threat intelligence Security operations Also includes network defense teams,

HOW TO BE AN EFFECTIVE CYBERSECURITY LEADER IN … · 2018. 3. 1. · 1 HOW TO BE AN EFFECTIVE CYBERSECURITY LEADER IN HEALTHCARE Session CYB1, March 5, 2018 Karl J. West, CISO &

Cybersecurity Governance in the Commonwealth of Virginia...a Chief Information Security Officer (CISO) to address cybersecurity issues.6 VITA is charged with overseeing the ommonwealth’s

BlackBerry Security Summit 2016 · 7/14/2016  · Mobile Security Mobile Security Mobile Strategies Mobile Strategies The Importance of Independent Cybersecurity Assessment CISO Panel

New York’s Cybersecurity Regulations for Financial ...cysecure.org › 595 › 595standard › financial-NYC_Instit_HealthCare.pdf · Security Officer (CISO). 23 NYCRR 500.04. The

Assessing Cyber Risk Management Program Maturity · Healthcare Cyber Risk Management Solutions Assessing . Cyber Risk Management . Program Maturity. CISO Virtual Cybersecurity Symposium

The CISO Current Report - cyber.ylventures.com Current... · experts for ongoing insights into their thoughts, priorities and opinions about the state of their organizational cybersecurity

Becoming a Cybersecurity Professional · 2020. 8. 24. · company’s Chief Technology Officer (CTO) or Chief Information Security Officer (CISO). Network Security Engineers need

Delivering CISO Vision and Strategy - Optivfiles.accuvant.com/web/file/ddf1e7ff005a4c979d46540817ab3880/CISO... · Delivering CISO Vision and Strategy SERVICE DATA SHEET CISO Services

CYBERSECURITY COLLABORATIVE OVERVIEW€¦ · CISO “SWAT Teams” for on-demand support during times of crisis (48-hours) Virtual Briefings with National Security and Cyber experts

REPORT The CISO and Cybersecurity - Fortinet · The CISO and Cybersecurity Report is based on a survey conducted in January and February of 2019. Respondents had the job titles of

From%checkboxes%to%frameworks - Cyber …...2 From checkboxes to frameworks: CISO insights on moving from compliance to risk-based cybersecurity programsCybersecurity risk is an immense

Cio ciso security_strategyv1.1

ATTENDEE GUIDE THE ONLY VIRTUAL EVENT FOCUSED N YOU · CISO VISIONS Cybersecurity Summit ATTENDEE GUIDE SEPT.28–OCT.22020 QUARTZEVENTS.COM MONDAY–FRIDAY. 2 quartzevents.com |

Data Protection Strategy Bob Maley, CEO, Strategic CISO & former CISO, State of Pennsylvania

CISO - Mobile Applications

STATEMENT OF GUIDANCE Cybersecurity for Regulated Entities...CIO: Chief Information Officer . CISO: Chief Information Security Officer . Cloud computing: A model for enabling on-demand

CISO Board Briefing 2017 - Black Swan Technologies€¦ · CISO BOARD BRIEFING 2017: INSIGHTS FROM THE 2016 CISO FORUMS Introduction A chief information security officer (CISO) has

Navigating New York's New Cybersecurity Regulations and ...media.straffordpub.com/products/navigating-new... · 4/12/2017  · body exists, the CISO shall timely present the report

New Managed Security Service Provider - VARS Corporation · 2020. 8. 31. · Integrated Simplified Scalable Managed 360° Cybersecurity Virtual CISO Office Managed Security Service

The new CISO - Deloitte 78 The new CISO Looking inward: When the CISO needs to look in the mirror According to data from Deloitte’s CISO Labs, building capabilities to better integrate

Evolving Healthcare Cybersecurity Programs with Lessons ...Dan Bowden, CISO, Sentara Healthcare. 2 Agenda •Introductions ... –Some projects eventually become commercial products

From checkboxes to frameworks · From checkboxes to frameworks: CISO insights on moving from compliance to risk-based cybersecurity programs. Cybersecurity risk is an immense threat

REPORT The CISO and Cybersecurity · Executive Summary The CISO and Cybersecurity Report from Fortinet takes a snapshot of how CISOs are approaching cybersecurity, and how their organizations

The state of CISO influence 2021 The maturing CISO role

REPORT The Security Architect and Cybersecurity...While the CISO owns the cybersecurity strategy, much of the work needed to implement that strategy falls to the security architect

A CISO’s Guide to Bolstering Cybersecurity Posture · A CISO’s Guide to Bolstering Cybersecurity Posture . 1 . Introduction . The CISO blog launched on the CIS website in January

A New Normal: The NYDFS Cybersecurity Regulations …/media/Files/Insights/Events/2017/03/NYD... · Cybersecurity Regulations and the Insurance Industry ... Role of the CISO ... Establish

Through the cyber looking glass The perspective from a US federal CISO turned private sector CISO Patricia Titus Chief Information Security Officer (CISO)

EY Cybersecurity Dashboard...CISO, CIO, other C-level Functional or domain leadership Operational leads Portfolio status/health Financial and organizational health (e.g., budget, headcount)

The CISO Guide – How Do You Spell CISO?

ULTIMATE GUIDE Cyber risk reporting to the board of directors · half-yearly checklist-style cybersecurity posture questionnaires provided by their vendors. One CISO indicated that