2006 12 00 Larry Clinton Commerce Department Presentation

7/31/2019 2006 12 00 Larry Clinton Commerce Department Presentation

Slide 1/24: The Value Proposition for Cyber Security: Does it exist and how can we create it?

Larry Clinton, ISAlliance Chief Operating Officer

Slide 2/24: (no text)

Slide 3/24: What we believe

• The World has Changed
  • Globalization
  • Digitalization
  • Terrorism
• Traditional Regulatory Mechanisms won't work
  • Too slow
  • US only
  • Retard needed economic growth

Slide 4/24: (no text)

Slide 5/24: Digital Growth? Sure

• "Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company's assumptions for growth."
  --- Stanford University Study, July 2006

Slide 6/24: Digital Defense? Maybe not

• "The technology community has made much progress in the past 5 years improving technical security. Yet, moving the needle on information security is a team activity. The hardest remaining issues involve people and organizations."
  --- Embedding Information Security into the Extended Enterprise, Dartmouth University 2006

Slide 7/24: Everyone on the Team? Maybe Not

• 29% of Senior Executives acknowledged that they did not know how many negative security events they had in the past year
• 50% of Senior Executives said they did not know how much money was lost due to attacks

Source: PricewaterhouseCoopers survey of 7,000 companies, 9/06

Slide 8/24: Digital Defense NOT

• 23% of CTOs did not know if cyber losses were covered by insurance or not.
• 34% of CTOs thought their cyber losses would be covered by insurance, and were wrong.
• The biggest network vulnerability in American corporations is extra connections added for senior executives without proper security.

--- Source: DHS Chief Economist Scott Borg

Slide 9/24: What needs to be Done? Realize the Value Proposition

• Role for industry: Determine how to solve the problem
• Role for Government: Encourage industry to adopt proven solutions

Slide 10/24: Can we mitigate cyber Attacks? YES

• PricewaterhouseCoopers conducted 2 international surveys (2004 & 2006) covering 15,000 corporations of all types
• Approximately 25% of the companies surveyed were found to have followed recognized best practices for cyber security.

Slide 11/24: Benefits of Best Practices

• Reduces the number of successful attacks
• Reduces the amount of down-time suffered from attacks
• Reduces the amount of money lost from attacks
• Reduces the motivation to comply with extortion threats

Slide 12/24: Senior Mgrs Best Practices

• Cited in US National Draft Strategy to Protect Cyber Space (September 2002)
• Endorsed by TechNet for CEO Security Initiative (April 2003)
• Endorsed by US India Business Council (April 2003)

Slide 13/24: ISALLIANCE BEST PRACTICES

• Practice #1: General Management
• Practice #2: Policy
• Practice #3: Risk Management
• Practice #4: Security Architecture & Design
• Practice #5: User Issues
• Practice #6: System & Network Management
• Practice #7: Authentication & Authorization
• Practice #8: Monitor & Audit
• Practice #9: Physical Security
• Practice #10: Continuity Planning & Disaster Recovery

Slide 14/24: Why Doesn't Everyone Comply with the Best Practices?

• "Many organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum."
  --- Stanford University 06

Slide 15/24: Management is WRONG

• Stanford Global Supply Chain Management Forum/IBM Study: Clearly demonstrated that investments in security can provide business value such as:
  • Improved Product Safety (38%)
  • Improved Inventory management (14%)
  • Increase in timeliness of shipping info (30%)

Slide 16/24: There's More!!!

• Increase in supply chain information access (50%)
• Improved product handling (43%)
• Reduction in cargo delays (48% reduction in inspections)
• Reduction in transit time (29%)
• Reduction in problem identification time (30%)
• Higher customer satisfaction (26%)

Slide 17/24: (no text)

Slide 18/24: Key Issues for Industry

• Globalization and outsourcing have increased the challenges of security
• Security metrics must be more tightly linked to the business.
• Investment in security must move from reactive add-ons to proactive initiatives consistent with the company's strategic goals
• Directives must come from the top

--- Dartmouth University 2006

Slide 19/24: ISA Insurance Incentives

• AIG developed an on-line metric tool based on ISAlliance Best Practices for Senior Managers
• Separate tool developed for small businesses based on small business best practices
• Qualified companies can receive up to 15% discount on cyber insurance

Slide 20/24: ISA Security Integration Program - Get the team involved

• Issues must be addressed simultaneously from the:
  • Legal
  • Business
  • Technology
  • Policy
  perspectives

[Diagram: "PROBLEM / ISSUE" at the center, surrounded by "BUS / OPERATIONAL", "LEGAL/REG", "TECH / R&D" and "POLICY"]

Slide 21/24: ISAlliance Integrated Business Security Program

• Outsourcing
• Risk Management
• Security Breach Notification
• Privacy
• Insider Threats
• Auditing
• Contractual Relationships (suppliers, partners, sub-contractors, customers)

Slide 22/24: Things Government Can Do

• Stimulate the insurance market
  • Temporary insurer of last resort (e.g. w/ crop and flood insurance)
  • Use government's market power (e.g. require contractors to have insurance)
  • Civil Liability reform (Precedent: Anti-Terrorism Act of 2002)
  • Allow info sharing to create better metrics (e.g. Y2K)

Slide 23/24: More for Government to do

• Create Gov/Industry/Education Consortium (e.g. SEMATECH)
• Create Awards Programs (e.g. Baldrige Awards for Quality)
• Develop significant outreach programs targeted at senior corporate execs.

Slide 24/24: Larry Clinton

Chief Operations Officer
Internet Security Alliance
[email protected]
703 907 7028 (O) 202 236 0001 (C)