7/31/2019 2006 12 00 Larry Clinton Commerce Department Presentation
1/24
The Value Proposition for Cyber Security: Does it exist and how can we create it?
Larry Clinton, ISAlliance Chief Operating Officer
What we believe
- The World has Changed
  - Globalization
  - Digitalization
  - Terrorism
- Traditional Regulatory Mechanisms won't work
  - Too slow
  - US only
  - Retard needed economic growth
Digital Growth? Sure
- Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company's assumptions for growth.
---Stanford University Study, July 2006
Digital Defense? Maybe not
- The technology community has made much progress in the past 5 years improving technical security. Yet, moving the needle on information security is a team activity. The hardest remaining issues involve people and organizations.
---Embedding Information Security into the Extended Enterprise, Dartmouth University 2006
Everyone on the Team? Maybe Not
- 29% of Senior Executives acknowledged that they did not know how many negative security events they had in the past year
- 50% of Senior Executives said they did not know how much money was lost due to attacks
Source: PricewaterhouseCoopers survey of 7,000 companies 9/06
Digital Defense? NOT
- 23% of CTOs did not know if cyber losses were covered by insurance or not.
- 34% of CTOs thought their cyber losses would be covered by insurance, and were wrong.
- The biggest network vulnerability in American corporations is extra connections added for senior executives without proper security.
---Source: DHS Chief Economist Scott Borg
What needs to be Done? Realize the Value Proposition
- Role for industry:
  - Determine how to solve the problem
- Role for Government:
  - Encourage industry to adopt proven solutions
Can we mitigate cyber Attacks? YES
- PricewaterhouseCoopers conducted 2 International surveys (2004 & 2006) covering 15,000 corporations of all types
- Apx 25% of the companies surveyed were found to have followed recognized best practices for cyber security.
Benefits of Best Practices
- Reduces the number of successful attacks
- Reduces the amount of down-time suffered from attacks
- Reduces the amount of money lost from attacks
- Reduces the motivation to comply with extortion threats
Senior Managers' Best Practices
- Cited in US National Draft Strategy to Protect Cyber Space (September 2002)
- Endorsed by TechNet for CEO Security Initiative (April 2003)
- Endorsed by US India Business Council (April 2003)
ISALLIANCE BEST PRACTICES
- Practice #1: General Management
- Practice #2: Policy
- Practice #3: Risk Management
- Practice #4: Security Architecture & Design
- Practice #5: User Issues
- Practice #6: System & Network Management
- Practice #7: Authentication & Authorization
- Practice #8: Monitor & Audit
- Practice #9: Physical Security
- Practice #10: Continuity Planning & Disaster Recovery
Why Doesn't Everyone Comply with the Best Practices?
- Many organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum.
---Stanford University 06
Management is WRONG
- Stanford Global Supply Chain Management Forum/IBM Study clearly demonstrated that investments in security can provide business value such as:
  - Improved Product Safety (38%)
  - Improved Inventory management (14%)
  - Increase in timeliness of shipping info (30%)
There's More!!!
- Increase in supply chain information access (50%)
- Improved product handling (43%)
- Reduction in cargo delays (48% reduction in inspections)
- Reduction in transit time (29%)
- Reduction in problem identification time (30%)
- Higher customer satisfaction (26%)
Key Issues for Industry
- Globalization and outsourcing have increased the challenges of security
- Security metrics must be more tightly linked to the business.
- Investment in security must move from reactive add-ons to proactive initiatives consistent with the company's strategic goals
- Directives must come from the top
---Dartmouth University 2006
ISA Insurance Incentives
- AIG developed an on-line metric tool based on ISAlliance Best Practices for Senior Managers
- Separate tool developed for small businesses based on small business best practices
- Qualified companies can receive up to 15% discount on cyber insurance
ISA Security Integration Program: Get the team involved
- Issues must be addressed simultaneously from the:
  - Legal
  - Business
  - Technology
  - Policy
  perspectives
[Diagram labels: PROBLEM/ISSUE; BUS/OPERATIONAL; LEGAL/REG; TECH/R&D; POLICY]
ISAlliance Integrated Business Security Program
- Outsourcing
- Risk Management
- Security Breach Notification
- Privacy
- Insider Threats
- Auditing
- Contractual Relationships (suppliers, partners, sub-contractors, customers)
Things Government Can Do
- Stimulate the insurance market
  - Temporary insurer of last resort (e.g. w/crop and flood insurance)
  - Use government's market power (e.g. require contractors to have insurance)
  - Civil Liability reform (Precedent: Anti-Terrorism Act of 2002)
  - Allow info sharing to create better metrics (e.g. Y2K)
More for Government to do
- Create Gov/Industry/Education Consortium (e.g. Sema-Tech)
- Create Awards Programs (e.g. Baldrige Awards for Quality)
- Develop significant outreach programs targeted at senior corporate execs.
Larry Clinton
Chief Operations Officer
Internet Security [email protected]
703 907 7028 (O) 202 236 0001 (C)