How to Build Your Own Cyber Security Framework using a Balanced Scorecard

How to Build Your Own Cyber Security Framework

using a Balanced Scorecard"

Russell Cameron Thomas!EnergySec 9th Annual Security Summit!

September 18, 2013!

Twitter: @MrMeritology!

Blog: Exploring Possibility Space!

Who here loves frameworks?!

Who here loves frameworks?!

NIST Cyber Security Framework?!Other?!

Frameworks can matter (a lot)

Frameworks can matter (a lot) if they are instrumental in

driving new levels of Cyber Security Performance

What the hell is “Cyber Security Performance”?!

Yes, “Cyber”!

Yes, “Cyber”!Confluence of…!•  Information Security!•  Privacy!•  IP Protection!•  Critical Infrastructure Protection & Resilience!•  Digital Rights!•  Homeland & National Security!•  Digital Civil Liberties!

What the hell is “Cyber Security Performance”?!

“Cyber security performance” is… "

… systematic improvements in an organization's dynamic posture

and capabilities relative to its rapidly-changing and uncertain adversarial environment.”!


…Management By Objectives!

(Drucker)!



…Performance Mgt, incentives!




…Staffing, training, organizing!





…Organization learning, agility!





…Organization learning, agility!

… and good practices!

“Performance” vs “Practices”!

Using the Universal Language of Executives….��

Using the Universal Language of Executives….��

"Keep your head still"


“Keep your arm straight”


“Keep your arm straight” “Swing on

one plane”



one plane”

“Swing easy”


“Grip it and rip it!"


one plane”

“Swing easy”

"Best practices" are like golf tips… ��

"Best practices" are like golf tips… ��

Golf tips alone don't make good golfers��

Why Agility?

Why Rapid Innovation?!

State ofthe Art!

Lagging"InfoSec"Program!

Time for some drama!

Time for some drama!

Set in the Summer of 2017!

“I in central Texas.”

t was another long heat wave

Spare generating capacity was dangerously low!

You run information security!at a large industrial company!that includes several and cogeneration.!

Thanks to deregulation and incentives, microgrids have taken off, especially in Texas

= 10+ microgrids

Microgrid Adoption, 2017"

In recent days, instead of selling its excess power, your firm was buying at peak spot prices."""This was strange.!

18 months earlier

You"Energy Ops "Manager"

Business"Continuity"Manager"

Effective Response, Recovery & Resilience"

Your Microgrid Automation""

hosted"auto-configuring"software"reporting/trending!system config!diagnostics!

Internet

Microgrid"Supervisory"Controller"

12 months earlier

Spot trading was largely automated��via microgrid automation software.��

12 months earlier

Optimize Exposure"

Insiders?

Threat Intelligence

Business Partners? Contractors?

Criminals?

APT?

Error?

Hactivist?

Terrorist?

24 months earlier

Our New Capability: Attack-driven Defense"

1.  Raise cost to attackers

2.  Increase odds of detection

3.  Iterate defense based on real attack patterns

24 months earlier

source: Etsy h7p://www.slideshare.net/zanelackey/a7ackdriven-‐defense

Insiders?


Criminals?

APT?

Error?

Hactivist?

Terrorist?

Threat Intelligence Yesterday

Effective Threat Intelligence"

Sensors & Pattern Detection for Anomalous User Behavior"

24 months earlier

Any Non- Tech. Tech.

source: Etsy h7p://www.slideshare.net/zanelackey/a7ackdriven-‐defense

User Class

Insiders?


Criminals?

APT?

Error?

Hactivist?

Terrorist?

X Threat Intelligence

X

Yesterday

Quality ofProtections & Controls"

Insiders?


Criminals?

APT?

Error?

Hactivist?

Terrorist?

X X

Threat Intelligence Yesterday

Efficient/Effective Execution & Operations"

12 months earlier

Effective External Relationships"

The Crime:"

ArDficially Congested

Subsided Generators

Manipulation of Wholesale Market Subsidies

Conges'on pa+erns, July 14, 2017

Losers: You and hundreds of other microgrids forced to generate spot market bids during price spikes. (Botnet-style. Each loses a little $$)

Scam: Generate losing trades in one market to make money in another market

Attack: Compromised Hosted Auto-Configuration Software

"hosted"auto-configuring"software"reporting/trending!system config!diagnostics!

Internet

Microgrid"Supervisory"Controller"

The Attackers"

Insider: Contractor at web application software company

Outsider: Hedge fund manager bribed contractor with profit sharing

Gold Man Hacks Bid Probe "2017"

2017"

Gold Man Hacks Faces Record Fine Over Energy

Over the last 24 months

Adap've Threat

Intelligence

A+ack-‐ driven Defense

Expanded External

Engagement

Expanded Detec'on & Response

Metrics

Effective Agility & Learning"


Effective Design & Development"


Optimize Cost of Risk"


Accountability & Responsibility"

The End

Summary:

The Ten Dimensions of

Cyber Security Performance!

Actors

Systems

The Organiza7on

Events

Context"

Actors

Systems

1. Exposure

Events

Dimension 1:Optimize Exposure"

Actors

Systems

1. Exposure 2. Threats

Events

Dimension 2:Effective Threat

Intelligence"

Actors

Systems

1. Exposure

3. Design & Dev.

2. Threats

Events

Dimension 3:Effective Design &

Development"

Actors

Systems


3. Design & Dev. 4. Protec'on

s & Con

trols

Events

Dimension 4:Quality of Protection

& Controls"

Actors

Systems


3. Design & Dev. 4. ProtecDon

s & Con

trols

5. Execu'o

n & Ope

ra'o

ns

Events

Dimension 5:Effective/Efficient

Execution & Operations"

Events

Actors

Systems



s & Con

trols

5. ExecuDo

n & Ope

raDo

ns

6. Response, Recovery

& Resilience

Dimension 6:Effective Response,

Recovery & Resilience"

Opera7onal Cyber Security

Dimensions 1 – 6 Measure Core Performance"

Events

Actors

Systems



s & Con

trols

5. ExecuDo

n & Ope

raDo

ns


& Resilience

First Loop Learning

“First Loop Learning”is Continuous Improvement

in Daily Operations"

Events

Systems



s & Con

trols

5. ExecuDo

n & Ope

raDo

ns

Actors

7. Externa

l Engagem

ent

The Organiza7on

Other Organiza7ons

Government & Law Enforcement

Dimension 7:Effective External

Engagement"


& Resilience

Events

Systems



s & Con

trols

5. ExecuDo

n & Ope

raDo

ns

Actors

7. External Engagem

ent

Other Organiza7ons


8. Agility & Learning

Dimension 8:Effective Agility

& Learning"


& Resilience

Events

Systems



s & Con

trols

5. ExecuDo

n & Ope

raDo

ns

Actors

7. External Engagem

ent

8. Agility & Learning 9. Total Cost of Risk

Other Organiza7ons


Dimension 9:Optimize

Total Cost of Risk"


& Resilience

Events

Systems



s & Con

trols

5. ExecuDo

n & Ope

raDo

ns

Actors

7. External Engagem

ent

Total Cost of Risk

10. Accountability & Responsibility

Stakeholders

9. Total Cost of Risk 8. Agility & Learning

Other Organiza7ons


Dimension 10:Accountability

& Responsibility"


& Resilience

Dynamic Capabili7es

Dimensions 7 – 10 Measure Systemic

Agility"

Events

Systems



s & Con

trols

5. ExecuDo

n & Ope

raDo

ns

Actors

Total Cost of Risk


Stakeholders


Other Organiza7ons


7. External Engagem

ent


& Resilience

Second Loop Learning

“Second Loop Learning”is Innovation

and Reinvention*"

* Individual and CollecDve

Events

Systems


3. Design & Dev. 4. Protec'on

s & Con

trols

5. Execu'o

n & Ope

ra'o

ns

Actors

7. Externa

l Engagem

ent

Stakeholders



Other Organiza7ons


Ten Dimensions ofCyber Security

Performance"


& Resilience

Last thought…!

“Can’t you make it simpler?”!

“Can’t you make it simpler?”!

“We need a crayon version for executives and other

business and policy types”!

Sure!

Sure!•  “Transcendental numbers hurt my head”!

Sure!•  “Transcendental numbers hurt my head”!•  Declare π = 3.0!

Sure!•  “Transcendental numbers hurt my head”!•  Declare π = 3.0!•  But we lose something essential!

“Circle”

[email protected]

http://exploringpossibilityspace.blogspot.com/

@MrMeritology!

Technology

How to Build Your Own Cyber Security Framework using a Balanced Scorecard