2009 11 16 larry clinton financial risk management enterprise education presentation

Upload: isalliance

Post on 05-Apr-2018


TRANSCRIPT

7/31/2019 2009 11 16 Larry Clinton Financial Risk Management Enterprise Education Presentation

1/29

The Economy is reliant on the Internet

"The state of Internet security is eroding quickly. Trust in online transactions is evaporating, and it will require strong security leadership for that trust to be restored. For the Internet to remain the juggernaut of commerce and productivity it has become, it will require more, not less, input from security."

PWC Global Cyber Security Survey 2008

2/29

Digital Immigrants need education more than Digital natives

Demographers refer to the current K-12 cohort as the "digital natives"

The US workplace is mostly populated by "digital immigrants"

The current private sector is the most vulnerable to national security

We will have the current workforce of digital immigrants there for decades

3/29

President Obama's Report on Cyber Security (May 30, 2009)

"The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights."

President's Cyber Space Policy Review, May 30, 2009, page iii

Quoting from Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress, November 2008

4/29

CURRENT ECONOMIC INCENTIVES FAVOR ATTACKERS

Attacks are cheap and easy

Vulnerabilities are almost infinite

Profits from attacks are enormous ($1 TRILLION in '08)

Defense is costly (usually no ROI)

Defense is often futile

Costs of attacks are distributed

5/29

Financial Management of Cyber Risk

"It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts."

President's Cyber Space Policy Review, May 30, 2009, page 15

6/29

Senior Executives ARE NOT analyzing Cyber Risk adequately

"There is still a gap between IT and enterprise risk management. Survey results confirm the belief among IT security professionals that Boards and senior executives are not adequately involved in key areas related to the governance of enterprise security."

2008 Carnegie Mellon University CyLab Governance of Enterprise Security Survey

7/29

Cyber RISK is not being Appreciated

75% of US corporations do NOT have a Chief Risk Officer

5% of US corporations report to the CFO on security risks

65% of US corporations either do not have a documented process to assess cyber risk, or do not have a person in charge of the process --- meaning they have no process

Deloitte Enterprise Risk, 2007

8/29

Communication Across Corporate Structures is Inadequate

Intra-company communication on privacy and security risks was lacking. Only 17% of respondents indicated they had a cross-organizational privacy/security team.

Less than half (47%) had a formal enterprise risk management plan.

1/3 of those with a plan did not include IT-related risks in the plan.

2008 Carnegie Mellon University CyLab Governance of Enterprise Security Survey

10/29

Problem is more than just awareness

42% of survey respondents acknowledge that threats to information security are increasing

52% acknowledge that cost reductions to info security initiatives will make adequate security more difficult

PricewaterhouseCoopers Global Information Security Survey 2009

11/29

Financial Impact of Cyber Risk, October 2008

12/29

Design of ISA/ANSI Program

Open to all (Gov as well as industry), No Charge to Participate

Cross sectors and departments

7 full-day working sessions over 2 years

Phase I (Questions) complete Nov 08

Phase II (Responses) complete Dec 09

Red Teams Review findings

13/29

ISA/ANSI Fund Financial Risk Management Program

42 Private Sector Organizations, volunteer plus

U.S. Department of Commerce
U.S. Securities and Exchange Commission
Department of Justice
Department of Transportation
National Credit Union Administration
U.S. Cyber Consequences Unit
U.S. Department of Homeland Security
U.S. DHS Science & Technology (S&T) Directorate
U.S. DHS National Cyber Security Division (NCSD)
U.S. DHS Office of Infrastructure Protection
U.S. DHS Policy Directorate
California Office of Homeland Security
Peace Corps

14/29

The need to understand business economics to address cyber issues

"If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk."

President's Cyber Space Policy Review, May 30, 2009, page 18

15/29

The Economic Assessment of Cyber Security: 50 Questions for CFOs

Business Operations

General Counsel

Compliance Officer

Media (Investors and PR)

Human Resources

Risk Manager/Insurance

16/29

Calculate Net Financial Risk

Threat (frequency of risk event / probability; number of events per year)
X
Consequence (severity of risk event / possible loss from event)
X
Vulnerability (likelihood or % of damages, given mitigation actions)
MINUS
Risk Transferred (e.g. insurance)
= NET FINANCIAL RISK
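The slide's formula carried through in code, as an added worked example that is not part of the presentation or the ISA/ANSI program. The scenario names, dollar figures, the deductible-plus-per-event-limit insurance model and the `total_cost_of_risk` helper are constructed assumptions; the example goes one step beyond the slide by showing how a mitigation control (which changes only the Vulnerability term) and an insurance policy (the Risk Transferred term) compare on a single annual cost figure.

```python
# Added worked example (not from the presentation): the slide's formula
# Threat x Consequence x Vulnerability - Risk Transferred = Net Financial Risk,
# carried through for constructed scenarios. All numbers, scenario names and the
# insurance model (deductible + per-event limit) are illustrative assumptions.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class RiskScenario:
    name: str
    threat_per_year: float   # Threat: expected number of risk events per year
    consequence: float       # Consequence: possible loss from one event, in dollars
    vulnerability: float     # Vulnerability: share of that loss realised given current mitigation (0..1)

    def __post_init__(self) -> None:
        if self.threat_per_year < 0 or self.consequence < 0:
            raise ValueError("threat and consequence must be non-negative")
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError("vulnerability must be a fraction between 0 and 1")


@dataclass(frozen=True)
class InsurancePolicy:
    deductible: float      # amount the insured bears on each event before the policy pays
    limit: float           # maximum payout per event
    annual_premium: float  # what the transfer itself costs per year


def loss_per_event(s: RiskScenario) -> float:
    """Consequence x Vulnerability: the loss actually expected from one event."""
    return s.consequence * s.vulnerability


def expected_annual_loss(s: RiskScenario) -> float:
    """Threat x Consequence x Vulnerability, before any risk transfer."""
    return s.threat_per_year * loss_per_event(s)


def expected_recovery(s: RiskScenario, policy: Optional[InsurancePolicy]) -> float:
    """Risk Transferred: expected annual insurance payout. Deductible and limit
    apply per event, so the payout can never exceed the loss it covers."""
    if policy is None:
        return 0.0
    per_event = min(max(loss_per_event(s) - policy.deductible, 0.0), policy.limit)
    return s.threat_per_year * per_event


def net_financial_risk(s: RiskScenario, policy: Optional[InsurancePolicy] = None) -> float:
    """The slide's result: expected loss minus what is transferred (floored at zero)."""
    return max(expected_annual_loss(s) - expected_recovery(s, policy), 0.0)


def with_mitigation(s: RiskScenario, new_vulnerability: float) -> RiskScenario:
    """A control changes only the Vulnerability term; threat and consequence stay."""
    return replace(s, vulnerability=new_vulnerability)


def total_cost_of_risk(s: RiskScenario, policy: Optional[InsurancePolicy] = None,
                       control_cost: float = 0.0) -> float:
    """What the organisation actually pays per year: residual risk + premium + control spend.
    Comparing this across options is one way to answer the cost/benefit questions on later slides."""
    premium = policy.annual_premium if policy else 0.0
    return net_financial_risk(s, policy) + premium + control_cost


# Constructed scenarios (hypothetical figures, not survey data).
BREACH = RiskScenario("customer data breach", threat_per_year=0.5,
                      consequence=2_000_000, vulnerability=0.6)
OUTAGE = RiskScenario("ransomware outage", threat_per_year=2.0,
                      consequence=150_000, vulnerability=0.4)
POLICY = InsurancePolicy(deductible=100_000, limit=500_000, annual_premium=40_000)

if __name__ == "__main__":
    for s in (BREACH, OUTAGE):
        print(f"{s.name}: expected annual loss ${expected_annual_loss(s):,.0f}, "
              f"net after insurance ${net_financial_risk(s, POLICY):,.0f}")
    # Does an $80k/year control that halves breach vulnerability pay for itself?
    hardened = with_mitigation(BREACH, 0.3)
    print(f"breach, no control:   ${total_cost_of_risk(BREACH, POLICY):,.0f} per year")
    print(f"breach, with control: ${total_cost_of_risk(hardened, POLICY, 80_000):,.0f} per year")
```

With the constructed figures the breach scenario carries an expected annual loss of $600,000; the policy transfers $250,000 of it (the $500,000 per-event limit applies before the deductible matters), leaving a net financial risk of $350,000. The outage scenario's $60,000 loss per event never clears the $100,000 deductible, so insurance transfers nothing there, which is the point behind the "Are we insured for this? (probably no)" question on slide 19. Halving the breach vulnerability with an $80,000 control brings the total annual cost of that risk from $390,000 down to $170,000, turning the "usually no ROI" of slide 4 into a number a CFO can compare.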

17/29

Sample Questions: Legal

Analyzed liabilities?

What legal rules apply to us or 3rd parties?

Vulnerable to class action/shareholder suits?

Legal exposure to Gov investigations?

Do our contracts protect us enough?

Multi-state laws apply?

Exposed to trade secret theft?

18/29

Sample Questions: Compliance

Inventory of applicable regulations?

Where is our regulated data?

Valid reasons for holding all our data?

Policies & procedures documented?

Can we opt out of reg requirements?

Are we tracking compliance?

Are we reviewing and updating privacy compliance?

19/29

Sample Questions: Risk Manager/Insurance

Are we insured for this? (probably no)

What can we get insurance for?

What is the D&O exposure?

Where can we find cyber insurance and what does it cover (& doesn't it cover)?

What's the cost/benefit to insurance?

How do we evaluate policies?

20/29

Sample Questions: Business Operations

What's our single biggest vulnerability?

How long are we down? Want to be up?

Are we complying w/ SoA standards?

Are we properly staffed?

Have we assessed physical security?

Incident response/continuity plans?

Risk exposure from vendors?

How often do we re-evaluate risks?

21/29

Sample Questions: Media/Crisis Management Team

Do we have segmented responses for all stakeholders?

Documented crisis communication plan?

Identified and trained all who need to be?

Have the external contacts we need?

Have we run a mock trial?

Are we budgeted for a crisis?

22/29

Sample Questions: Human Resources

Does everyone understand our $ risk?

Attract/retain the right personnel?

Do we provide training to mitigate risk?

Is the org structured for team work?

Audit network access (esp. at termination)?

Address social networking & pub sites?

HR assessment include cyber security?

Discipline policy adequate for monitoring?

23/29

PROPOSAL

Build a grounded Enterprise Education program consistent with Cyber Space Policy Review

Based on 2-year open forum of industry and government

Initial 2-year program completed and funded by ISA and ANSI

DoC fund final development and testing

24/29

Three Phase Program

Phase I: take 50 Questions and 60 Responses documents and reformulate into enterprise training program

Phase II: Beta test Enterprise Education Program w/ multiple methods and evaluate

Phase III: Final National Roll Out using most cost-effective model

25/29

Deliverables

Quarterly Status Updates

Final Business Plan & launch Phase II 12 months from approval

Pilot strategy report 10 days after beginning of Phase II

Metrics on overall effectiveness 12 months following beginning of Phase II

Modified Program based on Phase II 12 months from beginning of Phase II

26/29

Phase III National Roll Out

Dependent on Phase II results & metrics

Final Business Plan and Implementation 10 days after contract signing Phase III

Quarterly Reports

Final Summary and Evaluation 36 months following beginning of National Roll Out

27/29

Budget

Phase I - Design and development of a comprehensive business plan

Integrates 2008 and 2009 ISA/ANSI Financial Risk Management Reports (50 Questions for corporate CFOs and Responses) into technical course development

Includes various management and direct costs

Projected cost - $300,000

28/29

Budget

Phase II - Testing/Evaluation/Reformatting

Multi-tier pilot program: utilizing combination of instructor-led onsite training and web-based instruction

Offering focused single-enterprise course offerings and/or multi-enterprise training sessions

Develop and implement metrics to test and evaluate overall cost effectiveness

Projected cost - $400,000-$700,000* (conditional upon option I, II, or III elements)

29/29

Budget

Phase III - Implementation of final business plan for cyber training and education program

Implement metrics to test and evaluate for continual program improvement

Includes various management and direct costs

Projected cost TBD / conditional upon Phase II