MANAGING CYBER AND FIVE OTHER TECHNOLOGY RISKS WHAT MUNICIPAL OFFICIALS AND SENIOR EXECUTIVES NEED TO KNOW CRITICAL ISSUES FOR THE FISCAL HEALTH OF NEW ENGLAND CITIES AND TOWNS APRIL 8 ,2016 Presented By Marc Pfeiffer, Principal Investigator and Assistant Director, Bloustein Local Government Research Center, Rutgers University


Page 1: Managing Cyber and Five Other Technology Risks

MANAGING CYBER AND FIVE OTHER TECHNOLOGY RISKS

WHAT MUNICIPAL OFFICIALS AND SENIOR EXECUTIVES NEED TO KNOW

CRITICAL ISSUES FOR THE FISCAL HEALTH OF NEW ENGLAND CITIES AND TOWNS APRIL 8 ,2016

Presented By Marc Pfeiffer, Principal Investigator and Assistant Director, Bloustein Local Government Research Center, Rutgers University

Page 2

THE TECHNOLOGY MANAGEMENT OPPORTUNITY:

• Integrating new technologies into a government environment that includes:

• Cost/tax/fee pressures

• Citizen expectations

• Political dynamics that work against long-term planning

• “We can defer that purchase for another year, can’t we?”

Page 3

KEY TECHNOLOGY MANAGEMENT CHALLENGES

• Determining what we need, want, and can afford; when and how we get it; and how to manage it

• Understanding that “technology” is more than “information technology”: it also includes operational and communications technologies, and they all have risks to manage

• Understanding the risks, and that technology risks go beyond cyber-security: they include the other risks that need to be reckoned with

• Knowing that managing technology and its risks is not a journey with a destination; it is an ongoing and evolving activity

Page 4

WHAT IS TECHNOLOGICAL RISK?

Page 5

Categories of Technology Risk (diagram): Cyber-security, Financial, Operational, Legal, Reputational, Societal

Page 6

1. CYBER SECURITY

• Banking incursions – electronic funds transfer

• Data/PII breach/theft

• Network breach/use as a remote host

• Access to networked control systems

• Credit card security

• Cyber extortion – DDoS, Cryptolocker/ransomware

• Website/social media security

Page 7

TYPES OF THREATS – SO FAR

Targeted Attacks

• Local government agencies are not usually specifically targeted, but you might be targeted by someone disgruntled or if something goes wrong

Mass Attacks

• These stem from successful email phishing and its cousins, and from social engineering attacks

Your Humans:

• Clicking on the wrong link/opening the wrong file

Bottom line: bad guys try to manipulate people into divulging personal or business information, or trick them into schemes to defraud

Page 8

2. LEGAL RISKS

Page 12

THE OTHER TECHNOLOGY RISKS

3. Operational: failure of government to operate; service delivery failure from loss of access to IT resources

4. Financial: costs of responses to breaches and operational failure

5. Reputational risks

6. Society-driven risks

Page 13

MANAGING TECHNOLOGY RISKS: THE NEED FOR TECHNOLOGICAL PROFICIENCY

Page 14

A TECHNOLOGICALLY PROFICIENT ORGANIZATION

…Understands the links between its business processes and its technology

…Understands its technology needs

…Is assured that the technology will work when it needs to, including routine and emergency situations

…Is capable of protecting itself against compromise, including protecting and responding to cyber threats

Page 15

DEVELOPING TECHNOLOGICAL PROFICIENCY

Proficiency rests on four elements (diagram): Governance, Planning, Cyber Hygiene, Technical Competency.

To the extent one is weaker than the others, they are all weaker.

Page 16

GOVERNANCE

Governing boards cannot ignore technology or delegate key elements

• Reputational and financial risks cannot be delegated

• Governing body and chief executive must be engaged

• Includes technology managers, fiscal staff, public safety, operational representation; can include responsible citizens.

Page 17

GOVERNANCE

Management needs to set the tone from the top down:

• Understand technology as an enterprise-wide risk management issue

• Create a technology governance process

• Have adequate access to technology expertise

• Develop risk management processes

• Adopt technology policies

• Establish a technology planning process

• Ensure reports to elected officials are meaningful

Page 18

PLANNING

Determines how you spend technology resources

Key elements of the plan:

• Match organizational goals to technology goals

• Assess technology assets, services, and resources (hardware, software, networks, contractors, facilities, people)

• Identify priorities for changes in technology solutions and activities

• Assess and address technology risks

• Define the information security management framework

• Address “make or buy” decisions

• Assign plan execution responsibilities to appropriate staff and tie the plan to the organization budget

• Use a practical time horizon: no more than 3 years, and review annually (or more often)

Page 19

CYBER HYGIENE

Page 20

BECAUSE…

The bulk of successful attacks come because an employee clicked on something they shouldn’t have, so…

• Train (and retrain) your humans

• Consider intrusion testing

• Have informed employee policies

Page 21

TECHNICAL COMPETENCE

Implement the plan with technical competency

• Keep Governance updated on activities

• Apply and enforce policies

• Ensure that all tech employees are trained and contractors are secure

• Keep aware of changing circumstances and technology, and SHARE information with peers

• Be consistent; do not slack off

Page 22

http://blousteinlocal.rutgers.edu/managing-technology-risk/

Page 23

TECHNOLOGY PROFICIENCY MATURITY MODEL

• Stage 1: Unaware

• Stage 2: Fragmented

• Stage 3: Top Down/Evolving

• Stage 4: Managed/Pervasive

• Stage 5: Optimized/Networked

Page 24

MATURITY AND RISK POTENTIAL

[Chart: risk potential (vertical axis) plotted against maturity level (horizontal axis: Unaware, Fragmented, Defined, Managed, Optimized)]

Page 25

TECHNOLOGY PROFILES

BASIC

Pages 26–27: no text transcribed

Page 28

WHAT SHOULD I DO?

Page 29

PUT TECHNOLOGY PROFICIENCY ON YOUR ORGANIZATION’S AGENDA

You can’t do this overnight; it will always be a work in progress.

It will likely cost new resources of time, attention, and $$.

Remember, proficiency and cybersecurity are an ongoing process and challenge, NOT a destination! And every organization is at a different spot on the map. So… START

Page 30

STUDY CONDUCTED BY:

Marc Pfeiffer, Assistant Director
Bloustein Local Government Research Center
Bloustein School of Planning and Public Policy
Rutgers, The State University
33 Livingston Street, New Brunswick 08901
[email protected]
848-932-2830
http://blousteinlocal.rutgers.edu/managing-technology-risk/

Under a grant provided by the: Municipal Excess Liability Joint Insurance Fund
9 Campus Drive - Suite 16, Parsippany, NJ 07054
(201) 881-7632

With an assist from Dr. Alan Shark, Director of the Center for Technology Leadership at the Rutgers School of Public Affairs and Administration, and Executive Director, Public Technology Institute

All materials © 2015 by Rutgers and the Municipal Excess Liability Joint Insurance Fund