What CIOs and CFOs need to know about Cyber Security

© 2012 Liberty Group Ventures. All rights reserved What CIOs and CFOs need to know about Cyber Security Phil Agcaoili March 14, 2014

Upload: phila-agcaoili

Post on 22-Jan-2015


DESCRIPTION

IABIA and Kettering Executive Network Joint Briefing for the Atlanta CIOs

TRANSCRIPT

  • 1. What CIOs and CFOs need to know about Cyber Security. Phil Agcaoili, March 14, 2014

  • 2. Special Thanks to Kiersten Todt and Roger Cressey

  • 3. Isn't this the same thing? Cyber Security vs. Information Security

  • 4. U.S. Cyber Security Defined. Two questions: Are you U.S. Critical Infrastructure (CI)? Do you have physical or virtual systems and assets so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on National security, National economic security, and/or National public health or safety?

  • 5. 16 DHS Critical Infrastructure Sectors

  • 6. Framework Background
      • Presidential Executive Order 13636 (2013): failure by Congress to pass cyber legislation; unprecedented cyber threat environment
      • Role of NIST: operates under the Department of Commerce; develop an industry-led voluntary framework
      • Process: ten months, five workshops, transparent process; 12,000 public comments adjudicated; collaboration between NIST, White House (NSC), DHS, and the private sector
      • http://www.nist.gov/cyberframework/

  • 7. Framework Basics
      • Core: set of cybersecurity activities and informative references common across CI
      • Functions: overview of an organization's management of cyber risks: Identify, Protect, Detect, Respond, Recover (IPDRR)
      • Tiers: mechanism to view the approach and processes for managing cyber risk: 1. Partial, 2. Risk Informed, 3. Repeatable, 4. Adaptive. Tier 4 is not the goal for every organization.

  • 8. Framework Basics (continued)
      • Profiles: alignment of IPDRR with the business requirements, risk tolerance, and resources of the organization
      • Current Profile and Target Profile; comparing the two profiles creates the gap analysis
      • Creating a profile helps a company understand its dependencies with business partners, vendors, and suppliers.

  • 9. What the Framework is Really About
      • Creating a common language for cyber risk management: COBIT 5, ISO/IEC 27001, NIST 800-53, CCS CSC, and ISA 62443
      • Objective: facilitate behavioral change in organizations; treat cyber risk as a mission equal in priority to other corporate risk
      • Intended for critical infrastructure owners and operators; can/may be used by many others
      • Applies a market-driven approach to cyber risk management; product of industry, not government
      • Not one size fits all; user experience will vary

  • 10. How much more do we have to spend? Why?

  • 11. Implications of Framework
      • Industry: each sector will define adoption; identify metrics for success; facilitate information sharing within industry; defining cost-effectiveness
      • Role for insurance... finally? Cyber Liability, Cyber Breach
      • Business: Small (prioritize, develop a risk management process); Medium (grow the risk management process); Large (mature the risk management process, share best practices and lessons learned)

  • 12. Framework: The Way Ahead (continued)
      • Industry: adopt the Framework by mapping it to the existing risk management process and addressing gaps identified through profile development
      • Conduct training to normalize cyber risk behavior, including simulations and exercises with corporate leadership
      • Participate in additional workshops on implementation and areas for improvement
      • Feedback to government: lessons learned / what works / what doesn't / what's missing; industry input will shape development of Framework 2.0
      • Non-lifeline sector adoption: Retail, Manufacturing, Information Technology, etc.

  • 13. Framework: The Way Ahead (continued)
      • Government: DHS role evolving; launched the Critical Infrastructure Cyber Community (C3 or "C Cubed") Voluntary Program
      • Providing managed security services to states and localities that adopt the framework: a good first step
      • Work with Sector Specific Agencies (SSA) in the first year, expand to all CI businesses in future
      • Seeking input from small business on framework adoption; working on evolving incentives
      • International adoption and overcoming the Snowden challenge; need for U.S. businesses with a global presence to engage and facilitate

  • 14. Framework: The Way Ahead. NIST initial areas for further work: Authentication; Automated Indicator Sharing; Conformity Assessment; Cybersecurity Workforce; Data Analytics; Federal Agency Cybersecurity Alignment; Supply Chain Risk Management; International Aspects, Impacts, and Alignment; Technical Privacy Standards

  • 15. Next Steps for You
      • Engage in Cybersecurity Framework development
      • Increase senior leadership and board engagement on cybersecurity
      • Promote and integrate the culture of cyber security
      • Hire a CISO
      • Have a plan
      • Ensure defensible security practices: use the NIST Cyber Security Framework; third party security
      • Measure your security's effectiveness
      • Invest wisely

  • 16. Communicating Cyber Security to All Levels
      • Board: "Getting hacked is not a matter of IF, but When."
      • Management: "Security is a Journey. Not a Destination."
      • All: "Security is Everyone's Responsibility. Stop. Think. Connect."

  • 17. Thanks. Phil Agcaoili: Contributor, NIST Cybersecurity Framework version 1; Co-Founder & Board Member, Southern CISO Security Council; Distinguished Fellow and Fellows Chairman, Ponemon Institute; Founding Member, Cloud Security Alliance (CSA); Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF). @hacksec, https://www.linkedin.com/in/philA