2009 10 21 Larry Clinton Financial Risk Management Presentation for ANSI

7/31/2019 2009 10 21 Larry Clinton Financial Risk Management Presentation for ANSI

1/25

Larry ClintonPresident

Internet Security [email protected]

703-907-7028

202-236-0001


2/25

ISA Board of Directors

Ty Sagalow, Esq. ChairPresident Innovation Division, ZurichTim McKnight Second V Chair,CSO, Northrop Grumman

Ken Silva, Immediate Past Chair. CSO VeriSignGen. Charlie Croom (Ret.) VP Cyber Security, Lockheed MartinJeff Brown, CISO/Director IT Infrastructure, RaytheonEric Guerrino, SVP/CIO, bank of New York/Mellon FinancialLawrence Dobranski, Chief Strategic Security, NortelPradeep Khosla, Dean Carnegie Mellon School of ComputerSciencesJoe Buonomo, President, DCRBruno Mahlmann, VP Cyber Security, Perot SystemsLinda Meeks, VP CISO Boeing corp.

J. Michael Hickey, 1st Vice ChairVP Government Affairs, Verizon

Marc-Anthony Signorino, Treas.National Assoc. of Manufacturers


3/25

Core Principles

1. The Internet Changes Everything2. Cyber Security is not an "IT" issue3. Government and industry must

rethink and evolve new roles,

responsibilities and practices to

create a sustainable system of cyber

security


4/25

ISAlliance Mission

Statement

ISA seeks to integrate advancements in

technology with pragmatic business needs andenlightened public policy to create a

sustainable system of cyber security.


5/25

The Economy is reliant on theInternet

The state of Internet security is erodingquickly. Trust in online transactions isevaporating, and it will require strong

security leadership for that trust to berestored. For the Internet to remain the

juggernaut of commerce and productivity it

has become will require more, not less,input from security. PWC Global CyberSecurity Survey 2008


6/25

CURRENT ECONOMIC INCENTIVESFAVOR ATTACKERS

Attacks are cheap and easy Vulnerabilities are almost infinite Profits from attacks are enormous ($ 1

TRILLION in 08)

Defense is costly (Usually no ROI) Defense is often futile

Costs of Attacks are distributed


7/25

The need to understand business economics toaddress cyber issues

If the risks and consequences can be assignedmonetary value, organizations will have greaterability and incentive to address cybersecurity. Inparticular, the private sector often seeks a businesscase to justify the resource expenditures needed forintegrating information and communications systemsecurity into corporate risk management and forengaging partnerships to mitigate collective risk.Government can assist by considering incentive-based legislative or regulatory tools to enhance the

value proposition and fostering an environment thatencourages partnership. --- Presidents CyberSpace Policy Review May 30, 2009 page 18


8/25

Financial Management of Cyber Risk

It is not enough for the information technologyworkforce to understand the importance ofcybersecurity; leaders at all levels of government andindustry need to be able to make business andinvestment decisions based on knowledge of risksand potential impacts. Presidents Cyber SpacePolicy Review May 30, 2009 page 15

ISA-ANSI Project on Financial Risk Management ofCyber Events: 50 Questions Every CFO should Ask----including what they ought to be asking theirGeneral Counsel and outside counsel. Also, HR, BusOps, Public and Investor Communications &Compliance


9/25

Senior Exec do ARE NOTanalyzing Cyber Risk adequately

There is still a gap between IT andenterprise risk management. Surveyresults confirm the belief among IT

security professionals that Boards andsenior executives are not adequatelyinvolved in key areas related to the

governance of enterprise security. (2008Carnegie Mellon University CyLabGovernance of enterprise Security Survey)


10/25

Communication Across Corp.structures is inadequate

Intra company communication on privacyand security risks was lacking. Only 17%of respondents indicated they had a cross

organizational privacy/security team.

Less than half had a formal enterprise riskmanagement plan. (47%)

1/3 of those with a plan did not include IT-related risks in the plan.--- (CMU 2008)


11/25

Financial Impact of Cyber RiskOctober, 2008


12/25

The Economic Assessment ofCyber Security: 50 ?s for CFOs

Business Operations General Counsel Compliance Officer Media (Investors and

PR)

Human Resources Rick Manager/

Insurance


13/25

Calculate Net Financial Risk

Threat (frequency of risk event/probablynumber of events per year) X

Consequence (Severity of risk event/possible loss form event) X

Vulnerability (likelihood or % of damages/given mitigation actions) MINUS

Risk Transferred (e.g. insurance) = NET FINANCIAL RISK


14/25

Sample Questions: Legal

Analyzed liabilities? What legal rules apply to us or 3-parties? Vulnerable class action/shareholder suits? Leg Exposure to Gov investigations? Do our contracts protect us enough? Multi-state laws apply? Exposed to trade secrete theft?


15/25

Sample Questions: Compliance

Inventory of applicable regulations? Where is our regulated data? Valid reasons for holding all our data? Policies & procedures documented? Can we opt-out of reg requirements?Are we tracking compliance?Are we reviewing and updating privacy

compliance?


16/25

Sample Questions: BusinessOperations

Whats our single biggest vulnerability? How long are we down? Want to be up?Are we complying w/ SoA standards?Are we properly staffed? Have we assessed physical security Incident response/continuity plans? Risk exposure vendors? How often to we re-evaluate risks?


17/25

Sample Questions: HumanResources

Does everyone understand our $ Risk?Attract/retain the right personnel?Are we managing the human vulnerability? Is the org structured for team work?Audit network access (esp at termination)?Address soc. Networking & pub sites? HR assessment include cyber security? Discipline policy adequate for monitoring?


18/25

Sample Questions: Media/CrisisManagement Team

Do we have segmented responses for allstakeholders?

Documented crisis communication plan? Identified and trained all who need to be? Have the external contacts we need? Have we run a mock trial?Are we budgeted for a crisis?


19/25

Sample Questions: Risk Manger/Insurance

Are we insured for this? (probably no) What can we get insurance for? What is the D & O Exposure? Where can we find cyber insurance and

what does it cover (& doesnt it cover)?

Whats the cost benefit to insurance? How do we evaluate policies?


20/25

Releasing the Cyber Security Social ContractNovember, 2008


21/25

ISA Cyber Social Contract

Similar to the agreement that ledto public utility infrastructuredissemination in 20th C

Infrastructure develop -- marketincentives Consumer protection throughregulation

Gov role is more creativehardermotivate, not mandate,compliance

Industry role is to developpractices and standards andimplement them


22/25

ISA Model: Create a Market forBest Practices and Standards

Studies show nearly 90% of breachescould be prevented by following knownbest practices and standards

Priv Sector should continue to developstandards, practices technologies

Govt. test them for effectiveness Govt. should motivate adoption via sliding

scale of market incentives


23/25

President Obamas Report onCyber Security (May 30 2009)

The United States faces the dual challenge ofmaintaining an environment that promotesefficiency, innovation, economic prosperity,and free trade while also promoting safety,security, civil liberties, and privacy rights.(Presidents Cyber Space Policy Review pageiii)

Quoting from Internet Security Alliance CyberSecurity Social Contract: Recommendationsto the Obama Administration and the 111thCongress November 2008


24/25

President Obamas Report on CyberSecurity (May 30, 2009)

The government, working with State and local partners,should identify procurement strategies that will incentivizethe market to make more secure products and servicesavailable to the public. Additional incentive mechanismsthat the government should explore include adjustments to

liability considerations (reduced liability in exchange forimproved security or increased liability for theconsequences of poor security), indemnification, taxincentives, and new regulatory requirements andcompliance mechanisms. Presidents Cyber Space PolicyReview May 30, 2009 page v

Quoting Internet Security Alliance Cyber Security SocialContract: Recommendations to the Obama Administrationand 111th Congress


25/25

Larry ClintonPresident

Internet Security [email protected]

703-907-7028

202 236 0001

2009 10 21 Larry Clinton Financial Risk Management Presentation for ANSI

Documents

Transcript of 2009 10 21 Larry Clinton Financial Risk Management Presentation for ANSI