2009 10 21 Larry Clinton Financial Risk Management Presentation for ANSI

Transcript of 2009 10 21 Larry Clinton Financial Risk Management Presentation for ANSI

  • 7/31/2019 2009 10 21 Larry Clinton Financial Risk Management Presentation for ANSI

    1/25

    Larry Clinton, President
    Internet Security Alliance
    [email protected]
    703-907-7028
    202-236-0001

    2/25

    ISA Board of Directors

    Ty Sagalow, Esq., Chair; President, Innovation Division, Zurich
    J. Michael Hickey, 1st Vice Chair; VP Government Affairs, Verizon
    Tim McKnight, Second Vice Chair; CSO, Northrop Grumman
    Marc-Anthony Signorino, Treasurer; National Assoc. of Manufacturers
    Ken Silva, Immediate Past Chair; CSO, VeriSign
    Gen. Charlie Croom (Ret.), VP Cyber Security, Lockheed Martin
    Jeff Brown, CISO/Director IT Infrastructure, Raytheon
    Eric Guerrino, SVP/CIO, Bank of New York/Mellon Financial
    Lawrence Dobranski, Chief Strategic Security, Nortel
    Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
    Joe Buonomo, President, DCR
    Bruno Mahlmann, VP Cyber Security, Perot Systems
    Linda Meeks, VP CISO, Boeing Corp.

    3/25

    Core Principles

    1. The Internet Changes Everything
    2. Cyber Security is not an "IT" issue
    3. Government and industry must rethink and evolve new roles, responsibilities and practices to create a sustainable system of cyber security

    4/25

    ISAlliance Mission Statement

    ISA seeks to integrate advancements in technology with pragmatic business needs and enlightened public policy to create a sustainable system of cyber security.

    5/25

    The Economy is reliant on the Internet

    The state of Internet security is eroding quickly. Trust in online transactions is evaporating, and it will require strong security leadership for that trust to be restored. For the Internet to remain the juggernaut of commerce and productivity it has become will require more, not less, input from security. --- PWC Global Cyber Security Survey 2008

    6/25

    CURRENT ECONOMIC INCENTIVES FAVOR ATTACKERS

    Attacks are cheap and easy
    Vulnerabilities are almost infinite
    Profits from attacks are enormous ($1 TRILLION in 08)
    Defense is costly (usually no ROI)
    Defense is often futile
    Costs of attacks are distributed

    7/25

    The need to understand business economics to address cyber issues

    If the risks and consequences can be assigned monetary value, organizations will have greater ability and incentive to address cybersecurity. In particular, the private sector often seeks a business case to justify the resource expenditures needed for integrating information and communications system security into corporate risk management and for engaging partnerships to mitigate collective risk. Government can assist by considering incentive-based legislative or regulatory tools to enhance the value proposition and fostering an environment that encourages partnership. --- President's Cyberspace Policy Review, May 30, 2009, page 18

    8/25

    Financial Management of Cyber Risk

    It is not enough for the information technology workforce to understand the importance of cybersecurity; leaders at all levels of government and industry need to be able to make business and investment decisions based on knowledge of risks and potential impacts. --- President's Cyberspace Policy Review, May 30, 2009, page 15

    ISA-ANSI Project on Financial Risk Management of Cyber Events: 50 Questions Every CFO Should Ask, including what they ought to be asking their General Counsel and outside counsel. Also HR, Business Operations, Public and Investor Communications, and Compliance.

    9/25

    Senior Execs ARE NOT analyzing Cyber Risk adequately

    There is still a gap between IT and enterprise risk management. Survey results confirm the belief among IT security professionals that Boards and senior executives are not adequately involved in key areas related to the governance of enterprise security. (2008 Carnegie Mellon University CyLab Governance of Enterprise Security Survey)

    10/25

    Communication Across Corp. Structures is inadequate

    Intra-company communication on privacy and security risks was lacking. Only 17% of respondents indicated they had a cross-organizational privacy/security team.

    Less than half (47%) had a formal enterprise risk management plan.

    1/3 of those with a plan did not include IT-related risks in the plan. --- (CMU 2008)

    11/25

    Financial Impact of Cyber Risk, October 2008

    12/25

    The Economic Assessment of Cyber Security: 50 ?s for CFOs

    Business Operations
    General Counsel
    Compliance Officer
    Media (Investors and PR)
    Human Resources
    Risk Manager/Insurance

    13/25

    Calculate Net Financial Risk

    Threat (frequency of risk event / probable number of events per year)
    x Consequence (severity of risk event / possible loss from event)
    x Vulnerability (likelihood or % of damages, given mitigation actions)
    MINUS Risk Transferred (e.g. insurance)
    = NET FINANCIAL RISK
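    Worked example of the net-risk formula above, added here as an illustration; it is not code from the ISA/ANSI deck. The three scenarios, their dollar figures and event frequencies are constructed, and the insurance is modelled with an assumed per-event deductible and per-event limit applied to the realised loss (consequence x vulnerability). The with_mitigation helper shows the formula's other lever: buying down vulnerability instead of transferring risk.

```python
"""Net financial risk of cyber events, following the slide's formula:

    Threat x Consequence x Vulnerability - Risk Transferred = Net Financial Risk

Added example, not from the ISA/ANSI deck. Scenarios, dollar figures and the
insurance model (per-event deductible and limit) are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: float         # expected number of events per year
    consequence: float    # possible loss per event, in dollars
    vulnerability: float  # share (0..1) of that loss realised given current controls

    def realised_loss_per_event(self) -> float:
        return self.consequence * self.vulnerability

    def gross_annual_risk(self) -> float:
        # Threat x Consequence x Vulnerability: annualised expected loss
        return self.threat * self.realised_loss_per_event()


@dataclass(frozen=True)
class Policy:
    """Assumed cyber-insurance terms: the insurer pays the realised loss above
    the deductible, capped at the per-event limit."""
    deductible: float
    limit: float

    def covered_per_event(self, loss: float) -> float:
        return min(max(loss - self.deductible, 0.0), self.limit)


def net_financial_risk(scenarios, policy=None):
    """Return per-scenario rows and totals for gross, transferred and net annual risk."""
    rows = []
    for s in scenarios:
        gross = s.gross_annual_risk()
        transferred = 0.0
        if policy is not None:
            # Risk Transferred: expected annual insurer payout for this scenario
            transferred = s.threat * policy.covered_per_event(s.realised_loss_per_event())
        rows.append({"name": s.name, "gross": gross,
                     "transferred": transferred, "net": gross - transferred})
    total = {k: sum(r[k] for r in rows) for k in ("gross", "transferred", "net")}
    return rows, total


def with_mitigation(scenario: Scenario, new_vulnerability: float) -> Scenario:
    """Model a control that lowers the share of loss realised per event."""
    return Scenario(scenario.name, scenario.threat, scenario.consequence, new_vulnerability)


# Constructed sample scenarios (not real figures).
SCENARIOS = [
    Scenario("customer data breach", threat=0.5, consequence=4_000_000, vulnerability=0.6),
    Scenario("ransomware outage", threat=2.0, consequence=300_000, vulnerability=0.25),
    Scenario("trade secret theft", threat=0.1, consequence=10_000_000, vulnerability=0.3),
]
POLICY = Policy(deductible=250_000, limit=1_000_000)  # assumed policy terms


if __name__ == "__main__":
    rows, total = net_financial_risk(SCENARIOS, POLICY)
    for r in rows + [dict(total, name="TOTAL")]:
        print(f"{r['name']:<22} gross ${r['gross']:>12,.0f} "
              f"transferred ${r['transferred']:>12,.0f} net ${r['net']:>12,.0f}")
    # Compare buying down vulnerability on the breach scenario with insuring it.
    mitigated = [with_mitigation(SCENARIOS[0], 0.3)] + SCENARIOS[1:]
    _, total_m = net_financial_risk(mitigated, POLICY)
    print(f"net with breach vulnerability 0.6 -> 0.3: ${total_m['net']:,.0f}")
```

    The ransomware row shows the caveat a CFO should ask about on slide 19: a realised loss below the deductible transfers nothing, so the policy changes that scenario's net risk not at all, while the limit caps what the high-severity scenarios transfer.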

    14/25

    Sample Questions: Legal

    Analyzed liabilities?
    What legal rules apply to us or third parties?
    Vulnerable to class action/shareholder suits?
    Legal exposure to government investigations?
    Do our contracts protect us enough?
    Do multi-state laws apply?
    Exposed to trade secret theft?

    15/25

    Sample Questions: Compliance

    Inventory of applicable regulations?
    Where is our regulated data?
    Valid reasons for holding all our data?
    Policies & procedures documented?
    Can we opt out of regulatory requirements?
    Are we tracking compliance?
    Are we reviewing and updating privacy compliance?

    16/25

    Sample Questions: Business Operations

    What's our single biggest vulnerability?
    How long are we down? How soon do we want to be up?
    Are we complying with SoA standards?
    Are we properly staffed?
    Have we assessed physical security?
    Incident response/continuity plans?
    Risk exposure from vendors?
    How often do we re-evaluate risks?

    17/25

    Sample Questions: Human Resources

    Does everyone understand our $ risk?
    Do we attract/retain the right personnel?
    Are we managing the human vulnerability?
    Is the org structured for teamwork?
    Do we audit network access (esp. at termination)?
    Do we address social networking & public sites?
    Does HR assessment include cyber security?
    Is our discipline policy adequate for monitoring?

    18/25

    Sample Questions: Media/Crisis Management Team

    Do we have segmented responses for all stakeholders?
    Documented crisis communication plan?
    Identified and trained all who need to be?
    Have the external contacts we need?
    Have we run a mock trial?
    Are we budgeted for a crisis?

    19/25

    Sample Questions: Risk Manager/Insurance

    Are we insured for this? (probably not)
    What can we get insurance for?
    What is the D&O exposure?
    Where can we find cyber insurance, and what does it cover (and not cover)?
    What's the cost/benefit of insurance?
    How do we evaluate policies?

    20/25

    Releasing the Cyber Security Social Contract, November 2008

    21/25

    ISA Cyber Social Contract

    Similar to the agreement that led to public utility infrastructure dissemination in the 20th century
    Infrastructure development through market incentives; consumer protection through regulation
    Government role is more creative and harder: motivate, not mandate, compliance
    Industry role is to develop practices and standards and implement them

    22/25

    ISA Model: Create a Market for Best Practices and Standards

    Studies show nearly 90% of breaches could be prevented by following known best practices and standards
    Private sector should continue to develop standards, practices and technologies
    Government should test them for effectiveness
    Government should motivate adoption via a sliding scale of market incentives

    23/25

    President Obama's Report on Cyber Security (May 30, 2009)

    The United States faces the dual challenge of maintaining an environment that promotes efficiency, innovation, economic prosperity, and free trade while also promoting safety, security, civil liberties, and privacy rights. (President's Cyberspace Policy Review, page iii)

    Quoting from Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and the 111th Congress, November 2008

    24/25

    President Obama's Report on Cyber Security (May 30, 2009)

    The government, working with State and local partners, should identify procurement strategies that will incentivize the market to make more secure products and services available to the public. Additional incentive mechanisms that the government should explore include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms. (President's Cyberspace Policy Review, May 30, 2009, page v)

    Quoting Internet Security Alliance Cyber Security Social Contract: Recommendations to the Obama Administration and 111th Congress

    25/25

    Larry Clinton, President
    Internet Security Alliance
    [email protected]
    703-907-7028
    202-236-0001