SOPHISTICATED MANAGEMENT OF CYBER RISK
SPONSORED BY:
Acknowledgements
The following professionals make up the Internet Security Alliance's (ISA's) Board of Directors,
without whom the work of ISA would not be possible. We would also like to acknowledge AIG,
an ISA member, which sponsored the workshops and the publication of this case study
white paper.
Internet Security Alliance Board of Directors
Fidelity Investments: Timothy McKnight, ISA Board Chairman; EVP Information Security and Risk
Raytheon Company: Jeffrey Brown, ISA Board First Vice Chairman; VP of Infrastructure Services and CISO
USAA: Gary McAlum, ISA Board Second Vice Chairman; SVP and CSO
Verizon: Marcus Sachs, VP of National Security Policy
BNY Mellon: Thomas Quinn, Managing Director and CISO
Lockheed Martin Corporation: Charlie Croom (Lt. Gen., Ret. USAF), VP of Cyber Security Solutions
Northrop Grumman: Russell Koste, Director of Identity, Intelligence and Network Defense
Wells Fargo: Rich Baich, CISO
General Electric: Larry Trittschuh, Director of Global Information Security Operations
Carnegie Mellon University (CMU): Tim McNulty, CyLab Associate VP for Government Relations
Dell SecureWorks: Jeffrey Schilling, Director for the Incident Response Practice
Tyco International: Gene Fredriksen, Senior Director and Global Information Security Officer
The Boeing Company: Thomas Kelly, Director of Information Security, Assessments and Vulnerabilities
SAIC: Julie Taylor, SVP Operations, Cyber Security Services and Solutions
Direct Computer Resources: Joe Buonomo, President & CEO
AVG Technologies: Siobhan MacDermott, Chief Policy Officer
National Association of Manufacturers (NAM): Brian Raymond, Director of Tax, Technology and Domestic Economic Policy
Vodafone Group: Richard Knowlton, Group Corporate Security Director
Internet Security Alliance (ISA): Larry Clinton, President & CEO
About the Internet Security Alliance:
The Internet Security Alliance (ISA) is a multi-sector trade
association with membership from virtually every one of the
designated critical industry sectors, including substantial participation
from the aviation, banking, communications, defense, education,
financial services, health care, insurance, manufacturing, security and
technology industries.
ISA focuses exclusively on cybersecurity and cybersecurity-related
issues, as embodied in its mission: to create a sustainable
system of cybersecurity by combining advanced technology with
economics and public policy.
About Our Publication and Workshops Sponsor:
American International Group, Inc. (AIG) is a leading international
insurance organization serving customers in more than 130 countries.
AIG companies serve commercial, institutional, and individual customers
through one of the most extensive worldwide property-casualty
networks of any insurer. In addition, AIG companies are leading
providers of life insurance and retirement services in the United States.
Notice:
© 2013 Internet Security Alliance (ISA)
All rights reserved. Published by ISA. Printed in the United States of America.
No part of this publication may be reproduced or distributed in any form or by any means, or
stored in a database or retrieval system, except as permitted under Sections 107 or 108 of the
U.S. Copyright Act, without prior written permission of the publisher.
Material in this publication is for educational purposes. Neither the publisher nor the authors
assume any liability for any errors or omissions, for how this publication or its contents are used
or interpreted, or for any consequences resulting directly or indirectly from the use of this
publication. For legal or any other professional advice, please consult your own lawyer or the
appropriate professional.
The views expressed by the individuals in this publication do not necessarily reflect the views
shared by the companies they are employed by (or the companies mentioned in this publication).
The employment status and affiliations of authors with the companies referenced are subject to
change.
THE EMERGENCE OF THE SOPHISTICATED THREAT
For many years, cyber attacks were thought to be the exclusive province of teenage hackers and
academic nerds. Incursions had cutesy names like "Love Bug" and "Blaster" and, while
annoying, they tended to do little actual damage; most enterprises shrugged them off as either a
petty cost of doing business, similar to low-level pilferage, or an obscure issue best relegated to the
geeks in information technology (IT) and not worthy of senior-level attention.
Those days are over.
In his February 12, 2013 State of the Union Address, President Obama declared that America's
"enemies are seeking the ability to sabotage our power grid, our financial institutions and our air
traffic control systems. We cannot look back years from now and wonder why we did nothing in the
face of real threats to our security and our economy."1 The President's signature white paper on
the issue, the "Cyberspace Policy Review," suggests the costs to American business could run close
to one trillion dollars.2
In October 2012, Defense Secretary Leon Panetta warned of increasingly sophisticated attacks being
launched on private cyber systems and of the need for greater awareness and attention to securing
these systems.3
In February 2013, The New York Times and The Washington Post reported the results of security firm
Mandiant's findings: not only had these iconic institutions themselves been compromised, but the
sophistication of the attacks had grown substantially.4,5,6,7 Indeed, Mandiant reported that
the sophisticated attacks previously confined to governments and major defense
contractors had now spread broadly throughout the economy.8
1 Obama, Barack H. "2013 State of the Union Address." Address. Capitol Building, Washington, D.C. 12 Feb. 2013. White House, 12 Feb. 2013. Web. 18 Mar. 2013.
2 United States. Executive Office of the President. "Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure." White House, 2009. Web. 1 May 2013.
3 Panetta, Leon E. "Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security." Address. 2012 BENS Eisenhower Award Dinner. New York City. U.S. Department of Defense, 11 Oct. 2012. Web. 1 May 2013.
4 Perlroth, Nicole. "Hackers in China Attacked the Times for Last 4 Months." New York Times, 30 Jan. 2013. Web. 30 Apr. 2013.
5 Sanger, David E., David Barboza, and Nicole Perlroth. "Chinese Army Unit Is Seen as Tied to Hacking Against U.S." New York Times, 18 Feb. 2013. Web. 30 Apr. 2013.
6 Wan, William, and Ellen Nakashima. "Report Ties Cyberattacks on U.S. Computers to Chinese Military." Washington Post, 19 Feb. 2013. Web. 1 May 2013.
7 Mandiant. "APT1: Exposing One of China's Cyber Espionage Units." Rep. Mandiant, 18 Feb. 2013. Web. 1 May 2013.
8 Ibid.
Unfortunately, the same research shows that most enterprises are still attempting to fight these modern
attacks with traditional signature- and perimeter-based defenses such as anti-virus and intrusion detection
systems, which on their own are no longer adequate against the modern cyber threat.9
Fortunately, while attack methods have continued to evolve, so too have defensive strategies.
THE RISE OF SOPHISTICATED DEFENSE
A series of studies has indicated that, while perfect security is not feasible, we are learning a good
deal about how enterprises can better manage their cyber risk.10,11,12 Although analysis of
successful attacks has generated good data on how to combat them, this data has not been
broadly integrated into business practice.13 This research suggests that by combining modern
organizational techniques with research-based technical procedures, organizations can mitigate
damage from all but the most sophisticated of cyber threats (e.g., those launched by nation-states)
and even these attacks can be better managed.
The major barriers to widespread adoption of these techniques are lack of awareness at senior
corporate levels, and, as always, cost.14,15,16,17,18
In early 2012, AIG elected to sponsor an effort by the ISA and the Union of Concerned
Cybersecurity Leaders (UCCL) to investigate how sophisticated and experienced firms are
addressing their cyber threats. Working with a series of partner organizations,
including the Financial Services ISAC, the Aerospace Industries Association (AIA) and the National
Association of Manufacturers (NAM), ISA held a series of workshops in Washington, Silicon Valley
and New York City. The goal of this effort was to analyze the risk management methods that
sophisticated firms in the defense industrial base, IT and financial services were and are using. In
9 Ibid.
10 Internet Security Alliance and American National Standards Institute. "The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask." Rep. Internet Security Alliance, 2008. Web. 30 Apr. 2013.
11 Internet Security Alliance and American National Standards Institute. "The Financial Management of Cyber Risk: An Implementation Framework for CFOs." Rep. Internet Security Alliance, 2008. Web. 30 Apr. 2013.
12 Verizon RISK Team, et al. "2012 Data Breach Investigations Report." Rep. Verizon, March 2012. Web. 30 Apr. 2013.
13 PricewaterhouseCoopers (PwC). "The Global State of Information Security Survey: 2011." Survey. PricewaterhouseCoopers, 2010. Web. 1 May 2013.
14 Westby, Jody. "Governance of Enterprise Security: CyLab 2012 Report. How Boards & Senior Executives are Managing Cyber Risks." Rep. Carnegie Mellon CyLab, 16 May 2012. Web. 30 Apr. 2013.
15 PricewaterhouseCoopers. "The Global State of Information Security: 2008." Rep. PricewaterhouseCoopers, 2007. Print.
16 Brenner, Bill. "Business Partners with Shoddy Security; Cloud Providers with Dubious Risk Controls; What's a CIO to Do?" CIO Magazine, 14 Oct. 2010.
17 Baker, Stewart, Shaun Waterman, and George Ivanov. "In the Crossfire: Critical Infrastructure in the Age of Cyber War." Rep. McAfee, 2010. Web. 30 Apr. 2013.
18 Domenici, Helen, and Afzal Bari. "The Price of Cybersecurity: Improvements Drive Steep Cost Curve." Rep. Ponemon Institute and Bloomberg Government Study, 31 Jan. 2012. Print.