Managing Cyber Risk
A panel with representation from both Government and industry offered their perspective on cyber risk. In sum, as the moderator put it, it's time to stop chasing the latest threat vector and to start setting priorities within a sound risk framework.
The panel was moderated by Terry Roberts (Founder & President, WhiteHawk). The panelists included Michael Johnson (CIO, Department of Energy), Steve Orrin (Federal Chief Technologist, Intel Corp.), Tish Long (CEO of INSA, former Director of the National Geospatial Agency, and a board member of Nobilis, Raytheon, Earthcast, and four not-for-profit), and Robert Silvers (Assistant Secretary for Cyber Policy, Department of Homeland Security).
Giving an overview of the Department of Energy, Johnson said that in many cases we're still dealing with legacy systems designed for an old threat that no longer applies. His Department is focused on getting to a distributed, shared cyber risk management system. Instead of relying on disconnected, locally based organization, now everyone in the Department "looks at the same pane of glass through the same analytic framework." Ninety-seven sites across twenty-seven states share the same picture, and, while there's been no top-down change to their decision processes, the Department has required them to make their decision-making transparent. The Department has implemented industry and academic best practices, and it working to establish a baseline.
Orrin read the NIST definition of continuous monitoring. He noted that it calls out both risk management and situational awareness. "At the end of the day," he said, "it's about actionable intelligence. In cyber, it's about knowing what to do, and how to deploy your scarce resources effectively." That, he said, is where risk management comes into play, and frameworks should tell you what's important to your business. How we share information cross-domain and cross-sector will become increasingly important in deriving actionable intelligence. Orrin illustrated this with an anecdote from the banking sector. Adversaries start with regional banks and credit unions, test and refine their approaches, and then move to bigger banks. So,if they're cooperating, big banks get advanced warning, and small banks get access to more advanced resources and capabilities.
Long spoke from the perspective of the boardroom, and she argued that people in cybersecurity need to hear how cyber is talked about in that boardroom. "It's all about enterprise risk management." As a board member, she asks, first, if the company has an enterprise risk management framework. It doesn't matter if that framework is from NIST or is instead homegrown. She then asks, "what are the crown jewels?" What could damage the company? Even non-profits, she stressed, have a bottom line. She then asks about the organization's incident response plan. What is it? Where is it? Where does it start? Does everyone know their role in that plan? It's important that roles in cyber security be clearly articulated, and that the board regularly reviews cyber risk. (A good board, she said, does this at least once a quarter.) And, finally, CISOs must converse with the board in business terms, not, she emphasized, in geekspeak.
Silvers emphasized the importance of managing risk on both sides of an incident. "Even the best companies will find themselves on the wrong side of an incident." Organizations should have, first, an architecture of protection. Second, they should have threat awareness. He regards the NIST framework as foundational: it represents an approach to creating a tailored solution, and it's all based on risk.
"Cyber security is like fashion," Silvers added. "It's never finished." Thus your architecture should "blend up into the latest threat intelligence." As a strategy, he recommended first sharing information: "The threat is way too big for any one company (or even government) to go it alone." Defense must be collective. He compared it to the Las Vegas strip: if a casino spots a card shark, it won't only kick him out, but it will also tell all the other casinos who he is, what he looks like, and why they 86'd him. He closed with a recommendation of the Department of Homeland Security's threat information sharing mechanisms.