[Chart: Information Week 2011/7% (Market); Market Research Media 2010/10.5% - 2015/11.3% (Federal); Gartner 2010/8.1%]
What Boards Need to Know About Cyber: Lessons from a Practitioner
Michael Misumi Chief Information Officer
Cyber Attacks
JHU/APL Sensitive Restricted
Social Engineering Attack Example
§ You click a link in an email, or you open a file or attachment
§ Malware downloads…
§ Hacker controls the system!
Order of Events
[Diagram: Internet → Company Web Site → Company]
There is No Such Thing as 100% Security
§ Not If, But When
§ Perceptions are changing
§ Certification is not Security
What is the Primary Risk?
§ Assets: What has the greatest business impact?
§ Attackers: Who are you most concerned about?
§ Threat: What is the most likely threat?
Where is Your Company on This Scale?
[Scale diagram: Ease of Use ↔ Security]
Amount of Joint Defense and Red Teaming?
§ Government collaboration
§ Consortium cyber response
§ External red team
§ New product penetration testing
Cyber Defense is a Team Sport
Need a New Defense Paradigm
1. Make it hard to penetrate our IT without permission, but do not assume 100% success.
2. Minimize access to sensitive information even when unwanted access to the overall system has happened.
3. Maximize service continuity even while unwanted parties are in the IT infrastructure.
4. Create ‘fast recovery’ when service does get affected.
5. Be cost sustainable.
Example Approaches
§ Secure the data
§ Create virtual security zones
Lessons Learned from Cyber Attacks
§ Communicate, communicate, communicate
§ Engaging external stakeholders
§ Central configuration management
§ Stay ahead of the curve: from cyber defense “hero” to operations “goat” in 3 months or less…