© Critical Informatics Inc., All Rights Reserved 2016

Threat Intelligence Blog

The Been There, Bled There Blog that covers, well, just about anything that we feel you can gain critical insight from. We wear our battle scars with pride and are grizzled enough to occasionally yell, “Get off of my Lawn!” As they say, “You Can’t Make This Stuff Up!”
(206) 687-9100
GUEST BLOG: Lean Into Your Cyber Risks To Thrive In The New Normal
4/20/2016
By Kip Boyle, President, Cyber Risk Opportunities

If you’re an executive in any organization, you should be feeling the pressure to prevent breaches of your customer and employee personal data. And for good reason: as we’ve seen over and over again in the past five years, a digital trust failure can cost millions of dollars (Home Depot), result in bankruptcy (Code Spaces), or even expose you to personal liability for the breach (Caremark).

Beyond data breaches, if you’re unlucky, an online criminal gang will encrypt all your data (Hollywood Presbyterian Medical Center) unless you pay them a ransom. If you’re very unlucky, you’ll get caught in the crossfire of a cyberwar: online reprisals by nation-states that can completely destroy your computers (Saudi Aramco) or publicly expose all your secrets (Sony).

Welcome to the New Normal

Because cybersecurity has become so disruptive to our sense of what to expect in our modern world and being on the Internet, most executives don’t know how to deal with this “new normal”. This often leads to the kind of false thinking that causes them to see it as a mere technology problem, trivialize the risks, or even deny having any responsibility for it at all. Of course, none of that is helpful.

The unfortunate truth for everyone using the Internet is this: cyberspace is more dangerous than ever and it will get even more so in the coming years, and none of the institutions we’ve relied on for generations to keep us safe (Congress, law enforcement, military) can help us very much in the foreseeable future.

Don’t believe me? In 2015, the FBI began publicly advising that if you fall victim to ransomware, your best bet is to pay up. Did you ever think the FBI would say something like that?

How Do I Thrive in the New Normal?

So, we’re on our own, folks. And the only sure way to opt out of these risks is to disconnect from the Internet. But that’s not very practical, is it?

Let’s do something different about the new normal: let’s lean into the cyber risks, to reduce our risk, find safe harbors, increase our competitiveness, and preserve digital trust with our customers. Let’s manage our cyber risks so well that we become highly resilient to cyber failures, errors, and attacks. Leaning in will enable us to operate not only in today’s online markets, but put us on the leading edge for tomorrow’s landscape.

Sounds crazy, right? So did e-commerce, when it first showed up about 20 years ago.

How do you lean in? By pursuing cyber resilience through measurement, smart prioritization of future spending, and continuous improvement. Let’s quickly step through the plan right now, at a high level.

What is Cyber Resilience?

How quickly and easily could you recover from a massive customer data breach, severe denial of service attack, or public loss of intellectual property? Don’t know? You’re not resilient enough.
How cyber resilient are you?

Companies that are cyber resilient gain a competitive advantage. When they get hacked, it’s infrequent, quickly contained, and they bounce back. In contrast, unprepared competitors who get hacked stumble for months and bleed money all over the place while you keep driving towards your goals.

How Do I Measure Cyber Resilience?

You need an appropriate standard to measure yourself against and a straightforward scoring system that everyone in your organization can understand. There are many choices of standards, including ISO 27001/2, COBIT, and the Center for Internet Security’s Critical Security Controls.

We use the NIST Cybersecurity Framework (CSF) and a scoring system I invented that can show whether you’re in a “green zone” of cybersecurity or not. And, unlike money, which no one can ever seem to have enough of, we can measure when you’re too secure and overspending in a particular area.

Simple, Effective Cybersecurity Scoring System

Here’s how we actually score a CSF outcome, such as RS.Co-1 from the Respond function, defined as “Personnel know their roles and order of operations when a response is needed.” Look at the scoring key below. We ask the people closest to the action (the experts) to read a series of statements (left column) and then select the corresponding score (right column).

[Figure: Simple, Effective Cybersecurity Scoring Key]

All scores are then rolled up into an easy-to-understand scorecard. You can see an excerpt of one below.

[Figure: Excerpt of a multi-national organization’s cybersecurity scorecard]

Once you know where you are, you can set your desired scores and then close the gaps that create the most resilience benefits. What was once murky now becomes clear.

How Can I Determine The Benefits Of Cyber Resilience?

We organize the benefits of increasing your cyber resilience into four major areas:

- Reliability
- Return
- Risk
- Indemnity

As you can see below, each area is composed of specific benefits for the next dollar you spend on cyber resilience. Our tools make it clear what you will get for your money. This allows you to prioritize your limited resources in the face of more risks than anyone can afford to fully manage.

[Figure: Cybersecurity Business Value Model]

How Do I Continuously Improve My Cyber Resilience?

After you measure and begin managing your cyber resilience, you’ll need to find a way for your organization to treat cyber risk management as a way of life and not as just a handful of tech projects. In the “new normal,” no one’s cybersecurity problems will ever be “fixed”.

Next, your organization needs to accept that becoming cyber resilient requires more than just more or better technology. You’ve also got to:

- Train your people,
- Strengthen critical processes, and
- Make sure your management team is supporting you all the way to the front-line supervisors.

Because you never have enough money to manage all your cyber risks down to an acceptable level, executives need to set and prioritize their goals for cyber resilience. Tell your stakeholders about your priorities as often as you can.

Finally, you will need to encourage a culture of candid respect and accountability; otherwise people are unlikely to take the measurements very seriously, and that will make your job much more difficult.

Alright! Are you ready to lean into the new normal?

Kip Boyle, President
Email: Kip@CyberRiskOpportunities.com
Website: www.CyberRiskOpportunities.com
LinkedIn: www.linkedin.com/in/kipboyle