Cybersecurity in the Age of Government Regulation

Transcription

1 Cybersecurity in the Age of Government Regulation Compliance versus Security October 28, 2015 Harry D. Fox EVP, Technical and Operational Support Services CareFirst BlueCross BlueShield CareFirst BlueCross BlueShield is the shared business name of CareFirst of Maryland, Inc. and Group Hospitalization and Medical Services, Inc. which are independent licensees of the Blue Cross and Blue Shield Association. Registered trademark of the Blue Cross and Blue Shield Association. Registered trademark of CareFirst of Maryland, Inc.

2 Agenda Security Landscape Increased Demand For Controls And Scrutiny Compliant vs Secure Cybersecurity Frameworks and Governance Key Action Steps 2

3 Sobering Thought Cybercrime will Cost Businesses Over $2 Trillion by 2019 New research from market analysts, Juniper Research, suggests that the rapid digitization of consumers lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, increasing to almost four times the estimated cost of breaches in Juniper Research, The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation, May

4 Security Landscape Many executives are declaring cyber as the risk that will define our generation, said Dennis Chesley, Global Risk Consulting Leader for PwC. from Turnaround and Transformation in Cybersecurity, by PwC Malware Growth Last 10 Years AV-TEST Institute registers over 390,000 new malicious programs every day. 4

5 Threat Actors are Sophisticated, Well Organized, and Well Funded Source: Mandiant APT1 Exposing One of China s Cyber Espionage Units 5

6 Threats Continue to Evolve While we can t ignore the threats of the past, there is growing sophistication Social Engineering Spear Phishing Advanced Malware that changes its signature and profile The motives and actors are also changing Nation States Hacktivism Organized Crime Cyberspace has become a full-blown war zone as governments across the globe clash for digital supremacy in a new, mostly invisible theater of operations. Once limited to opportunistic criminals, cyber attacks are becoming a key weapon for governments seeking to defend national sovereignty and project national power. FireEye, World War C: Understanding Nation-State Motives Behind Today s Cyber Attacks 6

7 Increased Controls and Scrutiny Cyberattacks and breaches have left organizations scrambling to find ways to measure and demonstrate due diligence Security doesn t have a one-size-fits-all solution making measuring due diligence challenging Compliance can bring sweeping changes to the organization well beyond the traditional scope of Information Security 7

8 Greater Legislation on the way From SC Magazine 10/20/2015 8

9 Compliance and Security Compliance Security 9

10 Compliance and Security 10

11 Risk-based Compliance Frameworks Of respondents to a recent PwC study have selected a risk-based cybersecurity framework. ISO and NIST are the most common. Adapted from Slide Team s 0514 risk management framework PowerPoint Presentation 11

12 Mapping Frameworks to Controls Using a risk-based approach, companies should apply relevant compliance frameworks against technical, process, and people controls From: Do s and Don'ts of Risk-based Security Management in a Compliance-driven Culture by Shahid N. Shah 12

13 Multiple Frameworks Many enterprises are bound to multiple frameworks and requirements through regulations and contracts These controls must be centralized into a common framework Common Controls Hub from Unified Compliance Framework 13

14 Governance Model A well defined Governance Model is critical Source: Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 National Institute of Standards and Technology February 12,

15 Challenges and Risks Overreach Focus on high-profile/low-value controls Overly prescriptive Over focus on compliance and process Laws and expectations aren t consistent with current societal norms Cost of security and compliance could overwhelm small companies 15

16 Key Steps Adopt a cybersecurity framework and apply it using a Risk Management Framework (RMF). Create a well-defined governance model with senior management oversight of decisions, risks, controls, audit/assessment, and management action plans. Create an inventory of systems, conduct a risk assessment, and use the RMF to define achievable goals. Create a multi-year roadmap for cybersecurity with clearly defined deliverables against which you can measure progress. Security threats never stop evolving so your roadmap must continually evolve to meet those threats, new obligations, and support changes in business needs. 16

17 Harry D. Fox EVP, Technical and Operational Support Services CareFirst BlueCross BlueShield Mill Run Circle Mail Stop: Owings Mills, MD 21117