Decoding security frameworks for effective cyber defense
David Allott, McAfee

$171B: cost of cybercrime
Frameworks: useful, or just another distracting trend?
What are the analysts saying?
What is the industry using?
What's the trend?
- Gartner predicts over 50% of organizations will adopt NIST CSF by 2020
- ISO 27001 certificates, CAGR (2013-2017): Australia 31%, Asia Pacific 15%, USA 28%, Europe 16%

Poll: Which security framework are you either using or considering?
a) COBIT
b) ISO 27001 series
c) NIST CSF
d) NIST SP 800-53
e) CIS (SANS Top 20)
f) Other
g) None of these

Typical day in the office
- High complexity
- Scarce resources
- Proving security effectiveness

Why use a security framework?
- Build your cybersecurity roadmap
- Drivers: regulatory requirement, business requirement, best-in-class management
- Covers people, process and technology
- Cybersecurity in business language: risk
- Descriptive, not prescriptive
- Does not mean secure or compliant

General approach of frameworks
- Chart a course to improvement: reduce risk
- Define a core set of metrics from the outset
- Attainment of maturity levels must be clearly understood
- Everyone will perceive the framework through a different lens
- Regular reporting to stakeholders: quick wins
- Crosswalks to other frameworks
- Diagram labels: Performance, Assess, Align, Compliance, Prioritise, Value, Communicate, Implement
- Business and threat environments
- Integrate cyber-risk into existing risk management
- Senior management buy-in
- Roles and responsibilities
- Current state vs desired state: acceptable risk
- Not designed to replace; a roadmap to improve
- Solutions that deliver a balanced posture for emerging needs
- Don't have to do everything at once
- Engage the entire organisation
- Low-hanging fruit: cyber hygiene and quick wins
- Critical activities to defend against the most likely threats
- Some controls are decided for you
- Consider acceptable risk, corporate priorities and budget; priorities based on expected value
So which framework do I choose? One, or a combination?
- Governance: COBIT 5
- Frameworks / standards: ISO 27001, CIS, NIST CSF, NIST SP 800-53, COBIT 5, PCI DSS?
- Good practices: ITIL, Six Sigma, CMMI

How are these being implemented? Well, it depends which corner you're sitting in.
- COBIT 5 / NIST SP 800-53 / ISO 27001 corner: establish digital GRC (Governance, Risk, Compliance); overarching security program; technical and functional controls; integrate into GRC culture
- NIST CSF corner: high-level security requirements/roadmap; develop security program; NIST SP 800-53, ISO 27001 or COBIT 5 for technical and functional controls; assess and adapt

The McAfee Advantage: Open + Integrated = Choice and Speed-to-Value
- Scalable innovation: quickly comply or respond in a dynamic landscape; avoid "new threat, new widget"
- Optimized architecture: open approach, vendor choice, not lock-in; automated solutions managed centrally
- Proactive security: shared threat intelligence across multi-vendor environments; continuous learning and adaptation

The McAfee Advantage: Open & Proactive
- McAfee ePolicy Orchestrator (ePO) offers single-pane-of-glass management and unified workflows for partners in the McAfee SIA ecosystem
- Data Exchange Layer (DXL) provides threat intelligence sharing in multi-vendor environments over a common messaging bus, now linked with Cisco pxGrid
- Global Threat Intelligence (GTI) monitors millions of worldwide sensors for threats and automatically updates reputation information via the cloud

Recommendations: so what's next?
- You will need to do some more research
- Build your strategy in stages: solid foundation, quick wins, communicate!
- Establish your stakeholder steering committee early; don't go alone
- Partner with an experienced third party to map requirements to standards
- Balanced approach: address the entire threat defense lifecycle
- It will take time; the longer you leave it, the harder it gets
For more information about this presentation please email anz_marketing@mcafee.com
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the U.S. and/or other countries. Other names and brands may be claimed as the property of others. Copyright 2017 McAfee, LLC.