CareFirst BlueCross BlueShield is the shared business name of CareFirst of Maryland, Inc. and Group Hospitalization and Medical Services, Inc. which are independent licensees of the Blue Cross and Blue Shield Association. ® Registered trademark of the Blue Cross and Blue Shield Association. ®′ Registered trademark of CareFirst of Maryland, Inc.
Cybersecurity in the Age of Government Regulation
Compliance versus Security
October 28, 2015
Harry D. Fox, EVP, Technical and Operational Support Services
CareFirst BlueCross BlueShield
Agenda
• Security Landscape
• Increased Demand For Controls And Scrutiny
• Compliant vs Secure
• Cybersecurity Frameworks and Governance
• Key Action Steps
Sobering Thought…
Cybercrime will Cost Businesses Over $2 Trillion by 2019
“New research from market analysts, Juniper Research, suggests that the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, increasing to almost four times the estimated cost of breaches in 2015.” – Juniper Research, The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation, May 2015
Security Landscape
AV-TEST Institute registers over 390,000 new malicious programs every day.
Chart: Malware Growth, Last 10 Years
“Many executives are declaring cyber as the risk that will define our generation,” said Dennis Chesley, Global Risk Consulting Leader for PwC. – from Turnaround and Transformation in Cybersecurity, by PwC
Threat Actors are Sophisticated, Well Organized, and Well Funded
Source: Mandiant, APT1: Exposing One of China’s Cyber Espionage Units
Threats Continue to Evolve
• While we can’t ignore the threats of the past, there is growing sophistication
  – Social Engineering
  – Spear Phishing
  – Advanced Malware that changes its signature and profile
• The motives and actors are also changing
  – Nation States
  – Hacktivism
  – Organized Crime
“Cyberspace has become a full-blown war zone as governments across the globe clash for digital supremacy in a new, mostly invisible theater of operations. Once limited to opportunistic criminals, cyber attacks are becoming a key weapon for governments seeking to defend national sovereignty and project national power.” – FireEye, World War C: Understanding Nation-State Motives Behind Today’s Cyber Attacks
Increased Controls and Scrutiny
• Cyberattacks and breaches have left organizations scrambling to find ways to measure and demonstrate due diligence
• Security doesn’t have a “one-size-fits-all” solution, making measuring due diligence challenging
• Compliance can bring sweeping changes to the organization well beyond the traditional scope of Information Security
Greater Legislation on the way…
From SC Magazine 10/20/2015
Compliance and Security
Compliance ≠ Security
Risk-based Compliance Frameworks
Of respondents to a recent PwC study have selected a risk-based cybersecurity framework. ISO 27001 and NIST are the most common.
Adapted from Slide Team’s 0514 risk management framework PowerPoint Presentation
Mapping Frameworks to Controls
Using a risk-based approach, companies should apply relevant compliance frameworks against technical, process, and people controls.
From: Do’s and Don'ts of Risk-based Security Management in a Compliance-driven Culture by Shahid N. Shah
Multiple Frameworks
• Many enterprises are bound to multiple frameworks and requirements through regulations and contracts
• These controls must be centralized into a common framework
Image: Common Controls Hub from Unified Compliance Framework
Governance Model
A well-defined Governance Model is critical
Source: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
Challenges and Risks
• Overreach
• Focus on high-profile/low-value controls
• Overly prescriptive
• Over-focus on compliance and process
• Laws and expectations aren’t consistent with current societal norms
• Cost of security and compliance could overwhelm small companies
Key Steps
• Adopt a cybersecurity framework and apply it using a Risk Management Framework (RMF).
• Create a well-defined governance model with senior management oversight of decisions, risks, controls, audit/assessment, and management action plans.
• Create an inventory of systems, conduct a risk assessment, and use the RMF to define achievable goals.
• Create a multi-year roadmap for cybersecurity with clearly defined deliverables against which you can measure progress.
• Security threats never stop evolving, so your roadmap must continually evolve to meet those threats, satisfy new obligations, and support changes in business needs.
Harry D. Fox, EVP, Technical and Operational Support Services
CareFirst BlueCross BlueShield
[email protected]
10455 Mill Run Circle, Mail Stop: 01-965
Owings Mills, MD 21117