Andy Purdy
Chief Cybersecurity Strategist May 18, 2010
Summary
1. What is the current cyber risk?
2. Learn lessons from experience.
3. What approach should we take?
4. What capabilities do we need?
5. Risk management for organizations and countries
What is Cyber? Cyber is the ability to operate in cyberspace to achieve the results that you intend and not those intended by your adversaries, competitors or cyber criminals.
Premises
- Experience is only valuable if we learn from it and act on it
- Information sharing is not enough
- A strategic approach to the cyber challenge is essential
- Stakeholder collaboration is critical at each level
- Threat information is important, but risk should be the driver
- Risk management is critical for organizations, nations, and the global information infrastructure
Industry concerns?
- Data vulnerability due to the sizable increase in data volumes, flows, and interfaces
- System security resulting from converged, automated, and integrated environments
- New devices that may be immature and have security limitations
- Consumer privacy from increased connectivity, devices, and intelligence
Introduction
Cybersecurity a National Security Imperative and Global Business Issue
Nations and critical infrastructure owners and operators are dependent on cyber for national security, economic well-being, public safety and law enforcement, and privacy. Major companies must ensure the resiliency of their operations, protect their reputations and the privacy of their customers, differentiate their brand, and meet compliance obligations. Innovative technologies and information assurance strategies must be implemented by government and private companies through fully integrated, end-to-end cyber solutions.
Security is more about architecture and integration than about deployment of more products to build perimeter defenses.
Stakeholders should be engaged in the assessment and mitigation of ICT risk, spending on research and development, and cyber incident response and recovery preparedness.
Regulatory Environment: Upcoming Challenges for Private Sector and Critical Infrastructure?
Legislative perspective: has the private sector done enough to secure their own facilities?
Executive perspective: concern about government and critical infrastructure relative to cyber threats.
Power/Utility, transportation, and other critical infrastructure sectors of significant cyber concern.
Private sector favors voluntary, private-sector developed standards, incentives, and safe harbor provisions rather than regulations
Companies: BAE, Boeing, EADS, Lockheed Martin, Northrop Grumman, Rolls Royce, Raytheon
- U.S. Defense Industrial Base (DIB): a threshold of capabilities defined by U.S. DoD to protect Controlled Unclassified Information (CUI) used in Defense contracts; established and monitored by U.S. DoD (as expressed in the DIB Cyber Security Benchmark and DIB CONOPS); one-to-one framework agreements, funded by individual companies
- U.S. Comprehensive National Cybersecurity Initiative (CNCI)
- Activities of the European Network and Information Security Agency (ENISA)
CSC Webinar Cybersecurity Towards a Strategic Approach on Cyber Risk
- Know our risk posture;
- Identify requirements for addressing that risk that are generated by a public-private collaboration; and
- Make it easy to hold stakeholders accountable.
- ICT preparedness;
- Malicious activity and cyber crime; and
- Research and development.
To identify critical functions, assess and mitigate risk, and plan, and build capacity for, response and recovery:
- Use standards to drive risk reduction
- Exercise to identify gaps and improve
- Pursue innovation
- Use this process to identify requirements to drive resource allocation for risk mitigation, response preparedness, and research and development
Sensitize private sector and public to the threat; recognize that adversaries do not reserve their most advanced technologies for use only against our Government
- The security stack: defines the problem complexity and the sophistication needed in the solution
- Demonstrated ability to scale to the full dimensions of the problem
- Demonstrated ability to leverage our government knowledge applied to our commercial delivery
Nation-State Threats; Groundbreaker; Forensics training; Biometric Access; System Certification; Physical/Logical Access; Personnel Qualifications
Commercial Sector
Public Sector
Present, organize, determine gaps, integrate. Only CSC and IBM can make this case.
The Security Stack
Functional Technologies
The Exercise of National Sovereignty
- Security consulting: understand and manage risk
- Security integration led by solution architects
- Managed Security Services
- Forensics analysis assessments
- Certification and accreditation
- Security training: cyber experts
- Product and system evaluation: Common Criteria
Compliance
Disaster Recovery / Business Continuity
CSC Cyber Security Overview (1 of 3)
- More than 1,400 full-time security professionals globally
- Security and compliance services to more than 150 commercial clients globally in more than 40 countries
- Many Fortune 500 companies, including many with PCI compliance
- U.S. federal agencies and many state and local government clients
- Non-U.S. government clients (UK Royal Mail, UK National Health Service)
Chesterfield, UK; Marlton, NJ; Newark, DE; Annapolis Junction, MD; Hong Kong; Hyderabad, India; Kuala Lumpur; Sydney, Australia
Consistent and effective 7x24 security monitoring, detection, response and recovery
Retail & Distribution: Coles, Myer, David Jones, Estee Lauder, Cargill, Astro
Travel & Transportation: Railcorp, Bombardier
Health Services: National E-Health Transition Authority, University of Pennsylvania Health Systems, UK National Health Service, Nobel Biocare, Ascension Health, Consolidated Medicaid/Medicare (CMS), Virginia and North Carolina, Medicare/Medicaid Information Systems, eMed of New York, Stellaris Health
Manufacturing: BlueSteel, OneSteel, Delphi, Chrysler, Freescale, Westinghouse, Motorola, Nissan, Xerox, Bombardier, Nissan Chemical
Energy & Natural Resources: Powercor, BHPB, Rio Tinto, Alcoa, Woodside Petroleum, Newmont Mining, Shell, DuPont, BHP Billiton Petroleum, Watercorp, Western Power, Exelon, Basell, Invista, Anglian Water, National Grid, Urenco, BNFL
Further webinars
15 June 2010 / 15:30-16:30 / Societal Change: "Doing Social Media: Tips & Tricks for Planning and Implementation"
Source: www.de.csc.com