Security Technology Executive

SEP-OCT 2018

Issue link:

Contents of this Issue


Page 41 of 59

42 SECURIT Y TECHNOLOGY E XECUTIVE • September/October 2018 • www. SECURING THE GRID » Even where inherent risk is identified, programs may not succeed in prioritizing risk reduction capabilities appropriately. « I n late July, the U.S. Department of Homeland Security announced the establishment of a new National Risk Management Center to "provide a centralized home for collaborative, sector-spe- cific and cross-sector risk management efforts to better protect critical infrastructure." The announcement underscores the need for greater focus and attention on disciplined risk management in defending critical infrastructure against an increasingly adaptive set of security threats. Coincidentally, this year marks the twentieth anni- versary of Presidential Decision Directive 63 (PDD-63), the foundational executive branch guidance document on securing critical infrastructure. In a hopeful spirit, PDD-63 provided in part that "no later than five years from today the United States shall have achieved and shall maintain the ability to protect the nation's critical infrastructures from intentional acts that would sig- nificantly diminish the abilities of … the private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial and transportation services." And significant thought and investment has taken place since 1998 on how to secure critical infrastruc- ture. As early as 1999, the Gramm–Leach–Bliley Act defined security expectations for protecting consumer banking information, and afforded banking regulators enforcement options if financial institutions do not establish and maintain adequate information secu- rity programs. That same year, the Financial Services Information Sharing and Analysis Center was founded. By 2009, the SANS Institute, working with the Nation- al Security Agency and NIST, identified an offense- informed-defense list of 20 Critical Security Controls for Effective Cyber Defense based on insights from actual attacks. In 2014, NIST released its Framework for Improving Critical Infrastructure Cybersecurity. And yet, two decades later, despite significant policy attention, critical infrastructure risk has only grown. Last year, a number of major global companies were impacted by notPetya, a ransomware campaign that originated in Ukraine in June 2017 and has since been attributed to Russia. Companies impacted by notPetya included pharmaceutical giant Merck, FedEx and Dan- ish shipping giant Maersk – each to the tune of hun- dreds of millions of dollars. 1 Today, senior executives across all industries are asking questions along the lines of: "I see peer orga- nizations with seemingly well-resourced and audited programs experiencing significant security incidents. What's going wrong there, and what should I do to stop the same thing from happening to me? How do I know if I have an effective security program?" Understanding effectiveness can be elusive, but it starts with a continuous cycle of enterprise-level secu- rity assessment, mitigation and monitoring of security risks. Put another way, an effective security risk manage- ment strategy should, at a high level, (a) identify key risks (particularly to high-value assets) based on threat, vul- nerability and potential consequence, (b) ensure that risk-based countermeasures – including people, pro- cess and technology – are designed and implemented to address those risks, and (c) measure and report on the effectiveness of these countermeasures. These basic principles are embodied in successive versions of the National Infrastructure Protection Plan 2 , the National Preparedness Goal, 3 NIST Risk Management Framework 4 and the NIST Cybersecurity Framework. 5 Put another way, there is no shortage of guidance on how best to manage cyber risk, and yet many orga- nizations struggle with both how to prioritize in the context of limited resources and changing risks, and how to measure progress. As clients build security risk management programs, we have found they trip up in six key areas: 1. Limitations in understanding inherent risk (and its adaptive nature) 2. Challenges in planning and preparedness 3. Operational overwhelm (i.e. large numbers of false positives) 4. Unaccounted-for IT dependencies in program execution 5. Lack of business stakeholder alignment in pro- gram execution 6. Lack of transparency on whether controls are working effectively Government and the Private Sector Share Responsibility for Secure Infrastructure How to effectively manage risk for the protection of facilities, technology assets and business operations By Adam Isles

Articles in this issue

Links on this page

Archives of this issue

view archives of Security Technology Executive - SEP-OCT 2018