Why build a strategy?
• Last strategic plan was five years old and never formally adopted by leadership
• Newer technology breeds newer and more sophisticated threats
• Well engineered and professional looking malware
• Zero Day attacks continue to increase in volume (24 tracked in 2014)*
• Total Days of Exposure for malware was over 295 in 2014*
• Threat Actors are more clever and the stakes are higher
• Campaigns such as Dragonfly, Waterbug, and Turla infiltrated industrial systems, embassies, and other sensitive targets*
• Volume and Complexity of Threat Activity Increasing
• Spear-Phishing attempts increased by 8% and more sophisticated*
Options: Detection or Prevention
• Increased “State Sponsored” cyberespionage and greater focus on Higher Education*
• Optimized risk management requires cybersecurity approaches that center on the data
* = From Symantec’s 2015 Internet Security Threat Report
“Strategy without tactics is the slowest route to victory, tactics without strategy is the noise before defeat.”
- Sun Tzu (Ancient Chinese Military Strategist)
7/15/2015
University of Wisconsin–Madison
Getting to work…
Know what you want at the end of the run…
• This is more than a Gap Analysis and Cybersecurity is more than a service function
• Understand the assets and the need for protection
• Be prepared to “dovetail” business risk to the security plans
• Know where you are and where you want to be – it’s that simple!!!
The mindset you need to create a useful strategy:
Executive Buy-In
• Support from the CIO and other C-Leaders plus VPs
• Discussions that align guidance to business strategy
It has to be a team effort involving domain leaders and key performers
Speak in a Common Language
• Level set the definitions of risk, vulnerability and threat
• Understand how the business works and how managers talk
Do not be the “Merchant of No!”
• Learn the fastest way to get to YES!
“Security Teams must demonstrate the ability to view business problems from different or multiple perspectives.”
– Gus Agnos (VP Strategy & Operations at Synack)
Where is our focus?
Incident Response – Metrics and Trends
Data
Data Classification
Cybersecurity Incident Response Cycle
Components of UW-Madison Cybersecurity Strategy
Preparation is key!
You cannot do this alone!
• Working Groups and Committees (UW-MIST, MTAG, ITC, TISC, etc.)
• Cybersecurity Leadership Team
Executive and Department/College/Business Unit Buy-In
• Cost, Schedule, Performance
• Governance and Collaboration
UW-Madison Cybersecurity Strategy
Strategic Elements
Enabling Objectives
Data Governance and Information Classification Plan
Retain previous strategy’s actions (“find it/delete it/protect it”)
Establish the UW-Madison Risk Management Framework
Enable & support culture to value cybersecurity & reduce risk
Build community of experts/improve user competence (SETA)
Establish Restricted Data Environments
Consolidate Security Operations & institute best practices
Central data collection/aggregation to analyze security events
Improve Cyber Threat Analysis/Dissemination/Remediation
Identify and seek sources of repeatable funding
Optimize Services, Security Metrics, Compliance & CDM
Establish Collaborative Partnerships to assure teaching and research availability (Wisconsin Idea)
Identify UW-Madison compliance issues (FERPA, HIPAA, PCI-DSS, Red Flags Rule, etc.)
Develop and refine sustainable security ops/risk assessments
Develop & implement a marketing and communications plan