Why build a strategy?
• Last strategic plan was five years old and never formally adopted by leadership
• Newer technology breeds newer and more sophisticated threats
• Well engineered and professional looking malware
• Zero Day attacks continue to increase in volume (24 tracked in 2014)*
• Total Days of Exposure for malware was over 295 in 2014*
• Threat Actors are more clever and the stakes are higher
• Campaigns such as Dragonfly, Waterbug, and Turla infiltrated industrial systems, embassies, and other sensitive targets*
• Volume and Complexity of Threat Activity Increasing
• Spear-Phishing attempts increased by 8% and more sophisticated*
• Increased “State Sponsored” cyberespionage and greater focus on Higher Education*
• Optimized risk management requires cybersecurity approaches that center on the data

Options: Detection or Prevention

* = From Symantec’s 2015 Internet Security Threat Report

“Strategy without tactics is the slowest route to victory, tactics without strategy is the noise before defeat.” - Sun Tzu (Ancient Chinese Military Strategist)

7/15/2015 University of Wisconsin–Madison

Getting to work…

Know what you want at the end of the run…
• This is more than a Gap Analysis and Cybersecurity is more than a service function
• Understand the assets and the need for protection
• Be prepared to “dovetail” business risk to the security plans
• Know where you are and where you want to be – it’s that simple!!!

The mindset you need to create a useful strategy:

Executive Buy-In
• Support from the CIO and other C-Leaders plus VPs
• Discussions that align guidance to business strategy

It has to be a team effort involving domain leaders and key performers

Speak in a Common Language
• Level set the definitions of risk, vulnerability and threat
• Understand how the business works and how managers talk

Do not be the “Merchant of No!”
• Learn the fastest way to get to YES!

“Security Teams must demonstrate the ability to view business problems from different or multiple perspectives.” – Gus Agnos (VP Strategy & Operations at Synack)

Where is our focus?
• Incident Response – Metrics and Trends Data
• Data Classification
• Cybersecurity Incident Response Cycle

Components of UW-Madison Cybersecurity Strategy

Preparation is key!

You cannot do this alone!
• Working Groups and Committees (UW-MIST, MTAG, ITC, TISC, etc.)
• Cybersecurity Leadership Team

Executive and Department/College/Business Unit Buy-In
• Cost, Schedule, Performance
• Governance and Collaboration

UW-Madison Cybersecurity Strategy

Strategic Elements / Enabling Objectives
• Data Governance and Information Classification Plan
• Retain previous strategy’s actions (“find it/delete it/protect it”)
• Establish the UW-Madison Risk Management Framework
• Enable & support culture to value cybersecurity & reduce risk
• Build community of experts/improve user competence (SETA)
• Establish Restricted Data Environments
• Consolidate Security Operations & institute best practices
• Central data collection/aggregation to analyze security events
• Improve Cyber Threat Analysis/Dissemination/Remediation
• Identify and seek sources of repeatable funding
• Optimize Services, Security Metrics, Compliance & CDM
• Establish Collaborative Partnerships to assure teaching and research availability (Wisconsin Idea)
• Identify UW-Madison compliance issues (FERPA, HIPAA, PCI DSS, Red Flags Rule, etc.)
• Develop and refine sustainable security ops/risk assessments
• Develop & implement a marketing and communications plan