ISSA Intl Women in Security Special Interest Group (WIS SIG)

Technology Leadership Series – Part III

A look at the increasingly complex critical infrastructure protection landscape

July 10, 2017


• Ms. Domini Clark

https://www.infosecconnect.com/

WIS SIG CO-CHAIR


Connecting the Information Security Community With Opportunity

Post Your Resume

Find a New Position

Access Our Calendar of Worldwide Security Events

INFO SEC CONNECT

https://www.infosecconnect.com/

Mission: Connecting the World, One Cybersecurity Practitioner at a Time.

Vision: The WIS SIG is committed to developing women leaders globally, building a stronger cybersecurity community fabric, and enabling success across the globe.

Creating Leaders Together: ISSA WIS SIG embraces a spirit of collaboration within its organization and throughout the industry. We partner with organizations to provide leadership programs and services, and challenge these companies to create cybersecurity-oriented professional advancement opportunities for women.


• Foster the recruitment, retention and promotion of women within the cybersecurity industry

• Enhance women’s career growth by providing professional development events, career path information, mentoring and coaching services, and networking opportunities

• Cultivate leadership and technical competencies for women within the cybersecurity field

• Provide a global cybersecurity forum which recognizes women's professional contributions

• Continuously improve the ISSA WIS SIG's value proposition and ability to attract, develop, and retain a diverse community of women worldwide

WIS SIG Goals


WIS SIG PARTNERS

Ms. Deanna Boyden

Ms. Domini Clark

Ms. Lisa Jiggetts, Founder, President, and CEO

Mr. Jeff Steiner & Mr. David Leighton

Nanci Schimizzi, Board Member

Ms. Marlene Veum

Ms. Deidre Diamond

Lorena Fimbres & Jeff Terhune & Jeanne Martin & Carole Inge

Nanci Cronk, Account Executive

Paige Needling, President and CEO

Kristen Lamoreaux, Founder, SIM Women

Ms. DeeDee Smartt Lynch, President

Ms. Laurie Wiggins, Founder, President, and CEO

Dori Farah // Director, Workforce & Affinity Alliances


WIS SIG PARTNERS

Mr. John von Ruden

Eric Berkowitz

Ms. Susan Leister Ms. Janice Comer Bradley, Ms. Leah Lewis & Mr. Matt LoFiego

Ms. Vera Lichtenberg & Mr. Scott Martin

Mr. Bill Smith

Ms. Melissa Butler

Mr. Scott Binder

NoVA Section

Gustavo Hinojosa, Executive Director, National Cybersecurity Student Association

Mr. David Eber & Ms. Teresa Allison


Million Women Mentors

Become A Sponsor

Become A Mentor

Become A Partner

Call to Action Our Structure

5 Pathways to Mentorship

We have surpassed 1 million!

OUR GOAL

Million Women Mentors (MWM), a STEMconnector initiative aims to increase the number of women and girls entering STEM fields through mentorship, thus increasing their interest and confidence in STEM areas.

stemconnector.org, www.millionwomenmentors.org


Carole Dicker, Principal, FEDROCK Security, LLC. Fedrock Security LLC is in the Security Systems Services business.

Connie Justice, CISSP, Ph.D. Cybersecurity: Clinical Associate Professor of Computer Information Technology. Director of IT Security Education and Experiential Learning, http://livlab.org. Purdue Technical Assistance Program (TAP) Faculty, http://tap.purdue.edu/

NEW 2017 WIS SIG Volunteers

Dr. Maxine Henry, PhD MAOM, CGEIT, GRISC, CISA, ITIL: Dr. Henry is a global strategist and consultant focused on the impact of GRC and information technology.

Christy Lodwick, VP of Marketing & Business Development, Tyde Systems, LLC -- Six Sigma Green Belt, Cisco Certified Sales Expert, CyberSAFE, CCNA, HIPAA

Lauren Rousseau-Ball, WIS SIG Volunteer Extraordinaire

Paige Needling: Paige brings 20 years of “in-the-trenches” experience to solve real-world data security and compliance challenges for her clients. She has been recognized as one of the Game Changers in Information Security by HUB Magazine and has been featured in Compliance Weekly and other industry publications. She has shared her expertise as a speaker at ISACA and IIA.

NEW 2017 WIS SIG Volunteers

Marlys Rodgers, CISM, MBA: Tenured technology leader experienced in enterprise deployments of cloud, on-premise and mobile (BYOD) for a Fortune 100 financial institution. Transitioned career by building on IS/governance work to GRC and now leading risk measurement for a global digital wallet company with a focus on info sec/cyber.

Hanna Sicker, CISM, CISSP: Over 25 years of technical and management experience, including 10 years in information security operations. As Head of Global Security and Network Operations for StubHub, Sicker oversees a team of SOC analysts and NOC Engineers who provide support to all StubHub sites globally in 48 countries.

Rhonda Farrell

Domini Clark

Cassandra Dacus – Partner

Volunteer

WIS SIG Leaders

WIS SIG Advisors


Andrea Hoy

Candy Alexander

Anne Rogers

Debbie Christofferson

Jean Pawluk

Sandra M.Lambert

SIG Liaisons

Central & South FL: Maureen Premo

Atlanta: Cassandra Dacus

Colorado Springs: Donna Kimberling, Colleen Murphy

Central MD & NOVA: Rhonda Farrell

National Capital: Nicole Grey

Chicago, Ill: Valerie Baldwin

Denver CO: Marlen Veum, DJ McArthur, Christy Lodwick, Deb Peinert

Minnesota: Betty Burke

Central TX: Tenille Jones

Portland: Brian Ventura

San Francisco: Joan Rose, Tamara Thompson, and Terry Quan

Singapore: Magda Chelly

Support Our SIGs!

• Financial: Ms. Andrea Hoy

• Healthcare: Mr. Andy Reeder

• Security Awareness: Ms. Jill Feagans, Mr. Kelley Archer

• Women In Security: Ms. Domini Clark, Rhonda Farrell

http://www.issa.org/?page=SIGs

2017 ISSA INTL Global SIG Lineup

* Additional Mentoring Meet-Ups, SANS Hosted Connect Events, Student Security, and Local Outreach and Membership Drive Events Planned

JAN 2017: 9th – WIS SIG*

FEB 2017: 13th – WIS SIG; 15th – SEA SIG

MAR 2017: 13th – WIS SIG; 16th – Financial SIG Security Summit; 16th – HC SIG

APR 2017: 10th – WIS SIG

MAY 2016: 8th – WIS SIG; 10th – SEA SIG

JUNE 2017: 12th – WIS SIG; 15th – HC SIG; 16th – FIN SIG

JUL 2017: 10th – WIS SIG

AUG 2017: 9th – SEA SIG; 14th – WIS SIG

SEP 2017: 11th – WIS SIG; 14th – HC SIG; 15th – FIN SIG

OCT 2017: 16th – WIS SIG

NOV 2017: 8th – SEA SIG; 13th – WIS SIG

DEC 2017: 11th – WIS SIG; 14th – HC SIG; 15th – FIN SIG

ISSA INTL SIG Membership Drive

*NOT APPLICABLE TO STUDENT MEMBERSHIPS

ISSA International Memberships* are 20% off for SIG Members. Use Discount Codes at Checkout: 20FSIG16, 20HCSIG16, 20SEASIG16, 20WISSIG16

Presenter: Dr. Diana Burley

A look at the increasingly complex critical infrastructure protection landscape.

Diana L. Burley, Ph.D. is executive director and chair of the Institute for Information Infrastructure Protection (I3P) and full professor of human & organizational learning at The George Washington University. She is a globally recognized cybersecurity expert who currently co-chairs the ACM/IEEE-Computer Society Joint Task Force on Cybersecurity Education.

She is a 2016 recipient of the Executive Women’s Forum in Information Security, Risk Management and Privacy Woman of Influence award. In 2014, Dr. Burley was named the cybersecurity educator of the year as well as one of the top ten influencers in information security careers. In 2013, she served as co-Chair of the US National Research Council Committee on Professionalizing the Nation’s Cybersecurity Workforce.

Presenter: Dr. Diana Burley

Prior to joining GW, she managed a multi-million-dollar computer science education and research portfolio and led the CyberCorps program for the National Science Foundation. She is the sole recipient of both educator of the year and government leader of the year awards from the Colloquium for Information Systems Security Education and has been honored by the Federal CIO Council for her work on developing the federal cyber security workforce. She served two appointments on the Cyber Security Advisory Committee of the Virginia General Assembly Joint Commission on Technology & Science (2012, 2013) and has secured nearly $10 million in sponsored research support. Dr. Burley has testified before the US Congress, conducted international cybersecurity training, and written more than 80 publications on cybersecurity, information sharing, and IT-enabled change.

She holds a BA in Economics from the Catholic University of America; M.S. in Public Management and Policy, M.S. in Organization Science, and Ph.D. in Organization Science and Information Technology from Carnegie Mellon University where she studied as a Woodrow Wilson Foundation Fellow.

The Increasingly Complex Critical Infrastructure Protection Landscape

Dr. Diana L. Burley

Institute for Information Infrastructure Protection

The George Washington University

10 July 2017


WIS SIG July 2017 Webinar

CIP Landscape

• Overview and context

• Risk management and mitigation

• Collaboration and information sharing

• Public and international policy

• Workforce analysis and development

• Concluding thoughts

Discussion Topics

“Critical infrastructure, also referred to as nationally significant infrastructure, can be broadly defined as the systems, assets, facilities and networks that provide essential services and are necessary for the national security, economic security, prosperity, and health and safety of their respective nations.”

Critical 5: Forging a Common Understanding for Critical Infrastructure

Overview and Context


Overview and Context

In the last 12 months, we have confirmed…

• An attack on SWIFT global banking system

• Foreign interference in US election systems

• Ukrainian power grid attacks

• A ransomware attack that shut down major hospital systems in the UK and around the world

• The infiltration of computer networks in a US nuclear power operation


What about the unconfirmed or suspected incidents?

Recent Black Hat Survey

“Most information security professionals believe that the US critical infrastructure will be breached by a cyber attack within the next two years.”

Black Hat 2017 Survey

Overview and Context

Critical infrastructure protection in the age of “SMART” everything is a multi-faceted task that becomes more difficult every day as we add more intelligence and complexity to the systems and devices we rely on in a wide range of domains.

Overview and Context

➢ Risk management and mitigation

➢ Collaboration and information sharing

➢ Public and international policy

➢ Workforce analysis and development


CIP Discussion Topics

Risk Management and Mitigation


Risk Management and Mitigation

• Risks associated with human, economic and public/societal loss should be considered

• Risk assessments should not be considered in isolation

• Assessments include: identification, analysis, and evaluation


Risk Management and Mitigation

The NIST Framework for Improving Critical Infrastructure Cybersecurity gives organizations a common mechanism to: [ref.]

1. Describe their current cybersecurity posture;

2. Describe their target state for cybersecurity;

3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;

4. Assess progress toward the target state;

5. Communicate among internal and external stakeholders about cybersecurity risk.


Risk Management and Mitigation

NIST Framework components: [ref.]

• Core: activities, outcomes and standards related to the five functions: Identify, Protect, Detect, Respond, Recover.

• Implementation Tiers: context on organization views of cybersecurity risk and the processes in place to manage that risk

• Profiles: desired outcomes based on business needs


Collaboration and Information Sharing

• Benefits

• Situational awareness to support normal operations and incident response.

• Preventative operational and tactical risk management actions.

• Strategic planning and investment to build capabilities and resilience.

Collaboration and Information Sharing

• DHS Critical Infrastructure Threat Information Sharing Framework

• Report suspicious or known threats, incidents, and activities

• Receive threat information relevant to your sector

• Access threat prevention and protection related training and exercises

Collaboration and Information Sharing

• Public-Private Partnerships

• Information Sharing and Analysis Centers (ISACs)

• Information Sharing and Analysis Organizations (ISAOs)

• Regional collaborations

• Interoperability and integration issues that must be addressed

• Aligning mission and value

• Identifying leadership and funding sources

• Developing trust

• Determining what information is to be shared

Public and International Policy

• Presidential Executive Order

• Department of Homeland Security Role

• Provide strategic guidance to public and private partners

• Promote a national unity of effort

• Coordinate the overall Federal effort to promote the security and resilience of the nation's critical infrastructure.

Public and International Policy

• The Critical Five

• Established in 2012 to enhance information sharing and work on issues of mutual interest between Australia, Canada, New Zealand, the United Kingdom and the United States.

• Published in March 2014, a shared narrative, “Forging a Common Understanding of Critical Infrastructure”

• Global Commission on the Stability of Cyberspace (cyberstability.org)

• 1st GCSC meeting: Tallinn, Estonia, June 2017

• 2017 priorities include the “public core of the Internet” and “critical infrastructures”

Workforce Analysis and Development

Regarding the recent cyber attack at the Wolf Creek Nuclear Operating Corporation …

“In most cases, the attacks targeted people — industrial control engineers who have direct access to systems…Hackers wrote highly targeted email messages containing fake résumés [as infected Microsoft Word documents] for control engineering jobs and sent them to the senior industrial control engineers who maintain broad access to critical industrial control systems, the government report said.” [ref]


Workforce Analysis and Development

• Structuring the cybersecurity field

• National Cybersecurity Workforce Framework

• Joint Task Force on Cybersecurity Education

But… Are industrial control engineers part of the cybersecurity workforce?

Structuring the Field

• National Cybersecurity Workforce Framework [ref.]

The National Cybersecurity Workforce Framework provides a blueprint to categorize, organize, and describe cybersecurity work …[,] provides a common language to speak about cyber roles and jobs[,] and helps define personal requirements in cybersecurity.


Structuring the Field

• Joint Task Force on Cybersecurity Education [ref.]

• The Joint Task Force on Cybersecurity Education (JTF) is developing comprehensive curricular guidance in cybersecurity education that will support future program development and associated educational efforts.

• Global collaboration between major computing societies: ACM, IEEE-Computer Society, Association for Information Systems, and the International Federation for Information Processing (IFIP)

• Draft and more information available at csec2017.org. Final version to be released in December 2017.

Workforce Development Challenges

• Analyzing and defining workforce needs

• Contextualizing learning and development experiences

• Balancing breadth and depth of content

• Advancing hands-on skill development

• Integrating technical and non-technical content


Engaging the Whole Workforce

Robust “awareness” programs change behavior

Raise Awareness → Promote Understanding → Increase Engagement → Support Action → Change Behavior

Concluding Thoughts

“When governments focus on making critical infrastructure more secure and resilient by managing risk, trust and confidence is enhanced in the public-private relationship, which then facilitates economic growth. This trust and confidence in critical infrastructure is essential to achieving safe, secure and prosperous societies.”

Critical 5: Forging a Common Understanding for Critical Infrastructure

Questions?

Dr. Diana Burley

[email protected]


THANK YOU!


▪ ISSA International Members

▪ ISSA INTL WIS SIG Members

▪ IEEE WIE Members

▪ Strategic Partners

THANK YOU TO OUR ATTENDEES & SUPPORTERS

• ISSA International Service Offerings

• CISO Executive Forum (Meets Quarterly)

• Domestic and International Chapter Base

• E-News

• ISSA Intl Special Interest Groups

• ISSA Industry Webinars

• ISSA Journal

• ISSA Web Conferences

• Mentoring Programs

• US and European Conferences


CISO Executive Forum Info

Security Awareness & Training: Enlisting your Entire Workforce into your Security Team

July 23-24, 2017, Bally's Las Vegas

Questions: Leah Lewis ([email protected])

https://www.issa.org/page/CISO2017July

ISSA INTERNATIONAL CONFERENCE 2017

October 9-11, 2017, San Diego, CA, USA

#ISSAConf

Save the date and join us for solution-oriented and innovative sessions, all designed to help you get your hands around some of security's hottest topics.

https://www.issa.org/page/IIC2017RSVP

IEEE WIE FORUM USA EAST 2017

http://sites.ieee.org/wie-forum-usa-east/


2017 SANS & ISSA WIS SIG CONNECT EVENTS

▪ VetSuccess

▪ Women’s Academy

▪ Cross Country Connect Event Tour 2017

https://www.issa.org/events/event_list.asp?show=&group=107122

▪ July 27, 2017 – Washington, DC

▪ August 22, 2017 – Chicago, Illinois

▪ December 14, 2017 – Washington, DC

2017 Scholarship Giving Program

▪ Donate Online: http://issa-foundation.org

▪ Email Us for Info: [email protected]

WIS SIG Scholarship Fund

ISSA International Journal Articles

http://www.issa.org/?page=ISSAJournal

Please contact [email protected] if you are interested in submitting a SIG column entry!


SPONSORSHIP OPPORTUNITIES

• Financial: Ms. Andrea Hoy

• Healthcare: Mr. Andy Reeder

• Security Awareness: Ms. Jill Feagans, Mr. Kelley Archer

• Women In Security: Ms. Rhonda Farrell

[email protected]

Registration Info for our WIS SIG Portal

• Non-members: https://www.issa.org/general/register_member_type.asp?

• Members: [email protected] or press Join on our SIG page once you are logged in!

Monthly WIS SIG & WIE Webinar: Driving Innovation within STEM & Cyber Across the Generations – Part III

Privacy as a Component of the Cybersecurity World, or is it?

August 14th, 2017 (1600-1700 Eastern)

Ms. Monique Morrow, Chief Technology Strategist

https://www.issa.org/events/EventDetails.aspx?id=911311&group=107122

Join US at our NEXT Event!

Connect with us!

WIS SIG Subgroup of ISSA #ISSAWISSIG

ISSA PORTAL: http://www.issa.org/members/group.aspx?id=107122

[email protected]