Through the cyber looking glass

The perspective from a US federal CISO turned private sector CISO

Patricia Titus Chief Information Security Officer (CISO) Unisys Federal Systems


© 2008 Unisys Corporation. All rights reserved. Page 2

Abstract

Security breaches, data extractions and data losses from within highly regulated public and private sector networks make the news nearly every day. Cyber crime revenue is now said to have surpassed that of drug trafficking, and identity theft continues to rise at an alarming rate. Add to all of this President Obama’s landmark announcement that cyber security is a national priority, and the buzz around cyber security makes a lot of sense.

From data globalization to Web 2.0 technologies, the CISO’s job is more daunting than ever, in both the public and private sectors. The interconnections and interdependencies accelerated by cloud computing, virtualization and the expanding use of the World Wide Web have introduced cyber security risks that span the public and private spheres. Now new, compliance-focused cyber security regulation looms, threatening to affect everyone.

Still, as these worlds converge, misconceptions run wild on both sides. Public sector CISOs believe that the private sector is flush with security funding. Private sector CISOs dream of the regulations and mandates that the public sector has. This in-depth discussion delves into the cyber worlds lived in by both: the view through the “cyber looking glass.”


Impacting us all – are we serious about fixing it?

• The morphing of the Mafia: slicing, spamming and phishing (Financial sector)

• Data extractions and data losses: loss of the F-35 aircraft plans, private citizen data losses at the VA (Federal sector)

• Electrical grid attacks: worms affecting power systems (Energy sector)

• Counterfeit equipment inserted into the supply chain (Manufacturing sector)

• Airline systems taken offline by a computer glitch, crippling air travel (Transportation sector)

• Hackers steal the pharmaceutical records of thousands of Virginia (VA) residents and encrypt them, holding the data for ransom (Healthcare sector)


What’s stopping us?


CISOs: are we all the same?

When I was a Fed, I spoke like a Fed, I understood like a Fed, I thought like a Fed. But when I left Federal service I couldn’t put away those Federal ways… (freely adapted from 1 Corinthians 13)

Then and now: TSA CISO, Unisys CISO

Taking it to the private sector is not an easy task!


Where’s our leadership taking us?

“Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient.” ~ Obama, May 29, 2009


Where’s the global leadership taking us?

The UK gets its own cyber czar!

“Just as in the nineteenth century we had to secure the seas for our national safety and prosperity, and in the twentieth century we had to secure the air, in the twenty-first century we also have to secure our position in cyber space in order to give people and businesses the confidence they need to operate safely there. That is why today I am announcing, alongside our updated National Security Strategy, the UK’s first strategy for cyber security.” ~ Gordon Brown, UK Prime Minister, June 2009


Compliance issues: a viewpoint

"[FISMA] is a real paper drill that means nothing when it comes to information security," ~Bruce Brody, former Federal CISO


Another viewpoint

“FISMA is a framework that gives you flexibility based on your risk profile and based on a full risk management program. Part of the reason people look at it as a paper drill is because they’re focusing on the wrong parts of it. They are focusing on counting how many systems are certified and accredited and how they get graded.” ~ Titus, former Federal CISO


Compliance paperwork versus remediation

A balancing act between stockholders and regulators

Cartoon captions:

CISO: “I told you that compliant didn’t mean secure.”

“…call HR and get rid of her. If we’re compliant, how did that data breach happen?”


Social networking and cloud

• Social networking and the fear: it’s like legalizing marijuana

– Enables communications

– Comments are unfiltered

– Corporate guidance and training

• Cloud computing: losing control but gaining efficiency

– Requires your own transparency

– Trust but verify


Blocking and tackling

It’s the same old issues that are still not being addressed.


Being successful

Watching your language: “Did you understand a word she said?” ~ the CFO

Trying to think like the CEO: “We haven’t been hacked yet, so let’s hold off until next quarter. We need that money for our marketing campaign.” ~ the CEO

Communication is the key: “Can you believe it? She says we can’t install that wireless router without following security policy. Who in the heck knew there was a policy to follow?” ~ the IT Operations Manager


Questions

1. What joint goals are there in the public and private sectors that can be reached?

2. How do we get past “compliance is a paperwork drill” and start leveraging compliance to drive security?

3. In a world of data on demand, what capabilities can be implemented to reduce data loss, breaches and vulnerabilities?