Strategic Leadership for Managing Evolving Cybersecurity Risks – HR’s Pivotal Role. CHO Event, November 13th 2014, Phoenix AZ. Matthew Rosenquist, Cybersecurity Strategist, Intel Corp

Pivotal Role of HR in Cybersecurity


Although a latecomer to the security party, HR organizations can play an important role in protecting assets and influencing good security behaviors. HR leadership can strengthen hiring practices, tighten responses for disgruntled employees, spearhead effective employee security education, advocate regulatory compliance and exemplify good privacy practices, be a good custodian of HR data, and rise to the challenges of hiring good cybersecurity professionals.


Page 1: Pivotal Role of HR in Cybersecurity

Strategic Leadership for Managing Evolving Cybersecurity Risks – HR’s Pivotal Role

CHO Event
November 13th 2014, Phoenix AZ

Matthew Rosenquist
Cybersecurity Strategist, Intel Corp

Page 2: Pivotal Role of HR in Cybersecurity

Biography

Matthew Rosenquist
Cybersecurity Strategist
Intel Security Group

Matthew benefits from 20 years in the field of security, specializing in strategy, threats, operations, crisis management, measuring value, communicating industry changes, and developing cost effective capabilities which deliver the optimal level of security. As a cybersecurity strategist, he works to understand and communicate the future of security and drive industry collaboration to tackle challenges and uncover opportunities to significantly improve global computing security.

Mr. Rosenquist built and managed Intel’s first global 24x7 Security Operations Center, oversaw internal platform security products and services, was the first Incident Commander for Intel’s worldwide IT emergency response team, and managed security for Intel’s multi-billion dollar worldwide mergers and acquisitions activities. He has conducted investigations, defended corporate assets, established policies, developed strategies to protect Intel’s global manufacturing, and owned the security playbook for the PC strategic planning group. Most recently, Matthew worked to identify the synergies of Intel and McAfee as part of the creation of the Intel Security Group, one of the largest security product organizations in the world.

Twitter: @Matt_Rosenquist | LinkedIn | Blogs: Intel IT Peer Network

Page 3: Pivotal Role of HR in Cybersecurity

Technology connects and enriches the lives of every person on earth

Security is critical to protect computing technology from threats which undermine the health of the industry

Page 4: Pivotal Role of HR in Cybersecurity

“...If security breaks down, technology breaks down”

Brian Krebs, noted cybersecurity reporter

Page 5: Pivotal Role of HR in Cybersecurity

Human Behaviors Play a Key Role in Cybersecurity


Security is comprised of both Technology and People

Human Resources can support or undermine security

Intertwined and Inseparable

Page 6: Pivotal Role of HR in Cybersecurity

We manage security through either leadership or crisis.

In the absence of leadership, we are left with crisis.

“Cybersecurity may be fought with technology, but it is people who triumph. We must invest in the future generations of professionals who will carry on the fight”

Page 7: Pivotal Role of HR in Cybersecurity


Peering into the future of cybersecurity

Page 8: Pivotal Role of HR in Cybersecurity

Unpleasant Cybersecurity Trends

• 49% annual malware growth rate; 200M+ total malware samples
• 31 million: new 3-month record
• 93% of organizations suffering data loss
• 50% of online adults victims of cybercrime or negative situations
• $71B worldwide IT security spending in 2014, a 7.9% increase
• 97% of organizations compromised by an attacker bypassing all defenses
• 552M total identities exposed in 2013, a 493% increase

Page 9: Pivotal Role of HR in Cybersecurity

Chain Reactions Drive Cybersecurity Evolution…


Page 10: Pivotal Role of HR in Cybersecurity

Technology-Landscape Environmental changes


More Users

~4B internet users by 2020

6.6B mobile cellular accts 2013

New users are less savvy, more likely to share sensitive data

Easier to manipulate & victimize

More Devices

50B ‘things’ connected by 2020

35% will be M2M connections

Proliferation of sensor data

New architecture vulnerabilities

More Usages

New services, applications, social ecosystems, and infrastructures

New data types, aggregation

Risky behaviors, untested tech, and unforeseen consequences

Page 11: Pivotal Role of HR in Cybersecurity

Technology-Landscape Environmental changes


More Data

13x increase of mobile data 2012-17

3x data increase by 2018

30GB per person/mo. (2x 2013)

18% CAGR of Business traffic

Cheaper to store data vs delete

Greater Value

$14T Internet of Things value, 2022

$90T value of the networked economy by end of next decade

Enterprises are responsible for 85% of data

Controlling financial, defense & critical infrastructure

Evolving IT Infrastructures

M2M, Software Defined Infrastructures (SDDC, SDN, Virtualization), cloud

4x DC traffic by 2018, 31% CAGR

13,300 trillion connections by 2020

Internet of Things M2M networks will grow fastest

Source: ITU International Telecommunications Union

Page 12: Pivotal Role of HR in Cybersecurity

A growing target-rich environment of more users, data, and devices

Motivation for attacks rises as information and systems increase in value

New technology adoption, infrastructures, and usages create a larger attack surface

Effects of Technology-Landscape changes

More attractive targets emerge as opportunities for attacks

Page 13: Pivotal Role of HR in Cybersecurity

Threat Evolution

Security talent pool shrinks

70% of organizations are understaffed

58% of senior and 36% of staff-level positions went unfilled in 2013

High leadership turnover

Threats Accelerate

Professionals emerge: educated, organized, funded, and capable

Resources & community thrive

Success reinforces investment and attracts new attackers

Threat Agents Evolve

Rise of government surveillance, cyberwarfare, information control

Social, political attacks, outsourcing

Motivations shift from personal gains to aspirations of control

Page 14: Pivotal Role of HR in Cybersecurity

Attackers’ capabilities increase with investments, experience, and professional threat agents

Successes boost confidence, raise the lure for more attacks, and embolden attackers to expand scope

Defenders struggle with a growing attack surface, challenging effectiveness models, lack of talent, and insufficient resources

Effects of the Threat Evolution

Threats advance, outpacing defenders

The Race to Evolve is On!

Page 15: Pivotal Role of HR in Cybersecurity

Impacts and Effects

Speed of Attacks

Increased pace: from vulnerability to exploit to compromise

New malware at 4 per second

1M+ victims/day (12/second)

Collective impact

$3T impact to the tech market

20%-30% of IT budgets

Privacy, personal finance

Emerging life-safety risks

Stress and Fear

Outages, downtime, reporting

Data breaches, reputation, IP

Job loss, brand, competition, downsizing, other major impacts

Security jobs in demand

“An Average Day in an Average Enterprise” (Source: Check Point Security Report 2014)

Page 16: Pivotal Role of HR in Cybersecurity


Users are impacted more and more. Awareness increases and security issues are recognized as a serious problem

Organizations feel the pain in losses, negative press, interruption, leadership, & competitiveness

Demands for more security staff, better designed products, savvy employees, advanced security systems, and more regulation to protect assets, usability, privacy, and availability

Effects of Impacts

Expectations around security rise, driving change

Source: www.informationisbeautiful.net

Page 17: Pivotal Role of HR in Cybersecurity

Defenses Respond


Comprehensive

Security as a continuous cycle

Defense-In-Depth process

Technology and Behaviors

Obstacles and Opposition

Seeking Optimal Risk

Risk management planning

Perceptions by executives

Balancing the triple constraints of Cost, Risk, and Usability

Meeting users’ shifting demands

Explicit Regulations

Increase in number and specificity, covering more segments and usages

Raises the bar, but not a guarantee of security

Can be impediments to growth

Page 18: Pivotal Role of HR in Cybersecurity

Good Practices will Emerge…


Smarter vs More

Collaboration across security functions improving effectiveness

Better IT choices & enablement

Measurably balancing the triple constraints of risk, cost, & usability

Expectations Drive Change

Society’s expectations shift with pain, impact, and inconvenience

Trust will be valued, demanded

Better security, privacy, and more control (even if it is not used)

Improved controls

Innovation intersecting emerging attacks to keep pace with attackers

Integration across solutions vs point products

Intelligence, analysis, and action

Page 19: Pivotal Role of HR in Cybersecurity

How Cybersecurity will Evolve


Verge of rapid changes, will get worse before it gets better

Threat landscape becomes more professional, organized, and funded

Technology ecosystem grows rapidly, creating new attack surfaces

Value of security rises in the eyes of the public, government, and commercial sectors

Attackers will outpace defenders in the short term, until fundamental changes take place

Defenses will evolve to be smarter, with optimal and sustainable security as the goal

Page 20: Pivotal Role of HR in Cybersecurity

We manage security through either leadership or crisis.

In the absence of leadership, we are left with crisis.


Page 21: Pivotal Role of HR in Cybersecurity

HR Leadership is a Key Resource

HR plays a role in organizations’ ability to Predict, Prevent, Detect, and Respond to cybersecurity threats

55% of organizations do not include security in employee performance evaluations (1)

53% of organizations say a lack of skilled resources is one of the main problems for information security (1)

HR expertise around people and personnel practices can ease many challenges

(1) EY’s Global Information Security Survey 2014

Page 22: Pivotal Role of HR in Cybersecurity

HR Issues and Challenges

HR must consider a number of issues across several domains

HR can be a strong advocate for security or an apathetic bystander

Lead wisely…

Human Resources

Hiring Practices

Disgruntled Employees

Cybersecurity Hiring

Protecting HR data

Regulatory Compliance

Employee Security Education

Page 23: Pivotal Role of HR in Cybersecurity

Cybersecurity Considerations for Human Resources


Hiring Practices

Properly vetting new employees is the front line prevention against insiders

Consider additional scrutiny for sensitive roles

Minimize access to the business need, including when workers shift roles

Compartmentalize data and access based upon roles

Ensure coverage and peer oversight

Page 24: Pivotal Role of HR in Cybersecurity

Cybersecurity Considerations for Human Resources


Disgruntled Employees

Support open-door and online anonymous reporting as outlets to resolution, relieving pressure

Reinforce peer reporting of mounting issues, and detecting use of technology to vent

Configure cybersecurity tools and teams to look inward as well as outward for suspicious activity

Include cyber controls as part of disgruntled-employee (DE) response plans; an effective LDO is a must

Page 25: Pivotal Role of HR in Cybersecurity

Cybersecurity Considerations for Human Resources


Employee Security Education

Policies define the accepted level of risk and regulatory compliance

Training of employees is needed annually, at a minimum

Awareness of risks, smart practices, and a healthy dose of paranoia of electronic communication (web, email, text, etc.)

Continuous updates to workers of cyber issues and threats

Reinforce a culture to report issues

Page 26: Pivotal Role of HR in Cybersecurity

Cybersecurity Considerations for Human Resources


Regulatory Compliance (1)

Involve Legal to review gathering and storage practices for hiring data

Geographic regulations differ for employee data security

Privacy controls must extend to employees, vendors, customers and partners

Be prepared for electronic discovery

Understand when data breach notices are required

Be aware of geo limitations for hiring questions and background checks

Transparency in public privacy policy

(1) I am not a lawyer, nor am I providing legal advice. These are considerations to evaluate and not all inclusive. Seek professional legal advice.

Page 27: Pivotal Role of HR in Cybersecurity

Cybersecurity Considerations for Human Resources


Protecting HR data

Security controls must exist across internal and outsource vendors

Prioritize confidentiality as primary, with integrity and availability as secondary

Beware of sharing data with 3rd-party partners: you inherit their security, or lack of it

Apply good security practices: data-classification, encryption, backups, audits, retention, access control, etc.

Page 28: Pivotal Role of HR in Cybersecurity

Cybersecurity Considerations for Human Resources


Cybersecurity Resource Hiring

The cybersecurity pool is nearly empty, senior leadership especially

Retention of quality is tough, expect aggressive headhunting

Next generation being trained, but will lack timely knowledge and experience

Skills are inconsistent across hires; be specific about what you want

Practicality of experience varies greatly

Be patient to find a good candidate, but move fast when you find one!

Page 29: Pivotal Role of HR in Cybersecurity

We manage security through either leadership or crisis.

In the absence of leadership, we are left with crisis.

Leadership is key in organizing resources to achieve and maintain an optimal level of security value

Page 30: Pivotal Role of HR in Cybersecurity

Recommendations for HR


Maintain good hiring practices to vet new employees

Consider more intense scrutiny for sensitive roles

Ensure proper security policies are established and continually trained to reinforce good cyber behaviors

Include HR involvement in a strong cyber response plan (including LDO)

Be aware of confidentiality risks for HR data, privacy, and regulatory compliance

Expect challenges when hiring or retaining cybersecurity professionals

Page 31: Pivotal Role of HR in Cybersecurity

Question and Answer Discussion



Page 33: Pivotal Role of HR in Cybersecurity

Security Industry Data and Sources


• 3.6B people by 2020. Source: ITU International Telecommunications Union
• 6.6B mobile cellular subscriptions in 2013. Source: WorldBank.org
• Growth of devices chart. Source: BI Intelligence
• 50B ‘things’ connected by 2020. Source: Cisco
• 35% will be M2M connections. Source: Cisco
• More Data growth estimate graphic. Source: IDC
• 13x increase of mobile data 2012-17. Source: Cisco
• 3x data increase by 2018. Source: Cisco
• 30GB per person/mo. (2x 2013). Source: Cisco
• 18% CAGR of Business traffic. Source: Cisco
• $14.4 trillion Internet of Things value by 2022. Source: Cisco
• Theoretical network connections table. Source: Cisco
• 4x DC traffic by 2018, 31% CAGR. Source: Cisco
• 13,300 trillion connections by 2020. Source: Cisco
• 70% of organizations claim they do not have enough IT security staff. Source: Ponemon Institute report, Understaffed and at Risk
• 58% of senior staff positions and 36% of staff positions went unfilled in 2013. Source: Ponemon Institute report, Understaffed and at Risk
• 15% of vulnerabilities exploited. Source: University of Maryland
• Average Day in an Average Enterprise stopwatch. Source: Check Point Security Report 2014
• New malware at 4 per second. Source: McAfee
• 1M+ victims/day (12/second). Source: McAfee
• $3T impact to the tech market. Source: World Economic Forum 2014, Risk and Responsibility in a Hyperconnected World
• 20%-30% of IT budgets. Sources: McKinsey report (20-30%), Forrester 21%, SANS 11%-25%
• 49% (annual malware growth rate), 200M+ total malware samples, 240 per minute, 4 per second. Source: McAfee Threat Report Q1 2014
• 50% of online adults victims of cybercrime or negative situations. Source: Symantec
• 93% of organizations suffering data loss. Source: UK Government BIS survey 2013
• $71B worldwide IT security spending in 2014, 7.9% increase. Source: Gartner
• 97% of organizations compromised by an attacker bypassing all defenses. Source: FireEye and Mandiant report, Cybersecurity’s Maginot Line
• 552M total identities exposed in 2013, 493% increase. Source: Symantec
• Data Breach bubble graph. Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/