Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10...
Transcript of Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10...
![Page 1: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/1.jpg)
PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT
OCT. 14, 2015 JOHN W. LINK & JO LEE LOVELAND
LINK
1
Out Thinking The Barbarians:
The Agile Cybersecurity Action Plan (ACAP)
![Page 2: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/2.jpg)
2
John W. Link & Jo Lee Loveland Link of VOLVOX Inc. WE DO THE “HUMAN STUFF” OF IT :
ORGANIZATION DYNAMICS, STRATEGY AND STRATEGIC COMMUNICATIONS
FOR GOVERNMENT, CORPORATIONS AND NON-PROFITS
Jo Lee - Visiting Scientist CMU/SEI - CMMI, Risk Management, Managing Technology Change at NRO, Warner-Robins AFB, other agencies. Master of Applied Behavior Science, Organizational Systems Dynamics
John - Army Chief of Staff for Installation Management (OACSIM) CIO - FEMA/CSEPP, DOJ, others. Master Conflict Analysis and Resolution, Organization Change Management, Enterprise Integration
Both – Members, Senior Governance Team, DOD OSD CIO/NII Horizontal Fusion Portfolio Initiative, Johnson & Johnson Information Management Global Strategic Communications , others
Co-designers - CHAOS, Inc. ™, original experiential learning laboratory
![Page 3: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/3.jpg)
Agenda 3
Introduction Problem Definition: The Clash of Cultures What the Hell is an ACAP? The ACAP Process: Fresh Thinking ACAP: Success Factors How ACAP Transforms Cybersecurity Culture Advantages of the ACAP Approach Next Steps for ACAP
![Page 4: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/4.jpg)
4
How Cybersecurity Sees Itself
![Page 5: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/5.jpg)
5
How Cybersecurity Actually Is –Cyber-barbarians inside the Gates
![Page 6: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/6.jpg)
The Cybersecurity Problem: Clash of Cultures
6
Cyber Adversaries: Inherent Advantages: Cyber Offense can bat .001 /Cyber Defense must bat 1.000 Cheaper with Great ROI All against One: Multiple cultures and approaches Creative and Adaptive Share Information Criminal, Ideological and often Immoral
Our Cyber Defense: Inherent Disadvantages: “Compliance Culture” and Structural Factors Rigid hierarchies of decision making Compliance to National Standards known to our enemies Requires more rigid, button up folks to be clearable Users are people, people are idiots -fishing works Agile Methods still novel in conventional It
![Page 7: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/7.jpg)
Inherent Tensions in Cybersecurity Culture 7
Technical vs. human priority struggles Information secrecy vs. information sharing Adaptive vs. compliance Detail vs. speed Big picture vs. technical details The uncomfortable secret: Cybersecurity safeguards
will likely not be 100% -- how to decide the core essentials to protect?
![Page 8: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/8.jpg)
What the Hell is an ACAP? 8
Stands for Agile Cybersecurity Action Plan Facilitated multi-step process of an ACAP Strategy
Team Iterated in 1-6 month cycles Critical Activity: Threat and Risk Matrix Assess/ revise iteratively Cybersecurity infrastructure:
Technology, Processes, Staffing and Policy Active outreach: Users/ stakeholders/ community Primary ACAP Goal: Create Adaptive Cybersecurity
Strategy Collateral ACAP Goal: Create more Adaptive
Cybersecurity Culture
![Page 9: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/9.jpg)
ACAP Process: Fresh Thinking 9
1. Create (and continuously update) Threat/Risk Profile
2. Assessment #1: Current Cybersecurity Architecture and Enterprise Architecture
3. Assessment #2: Cybersecurity Infrastructure (based on Threat/Risk Profile): Technology, Monitoring Processes, Response Plans, Staff Capacity and Cybersecurity Policies
4. Anticipate what could go wrong, and fix it before it does
5. Launch integrated ACAP Action Plan
![Page 10: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/10.jpg)
Simplified ACAP Cycle 10
Strategy Alignment Performance Parameters
Develop Threat/Risk Profile
Assess: 1) Technology
2) Process 3) Staff
4) Cybersecurity Policy
Develop Action Plan To Update &
Improve 1) Technology
2) Process 3) Staff
4) Cybersecurity Policy
Implement Changes,
Improvements and Upgrades
![Page 11: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/11.jpg)
ACAP Process Chart 11
![Page 12: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/12.jpg)
ACAP Success Factors 12
1. Rapid Execution and Agile Process 2. Senior Leaders Sponsorship and Active Participation 3. Multi-level Participation on ACAP Strategy Team 4. Professionally Facilitated Process 5. Use of Subgroups 6. Culture Transformation 7. Action Planning and Implementations 8. Use of Subject Matter Experts (SMEs) with ACAP Strategy Team:
Master Strategy Team Facilitator Organizational Change Management Expert Threat/Risk Management Planning Specialist Penetration Testers/ External White Hat Hackers Attorney-Advisors
![Page 13: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/13.jpg)
How ACAP Transforms Cybersecurity Culture 13
Organizational Culture = People’s default beliefs about their organization (usually
unexpressed) and behaviors • Beliefs drive assumptions • Assumptions drive decisions • Decisions drive direction • Direction drives behaviors • Behaviors drive actions (planning, processes, rewards, etc.)
![Page 14: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/14.jpg)
Changing Cybersecurity Culture 14
Compliance Culture -Reports/shelfware -Annual -Adheres to Hierarchy -Requirements Driven -Budget Cycle -Framework Driven -SOP -Reacts
Adaptive Culture -Action -Iterative quick cycles -Collaborative Team -Agile -Need Driven -Threat /Risk Driven -Creative -Anticipates
![Page 15: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/15.jpg)
Advantages of the ACAP Approach 15
1. Enhanced Rapid Decision Making: Both Speed and Quality
2. Focus on getting it done – quickness 3. Supports smart Cyber Technology Portfolio
Management 4. Greater Coordination between Technology, Policy, and
Budget 5. Agile Speed and Iteration: Try, Test, and Revise 6. Levels the Playing Field of Ideas through Facilitated
Dialogue 7. Increases the Likelihood That Undiscovered Breaches
will be Discovered and Remediated 8. Creates ongoing System and Organizational Learning 9. Builds Organizational Resilience
![Page 16: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/16.jpg)
Next Steps for ACAP 16
AS YOU SUSPECTED ….ACAP IS CONCEPT SPACE
We are looking for: Agencies, Non-Profits, or Corporations to pilot ACAP Academic partners to collaborate in building pilots and researching outcomes Together we create foundation for ACAP capacity-building The community continues further improvements to the ACAP process Looking ahead: Congress should consider an ACAP as a due diligence for acquisition purposes to expedite Cybersecurity resource pipeline
![Page 17: Out Thinking The Barbarians - Volvox Inc.volvoxinc.com › wp-content › uploads › 2015 › 10 › OutThinkingBarbari… · PRESENTATION TO THE ICF INTERNATIONAL CYBERSCI SUMMIT](https://reader036.fdocuments.net/reader036/viewer/2022070816/5f0f5be07e708231d443c43e/html5/thumbnails/17.jpg)
JOHN W. LINK AND JO LEE LOVELAND LINK
WWW. VOLVOXINC.COM 540-465-1491
17
Thank you! Questions?