Pivotal Role of HR in Cybersecurity
Strategic Leadership for Managing Evolving Cybersecurity Risks – HR’s Pivotal Role
CHO Event, November 13th 2014, Phoenix AZ
Matthew Rosenquist, Cybersecurity Strategist, Intel Corp
Biography
2
Matthew Rosenquist, Cybersecurity Strategist, Intel Security Group
Matthew benefits from 20 years in the field of security, specializing in strategy, threats, operations, crisis management, measuring value, communicating industry changes, and developing cost effective capabilities which deliver the optimal level of security. As a cybersecurity strategist, he works to understand and communicate the future of security and drive industry collaboration to tackle challenges and uncover opportunities to significantly improve global computing security.
Mr. Rosenquist built and managed Intel’s first global 24x7 Security Operations Center, oversaw internal platform security products and services, was the first Incident Commander for Intel’s worldwide IT emergency response team, and managed security for Intel’s multi-billion dollar worldwide mergers and acquisitions activities. He has conducted investigations, defended corporate assets, established policies, developed strategies to protect Intel’s global manufacturing, and owned the security playbook for the PC strategic planning group. Most recently, Matthew worked to identify the synergies of Intel and McAfee as part of the creation of the Intel Security Group, one of the largest security product organizations in the world.
Twitter: @Matt_Rosenquist | LinkedIn | Blogs: Intel IT Peer Network
Technology connects and enriches the lives of every person on earth
Security is critical to protect computing technology from threats which undermine the health of the industry
“...If security breaks down, technology breaks down”
Brian Krebs, Noted Cybersecurity Reporter
Human Behaviors Play a Key Role in Cybersecurity
5
Security is comprised of both Technology and People
Human Resources can support or undermine security
Intertwined and Inseparable
We manage security through either leadership or crisis.
In the absence of leadership, we are left with crisis.
“Cybersecurity may be fought with technology, but it is people who triumph. We must invest in the future generations of professionals who will carry on the fight”
7
Peering into the future of cybersecurity
Unpleasant Cybersecurity Trends
8
49%: Annual malware growth rate, 200M+ total malware samples
93%: Organizations suffering data loss
50%: Online adults victims of cybercrime or negative situations
$71B: Worldwide IT security spending in 2014, 7.9% increase
97%: Organizations compromised by attacker bypassing all defenses
552M: Total identities exposed in 2013, 493% increase
31 million: New 3-month record
Chain Reactions Drive Cybersecurity Evolution…
9
Technology-Landscape Environmental changes
Graphic
10
More Users
~4B internet users by 2020
6.6B mobile cellular accts 2013
New users are less savvy, more likely to share sensitive data
Easier to manipulate & victimize
More Devices
50B ‘things’ connected by 2020
35% will be M2M connections
Proliferation of sensor data
New architecture vulnerabilities
More Usages
New services, applications, social ecosystems, and infrastructures
New data types, aggregation
Risky behaviors, untested tech, and unforeseen consequences
Technology-Landscape Environmental changes
11
More Data
13x increase of mobile data 2012-17
3x data increase by 2018
30GB per person/mo. (2x 2013)
18% CAGR of Business traffic
Cheaper to store data vs delete
Greater Value
$14T Internet of Things value, 2022
$90T value of the networked economy by end of next decade
Enterprises responsible 85% data
Controlling financial, defense & critical infrastructure
Evolving IT Infrastructures
M2M, Software Defined Infrastructures (SDDC, SDN, Virtualization), cloud
4x DC traffic by 2018, 31% CAGR
13,300 trillion connections by 2020
Internet of Things M2M networks will grow fastest
ITU International Telecommunications Union
12
A growing target-rich environment of more users, data, and devices
Motivation for attacks rise as information and systems increase in value
New technology adoption, infrastructures, and usages creates a larger attack surface
Easy Users/Devices/Data Target Graphic
Effects of Technology-Landscape changes
More attractive targets emerge as opportunities for attacks
Threat Evolution
13
Security talent pool shrinks
70% orgs are understaffed
58% senior and 36% staff level positions went unfilled in 2013
High leadership turnover
Threats Accelerate
Professionals emerge: educated, organized, funded, and capable
Resources & community thrives
Success reinforces investment and attracts new attackers
Threat Agents Evolve
Rise of government surveillance, cyberwarfare, information control
Social, political attacks, outsourcing
Motivations shift from personal gains to aspirations of control
14
Attackers’ capabilities increase with investments, experience, and professional threat agents
Successes boost confidence, raise the lure for more attacks, and embolden attackers to expand scope
Defenders struggle with a growing attack surface, challenging effectiveness models, lack of talent, and insufficient resources
Effects of the Threat Evolution
Threats advance, outpacing defenders
The Race to Evolve is On!
Impacts and Effects
15
Speed of Attacks
Increased pace: vulnerability to exploit to compromise
New malware at 4 per second
1M+ victims/day (12/second)
Collective impact
$3T impact to the tech market
20%-30% of IT budgets
Privacy, personal finance
Emerging Life-Safety risks
Stress and Fear
Outages, downtime, reporting
Data breaches, reputation, IP
Job loss, brand, competition, downsizing, and other major impacts
Security jobs in demand
An Average Day in an Average Enterprise
16
Users are impacted more and more. Awareness increases and security issues are recognized as a serious problem
Organizations feel the pain in losses, negative press, interruption, leadership, & competitiveness
Demands for more security staff, better designed products, savvy employees, advanced security systems, and more regulation to protect assets, usability, privacy, and availability
Effects of Impacts
Expectations around security rise, driving change
www.informationisbeautiful.net
Defenses Respond
Graphic
17
Comprehensive
Security as a continuous cycle
Defense-In-Depth process
Technology and Behaviors
Obstacles and Opposition
Seeking Optimal Risk
Risk management planning
Perceptions by executives
Balancing the triple constraints of Cost, Risk, and Usability
Meeting users shifting demands
17
Explicit Regulations
Increase in number and specificity, covering more segments and usages
Raises the bar, but not a guarantee of security
Can be impediments to growth
Good Practices will Emerge…
18
Smarter vs More
Collaboration across security functions improving effectiveness
Better IT choices & enablement
Measurably balancing the triple constraints of risk, cost, & usability
Expectations Drive Change
Society’s expectations shift with pain, impact, and inconvenience
Trust will be valued, demanded
Better security, privacy, and more control (even if it is not used)
Improved controls
Innovation intersecting emerging attacks to keep pace with attackers
Integration across solutions vs point products
Intelligence, analysis, and action
How Cybersecurity will Evolve
19
Verge of rapid changes, will get worse before it gets better
Threat landscape becomes more professional, organized, and funded
Technology ecosystem grows rapidly, creating new attack surfaces
Value of security rises in the eyes of the public, government, and commercial sectors
Attackers will outpace defenders in the short term, until fundamental changes take place
Defenses will evolve to be smarter, with optimal and sustainable security as the goal
We manage security through either leadership or crisis.
In the absence of leadership, we are left with crisis.
HR Leadership is a Key Resource
21
HR plays a role in an organization’s ability to Predict, Prevent, Detect, and Respond to cybersecurity threats
55% of organizations do not include security in employee performance evaluations (1)
53% of organizations say a lack of skilled resources is one of the main problems for information security (1)
HR expertise around people and personnel practices can ease many challenges
(1) EY’s Global Information Security Survey 2014
HR Issues and Challenges
22
HR must consider a number of issues across several domains
HR can be a strong advocate for security or an apathetic bystander
Lead wisely…
Human Resources
Hiring Practices
Disgruntled Employees
Cybersec Hiring
Protecting HR data
Regulatory Compliance
Employee Security Education
Cybersecurity Considerations for Human Resources
23
Hiring Practices
Properly vetting new employees is the front line prevention against insiders
Consider additional scrutiny for sensitive roles
Minimize access to the business need, including when workers shift roles
Compartmentalize data and access based upon roles
Ensure coverage and peer oversight
Cybersecurity Considerations for Human Resources
24
Disgruntled Employees
Support open-door and online anonymous reporting as outlets to resolution, relieving pressure
Reinforce peer reporting of mounting issues, and detecting use of technology to vent
Configure cybersecurity tools and teams to look inward as well as outward for suspicious activity
Include cyber controls as part of DE response plans; effective LDO is a must
Cybersecurity Considerations for Human Resources
25
Employee Security Education
Policies define the accepted level of risk and regulatory compliance
Annual, at a minimum, training of employees is needed
Awareness of risks, smart practices, and a healthy dose of paranoia of electronic communication (web, email, text, etc.)
Continuous updates to workers of cyber issues and threats
Reinforce a culture to report issues
Cybersecurity Considerations for Human Resources
26
Regulatory Compliance (1)
Involve Legal to review gathering and storage practices for hiring data
Geographic regulations differ for employee data security
Privacy controls must extend to employees, vendors, customers and partners
Be prepared for electronic discovery
Understand when data breach notices are required
Be aware of geo limitations for hiring questions and background checks
Transparency in public privacy policy
(1) I am not a lawyer, nor am I providing legal advice. These are considerations to evaluate and not all inclusive. Seek professional legal advice.
Cybersecurity Considerations for Human Resources
27
Protecting HR data
Security controls must exist across internal and outsource vendors
Prioritize confidentiality as primary, with integrity and availability as secondary
Beware sharing data with 3rd party partners. You inherit their security, or lack of it
Apply good security practices: data-classification, encryption, backups, audits, retention, access control, etc.
Cybersecurity Considerations for Human Resources
28
Cybersecurity Resource Hiring
The cybersecurity pool is nearly empty, senior leadership especially
Retention of quality is tough, expect aggressive headhunting
Next generation being trained, but will lack timely knowledge and experience
Skills are inconsistent across hires. Be specific about what you want
Practicality of experience varies greatly
Be patient to find a good candidate, but move fast when you find one!
We manage security through either leadership or crisis.
In the absence of leadership, we are left with crisis.
Leadership is key in organizing resources to achieve and maintain an optimal level of security value
Recommendations for HR
30
Maintain good hiring practices to vet new employees
Consider more intense scrutiny for sensitive roles
Ensure proper security policies are established and continually trained to reinforce good cyber behaviors
Include HR involvement in a strong cyber response plan (including LDO)
Be aware of confidentiality risks for HR data, privacy, and regulatory compliance
Expect challenges when hiring or retaining cybersecurity professionals
Question and Answer Discussion
31
32
Security Industry Data and Sources
33
• 3.6B people by 2020. Source: ITU International Telecommunications Union
• 6.6B mobile cellular subscriptions in 2013. Source: WorldBank.org
• Growth of devices chart. Source: BI Intelligence
• 50B ‘things’ connected by 2020. Source: Cisco
• 35% will be M2M connections. Source: Cisco
• More Data growth estimate graphic. Source: IDC
• 13x increase of mobile data 2012-17. Source: Cisco
• 3x data increase by 2018. Source: Cisco
• 30GB per person/mo. (2x 2013). Source: Cisco
• 18% CAGR of Business traffic. Source: Cisco
• $14.4 trillion dollars by 2022, Internet of Things value. Source: Cisco
• Theoretical network connections table. Source: Cisco
• 4x DC traffic by 2018, 31% CAGR. Source: Cisco
• 13,300 trillion connections by 2020. Source: Cisco
• 70% of organizations claim they do not have enough IT security staff. Source: Ponemon Institute report: Understaffed and at Risk
• 58% of senior staff positions and 36% of staff positions went unfilled in 2013. Source: Ponemon Institute report: Understaffed and at Risk
• 15% of vulnerabilities exploited. Source: University of Maryland
• Average Day in an Average Enterprise stopwatch. Source: Check Point Security Report 2014
• New malware at 4 per second. Source: McAfee
• 1M+ victims/day (12/second). Source: McAfee
• $3T impact to the tech market. Source: World Economic Forum 2014, Risk and Responsibility in a Hyperconnected World
• 20%-30% of IT budgets. Sources: McKinsey report (20-30%), Forrester 21%, SANS 11%-25%
• 49%, 200M+ total malware samples, 240 per minute, 4 per second. Source: McAfee Threat Report Q1 2014
• 50% Online adults victims of cybercrime or negative situations. Source: Symantec
• 93% Organizations suffering data loss. Source: UK Government BIS survey 2013
• $71B Worldwide IT security spending in 2014, 7.9% increase. Source: Gartner
• 97% Organizations compromised by attacker bypassing all defenses. Source: FireEye and Mandiant report Cybersecurity’s Maginot Line
• 552M Total identities exposed in 2013, 493% increase. Source: Symantec
• Data Breach bubble graph. Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/