Critical infrastructure security, cybercrime, and getting your board of directors to understand information security were among the many topics discussed at the RSA Conference 2013 in San Francisco February 25-March 1.
A Special Forum on Cyber Security, exploring the importance of securing our nation’s critical infrastructure, was part of this year’s conference. The session speakers — former Secretary of Homeland Security Michael Chertoff (now chairman of the Chertoff Group) and Michael Daniel, special assistant to the president and cyber security coordinator for the White House — parsed the recent Presidential Executive Order on Improving Critical Infrastructure Cybersecurity. As we reported last month after it was issued, President Barack Obama’s executive order calls for the government and the private sector to collaborate on a cyber security framework.
Chertoff encouraged more discussion between the public and private sector about cyber security:
This is an overdue discussion. A cyberattack that resulted in another 9/11 that resulted in a loss of lives would be treated in the same way 9/11 was treated and call for a similar response. We need to bring this into a public discourse. We understand the difficulty of translating physical rules into cyberspace. But avoiding hard problems is not the way to deal with the problem.
Meanwhile, the so-called Industrial Control System (ICS) Sandbox, based in Montreal, aims to simulate real-world effects of attacks on critical infrastructure to help power plants and other operators better lock down their environments.
RSA Conference shines a spotlight on cyber crime
When it comes to cyber crime, in his March 1 RSA Conference keynote, FBI Director Robert Mueller advised attendees to remember that “behind every intrusion there is an individual – not a computer, but a criminal – responsible for that intrusion.”
Recent surveys shed some disturbing light on just where cybercrime originates. For example, the Ponemon Institute study “The Risk of Insider Fraud,” released during the RSA Conference, revealed that on average it takes a company 87 days to first recognize that insider fraud has occurred, and more than three months (105 days) to get at the root cause of the fraud. The study, based on a survey of more than 700 professionals at global organizations, found that 73 percent of respondents reported that employee malfeasance has caused financial loss and possibly brand damage. In addition, 81 percent of respondents said they had already had an employee use someone else’s credentials to gain elevated rights or to bypass separation-of-duty controls.
At RSA Conference, CISOs reveal their tips for talking to your board of directors
Experts agree that information security is something that has to be handled on an enterprise-wide basis, from the board of directors through the ranks to every single employee. But how does a CISO get the board to pay attention to security?
Information security leaders from Fidelity, Liberty Mutual, and Manulife Financial shared their experiences and best practices for presenting to your board of directors during a session at the RSA Conference. The overarching message? Get yourself out in front of the board of directors before you’re called to stand before it.
“If you wait until you’re summoned, you’re behind the eight ball already,” said Chauncey Holden, chief information security officer at Fidelity. Oswin Deally, senior director for enterprise information security operations at Liberty Mutual, noted that if you’re called before your board because something security-related has caught their attention, they’ll have already formed their opinions about it. Instead, he said, “You want to be able to help form that opinion.”
John Schramm, VP and chief information risk officer for Manulife Financial, added that taking a proactive approach to educating your board members about security is key throughout the year, not only for quarterly meetings.
About the Author
Susan Nunziata is Director of Editorial, EnterpriseEfficiency.com, a UBM Tech community.