© HIMSS 2015
Data Security Officers: Addressing Risks and
Avoiding Crisis from the Trenches
April 13, 2015
DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.
Conflicts of Interest
Gerry Hinkley, Jody Westby and Jim Wieland have no real or apparent conflicts of interest to report.
2 | Data Security Officers: Addressing Risks and Avoiding Crisis from the Trenches
Learning Objectives
• Understand how to identify and manage cyber risks
• Appreciate the nuances of open source software and issues that arise in open source licensing
• Understand why outsourcing security makes sense for organizations
Panelists
Jim Wieland Jody Westby Gerry Hinkley
Identifying, Quantifying, and Managing Cyber Risks
Approaching Cyber Risk Management
• Know your assets – have inventories with ownership and risk categorization
• Keep up with the rapid pace of technological change and the threat environment
• Understand operational use of IT and data
• Take into consideration supply chain linkages and relationships with business partners and vendors
• Factor in legal requirements across multiple jurisdictions
• Create a secure system architecture and deploy technical tools & services
• Implement a security program based on best practices and standards
• Conduct an assessment to establish a baseline for cyber risk management
• Identify threats material to operations and the bottom line
Critical Questions for Cyber Risk Management
• Does your organization have an enterprise security program that meets best practices and standards?
• Do you know where there are gaps & deficiencies and the priority that should be assigned to remediation measures?
• What would be the financial consequences of a significant breach or cyber event?
• Are you prepared to manage a major event?
• What types of insurance does the organization need, what limits, and at what price?
Combining Cyber Assessments & Risk Valuations
IT Environment → IT Risks → Business Impact → Risk Management
Risk Management = Identified Cyber Risks + Financial Impact
Quantifying Cyber Risks
• First Party Losses
  • Forensic/investigative costs
  • Legal and PR fees
  • Theft of money/property
  • Business interruption
  • Extra operating expenses
  • Loss of goodwill/reputation/market cap
• Most critical risks are those that affect customers and shareholders
• Lost revenue/profit are precursors of reputational damage and market cap loss
• The trick is to identify revenue streams that are heavily reliant on data and information flow
Exposure Valuation
• Assume a cessation of revenue for a reasonably long period of time, e.g., days or weeks, not hours
• Can any operational costs be saved in the event of disruption?
• Are mitigation strategies in effect, and to what extent can the disruption period be reduced?
• What is the cost of mitigation in relation to the potential exposure?
Insurance Considerations
• Cyber exposures to business interruption loss may not be insured under current first-party property and crime policies
• Data losses may not be a property loss
• Some cyber policies limit “business interruption” recovery to mitigation expenses, i.e., do not include lost profits
• SEC Disclosure Guidance requires a “description of relevant insurance coverage”
Other Compensating Controls
• Third party services to help detect and prevent sophisticated attacks
• Technical tools
• Policies and procedures
• Cross-organizational security team
• Governance by board and senior management
• Training: Awareness, Threat Specific, Job Specific
• Software code reviews, static and dynamic analysis of web applications
• Continuous vulnerability monitoring
• Involvement in outside organizations, threat feeds
Evaluating Open Source Software Licenses
The Open Source License Basics
• Open source software is provided under a license agreement that makes the source code available and that allows the licensee to modify and distribute the software.
• Open source software source code is subject to copyright and the license agreement is a legally enforceable contract:
• Depending on the licensor, copyright restrictions are generally loosened or eliminated;
• Failure to comply with the license agreement can result in loss of the right to use the software.
• Open source compared to other types of software licenses:
• May have common elements with proprietary software licenses;
• Distinction from Free Software a/k/a Free and Open Source Software (“FOSS”) is subject to debate among advocates, but “free” refers to the level of restrictions in the license agreement, not to the cost. It is as much a philosophy as a legal distinction;
• Software in the public domain is not subject to any restrictions or reservations of rights in the source; there is no license agreement.
Open Source License Terms
• There are significant variations among open source software licenses; there are two general categories with important differences.
• “Copyleft” licenses require that any distributed modified versions of the source code be licensed under the same terms as the original license.
• In other words, modifications or improvements that are distributed must also be made available under the same terms; the developer keeps copyright in them but cannot license the modified work under more restrictive or proprietary terms.
• “Permissive” or “Non-Copyleft” licenses permit distribution under different licensing terms.
• In other words, intellectual property rights in modifications or improvements may be retained, even in proprietary form.
• If open source software is licensed for distribution, it is vital that the intellectual property terms of downstream licenses be identified early on, before development process is undertaken.
Open Source Software Issues
• Open source software is typically licensed without warranties, licensor support or maintenance programs.
• Support services are available through separate agreements:
• You get what you pay for; generally a suite of services comparable to what the licensor of proprietary software would offer;
• For open source software in wide use, companies that market the software, i.e., are involved in its ongoing development and distribution, may be in the best position to support it;
• Consider lag time, that is, new versions of open source software may be released before support is available;
• Warranties and liability protection may be available.
• Security issues:
• Does access to the source code provide an opportunity for attackers?
• Does the vigilance of a community of users ensure that back doors or other security flaws will be detected and fixed?
Open Source Software Issues
• Heartbleed: a painful open source software security lesson:
• A missing bounds check in OpenSSL's TLS heartbeat extension let a remote peer read up to 64 KB of server process memory per request, exposing private keys, session cookies, passwords and whatever other sensitive data happened to be in memory;
• Affected a large share of TLS-enabled servers and the users who connected to them;
• A basic error that went undetected in development and by the user community for about two years (introduced in OpenSSL 1.0.1 in 2012, disclosed in April 2014).
• Open Source Software as a Service:
• Lack of access to source code vs. pay for what you use.
• Developer commitment to the open source product.
• Open Source Software in the health care context:
• Is development consistent with evolving regulatory security requirements?
• Open source encryption.
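As an added example (not from the presentation and not OpenSSL's own code), the shape of the Heartbleed defect in C: a heartbeat handler that trusts the peer-supplied payload length beside one that checks it against the bytes actually received. The record bytes and the adjacent "SECRET-KEY" are constructed sample data placed in one array so the demonstration has no undefined behaviour; in the real bug the over-read returned whatever happened to be on the server's heap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   byte 0     : type (1 = request, 2 = response)
 *   bytes 1..2 : payload_length, big-endian, chosen by the peer
 *   payload    : payload_length bytes
 *   padding    : at least 16 bytes
 * The record layer tells the handler how many bytes really arrived (rec_len). */
#define HB_REQUEST 1
#define HB_MIN_PAD 16
#define HB_HDR_LEN 3

/* Constructed sample: a 23-byte request (header, 4-byte payload "ping",
 * 16 bytes padding) whose header lies about its payload length, followed by
 * unrelated process memory holding a secret. */
static const uint8_t process_memory[] = {
    HB_REQUEST, 0x00, 0x1E,                         /* claims payload_length = 30 */
    'p', 'i', 'n', 'g',                             /* the 4 bytes actually sent */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 16 bytes padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y' /* adjacent memory, not part of the record */
};
#define RECORD_LEN 23u /* bytes that actually arrived on the wire */
static const char secret[] = "SECRET-KEY";

/* Vulnerable handler (the shape of the OpenSSL 1.0.1 through 1.0.1f bug):
 * echoes payload_length bytes without checking that the record is that long.
 * Returns the number of bytes placed in out. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN || rec[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > out_cap) return 0;          /* only the destination is bounded */
    memcpy(out, rec + HB_HDR_LEN, payload_len);   /* reads past the end of the record */
    return payload_len;
}

/* Fixed handler (the check added in OpenSSL 1.0.1g): the claimed payload plus
 * the mandatory padding must fit inside the bytes that actually arrived,
 * otherwise the message is silently discarded. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN || rec[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR_LEN + payload_len + HB_MIN_PAD > rec_len) return 0; /* the missing check */
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + HB_HDR_LEN, payload_len);
    return payload_len;
}

/* Bytes the vulnerable handler echoes for the lying request. */
size_t vulnerable_response_len(void)
{
    uint8_t out[64];
    return heartbeat_vulnerable(process_memory, RECORD_LEN, out, sizeof out);
}

/* 1 if the vulnerable handler's response carries the adjacent secret. */
int vulnerable_leaks_secret(void)
{
    uint8_t out[64];
    size_t n = heartbeat_vulnerable(process_memory, RECORD_LEN, out, sizeof out);
    return n >= 30 && memcmp(out + 20, secret, 10) == 0;
}

/* Bytes the fixed handler echoes for the same lying request. */
size_t fixed_response_len(void)
{
    uint8_t out[64];
    return heartbeat_fixed(process_memory, RECORD_LEN, out, sizeof out);
}

/* An honest request (payload_length = 4) is still served by the fixed handler. */
size_t fixed_honest_response_len(void)
{
    uint8_t honest[RECORD_LEN];
    uint8_t out[64];
    memcpy(honest, process_memory, RECORD_LEN);
    honest[1] = 0x00;
    honest[2] = 0x04;
    return heartbeat_fixed(honest, RECORD_LEN, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler echoed %zu bytes, secret leaked: %s\n",
           vulnerable_response_len(), vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler echoed %zu bytes for the malformed request\n",
           fixed_response_len());
    printf("fixed handler echoed %zu bytes for an honest request\n",
           fixed_honest_response_len());
    return 0;
}
```

The point for a reviewer is that the vulnerable version does bound something (the destination buffer), which is why the defect looked plausible in code review; the check that matters is the one against the length the transport layer actually delivered.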
The Business Case for Outsourcing Security
What is Cybersecurity?
• “Cybersecurity is technology, processes and practices employed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.”
- SEC Cybersecurity Disclosure Guidance
• “Cybersecurity is not all about technology, it's much bigger than that; it's a business challenge…the impact on their bottom line isn't virtual; it's real, so companies [had] better start thinking about it as a real, honest-to-goodness business problem.”
- Former Secretary of Homeland Security Tom Ridge in September 2013
• Cyber attacks include:
• hacking to steal data or assets or to corrupt data
• causing operational disruptions
• causing a website to fail (e.g., DNS attacks)
What is a Managed Security Service?
• A Managed Security Service is an IT security service outsourced to and delivered by a service provider. It consists of overarching business processes that go beyond the per-configuration-item (asset) security hygiene processes performed by IT operations or an IT infrastructure service provider.
Security Hygiene Processes
• Security Implementation
• Security Administration
• Security Enforcement
• Credentials Management
Managed Security Processes
• Security Solution Development
• Security Operations
• Security Analysis
• Security Incident Response
• Vulnerability Assessment
Benefits of using a Managed Security Service
• Level the playing field vs. the black hats
• Deployment of best practices supported by mature business processes and complemented by architected, integrated, operational and automated tooling
• Centers of Excellence consolidating and leveraging threat intelligence and deep, competitively capable, subject matter expertise
• Sustainability over the long term, both “same stuff, different day” and adaptability to a changing threat landscape
• Benefit from lessons learned without having to actually experience them
• Allocation of Risk
• Reputational and other risks shared with the service provider
• Cyberattacks will be very difficult to counteract without skilled allies
Who needs a Managed Security Service?
• It is likely that every enterprise will need some form of Managed Security Services but those who need an overarching independent service are likely to have:
• A complex IT infrastructure — especially those with complex multi-actor delivery fabrics
• An emerging collection of disparate cloud and SaaS solutions — especially those creating an internetwork of these disparate services
• A large number of endpoints (100k+) — especially those that are physically exposed, e.g., SCADA, POS, etc.
• Possession of personal information about individuals — especially health and financial information
• A regulatory need
• A brand built on (and dependent on) reputation
Why is MSS hard to procure?
• An IT services deal has several basic components:
• MSA - the basic legal terms and conditions governing the relationship
• Scope - describes what needs to be done
• Service Levels - how well the provider will commit to perform
• Price - the charges for the various services
• Solution - how the supplier will provide the services
Why is MSS hard to procure (Cont’d)
• The main buyer difficulties are:
• Establishing an acceptable risk allocation in the legal terms
• Describing the scope of what is to be done — the suppliers propose the how
• Allocating the processes between actors (Client, ITO, MSS, Colo, Cloud, etc.)
• Describing the service performance regime
• Determining the right things to pay for — obtaining good fixed/variable ratios
• Gathering the right information for the go-to-market cycle and minimizing due diligence effort and pricing risk
It’s About More than Just Buying the Service!
• Assess corporate cyberinsurance policies in conjunction with procuring Managed Security Services
• Negotiate for lower premiums following a successful implementation
• Having the appropriate policy may reduce some contracting pressures around risk allocation/limitations of liability
• Be wary of policy terms that could eviscerate your coverage
• Robust contract management over the lifecycle of the Agreement
• It will not be good enough to buy the Service and have a sound contract; companies will need to manage to it and monitor compliance to truly mature their security capabilities
• Governance and Audit
• Managing and auditing service provider performance is crucial
Five Parting Points on Managed Security Services
• The current regulatory / political environment is ripe for legislative action and continued government involvement
• Corporations should look to “Centers of Excellence” / Third Party Providers to mature corporate cybersecurity capabilities
• It is likely that every enterprise will need some form of Managed Security Services
• Choose an advisor that can navigate you through a comprehensive cybersecurity program inclusive of prevention, management, response and recovery
• Using Managed Security Services is more than just signing a contract – cyberinsurance, robust governance and audit models, and contract management are also crucial
Jim Wieland, Principal, Ober | Kaler, 410.347.7397
Jody Westby, Chief Executive Officer, Global Cyber Risk LLC, 202.337.0097, [email protected]
Gerry Hinkley, Partner, Pillsbury Law, 213.488.7188